Securify: Practical Security Analysis of Smart Contracts - PowerPoint PPT Presentation

Securify: Practical Security Analysis of Smart Contracts https://securify.ch Dr. Petar Tsankov Scientific Researcher, ICE center, ETH Zurich Co-founder and Chief Scientist, ChainSecurity AG � http://www.ptsankov.com/ � @ptsankov

http://ice.ethz.ch Inter-disciplinary and inter-department research center at ETH Zurich Prof. Martin Prof. Laurent Dr. Petar Dr. Dana Timon Ahmed Vechev Tsankov Drachsler Vanbever Gehr El-Hassany Roland Maria Rüdiger Samuel Johannes Apostolaki Birkner Steffan Meier Kapfhammer

Research @ ICE Programmable networks Blockchain security Safe and interpretable AI Security and privacy

Research @ ICE Programmable networks Blockchain security Safe and interpretable AI Security and privacy

What is a Smart Contract? mapping(address => uint) balances; function withdraw() { uint amount = balances[msg.sender]; msg.sender.call.value(amount); Transfer ETH to balances[msg.sender] = 0; } the caller § Small programs that handle cryptocurrencies § Written in high-level languages (e.g., Solidity, Vyper) § Executed on the blockchain (e.g. Ethereum) § Usually no patching after release What can happen when programs handle billions worth of USD?

Smart Contract Security Bugs in the News 2 days ago

June 2016: The DAO hack

The DAO hack : Reentrancy User Contract Bank Contract function moveBalance() { mapping(address => uint) balances; calls the default bank.withdraw(); withdraw() "fallback” function } function withdraw() { ... uint amount = balances[msg.sender]; 10 ether function () payable { msg.sender.call.value(amount)(); // log payment balances[msg.sender] = 0; Later… } } balance is zeroed withdraw() after ether transfer 0 ether Can the user contract withdraw more than its balance?

The DAO hack: Reentrancy User Contract Bank Contract function moveBalance() { mapping(address => uint) balances; bank.withdraw(); withdraw() } function withdraw() { ... uint amount = balances[msg.sender]; 10 ether function () payable { msg.sender.call.value(amount)(); bank.withdraw(); balances[msg.sender] = 0; withdraw() } } calls withdraw() 10 ether before balance is set to 0 ... An attacker used this bug to steal 3.6M ether (> 1B USD today )

July 2017: Parity Multisig Bug 1

Parity Multisig Bug 1 : Unprivileged Write to Storage Wallet Contract address owner = ...; Any user may change the function initWallet(address _owner) { owner = _owner; wallet’s owner } function withdraw(uint _amount) { if (msg.sender == owner) { Only the owner can msg.sender.transfer(_amount); } withdraw ether } An attacker used a similar bug to steal $30M in July 2017

Four months later… Parity Multisig Bug 2

Parity Multisig Bug 2 : Frozen Wallets Execute the Wallet Contract Wallet Library code in the address walletLibrary = ... // address wallet library function() payable { function() payable { walletLibrary.delegatecall(msg.data); // fallback } } function withdraw(uint amount) { function withdraw(uint amount) { walletLibrary.delegatecall(msg.data); // withdraw funds } } However, in Ethereum, smart contracts can be killed!

Parity Multisig Bug 2 : Frozen Wallets An attacker deleted the library Wallet Contract Wallet Library address walletLibrary = ... // address ... function() payable { function() payable { No withdraws walletLibrary.delegatecall(msg.data); // fallback are possible } } function withdraw(uint amount) { function withdraw(uint amount) { walletLibrary.delegatecall(msg.data); // withdraw funds } } A user froze $170M by deleting the wallet library

Relevant Security Properties… Unexpected ether flows Insecure coding, such as unprivileged writes Use of unsafe inputs (e.g., reflection, hashing, …) Reentrant method calls (e.g., DAO bug) Manipulating ether flows via transaction reordering Many of these are nontrivial trace-/hyper-properties

Automated Security Analysis of Smart Contracts: Challenges and Gaps

Security Analysis (high-level view) All possible contract Security behaviors violations Minor issue J : Smart contracts are written in Turing-complete languages

Automated Security Solutions WANTED : Automated Verifier Truffle Oyente, Mythril, MAIAN Testing Dynamic (symbolic) analysis Report true bugs Report true bugs Can report false alarms Can miss bugs Can miss bugs No missed bugs Bug finding Verification

Domain-Specific Insight: When contracts satisfy/violate a property, they often also satisfy/violate a much simpler property

Example: The DAO Hack Security property function withdraw() { uint amount = balances[msg.sender]; No state changes after call instructions msg.sender .call.value(amount)(); balances[msg.sender] = 0; Hard to verify } in general Verifies 91% of all deployed contracts Compliance pattern No writes to storage may follow call instructions Easier to check Violation pattern automatically A write to storage must follow call instructions

Classifying Behaviors using Compliance and Violation Patterns Unsafe behaviors Safe behaviors Compliance Violation pattern pattern Violation No violation All behaviors Warning All unsafe behaviors are reported

