declarative static analysis of smart contracts
play

Declarative Static Analysis of Smart Contracts securify.ch Quentin - PowerPoint PPT Presentation

Jan 29, 2024 •26 likes •306 views

Declarative Static Analysis of Smart Contracts securify.ch Quentin Hibon Blockchain Security Engineer, ChainSecurity Smart Contract Bugs in the News Low-level Code High-level languages Solidity Vyper compilation Low-level code

  1. Declarative Static Analysis of Smart Contracts securify.ch Quentin Hibon Blockchain Security Engineer, ChainSecurity

  2. Smart Contract Bugs in the News

  3. Low-level Code High-level languages Solidity Vyper compilation Low-level code ● Stack-based ● Untyped EVM code ● No functions ● Not designed with formal analysis in mind

  4. Ethereum Virtual Machine (EVM) Operation type Description OPCodes Arithmetic Encode calculations Add, Mul, Sub, Div, LT, EQ Control-flow Encode conditional jumps Jump, JumpI Cryptography Compute hash functions SHA3 Environment Fetch transaction information Balance, Caller, Gas, Timestamp... Memory / storage Read and write, memory and MStore, MLoad, SStore, SLoad storage Call System Message call into a contract https://ethereum.github.io/yellowpaper/paper.pdf

  5. System State Persistent Storage (S) Initially defined by the constructor Non-persistent Memory (M) Reinitialized before every transaction Stack (Q) Limited to 1024 256-bit elements Number, timestamp Block Information (B) Fixed for a given transaction

  6. Contract Semantics State: σ = (S, M, Q, B) T = (caller,{ T op i },...) Transaction: Final state Trace: σ 0 →σ 1 = T op 0 (σ 0 )→...→σ n-1 →σ n = T op n (σ n-1 ) Semantics: set of all traces for this contract Stop

  7. Unrestricted Writes Intuition Anybody can execute owner = msg.sender Formalization A write to o is unrestricted iff for any address a, there is ● T = (a, _) ● σ 0 →σ 1 = T op 0 (σ 0 )→...→σ i-1 →σ i = T op i (σ i-1 )→... with op i = SStore(o,_)

  8. Locked Ether Intuition Payable function(s), but no transfer Formalization There is a transaction increasing the balance: ● ∃ T. T σ 0 (Balance) < T σ n (Balance) No transaction extracts ether: ● ∀ T. T op i = Call(_,_,x,_) ⇒ x = 0

  9. More Security Properties Unexpected ether flows Insecure coding, such as unprivileged writes Use of unsafe inputs (e.g., reflection, hashing, …) Reentrant method calls (e.g., DAO bug) Manipulating ether flows via transaction reordering

  10. Automated Techniques Testing Dynamic Analysis Automated Verification Report true bugs Report true bugs Can report false alarms Can miss bugs Can miss bugs No missed bugs Properties like unrestricted writes cannot be checked on a single trace

  11. Demo

  12. Under the Hood 00: 60 00: x = Balance MemTag(0x20, Balance) 02: 5b 02: y = 0x20 MemTag(0x40, Const) 04: 42 04: If (x == 0x00) VarTag(z, Const) Static Infer Decompile 06: 80 06: MStore(y, x) Analysis VarTag(k, Gas) 08: 90 08: z = y Assign(s, 0x20) 0a: 56 0a: goto 0x42 Call(s{0x20}, k{Gas}) Securify Securify Securify Report EVM Semantic Intermediate Binary Representation Representation

  13. Compliance and Violation Patterns Insecure behaviors with respect to a property Secure behaviors with respect to a property

  14. Compliance and Violation Patterns Violation pattern ? (under-approximates insecure behaviors) ? Compliance pattern (under-approximates secure behaviors)

