291 research outputs found
Towards Smart Hybrid Fuzzing for Smart Contracts
Smart contracts are Turing-complete programs that are executed across a
blockchain network. Unlike traditional programs, once deployed they cannot be
modified. As smart contracts become more popular and carry more value, they
become more of an interesting target for attackers. In recent years, smart
contracts suffered major exploits, costing millions of dollars, due to
programming errors. As a result, a variety of tools for detecting bugs has been
proposed. However, majority of these tools often yield many false positives due
to over-approximation or poor code coverage due to complex path constraints.
Fuzzing or fuzz testing is a popular and effective software testing technique.
However, traditional fuzzers tend to be more effective towards finding shallow
bugs and less effective in finding bugs that lie deeper in the execution. In
this work, we present CONFUZZIUS, a hybrid fuzzer that combines evolutionary
fuzzing with constraint solving in order to execute more code and find more
bugs in smart contracts. Evolutionary fuzzing is used to exercise shallow parts
of a smart contract, while constraint solving is used to generate inputs which
satisfy complex conditions that prevent the evolutionary fuzzing from exploring
deeper paths. Moreover, we use data dependency analysis to efficiently generate
sequences of transactions, that create specific contract states in which bugs
may be hidden. We evaluate the effectiveness of our fuzzing strategy, by
comparing CONFUZZIUS with state-of-the-art symbolic execution tools and
fuzzers. Our evaluation shows that our hybrid fuzzing approach produces
significantly better results than state-of-the-art symbolic execution tools and
fuzzers
Targeted Greybox Fuzzing with Static Lookahead Analysis
Automatic test generation typically aims to generate inputs that explore new
paths in the program under test in order to find bugs. Existing work has,
therefore, focused on guiding the exploration toward program parts that are
more likely to contain bugs by using an offline static analysis.
In this paper, we introduce a novel technique for targeted greybox fuzzing
using an online static analysis that guides the fuzzer toward a set of target
locations, for instance, located in recently modified parts of the program.
This is achieved by first semantically analyzing each program path that is
explored by an input in the fuzzer's test suite. The results of this analysis
are then used to control the fuzzer's specialized power schedule, which
determines how often to fuzz inputs from the test suite. We implemented our
technique by extending a state-of-the-art, industrial fuzzer for Ethereum smart
contracts and evaluate its effectiveness on 27 real-world benchmarks. Using an
online analysis is particularly suitable for the domain of smart contracts
since it does not require any code instrumentation---instrumentation to
contracts changes their semantics. Our experiments show that targeted fuzzing
significantly outperforms standard greybox fuzzing for reaching 83% of the
challenging target locations (up to 14x of median speed-up)
Empirical Review of Smart Contract and DeFi Security: Vulnerability Detection and Automated Repair
Decentralized Finance (DeFi) is emerging as a peer-to-peer financial
ecosystem, enabling participants to trade products on a permissionless
blockchain. Built on blockchain and smart contracts, the DeFi ecosystem has
experienced explosive growth in recent years. Unfortunately, smart contracts
hold a massive amount of value, making them an attractive target for attacks.
So far, attacks against smart contracts and DeFi protocols have resulted in
billions of dollars in financial losses, severely threatening the security of
the entire DeFi ecosystem. Researchers have proposed various security tools for
smart contracts and DeFi protocols as countermeasures. However, a comprehensive
investigation of these efforts is still lacking, leaving a crucial gap in our
understanding of how to enhance the security posture of the smart contract and
DeFi landscape.
To fill the gap, this paper reviews the progress made in the field of smart
contract and DeFi security from the perspective of both vulnerability detection
and automated repair. First, we analyze the DeFi smart contract security issues
and challenges. Specifically, we lucubrate various DeFi attack incidents and
summarize the attacks into six categories. Then, we present an empirical study
of 42 state-of-the-art techniques that can detect smart contract and DeFi
vulnerabilities. In particular, we evaluate the effectiveness of traditional
smart contract bug detection tools in analyzing complex DeFi protocols.
Additionally, we investigate 8 existing automated repair tools for smart
contracts and DeFi protocols, providing insight into their advantages and
disadvantages. To make this work useful for as wide of an audience as possible,
we also identify several open issues and challenges in the DeFi ecosystem that
should be addressed in the future.Comment: This paper is submitted to the journal of Expert Systems with
Applications (ESWA) for revie
EF/CF: High Performance Smart Contract Fuzzing for Exploit Generation
Smart contracts are increasingly being used to manage large numbers of
high-value cryptocurrency accounts. There is a strong demand for automated,
efficient, and comprehensive methods to detect security vulnerabilities in a
given contract. While the literature features a plethora of analysis methods
for smart contracts, the existing proposals do not address the increasing
complexity of contracts. Existing analysis tools suffer from false alarms and
missed bugs in today's smart contracts that are increasingly defined by
complexity and interdependencies. To scale accurate analysis to modern smart
contracts, we introduce EF/CF, a high-performance fuzzer for Ethereum smart
contracts. In contrast to previous work, EF/CF efficiently and accurately
models complex smart contract interactions, such as reentrancy and
cross-contract interactions, at a very high fuzzing throughput rate. To achieve
this, EF/CF transpiles smart contract bytecode into native C++ code, thereby
enabling the reuse of existing, optimized fuzzing toolchains. Furthermore,
EF/CF increases fuzzing efficiency by employing a structure-aware mutation
engine for smart contract transaction sequences and using a contract's ABI to
generate valid transaction inputs. In a comprehensive evaluation, we show that
EF/CF scales better -- without compromising accuracy -- to complex contracts
compared to state-of-the-art approaches, including other fuzzers,
symbolic/concolic execution, and hybrid approaches. Moreover, we show that
EF/CF can automatically generate transaction sequences that exploit reentrancy
bugs to steal Ether.Comment: To be published at Euro S&P 202
Fuzz on the Beach: Fuzzing Solana Smart Contracts
Solana has quickly emerged as a popular platform for building decentralized
applications (DApps), such as marketplaces for non-fungible tokens (NFTs). A
key reason for its success are Solana's low transaction fees and high
performance, which is achieved in part due to its stateless programming model.
Although the literature features extensive tooling support for smart contract
security, current solutions are largely tailored for the Ethereum Virtual
Machine. Unfortunately, the very stateless nature of Solana's execution
environment introduces novel attack patterns specific to Solana requiring a
rethinking for building vulnerability analysis methods.
In this paper, we address this gap and propose FuzzDelSol, the first
binary-only coverage-guided fuzzing architecture for Solana smart contracts.
FuzzDelSol faithfully models runtime specifics such as smart contract
interactions. Moreover, since source code is not available for the large
majority of Solana contracts, FuzzDelSol operates on the contract's binary
code. Hence, due to the lack of semantic information, we carefully extracted
low-level program and state information to develop a diverse set of bug oracles
covering all major bug classes in Solana. Our extensive evaluation on 6049
smart contracts shows that FuzzDelSol's bug oracles find bugs with a high
precision and recall. To the best of our knowledge, this is the largest
evaluation of the security landscape on the Solana mainnet.Comment: This paper will appear on the ACM CCS 2023 in November 202
- …