
Securify: Practical Security Analysis of Smart Contracts - PowerPoint PPT Presentation

Securify: Practical Security Analysis of Smart Contracts https://securify.ch Dr. Petar Tsankov Scientific Researcher, ICE center, ETH Zurich Co-founder and Chief Scientist, ChainSecurity AG http://www.ptsankov.com/ @ptsankov


  1. Securify: Practical Security Analysis of Smart Contracts. https://securify.ch. Dr. Petar Tsankov, Scientific Researcher, ICE center, ETH Zurich; Co-founder and Chief Scientist, ChainSecurity AG. http://www.ptsankov.com/ @ptsankov

  2. http://ice.ethz.ch: inter-disciplinary and inter-department research center at ETH Zurich. Members: Prof. Martin Vechev, Prof. Laurent Vanbever, Dr. Petar Tsankov, Dr. Dana Drachsler, Timon Gehr, Ahmed El-Hassany, Roland Meier, Maria Apostolaki, Rüdiger Birkner, Samuel Steffan, Johannes Kapfhammer

  3. Research @ ICE Programmable networks Blockchain security Safe and interpretable AI Security and privacy


  5. What is a Smart Contract?

     mapping(address => uint) balances;
     function withdraw() {
         uint amount = balances[msg.sender];
         msg.sender.call.value(amount)();   // transfer ETH to the caller
         balances[msg.sender] = 0;
     }

     - Small programs that handle cryptocurrencies
     - Written in high-level languages (e.g., Solidity, Vyper)
     - Executed on the blockchain (e.g., Ethereum)
     - Usually no patching after release

     What can happen when programs handle billions worth of USD?

  6. Smart Contract Security Bugs in the News (collage of recent headlines)

  7. June 2016: The DAO hack

  8. The DAO hack: Reentrancy

     User Contract:
         function moveBalance() {
             bank.withdraw();
         }
         function () payable {    // the default "fallback" function, run when ether is received
             // log payment
         }

     Bank Contract:
         mapping(address => uint) balances;
         function withdraw() {
             ...
             uint amount = balances[msg.sender];
             msg.sender.call.value(amount)();   // calls the user's fallback function
             balances[msg.sender] = 0;          // balance is zeroed after the ether transfer
         }

     Intended sequence: the user calls withdraw() and receives 10 ether; later, a second withdraw() transfers 0 ether.
     Can the user contract withdraw more than its balance?

  9. The DAO hack: Reentrancy

     User Contract (attacker):
         function moveBalance() {
             bank.withdraw();
         }
         function () payable {
             bank.withdraw();    // calls withdraw() again before the balance is set to 0
         }

     Bank Contract:
         mapping(address => uint) balances;
         function withdraw() {
             ...
             uint amount = balances[msg.sender];
             msg.sender.call.value(amount)();
             balances[msg.sender] = 0;
         }

     Sequence: withdraw() transfers 10 ether; the fallback re-enters withdraw() while balances[msg.sender] still holds the old value, so another 10 ether is transferred, and so on.
     An attacker used this bug to steal 3.6M ether (> 1B USD today).
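The re-entrant withdrawal of slides 8 and 9, simulated in plain Python as an added example (not code from the slides or from Securify). The Env class is a hypothetical stand-in for the EVM: transfer() moves ether and then hands control to the recipient's fallback, which is what msg.sender.call.value(amount)() does; MAX_DEPTH stands in for the gas limit that eventually ends the recursion. Addresses and amounts are constructed for this example.

```python
# Added example: DAO-style reentrancy simulated off-chain. Env, Account and
# the 100-ether bank are constructed stand-ins, not Securify or DAO code.

MAX_DEPTH = 10  # stand-in for the gas/call-depth limit that ends the recursion


class Env:
    """Minimal EVM stand-in: tracks ether per address and dispatches fallbacks."""

    def __init__(self):
        self.ether = {}   # address -> ether held
        self.depth = 0    # current call depth

    def transfer(self, frm, to, value):
        """Move ether, then give the recipient control (its fallback runs)."""
        if self.ether[frm.address] < value:
            raise RuntimeError("insufficient ether")
        self.ether[frm.address] -= value
        self.ether[to.address] += value
        self.depth += 1
        try:
            to.fallback(frm, value)
        finally:
            self.depth -= 1


class Account:
    def __init__(self, env, address):
        self.env, self.address = env, address

    def fallback(self, sender, value):
        pass  # an ordinary account just receives the ether


class VulnerableBank(Account):
    """Slide 8's bank: pays out first, zeroes the balance afterwards."""

    def __init__(self, env, address):
        super().__init__(env, address)
        self.balances = {}

    def deposit(self, sender, value):
        self.env.transfer(sender, self, value)
        self.balances[sender.address] = self.balances.get(sender.address, 0) + value

    def withdraw(self, sender):
        amount = self.balances.get(sender.address, 0)
        self.env.transfer(self, sender, amount)   # msg.sender.call.value(amount)()
        self.balances[sender.address] = 0         # state change after the call


class FixedBank(VulnerableBank):
    """Checks-effects-interactions: the balance is zeroed before the call."""

    def withdraw(self, sender):
        amount = self.balances.get(sender.address, 0)
        self.balances[sender.address] = 0
        self.env.transfer(self, sender, amount)


class Attacker(Account):
    """Slide 9's user contract: its fallback re-enters withdraw()."""

    def __init__(self, env, address, bank):
        super().__init__(env, address)
        self.bank = bank

    def fallback(self, sender, value):
        bank_left = self.env.ether[self.bank.address]
        if value > 0 and bank_left >= value and self.env.depth < MAX_DEPTH:
            self.bank.withdraw(self)   # re-enter while our old balance is still recorded


def run(bank_cls, honest_deposit=90, attacker_deposit=10):
    """Return (attacker ether, bank ether) after the attacker calls withdraw() once."""
    env = Env()
    bank = bank_cls(env, "bank")
    honest = Account(env, "honest")
    attacker = Attacker(env, "attacker", bank)
    env.ether.update({"bank": 0, "honest": honest_deposit, "attacker": attacker_deposit})
    bank.deposit(honest, honest_deposit)
    bank.deposit(attacker, attacker_deposit)
    bank.withdraw(attacker)
    return env.ether["attacker"], env.ether["bank"]


if __name__ == "__main__":
    print("vulnerable bank:", run(VulnerableBank))   # attacker drains the honest deposit
    print("fixed bank:     ", run(FixedBank))        # attacker gets only its own 10 ether
```

With the vulnerable bank the attacker, who deposited 10 ether, ends with all 100 ether and the bank with 0: each re-entered withdraw() reads the stale balance and pays again, and the zeroing only happens as the nested calls unwind. Moving `balances[...] = 0` before the transfer makes every re-entered call read 0.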

  10. July 2017: Parity Multisig Bug 1

  11. Parity Multisig Bug 1: Unprivileged Write to Storage

     Wallet Contract:
         address owner = ...;
         function initWallet(address _owner) {   // any user may change the wallet's owner
             owner = _owner;
         }
         function withdraw(uint _amount) {
             if (msg.sender == owner) {           // only the owner can withdraw ether
                 msg.sender.transfer(_amount);
             }
         }

     An attacker used a similar bug to steal $30M in July 2017.

  12. Four months later… Parity Multisig Bug 2

  13. Parity Multisig Bug 2: Frozen Wallets

     Wallet Contract (executes the code in the wallet library via delegatecall):
         address walletLibrary = ...;
         function() payable {
             walletLibrary.delegatecall(msg.data);
         }
         function withdraw(uint amount) {
             walletLibrary.delegatecall(msg.data);
         }

     Wallet Library:
         // address
         function() payable {
             // fallback
         }
         function withdraw(uint amount) {
             // withdraw funds
         }

     However, in Ethereum, smart contracts can be killed!

  14. Parity Multisig Bug 2: Frozen Wallets

     An attacker deleted the library. The Wallet Contract still forwards every call:
         address walletLibrary = ...;
         function() payable {
             walletLibrary.delegatecall(msg.data);   // library code is gone
         }
         function withdraw(uint amount) {
             walletLibrary.delegatecall(msg.data);   // no withdrawals are possible
         }

     A user froze $170M by deleting the wallet library.

  15. Relevant Security Properties…
     - Unexpected ether flows
     - Insecure coding, such as unprivileged writes
     - Use of unsafe inputs (e.g., reflection, hashing, …)
     - Reentrant method calls (e.g., DAO bug)
     - Manipulating ether flows via transaction reordering

     Many of these are nontrivial trace-/hyper-properties.

  16. Automated Security Analysis of Smart Contracts: Challenges and Gaps

  17. Security Analysis (high-level view)

     Diagram: the set of all possible contract behaviors, with the security violations as a subset to be identified.
     Minor issue :) : smart contracts are written in Turing-complete languages.

  18. Automated Security Solutions

                    Testing          Dynamic (symbolic) analysis    Automated Verifier (WANTED)
     Tools          Truffle          Oyente, Mythril, MAIAN         -
     Reports        true bugs        true bugs                      can report false alarms
     Coverage       can miss bugs    can miss bugs                  no missed bugs
                    <---------- Bug finding ---------->             Verification

  19. Domain-Specific Insight: When contracts satisfy/violate a property, they often also satisfy/violate a much simpler property

  20. Example: The DAO Hack

         function withdraw() {
             uint amount = balances[msg.sender];
             msg.sender.call.value(amount)();
             balances[msg.sender] = 0;
         }

     Security property: no state changes after call instructions (hard to verify in general).

     Compliance pattern: no writes to storage may follow call instructions.
     Violation pattern:  a write to storage must follow call instructions.
     Both patterns are easier to check automatically; the compliance pattern alone verifies 91% of all deployed contracts.

  21. Classifying Behaviors using Compliance and Violation Patterns

     All behaviors split into safe and unsafe behaviors. The violation pattern matches only unsafe behaviors (reported as Violation); the compliance pattern matches only safe behaviors (reported as No violation); behaviors matched by neither pattern are reported as a Warning. All unsafe behaviors are reported.
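The classification of slides 20 and 21 as an added example (not Securify's code): MayFollow and MustFollow computed over a toy control-flow graph, then the two DAO patterns applied to every (call, storage write) pair. The CFG encoding (label → (instruction kind, successor labels)), the instruction kinds and the three sample graphs are constructed for this example and only approximate Securify's intermediate representation.

```python
# Added example: compliance/violation patterns over a constructed CFG.
# "call" marks an external call, "sstore" a storage write; other kinds are
# irrelevant to the DAO pattern.

def may_follow(cfg):
    """MayFollow(l, l'): l' is reachable from l (transitive closure of Follow)."""
    mf = {(l, s) for l, (_, succs) in cfg.items() for s in succs}
    while True:
        new = {(a, d) for (a, b) in mf for (c, d) in mf if b == c} - mf
        if not new:
            return mf
        mf |= new


def must_follow(cfg, l, lp):
    """MustFollow(l, l'): every execution that passes l later passes l'.
    Search forward from l without stepping through l'; reaching an exit
    (an instruction with no successors) means some path avoids l'."""
    if l == lp or not cfg[l][1]:
        return False
    stack, seen = list(cfg[l][1]), set()
    while stack:
        n = stack.pop()
        if n == lp or n in seen:
            continue
        seen.add(n)
        if not cfg[n][1]:
            return False  # exit reached without passing l'
        stack.extend(cfg[n][1])
    return True


def classify(cfg):
    calls = [l for l, (k, _) in cfg.items() if k == "call"]
    stores = [l for l, (k, _) in cfg.items() if k == "sstore"]
    mf = may_follow(cfg)
    if any(must_follow(cfg, c, s) for c in calls for s in stores):
        return "violation"   # violation pattern: a storage write must follow a call
    if not any((c, s) in mf for c in calls for s in stores):
        return "compliant"   # compliance pattern: no storage write may follow any call
    return "warning"         # neither pattern decides: reported, may be a false alarm


# Constructed CFGs.
# DAO: slide 20's withdraw(), balance zeroed after the call.
DAO = {1: ("sload", [2]), 2: ("call", [3]), 3: ("sstore", [4]), 4: ("return", [])}
# FIXED: storage written before the call (checks-effects-interactions).
FIXED = {1: ("sload", [2]), 2: ("sstore", [3]), 3: ("call", [4]), 4: ("return", [])}
# BRANCHY: a write after the call on one path only; neither pattern matches.
BRANCHY = {1: ("sload", [2]), 2: ("call", [3, 5]), 3: ("sstore", [4]),
           4: ("return", []), 5: ("return", [])}

if __name__ == "__main__":
    for name, cfg in [("DAO", DAO), ("FIXED", FIXED), ("BRANCHY", BRANCHY)]:
        print(f"{name}: {classify(cfg)}")
```

BRANCHY is the case the slide's middle band covers: the write after the call exists on one path, so the contract is neither provably compliant nor provably violating, and a sound tool must still emit a warning rather than stay silent.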

  22. A practical verifier for Ethereum smart contracts:
     - fully automated
     - extensible
     - scalable
     - precise
     - publicly available at www.securify.ch

  23. DEMO

  24. www.securify.ch
     - Beta version released in Fall 2017
     - > 8K uploaded smart contracts
     - > 800 users signed up for updates
     - 95% positive feedback
     - Regularly used by auditors to perform professional security audits
     - Interesting discussions on Reddit
     - New release coming up very soon

  25. Securify: Under the Hood

     Pipeline: EVM Bytecode  --Decompile-->  Intermediate Representation  --Infer facts-->  Semantic Representation  --Check patterns-->  Report

     EVM Bytecode:       Intermediate Representation:     Semantic Representation:
         00: 60              00: x = Balance                  MemTag(0x20, Balance)
         02: 5b              02: y = 0x20                     MemTag(0x40, Const)
         04: 42              04: If (x == 0x00)               VarTag(z, Const)
         06: 80              06: MStore(y, x)                 VarTag(k, Gas)
         08: 90              08: z = y                        Assign(s, 0x20)
         0a: 56              0a: goto 0x42                    Call(s, k)
         ⋮                   ⋮                                ⋮

     Fully automated, sound, scalable, extensible.

  26. Securify: Under the Hood (step 1, Decompile: EVM bytecode to the intermediate representation shown on slide 25)

  27. From EVM to CFG over SSA

     Decompiling EVM bytecode:
     - Convert into static single assignment form (each variable is assigned once)
     - Perform partial evaluation (to resolve jump destinations and memory/storage offsets)
     - Identify and inline methods (to enable context-sensitive analysis)
     - Construct the control-flow graph

  28. Securify: Under the Hood (step 2, Infer facts: intermediate representation to semantic representation, as on slide 25)

     Which facts are relevant for verifying smart contracts?

  29. Semantic Facts

     Many properties can be checked on the contract's dependency graph.

     Flow dependencies:
         MayFollow(l, l')    The instruction at label l' may follow that at label l
         MustFollow(l, l')   The instruction at label l' must follow that at label l

     Data dependencies:
         MayDepOn(x, t)      The value of x may depend on tag t
         DetBy(x, t)         For different values of t the value of x is different

     A tag can be an instruction (e.g., Caller) or a variable.
     The inference of all semantic facts is declaratively specified in Datalog.

  30. Example: MayFollow

     Rules:
         MayFollow(l, l') ← Follow(l, l')
         MayFollow(l, l') ← Follow(l, l''), MayFollow(l'', l')

     Program (control-flow graph; instruction 2 branches to 3 and to 5):
         1: x := 10
         2: y := x + 20
         3: y--            5: y := 0
         4: return         6: return

     Datalog input:        Datalog fixpoint:
         Follow(1,2)           MayFollow(1,2)  MayFollow(1,3)  MayFollow(1,4)  MayFollow(1,5)  MayFollow(1,6)
         Follow(2,3)           MayFollow(2,3)  MayFollow(2,4)  MayFollow(2,5)  MayFollow(2,6)
         Follow(3,4)           MayFollow(3,4)
         Follow(2,5)           MayFollow(5,6)
         Follow(5,6)

  31. Deriving MayDepOn

     Program:                    Input facts:
         1: x := Balance             Assign(x, Balance)          (derived from the Balance instruction)
         2: MStore(0x20, x)          MStore(2, 0x20, x)          (memory operations)
         3: y := MLoad(0x20)         MLoad(3, y, 0x20)
         4: z := x + y               Op(4, z, x), Op(4, z, y)    (captures that z is derived from x and y)
                                     Follow(1,2), Follow(2,3), Follow(3,4)
                                     isConst(0x20)

     Rules:
         MayDepOn(x, t)   ← Assign(x, t)
         MayDepOn(x, t)   ← Op(_, x, x'), MayDepOn(x', t)
         MayDepOn(x, t)   ← MLoad(l, x, o), isConst(o), MemTag(l, o, t)
         MayDepOn(x, t)   ← MLoad(l, x, o), ¬isConst(o), MemTag(l, _, t)
         MemTag(l, o, t)  ← MStore(l, o, x), isConst(o), MayDepOn(x, t)
         MemTag(l, ⊤, t)  ← MStore(l, o, x), ¬isConst(o), MayDepOn(x, t)
         MemTag(l', o, t) ← Follow(l, l'), MemTag(l, o, t), ¬MStore(l', o, _)

     Derivation: MayDepOn(x, Balance); MemTag(2, 0x20, Balance), propagated to labels 3 and 4; MayDepOn(y, Balance) via the MLoad at 3; MayDepOn(z, Balance) via both operands of the Op at 4.
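The rules of slide 31 (and the MayDepOn/MemTag facts of slide 29) run as a naive bottom-up Datalog fixpoint in Python, as an added example that is not Securify's implementation. The facts follow the slide's shape: Assign(x, t), Op(l, x, x'), MStore(l, o, x), MLoad(l, x, o), Follow(l, l'), isConst(o). Labels 1 to 4 are the slide's snippet; labels 5 to 8 are a constructed continuation with non-constant offsets q and r, added to exercise the ¬isConst rules and the ⊤ offset.

```python
# Added example: slide 31's Datalog rules for MayDepOn and MemTag as a
# bottom-up fixpoint. The second half of the program (labels 5-8) is constructed.

TOP = "⊤"  # the slide's symbol for an unknown memory offset

# Program:
#   1: x := Balance   2: MStore(0x20, x)   3: y := MLoad(0x20)   4: z := x + y
#   5: a := Caller    6: MStore(0x40, a)   7: b := MLoad(q)      8: MStore(r, b)
FACTS = {
    "Assign": {("x", "Balance"), ("a", "Caller")},
    "MStore": {(2, "0x20", "x"), (6, "0x40", "a"), (8, "r", "b")},
    "MLoad": {(3, "y", "0x20"), (7, "b", "q")},
    "Op": {(4, "z", "x"), (4, "z", "y")},
    "Follow": {(1, 2), (2, 3), (3, 4), (4, 5), (5, 6), (6, 7), (7, 8)},
    "isConst": {"0x20", "0x40"},   # q and r are not constant
}


def infer(facts):
    """Return (MayDepOn, MemTag) as sets of tuples at the least fixpoint."""
    F = {k: set(v) for k, v in facts.items()}
    const = F["isConst"]
    stores_at = {(l, o) for (l, o, _) in F["MStore"]}   # for the ¬MStore(l', o, _) test
    dep, mem = set(), set()
    while True:
        # MayDepOn(x,t) <- Assign(x,t)
        new_dep = set(F["Assign"])
        # MayDepOn(x,t) <- Op(_,x,x'), MayDepOn(x',t)
        new_dep |= {(x, t) for (_, x, xp) in F["Op"] for (y, t) in dep if y == xp}
        # MayDepOn(x,t) <- MLoad(l,x,o), isConst(o), MemTag(l,o,t)
        new_dep |= {(x, t) for (l, x, o) in F["MLoad"] if o in const
                    for (lm, om, t) in mem if (lm, om) == (l, o)}
        # MayDepOn(x,t) <- MLoad(l,x,o), ¬isConst(o), MemTag(l,_,t)   (any tag in memory)
        new_dep |= {(x, t) for (l, x, o) in F["MLoad"] if o not in const
                    for (lm, _, t) in mem if lm == l}
        # MemTag(l,o,t) <- MStore(l,o,x), isConst(o), MayDepOn(x,t)
        new_mem = {(l, o, t) for (l, o, x) in F["MStore"] if o in const
                   for (y, t) in dep if y == x}
        # MemTag(l,⊤,t) <- MStore(l,o,x), ¬isConst(o), MayDepOn(x,t)
        new_mem |= {(l, TOP, t) for (l, o, x) in F["MStore"] if o not in const
                    for (y, t) in dep if y == x}
        # MemTag(l',o,t) <- Follow(l,l'), MemTag(l,o,t), ¬MStore(l',o,_)
        new_mem |= {(lp, o, t) for (l, lp) in F["Follow"] for (lm, o, t) in mem
                    if lm == l and (lp, o) not in stores_at}
        if new_dep <= dep and new_mem <= mem:
            return dep, mem
        dep |= new_dep
        mem |= new_mem


def tags_of(var, dep):
    """Sorted tags that a variable may depend on."""
    return sorted(t for (x, t) in dep if x == var)


if __name__ == "__main__":
    dep, mem = infer(FACTS)
    for v in ("x", "y", "z", "a", "b"):
        print(f"MayDepOn({v}, ...) = {tags_of(v, dep)}")
    print("MemTag at 8:", sorted(f for f in mem if f[0] == 8))
```

The slide's snippet yields MayDepOn(z, Balance) through both operands. The constructed tail shows the conservative side of the rules: the load at 7 from a non-constant offset picks up every tag in memory at that point (Balance from 0x20 and Caller from 0x40), and the store at 8 to a non-constant offset records both under the ⊤ offset.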

  32. Securify: Under the Hood (step 3, Check patterns over the semantic representation of slide 25)