  15. Under the Hood: First Step 00: 60 00: x = Balance MemTag(0x20, Balance) 02: 5b 02: y = 0x20 MemTag(0x40, Const) 04: 42 04: If (x == 0x00) VarTag(z, Const) Static Infer Decompile 06: 80 06: MStore(y, x) Analysis VarTag(k, Gas) 08: 90 08: z = y Assign(s, 0x20) 0a: 56 0a: goto 0x42 Call(s{0x20}, k{Gas}) Securify Securify Securify Report EVM Semantic Intermediate Binary Representation Representation

  16. From EVM to CFG over SSA Control flow graph (CFG) ● Node: a basic block ● Edge: jump from one basic block to another Static single assignment form (SSA) ● Each variable assigned exactly once

  17. Under the Hood: Second Step 00: 60 00: x = Balance MemTag(0x20, Balance) 02: 5b 02: y = 0x20 MemTag(0x40, Const) 04: 42 04: If (x == 0x00) VarTag(z, Const) Static Infer Decompile 06: 80 06: MStore(y, x) Analysis VarTag(k, Gas) 08: 90 08: z = y Assign(s, 0x20) 0a: 56 0a: goto 0x42 Call(s{0x20}, k{Gas}) Securify Securify Securify Report EVM Semantic Intermediate Binary Representation Representation

  18. Semantic Facts Semantic fact Description Flow dependencies Data dependencies A tag can be an instruction or a variable

  19. Inference Rules: MayFollow ← ← Derive input by declaring a predicate Follows(i, j) for: ● Edge (i, j) in the CFG ● Consecutive instructions in basic blocks 1: x := 10 2: y := x + 20 5: y = 0 3: y--; 6: return 4: return

  20. Additional Input Facts Follows(1,2) Follows(2,3) Follows(3,4) Assign(x, Balance) 1: x = Balance 2: Mstore(0x20, x) IsConst(0x20) 3: y = MLoad(0x20) 4: z = x + y MStore(2,0x20,x) MLoad(3,y,0x20) Op(4,z,x) Op(4,z,y) Code Input Facts

  21. Partial Inference Rules: MayDepOn MayDepOn(x,t) ← Assign(x,t) MayDepOn(x,t) ← Op(_,x,x'), MayDepOn(x',t) MayDepOn(x,t) ← MLoad(l,x,o), isConst(o), MemTag(l,o,t) MayDepOn(x,t) ← MLoad(l,x,o),¬isConst(o), MemTag(l,_,t) ● No label in MayDepOn ○ SSA form ● Label in MemTag ○ Offset dependencies evolve

  22. Derived Semantic Facts MayDepOn(x, Balance) MayDepOn(y, Balance) 1: x = Balance MayDepOn(z, Balance) 2: MStore(0x20, x) 3: y = MLoad(0x20) MemTag(2, 0x20, Balance) 4: z = x + y MemTag(3, 0x20, Balance) MemTag(4, 0x20, Balance) Code Derived semantic facts

  23. Under the Hood: Final Step 00: 60 00: x = Balance MemTag(0x20, Balance) 02: 5b 02: y = 0x20 MemTag(0x40, Const) 04: 42 04: If (x == 0x00) VarTag(z, Const) Static Infer Decompile 06: 80 06: MStore(y, x) Analysis VarTag(k, Gas) 08: 90 08: z = y Assign(s, 0x20) 0a: 56 0a: goto 0x42 Call(s{0x20}, k{Gas}) Securify Securify Securify Report EVM Semantic Intermediate Binary Representation Representation

  24. Example Patterns: Restricted Write Compliance pattern some SStore(l,o,_). Violation pattern ! MayDepOn(o, Caller) && ! MayDepOn(l, Caller) - Remaining patterns are encoded similarly - Proofs formally relate patterns and security properties

  25. Summary 00: 60 00: x = Balance MemTag(0x20, Balance) 02: 5b 02: y = 0x20 MemTag(0x40, Const) 04: 42 04: If (x == 0x00) VarTag(z, Const) Static Infer Decompile 06: 80 06: MStore(y, x) Analysis VarTag(k, Gas) 08: 90 08: z = y Assign(s, 0x20) 0a: 56 0a: goto 0x42 Call(s{0x20}, k{Gas}) Securify Securify Securify Report EVM Semantic Intermediate Binary Representation Representation

