
Not Your Grandma's Smart Contract Verification



  1. Not Your Grandma’s Smart Contract Verification. Florian Buenzli, Hubert Ritzdorf, Dana Drachsler-Cohen, Andrei Dan, Arthur Gervais, Quentin Hibon, Petar Tsankov, Martin Vechev. http://blockchainsecurity.ethz.ch

  2. Smart Contract Security Bugs in the News

  3. Unprivileged write to storage

     Wallet Contract:

     ```
     address owner = ...;

     // Any user may change the wallet's owner
     function initWallet(address _owner) {
       owner = _owner;
     }

     // Only owner can send ether
     function withdraw(uint amount) {
       if (msg.sender == owner) {
         owner.transfer(amount);
       }
     }
     ```

     An attacker used a similar bug to steal $30M in July.

  8. More Security Bugs …
     - Unexpected ether flows
     - Insecure coding, such as unprivileged writes (e.g., Multisig Parity bug)
     - Use of unsafe inputs (e.g., reflection, hashing, …)
     - Reentrant method calls (e.g., DAO bug)
     - Manipulating ether flows via transaction reordering

  9. Transaction reordering

     Token Contract:

     ```
     uint price = 10;
     address owner;

     // The owner can change the price
     function setPrice(uint newPrice) {
       if (msg.sender == owner)
         price = newPrice;
     }

     // A user can buy with the current price
     function sellToken() {
       msg.sender.transfer(price);
     }
     ```

     The two operations do not commute.

  10. Automated Security Analysis

  11. Automated Security Analysis Approaches

      [Figure labels: all possible contract behaviors; security bugs]

      Problem: Cannot enumerate all possible contract behaviors …

  12. Security Analysis Approaches
      - Testing: report true bugs; can miss bugs
      - Dynamic (symbolic) analysis: report true bugs; can miss bugs
      - Automated verification: can report false alarms; no missed bugs

  13. Current State of Automated Analysis for Ethereum Smart Contracts

  14. Security Analysis Approaches
      - Testing (Populus): report true bugs; can miss bugs
      - Dynamic (symbolic) analysis (Oyente): report true bugs; can miss bugs
      - Automated verification: can report false alarms; no missed bugs

  15. Fully automated, one-click, formal verification system for Ethereum smart contracts: www.securify.ch

  16. Demo

  17. Securify: Under the Hood

      Pipeline: EVM Binary → (Decomp.) → Securify Intermediate Representation → (Static Analysis) → Securify Semantic Representation → (Infer) → Securify Report

      - The semantic representation captures key semantic facts about the contract.
      - Security patterns are expressed in a designated security language.

      ```
      EVM Binary   Intermediate Representation   Semantic Representation
      00: 60       00: x = Balance               MemTag(0x20, Balance)
      02: 5b       02: y = 0x20                  MemTag(0x40, Const)
      04: 42       04: If (x == 0x00)            VarTag(z, Const)
      06: 80       06: MStore(y, x)              VarTag(k, Gas)
      08: 90       08: z = y                     Assign(s, 0x20)
      0a: 56       0a: goto 0x42                 Call(s{0x20}, k{Gas})
      ⋮            ⋮                             ⋮
      ```

      Fully automated, easily extensible

  18. ChainSecurity: Swiss-based startup that provides intelligent security solutions for blockchains and smart contracts
      - Automated Security Analysis Systems
      - Comprehensive Smart Contract Auditing

      https://chainsecurity.com

  19. Summary
      - Research: fully automated; strong guarantees; extensible
      - Product: get in touch with our team of security / blockchain / program analysis experts

      https://chainsecurity.com, contact@chainsecurity.com, @chain_security, https://www.securify.ch
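
The transaction-reordering slide (slide 9) states that `setPrice` and `sellToken` do not commute. The following is an added Python model of that Token Contract, not code from the talk: it runs both orderings and compares the user's payout, then repeats them with a price-pinning variant. The names `OWNER`, `USER`, `sell_token_checked` and the new price of 1 are assumptions made for the illustration.

```python
# Added illustration: Python model of the slide-9 Token Contract (not Solidity,
# not from the talk). OWNER, USER and sell_token_checked are assumed names.
OWNER, USER = "owner", "user"

class Revert(Exception):
    """Models an EVM revert: the transaction has no effect."""

class Token:
    def __init__(self):
        self.price = 10      # uint price = 10;
        self.owner = OWNER   # address owner;
        self.paid = {}       # ether sent out, per recipient

    def set_price(self, sender, new_price):
        if sender == self.owner:          # only the owner can change the price
            self.price = new_price

    def sell_token(self, sender):
        # msg.sender.transfer(price): pays whatever the price is at execution time
        self.paid[sender] = self.paid.get(sender, 0) + self.price

    def sell_token_checked(self, sender, expected_price):
        # Hypothetical hardening: the caller pins the price they observed.
        if self.price != expected_price:
            raise Revert("price changed since the transaction was submitted")
        self.sell_token(sender)

def run(order, checked=False):
    """Execute the two pending transactions in `order`; return USER's payout."""
    token = Token()
    seen = token.price  # price the user observed before submitting
    for tx in order:
        try:
            if tx == "setPrice":
                token.set_price(OWNER, 1)   # constructed new price
            elif checked:
                token.sell_token_checked(USER, seen)
            else:
                token.sell_token(USER)
        except Revert:
            pass  # a reverted transaction leaves the state untouched
    return token.paid.get(USER, 0)

if __name__ == "__main__":
    for order in (["sellToken", "setPrice"], ["setPrice", "sellToken"]):
        print(order, "unchecked:", run(order), "checked:", run(order, checked=True))
```

With the unchecked function the user's payout depends on which transaction is ordered first; with the pinned price the user either receives the price they observed or the call reverts.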
