Securify: Practical Security Analysis of Smart Contracts

Similar documents
Declarative Static Analysis of Smart Contracts

Smart Contract Security Tips. Ethereum devcon2 Sep Joseph Chow

Lecture 10. A2 - will post tonight - due in two weeks

Smart!= Secure - Breaking Ethereum Smart Contracts. Elliot Ward & Jake Humphries

SECURITY AUDIT REPORT

Security Audit of FuzeX Smart Contract This report is public. ChainSecurity Ltd. January 11, 2018

scompile: Critical Path Identification and Analysis for Smart Contracts

Smart Contract Vulnerabilities The most interesting transactions on the Ethereum network

kasko2go Token Contract Audit

FanChain Contract Audit

ZILLIQA / ZILIKƏ/ NEXT GEN HIGH-THROUGHPUT BLOCKCHAIN PLATFORM DONG XINSHU, CEO JIA YAOQI, BLOCKCHAIN ZILLIQA.

LECTURE 2 BLOCKCHAIN TECHNOLOGY EVOLUTION

Table of contents. Abstract. Disclaimer. Scope. Procedure. AS-IS overview. Audit overview. Conclusion. Appendix A. Automated tools reports 12

Bob s Repair Contract Audit

Gnosis Safe Documentation. Gnosis

Blockchains: new home for proven-correct software. Paris, Yoichi Hirai formal verification engineer, the Ethereum Foundation

Porosity Decompiling Ethereum Smart-Contracts. Matt Suiche Founder, Comae Technologies

A Concurrent Perspective on Smart Contracts. 1st Workshop on Trusted Smart Contracts

Ethereum. Smart Contracts Programming Model

Final Presentation Master s Thesis: Identification of Programming Patterns in Solidity

Unblockable Chains. Is Blockchain the ultimate malicious infrastructure? Omer Zohar

Christian Rossow CISPA, Saarland University, Saarland Informatics Campus. Johannes Krupp CISPA, Saarland University, Saarland Informatics Campus

How Formal Analysis and Verification Add Security to Blockchain-based Systems

Page Total

OW TO PARTICIPAT HOW TO PARTICIPATE

Porosity. Decompiling Ethereum Smart-Contracts. Matt Suiche Founder, Comae Technologies Tel Aviv (BLUEHATIL) 23 January, 2018

Pillar Token Code Review

A living programming environment for a living blockchain

BLOCKCHAIN CADEC Pär Wenåker & Peter Larsson

An Analysis of Atomic Swaps on and between Ethereum Blockchains Research Project I

ContractFuzzer: Fuzzing Smart Contracts for Vulnerability Detection *#

A Java Framework for Smart Contracts

The promise and peril of smart contracts

Porosity Decompiling Ethereum Smart-Contracts. Matt Suiche Founder, Comae Technologies

Privacy based Public Key Infrastructure (PKI) using Smart Contract in Blockchain Technology

Specifying the Ethereum Virtual Machine for Theorem Provers

Token Sale. Participation guide

DTX Token. Starter guide

Defining the Ethereum Virtual Machine for Interactive Theorem Provers

The Technology behind Smart Contracts

GENESIS VISION NETWORK

Ethereum. Campbell R. Harvey* Duke University and NBER. Ashwin Ramachandran Duke University. Brent Xu ConsenSys. Innovation and Cryptoventures

FXY TOKEN SMART CONTRACT AUDIT RESULTS FOR FIXY NETWORK LTD

BUYING HEARDBEATS VIA KRAKEN

Theta Token - SLIVER.tv Deposit Guide

a new cryptocurrency STK GLOBAL PAYMENTS USER GUIDE USER GUIDE: PARTICIPATING IN IN STK STK TOKEN TOKEN SALE USING SALE MYETHERWALLET

Oyente: Making Smart Contracts Smarter

Formal Verification of Smart Contracts: Short Paper

A Semantic Framework for the Security Analysis of Ethereum smart contracts

Blockchain for Enterprise: A Security & Privacy Perspective through Hyperledger/fabric

Learn Blockchain Programming. Ali Dorri

SDNRacer. Concurrency Analysis for SDNs. Ahmed El-Hassany Jeremie Miserez Pavol Bielik Laurent Vanbever Martin Vechev.

COEN 241 Term Project. A Blockchain-based Cloud Service

Implementing and Mechanically Verifying Smart Contracts

The security and insecurity of blockchains and smart contracts

ICO Review: Etherparty (FUEL)

Tool Demonstration: FSolidM for Designing Secure Ethereum Smart Contracts

Smart Contract Security Audit Report. Loopring Protocol Smart Contract version 2

SMARTDATA: Leveraging Blockchain to Securely Capture & Verify Scientific Provenance Data

Ethereum Computation Market Documentation

BUYING ELECTRONEUM VIA KRAKEN

Secure Token Development and Deployment. Dmitry Khovratovich and Mikhail Vladimirov, University of Luxembourg and ABDK Consulting

How to buy LIVE Token with Ethereum and Bitcoin step by step

Callisto Network Whitepaper

Technical Specifications for Platform Development

Building Applications on the Ethereum Blockchain

How Secure is Blockchain? June 6 th, 2017

Erays: Reverse Engineering Ethereum s Opaque Smart Contracts

For further information about the GRID token sale, please visit gridplus.io/token-sale.