  26. Research Start-ups https://chainsecurity.com https://securify.ch The first automated formal audit platform for smart contracts https://apk-deguard.co m We are looking for strong business people and crypto https://jsnice.org experts to help our mission: jobs@chainsecurity.com https://psisolver.org contact@chainsecurity.com https://eventracer.org @chain_security

  27. Partial Evaluation x := 10 x := 10 x := 10 y := 10 + 20 y := x + 20 y := 10 + 20 goto L1 if (y > 0) goto L1 <then branch> <else branch> Return Return <then branch> <then branch> Return Return Code Code Constructed CFG (partial evaluation) ● Resolve jumps ○ Improve the precision of the CFG ● Resolve write offsets to storage / memory ○ Improve analysis precision

  28. Securify Pattern Language Labels l (labels) Vars x (variables) Tags t l | x Instr n Instr(l,x,...,x) Facts f MayFollow(l,l) | MustFollow(l,l) | MayDepOn(x,t) | MustDepOn(x,t) | DetBy(x,t) Patterns p f | all n.p | some n.p | p && p | p || p | ! p

Recommend

Quantitative Analysis of Smart Contracts Krishnendu Chatterjee 1 Amir Goharshady 1 Yaron Velner 2 1

Quantitative Analysis of Smart Contracts Krishnendu Chatterjee 1 Amir Goharshady 1 Yaron Velner 2 1

Quantitative Analysis of Smart Contracts Krishnendu Chatterjee 1 Amir Goharshady 1 Yaron Velner 2 1 IST Austria 2 Hebrew University of Jerusalem ESOP 2018 Outline Smart Contracts Bugs in Smart Contracts Language Design Games and Abstraction

1.06k views • 73 slides
Writing Smart Contracts Dionysis Zindros Smart Contracts Day Athens, March 2017 We talked all

Writing Smart Contracts Dionysis Zindros Smart Contracts Day Athens, March 2017 We talked all

Writing Smart Contracts Dionysis Zindros Smart Contracts Day Athens, March 2017 We talked all about what smart contracts are... ...but what does a real smart contract look like? Lets talk about writing actual Smart Contracts with code

809 views • 50 slides
Securify: Practical Security Analysis of Smart Contracts https://securify.ch Dana Martin Petar

Securify: Practical Security Analysis of Smart Contracts https://securify.ch Dana Martin Petar

Securify: Practical Security Analysis of Smart Contracts https://securify.ch Dana Martin Petar Andrei Arthur Florian Drachsler- Vechev Tsankov Dan Gervais Bnzli Cohen Grant: Startup: What is a smart contract? mapping(address

518 views • 35 slides
Contracts as a support to static analysis of open systems Work in progress Nadia Bel Hadj Aissa

Contracts as a support to static analysis of open systems Work in progress Nadia Bel Hadj Aissa

Introduction Information flow example W CET example Contracts as a support to static analysis of open systems Work in progress Nadia Bel Hadj Aissa Dorina Ghindici Gilles Grimaud Isabelle Simplot-Ryl INRIA/LIFL/Univ. Lille 1 FLACOS07 1

465 views • 20 slides
Smart Contracts Jrgen Modin The two building blocks of smart contracts Digital signatures

Smart Contracts Jrgen Modin The two building blocks of smart contracts Digital signatures

Smart Contracts Jrgen Modin The two building blocks of smart contracts Digital signatures The blockchain What does the blockchain do? One timestamp, and one context for each signature You can detect if someone is promising

289 views • 7 slides
Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting

Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting

Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting insights at compile time Full branch coverage Terminates Doesnt rely on a test suite Types are static analysis. Lets talk about

784 views • 39 slides
Security analysis of smart contracts in Datalog https://securify.ch Dr. Petar Tsankov Senior

Security analysis of smart contracts in Datalog https://securify.ch Dr. Petar Tsankov Senior