A practical verifier for Ethereum smart contracts: - fully-automated - extensible - scalable - precise - publicly available www.securify.ch

DEMO

www.securify.ch Beta version released in Fall 2017 95% positive feedback - Regularly used by auditors to perform > 8K uploaded smart contracts professional security audits > 800 users signed up for updates New release coming up very soon Interesting discussions on Reddit

Securify: Under the Hood 00: 60 00: x = Balance MemTag (0x20, Balance ) 02: 5b 02: y = 0x20 MemTag (0x40, Const ) 04: 42 04: If (x == 0x00) VarTag (z, Const ) 06: 80 06: MStore (y, x) VarTag (k, Gas ) Check Infer Decompile patterns 08: 90 08: z = y facts Assign (s, 0x20) 0a: 56 0a: goto 0x42 Call (s, k) ⋮ ⋮ ⋮ Intermediate Semantic Representation EVM Representation Bytecode Fully automated, sound, scalable, extensible

Securify: Under the Hood 00: 60 00: x = Balance 02: 5b 02: y = 0x20 04: 42 04: If (x == 0x00) 06: 80 06: MStore (y, x) Decompile 08: 90 08: z = y 0a: 56 0a: goto 0x42 ⋮ ⋮ Intermediate EVM Representation Bytecode

From EVM to CFG over SSA Decompiling EVM bytecode: Convert into static single assignment form (each variable is assigned once) § Perform partial evaluation (to resolve jump destination, memory/storage offsets) § Identify and inline methods (to enable context-sensitive analysis) § Construct control-flow graph §

Securify: Under the Hood 00: x = Balance MemTag (0x20, Balance ) 02: y = 0x20 MemTag (0x40, Const ) 04: If (x == 0x00) VarTag (z, Const ) 06: MStore (y, x) VarTag (k, Gas ) Infer 08: z = y facts Assign (s, 0x20) 0a: goto 0x42 Call (s, k) ⋮ ⋮ Intermediate Semantic Representation Representation Which facts are relevant for verifying smart contracts?

Semantic Facts Many properties can be checked on the contract’s dependency graph Flow dependencies !"#$%&&%'(&, &’) The instruction at label & may follow that at label &’ !,-.$%&&%'(&, &’) The instruction at label & must follow A tag can be an that at label &’ instruction (e.g. Data dependencies Caller) or a variable !"#/0123(4, .) The value of 4 may depend on tag . /0.5#(4, .) For different values of . the value of 4 is different. The inference of all semantic facts is declaratively specified in Datalog

Example: !"#$%&&%' !"#$%&&%' (, * ← $%&&%'((, *) !"#$%&&%' (, * ← $%&&%' (, . , !"#$%&&%'(., *) !"#$%&&%'(1,2) !"#$%&&%'(1,3) !"#$%&&%'(1,4) 1: x := 10 !"#$%&&%'(1,5) $%&&%'(1,2) 2: y := x + 20 !"#$%&&%'(1,6) $%&&%'(2,3) !"#$%&&%'(2,3) $%&&%'(3,4) !"#$%&&%'(2,4) $%&&%'(2,5) !"#$%&&%'(2,5) $%&&%'(5,6) 3: y--; 5: y := 0 !"#$%&&%'(2,6) 4: return 6: return !"#$%&&%'(3,4) !"#$%&&%'(5,6) Datalog input Datalog fixpoint

Deriving MayDepOn Derived from the Balance !"##"$(1,2) !"##"$(2,3) instruction !"##"$(3,4) ,--./0 1, 23#3045 Memory 1: x := Balance 2: Mstore(0x20, x) 6-7"0-8 0x20 operations 3: y := MLoad(0x20) ;<8"=5 2, 0x20, 1 4: z := x + y ;>"3? 3, @, 0x20 AB 4, C, 1 AB 4, C, @ Capture that C is derived from 1 and @ ;3@D5BA0 1, 8 ← ,--./0(1, 8) ← AB(__, 1, 1 G ), ;3@D5BA0(1 G , 8) ;3@D5BA0 1, 8 ;3@D5BA0 1, 8 ← ;>"3? #, 1, " , .-7"0-8 #, " , ;5HI3/(#, ", 8) ;3@D5BA0 1, 8 ← ;>"3? #, 1, " , ¬.-7"0-8 #, " , ;5HI3/(#, __, 8) ;5HI3/ #, ", 8 ← ;<8"=5 #, ", 1 , .-7"0-8 " , ;3@D5BA0(1, 8) ;5HI3/ #, ⊤, 8 ← ;<8"=5 #, ", 1 , ¬.-7"0-8 " , ;3@D5BA0(1, 8) ← !"##"$- #, #′ , ;5HI3/ # G , ", 8 , ¬;<8"=5(#, ", __) ;5HI3/ #, ", 8

Securify: Under the Hood MemTag (0x20, Balance ) MemTag (0x40, Const ) VarTag (z, Const ) VarTag (k, Gas ) Check patterns Assign (s, 0x20) Call (s, k) ⋮ Semantic Representation