  1. EthPloit: From Fuzzing to Efficient Exploit Generation against Smart Contracts
  Qingzhao Zhang 1,2, Yizhuo Wang 1, Juanru Li 1, Siqi Ma 3
  1 Shanghai Jiao Tong University, China; 2 University of Michigan, USA; 3 Data61, CSIRO, Australia
  SANER '20, London ON, Canada, February 21, 2020

  2. Contents
  1 Background
  2 Motivation
  3 EthPloit Fuzzer
  4 Evaluation
  5 Conclusion

  3. Contents (section divider: 1 Background)

  4-5. Overview of Ethereum
  Ethereum is the second-largest blockchain system.
  (figure: three layers, Blockchain level, EVM level, Contract level)
  In General
  ▪ A programmable blockchain
  ▪ A platform for decentralized applications
  In Detail
  ▪ A transaction-based state machine
  ▪ The heart is the Ethereum Virtual Machine (EVM)
  ▪ Based on a Turing-complete programming language (Solidity)

  6. Smart Contract
  Contract Code
  ▪ Source code written in Solidity
  ▪ Compiled by solc to get bytecode
  ▪ Bytecode runs on the EVM
  Contract Account
  ▪ Created by an Externally Owned Account
  ▪ Executed on incoming transactions
  (figure: Externally Owned Account with Address and Balance; Contract Account with Address, Balance, code and storage; example contracts: Crowdfunding, Shared Games, Schemes, Wallets, ...)

  7. Transaction
  Basic Fields
  ▪ From: Sender's Address
  ▪ To: Receiver's Address
  ▪ Value: Amount of Currency
  ▪ Data: various situations
  - Empty (just transfer currency)
  - Init code of contract
  - Called function with arguments
  Simulate a scene
  ▪ Call a function of the contract
  ▪ Run the code on the EVM
  ▪ Result: change the balance, update the storage (state variables)

  8. Exploitation of Smart Contract
  What is the exploitation
  ▪ A sequence of transactions (TX 0, TX 1, ..., TX n-1) from the attacker to the target contract
  Categories of exploitation, according to the cause of damages:
  ▪ Balance Increment
  ▪ Self-destruction
  ▪ Code Injection
  (figure: attacker account and target contract, each with Balance; EVM storage)

  9-11. Exploitable Vulnerabilities
  Unchecked Transfer Value
  ▪ Misuse of this.balance
  ▪ Unlimited profit
  Vulnerable Access Control
  ▪ Missing & misuse of check before sensitive operation
  Exposed Secret
  ▪ Newly identified vulnerability
  ▪ Previous tools cannot exploit
  (figure: a secret setter and a secret checker)
  - Attackers inspect the secret from the data of previous transactions
  - Attackers break the secret checking to gain profit

  12. Contents (section divider: 2 Motivation)

  13. Goal of the Work
  Vulnerabilities Detected (Unchecked Transfer Value, Vulnerable Access Control, Exposed Secret)
  → Vulnerabilities Exploited
  → Efficient Exploit Generation via Fuzzing

  14. Challenges of Exploit Generation
  Challenge 1: Unsolvable Constraint
  < Situation in smart contract >
  ▪ Conditions restricting sensitive operations involve complicated operations like hashes
  ▪ They depend on runtime values that are not stored in the contract state
  < Previous solution >
  ▪ Previous tools (e.g., teEther, Mythril) rely on an SMT solver
  - Cannot solve cryptographic constraints
  - Ignore the runtime values

  15. Challenges of Exploit Generation
  Challenge 2: Blockchain Effects
  < Situation in smart contract >
  ▪ Blockchain effects of the blockchain system affect the execution of smart contracts
  - E.g., blockchain properties such as an invalid timestamp
  < Previous solution >
  ▪ Previous tools have difficulties manipulating blockchain effects
  - Lack of consideration of the syntax of blockchain properties
  - Ignore the possibility of a call reverting, thus lose coverage (e.g., teEther, ContractFuzzer)

  16. Our Solution
  EthPloit: a smart-contract-specific fuzzer
  Fuzzing
  ▪ Create a blank seed set
  ▪ Update the seed set
  ▪ Use it for the next generation
  Feedback of runtime value
  ▪ Record the runtime values of arguments and variables
  ▪ Indicated information:
  - Execution history, e.g., the hash image
  - State of the contract, i.e., the state variables
  Manipulation of blockchain execution
  ▪ By instrumenting the execution environment

  17. Contents (section divider: 3 EthPloit Fuzzer)

  18. Workflow of EthPloit
  (figure: five components, 1 Taint Analyzer, 2 Test Case Generator, 3 Instrumented EVM Environment, 4 Trace Analyzers, 5 Feedback Handler)

  19-20. Workflow: Taint Analyzer (1)
  Knowledge of the dependencies of modifying contract state improves fuzzing efficiency.
  EthPloit applies static taint analysis to discover dependencies of modifying contract states:
  ▪ Generate the control flow graph
  ▪ Label taint sources and sinks
  ▪ Perform taint propagation
  Extract variable-level dependencies
  ▪ Variable-Data Dependency
  ▪ Variable-Control Dependency

  21. Workflow: Test Case Generator (2)
  Optimize the test case by analyzing how inputs affect the execution of exploits.
  Taint Relation Graph
  ▪ Extend in-function dependencies to dependencies among functions
  ▪ Add suitable functions into a set of candidates
  Function Selection
  ▪ Select a function from the candidates based on a probability distribution
  Arguments Generation
  ▪ From a pseudo-random generator
  ▪ From the dynamic seed set
  Blockchain Properties Generation
  ▪ Based on the Instrumented EVM Environment

  22. Workflow: Instrumented EVM Environment (3)
  EthPloit environment
  ▪ Based on remix-debugger
  ▪ Deploy contract
  ▪ Execute transaction
  ▪ Extract full execution trace
  Compared to a private Ethereum chain
  ▪ More light-weight
  ▪ More flexible to configure
  Three instrumentations
  ▪ Configure accounts
  - For each test case
  ▪ Configure block properties
  - For each execution of a transaction
  ▪ Force external calls to revert
  - For each external call
  - Revert the 2nd execution of the call

  23. Workflow: Trace Analyzers (4)
  Coverage Guider
  ▪ Measure the progress of exploit-oriented fuzzing
  ▪ Construct feedback as rewards
  ▪ Critical instruction coverage
  ▪ Feedback construction
  - Seed feedback
  - Function distribution feedback: $P_f = c_1 + \frac{N_c}{N_t}(c_2 - c_1)$, so with $N_c \le N_t$ the selection probability of a function $f$ moves between the bounds $c_1$ and $c_2$ as the ratio $N_c / N_t$ grows
  Exploit Detector
  ▪ Balance Increment oracle
  - If the attacker's balance is increased
  ▪ Self-Destruction oracle
  - If the opcode SELFDESTRUCT is found
  ▪ Code Injection oracle
  - If the opcodes CALLCODE or DELEGATECALL are found
  - And the destination is controlled by attackers

  24. Workflow: Feedback Handler (5)
  Dynamic Seed Strategy
  Aim: guide the test case generator to produce proper function arguments.
  For the whole process of fuzzing
  ▪ Perform more mutation based on interesting cases
  ▪ Select global seeds, which have a lifetime during fuzzing one contract:
  - All arguments of interesting cases causing coverage increment
  - Constant values
  For each test case
  ▪ Make use of connections among transactions
  ▪ Select local seeds after each execution of a transaction:
  - Previous arguments
  - State variables
  - I/O of complicated calls
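The "exposed secret" pattern of slides 9-11 and the fuzzing loop of slides 19-24 in one runnable toy. This is an added example, not EthPloit's own code: the contract is a hand-written Python stand-in for a Solidity secret setter / secret checker, SHA-256 stands in for keccak256, the "critical instruction" names are labels rather than real EVM traces, and the constants C1 / C2, the default weight for a never-executed function, the 50% seed-use rate and the account names are all assumptions. It shows why a blind fuzzer never passes the hash check while a fuzzer that seeds arguments from earlier transactions' calldata (the dynamic seed strategy) does, using the slides' P_f selection rule and the balance-increment oracle.

```python
"""Toy exploit-oriented fuzzer (added example, not EthPloit's code; see lead-in)."""
import hashlib
import random

OWNER, ATTACKER = "0xowner", "0xattacker"      # constructed accounts
FUNCTIONS = ["set_secret", "claim"]
C1, C2 = 0.2, 0.8                               # assumed bounds of the selection probability


def keccak_stub(s: str) -> bytes:
    """SHA-256 stands in for keccak256 (assumption); the fuzzer cannot invert either."""
    return hashlib.sha256(s.encode()).digest()


class Chain:
    """Stand-in for the instrumented EVM environment: accounts, one contract, history, trace."""

    def __init__(self, pot: int):
        self.balances = {OWNER: 0, ATTACKER: 0, "contract": pot}
        self.secret_hash = None
        self.history = []    # (sender, function, args) of every transaction executed so far
        self.trace = []      # 'critical instructions' hit by the last transaction

    # The vulnerable contract, modelled in Python: the setter's argument is public
    # calldata, and the checker pays the whole pot to whoever sends the matching preimage.
    def set_secret(self, sender, secret):
        self.trace = ["SSTORE"]
        if sender != OWNER:
            raise PermissionError("revert: not owner")
        self.secret_hash = keccak_stub(secret)

    def claim(self, sender, guess):
        self.trace = ["SHA3"]
        if self.secret_hash is None or keccak_stub(guess) != self.secret_hash:
            raise ValueError("revert: wrong secret")
        self.trace.append("CALL")                   # the value transfer
        self.balances[sender] += self.balances["contract"]
        self.balances["contract"] = 0

    def execute(self, sender, fn, args):
        """Run one transaction, keep it in the history, report whether it succeeded."""
        self.history.append((sender, fn, args))
        try:
            getattr(self, fn)(sender, *args)
            return True
        except (PermissionError, ValueError):
            return False


def fresh_chain() -> Chain:
    """Deploy the contract and replay its (constructed) on-chain history."""
    chain = Chain(pot=10)
    chain.execute(OWNER, "set_secret", ("hunter2",))  # the secret sits in public calldata
    return chain


class Fuzzer:
    def __init__(self, use_seeds: bool, rng: random.Random):
        self.use_seeds = use_seeds          # False = blind random arguments only
        self.rng = rng
        self.stats = {f: [0, 0] for f in FUNCTIONS}   # per function: [N_c, N_t]
        self.coverage = set()               # critical instructions seen so far
        self.global_seeds = set()           # arguments of cases that increased coverage

    def select_function(self):
        # Function distribution feedback: P_f = c1 + (N_c / N_t) * (c2 - c1)
        weights = [C1 + (nc / nt) * (C2 - C1) if nt else C2
                   for nc, nt in (self.stats[f] for f in FUNCTIONS)]
        return self.rng.choices(FUNCTIONS, weights)[0]

    def gen_arg(self, local_seeds):
        pool = sorted(local_seeds | self.global_seeds)
        if self.use_seeds and pool and self.rng.random() < 0.5:
            return self.rng.choice(pool)    # dynamic seed: a previously observed value
        return "".join(self.rng.choice("abcdefghijklmnopqrstuvwxyz") for _ in range(8))

    def run(self, max_cases=1000, max_len=3):
        """Return the transaction sequence that raised the attacker's balance, or None."""
        for _ in range(max_cases):
            chain = fresh_chain()
            start = chain.balances[ATTACKER]
            # Local seeds: arguments of earlier transactions, read from the execution history
            local_seeds = {a for _, _, args in chain.history for a in args}
            case = []
            for _ in range(max_len):
                fn, arg = self.select_function(), self.gen_arg(local_seeds)
                chain.execute(ATTACKER, fn, (arg,))
                case.append((fn, arg))
                local_seeds.add(arg)
                self.stats[fn][1] += 1
                new = set(chain.trace) - self.coverage
                if new:                                     # coverage guider reward
                    self.coverage |= new
                    self.stats[fn][0] += 1
                    self.global_seeds.add(arg)
                if chain.balances[ATTACKER] > start:        # balance increment oracle
                    return case
        return None


def fuzz(use_seeds: bool, seed: int = 1):
    """1,000 cases of length 3, the same budget as the evaluation slides."""
    return Fuzzer(use_seeds, random.Random(seed)).run()


if __name__ == "__main__":
    print("blind  :", fuzz(False))   # None: random strings never hit the hash check
    print("guided :", fuzz(True))    # ends with ('claim', 'hunter2')
```

The blind run exhausts its budget because no SMT solver or random generator inverts the hash; the guided run succeeds only because the preimage was already in the history's calldata, which is exactly what the exposed-secret slides describe. Swapping the stub hash for real keccak256 changes nothing about the outcome.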

  26. Contents (section divider: 4 Evaluation)

  27. Environment
  Dataset
  ▪ 45,308 contracts in total
  Environment
  ▪ Two 3.60 GHz Xeon CPUs with 128 GB RAM
  Fuzzing Configuration
  ▪ Maximum of 1,000 test cases
  ▪ Maximum length of 3 transactions for each case
  Comparison
  ▪ teEther [1] and MAIAN [2] with a timeout of 5 minutes
  [1] Krupp, Johannes, and Christian Rossow. "teEther: Gnawing at Ethereum to automatically exploit smart contracts." 27th USENIX Security Symposium (USENIX Security 18). 2018.
  [2] Nikolić, Ivica, et al. "Finding the greedy, prodigal, and suicidal contracts at scale." Proceedings of the 34th Annual Computer Security Applications Conference. 2018.

  28. Evaluation of Contract Exploit
  EthPloit
  ▪ Generated 644 exploits in total
  ▪ No false positives, verified using a real-world EVM
  ▪ 600 Balance Increment, 59 Self-destruction, 4 Code Injection
  teEther / MAIAN
  ▪ Unable to analyze 5,123 contracts and 102 contracts respectively
  ▪ teEther generated 14 false positives
  ▪ MAIAN cannot exploit many of the vulnerable contracts