Security analysis of smart contracts in Datalog https://securify.ch Dr. Petar Tsankov Senior researcher, SRI lab, ETH Zurich Co-founder and Chief Scientist, ChainSecurity Inter-disciplinary research at Next-generation blockchain security ETH

1.22k views • 32 slides
Securify: Practical Security Analysis of Smart Contracts https://securify.ch Dr. Petar Tsankov

Securify: Practical Security Analysis of Smart Contracts https://securify.ch Dr. Petar Tsankov

Securify: Practical Security Analysis of Smart Contracts https://securify.ch Dr. Petar Tsankov Scientific Researcher, ICE center, ETH Zurich Co-founder and Chief Scientist, ChainSecurity AG http://www.ptsankov.com/ @ptsankov

407 views • 39 slides
Smart Contracts and Ethereum Winter School on Cryptocurrency Loi Luu and Blockchain Technologies

Smart Contracts and Ethereum Winter School on Cryptocurrency Loi Luu and Blockchain Technologies

Smart Contracts and Ethereum Winter School on Cryptocurrency Loi Luu and Blockchain Technologies National University of Singapore Shanghai, Jan. 15-17 2017 Some slides are courtesy of Vitalik Buterin 1 Agenda Smart contracts and

1.12k views • 79 slides
Static Analysis for Secure Development Introduction Static analysis : What , and why ?

Static Analysis for Secure Development Introduction Static analysis : What , and why ?

Static Analysis for Secure Development Introduction Static analysis : What , and why ? Basic analysis ! Example : Flow analysis ! Increasing precision ! Context -, flow -, and path sensitivity Scaling it up !

527 views • 27 slides
Bitcoin Smart Contracts Saravanan Vijayakumaran sarva@ee.iitb.ac.in Department of Electrical

Bitcoin Smart Contracts Saravanan Vijayakumaran sarva@ee.iitb.ac.in Department of Electrical

Bitcoin Smart Contracts Saravanan Vijayakumaran sarva@ee.iitb.ac.in Department of Electrical Engineering Indian Institute of Technology Bombay August 26, 2019 1 / 17 Smart Contracts Computer protocols which help execution/enforcement of

288 views • 17 slides
Smart Contract Security Assessing Solidity smart contracts About Me Evangelos Deirmentzoglou

Smart Contract Security Assessing Solidity smart contracts About Me Evangelos Deirmentzoglou

Smart Contract Security Assessing Solidity smart contracts About Me Evangelos Deirmentzoglou Security Consultant Smart contract audits Nmap/Ncrack contributor Certs: OSCE, OSCP, OSWP Blockchain Basics Front Running

642 views • 30 slides
1 Analysis Information Where Do Facts Hold? How much information depends on the client

1 Analysis Information Where Do Facts Hold? How much information depends on the client

711? CS711 Advanced Programming Languages Topics in Program Analysis Radu Rugina Fall 2005 CS711 Overview 2 Program Analysis Static vs. Dynamic Static analysis: inspect programs at compile-time Static analysis: Work done at

282 views • 4 slides
Designing Secure Ethereum Smart Contracts: A Finite State Machine Based Approach Anastasia

Designing Secure Ethereum Smart Contracts: A Finite State Machine Based Approach Anastasia

Designing Secure Ethereum Smart Contracts: A Finite State Machine Based Approach Anastasia Mavridou 1 and Aron Laszka 2 1 Vanderbilt University 2 University of Houston 2 Smart Contract Insecurity Smart contracts are riddled with bugs and

575 views • 21 slides
A Brief Introduction to Static Analysis Sam Blackshear March 13, 2012 Outline A theoretical

A Brief Introduction to Static Analysis Sam Blackshear March 13, 2012 Outline A theoretical

A Brief Introduction to Static Analysis Sam Blackshear March 13, 2012 Outline A theoretical problem and how to ignore it An example static analysis What is static analysis used for? Commercial successes Free static analysis tools you should

490 views • 37 slides
Static Analysis Static Analysis they are read? Will the current value of a variable ever be

Static Analysis Static Analysis they are read? Will the current value of a variable ever be

Interesting Questions Interesting Questions Is every statement reachable? Does every non- void method return a value? Compilation 2007 Compilation 2007 Will local variables definitely be assigned before Static Analysis Static

169 views • 13 slides
A Concurrent Perspective on Smart Contracts Ilya Sergey Aquinas Hobor 1st Workshop on

A Concurrent Perspective on Smart Contracts Ilya Sergey Aquinas Hobor 1st Workshop on

A Concurrent Perspective on Smart Contracts Ilya Sergey Aquinas Hobor 1st Workshop on Trusted Smart Contracts 7 April 2017 class ConcurrentQueue &lt;E&gt; { public synchronized void enqueue(E elem) {} public synchronized E dequeue()

605 views • 21 slides
Blockchain and Smart Contracts in the Energy Industry: A European Perspective Dr. Matthias Lang

Blockchain and Smart Contracts in the Energy Industry: A European Perspective Dr. Matthias Lang

Blockchain and Smart Contracts in the Energy Industry: A European Perspective Dr. Matthias Lang Bird &amp; Bird LLP, Dsseldorf, Germany April 11, 2019 Table of contents I. Introduction II. Blockchain and Smart Contracts in a Nutshell

787 views • 41 slides
Static and dynamic verification Software inspections Concerned with analysis of the static

Static and dynamic verification Software inspections Concerned with analysis of the static

1 Static and dynamic verification Software inspections Concerned with analysis of the static system representation to discover problems (static verification) May be supplement by tool-based document and code analysis Software

430 views • 12 slides
Static vs. Dynamic Analysis Static analysis: analyze source code or byte code Imprecise

Static vs. Dynamic Analysis Static analysis: analyze source code or byte code Imprecise

I NTELLI D ROID A Targeted Input Generator for the Dynamic Analysis of Android Malware Michelle Y. Wong and David Lie University of Toronto Department of Electrical and Computer Engineering NDSS Symposium 2016 ! ! ! B ACKGROUND Static vs.

1.02k views • 32 slides
Static analysis and all that Martin Steffen IfI UiO Spring 2014 Static analysis and all that

Static analysis and all that Martin Steffen IfI UiO Spring 2014 Static analysis and all that

Static analysis and all that Martin Steffen IfI UiO Spring 2014 Static analysis and all that Martin Steffen IfI UiO Spring 2014 Plan approx. 15 lectures, details see web-page flexible time-schedule, depending on progress/interest

2.15k views • 194 slides
CS7038 - Malware Analysis - Wk04.1 Static Analysis Introduction Coleman Kane kaneca@mail.uc.edu

CS7038 - Malware Analysis - Wk04.1 Static Analysis Introduction Coleman Kane kaneca@mail.uc.edu

CS7038 - Malware Analysis - Wk04.1 Static Analysis Introduction Coleman Kane kaneca@mail.uc.edu February 1, 2017 Static Analysis Static Analysis is the process of documenting your observations about what identifying characteristics a

575 views • 8 slides
Verification of blockchains and smart contracts Formal Methods Update, 2018 BITS Pilani Goa

Verification of blockchains and smart contracts Formal Methods Update, 2018 BITS Pilani Goa

Verification of blockchains and smart contracts Formal Methods Update, 2018 BITS Pilani Goa Madhavan Mukund Chennai Mathematical Institute http:/ /www.cmi.ac.in/~madhavan Outline Introduction to blockchains Smart contracts

859 views • 37 slides
Ethereum Smart Contracts Saravanan Vijayakumaran sarva@ee.iitb.ac.in Department of Electrical

Ethereum Smart Contracts Saravanan Vijayakumaran sarva@ee.iitb.ac.in Department of Electrical

Ethereum Smart Contracts Saravanan Vijayakumaran sarva@ee.iitb.ac.in Department of Electrical Engineering Indian Institute of Technology Bombay September 4, 2018 1 / 14 Ethereum Contracts Contract = Collection of functions and state at a

179 views • 14 slides

More recommend