Blockchain! What consultants should know about it. Daniel

ISSUSE AND FEATURES TO CONSIDER WHEN SELECTING A BLOCKCHAIN SYSTEM. Find us at

POA Bridge. Security Assessment. Cris Neckar SECUREWARE.IO

Who wants to be a millionaire? A class in creating your own cryptocurrency

Leveraging Smart Contracts for Automatic SLA Compensation The Case of NFV Environments

Ergo platform: from prototypes to a survivable cryptocurrency

Lightweight Verification of Array Indexing

Instruction for creating an Ethereum based wallet and MUH ICO participation

The Pact Smart-Contract Language

Active Planning Committee John Lindsay, Patent Attorney Tony Schuman, Investment Advisor Todd Russell, Gov t Contract Opportunities

Key concepts of blockchain

Token sale is live now

Lecture 44 Blockchain Security I (Overview)

Zurich, September 2017

Ethereum: 30 Tips & Tricks

Designing Secure Ethereum Smart Contracts: A Finite State Machine Based Approach

Vladimir Groshev. COO, Project Coordinator.

A Lap around Cryptlets

Upgrading Bitcoin: Segregated Witness. Dr. Johnson Lau Bitcoin Core Contributor Co-author of Segregated Witness BIPs March-2016

NetComplete: Practical Network-Wide Configuration Synthesis with Autocompletion. Ahmed El-Hassany Petar Tsankov Laurent Vanbever Martin Vechev

Brown University. Yana Hrytsenko. Final Project: Blockchain for PKI: Using Blockchain data structure for Public Key. Infrastructure.

Technical Overview. Version: 1.0 Date:

Privacy-Enabled NFTs: User-Mintable, Non-Fungible Tokens With Private Off-Chain Data

Introduction to Blockchain

Verifiable Computation in Smart Contracts

Audience. Overview. Enterprise Protection Platform for PCI DSS & HIPAA Compliance

Leveraging Test Generation and Specification Mining for Automated Bug Detection without False Positives

IBM Identity Mixer. Introduction Deployment Use Cases Blockchain More Features

The power of Blockchain: Smart Contracts. Foteini Baldimtsi

SmartDec icumulate.io Smart Contracts Security Analysis

Wanchain Hackathon Handbook San Jose

Transcription:

Securify: Practical Security Analysis of Smart Contracts https://securify.ch Dr. Petar Tsankov Scientific Researcher, ICE center, ETH Zurich Co-founder and Chief Scientist, ChainSecurity AG http://www.ptsankov.com/ @ptsankov

http://ice.ethz.ch Inter-disciplinary and inter-department research center at ETH Zurich Prof. Martin Vechev Prof. Laurent Vanbever Maria Apostolaki Rüdiger Birkner Dr. Petar Tsankov Dr. Dana Drachsler Samuel Steffan Timon Gehr Roland Meier Ahmed El-Hassany Johannes Kapfhammer

Research @ ICE Programmable networks Blockchain security Safe and interpretable AI Security and privacy

Research @ ICE Programmable networks Blockchain security Safe and interpretable AI Security and privacy

What is a Smart Contract? mapping(address => uint) balances; function withdraw() { uint amount = balances[msg.sender]; msg.sender.call.value(amount); balances[msg.sender] = 0; Transfer ETH to the caller Small programs that handle cryptocurrencies Written in high-level languages (e.g., Solidity, Vyper) Executed on the blockchain (e.g. Ethereum) Usually no patching after release What can happen when programs handle billions worth of USD?

Smart Contract Security Bugs in the News 2 days ago

June 2016: The DAO hack

The DAO hack : Reentrancy User Contract Bank Contract function movebalance() mapping(address { => uint) balances; bank.withdraw(); withdraw() function withdraw() {... function () payable { // log payment uint amount = balances[msg.sender]; 10 ether msg.sender.call.value(amount)(); balances[msg.sender] = 0; Later withdraw() 0 ether balance is zeroed after ether transfer calls the default "fallback function Can the user contract withdraw more than its balance?

The DAO hack: Reentrancy User Contract function movebalance() { bank.withdraw();... function () payable { bank.withdraw(); calls withdraw() before balance is set to 0 withdraw() 10 ether withdraw() 10 ether... Bank Contract mapping(address => uint) balances; function withdraw() { uint amount = balances[msg.sender]; msg.sender.call.value(amount)(); balances[msg.sender] = 0; An attacker used this bug to steal 3.6M ether (> 1B USD today)

July 2017: Parity Multisig Bug 1

Parity Multisig Bug 1: Unprivileged Write to Storage Wallet Contract Any user may change the wallet s owner address owner =...; function initwallet(address _owner) { owner = _owner; function withdraw(uint _amount) { if (msg.sender == owner) { msg.sender.transfer(_amount); Only the owner can withdraw ether An attacker used a similar bug to steal $30M in July 2017

Four months later Parity Multisig Bug 2

Parity Multisig Bug 2: Frozen Wallets Wallet Contract address walletlibrary =... // address function() payable { walletlibrary.delegatecall(msg.data); Execute the code in the wallet library Wallet Library function() payable { // fallback function withdraw(uint amount) { walletlibrary.delegatecall(msg.data); function withdraw(uint amount) { // withdraw funds However, in Ethereum, smart contracts can be killed!

Parity Multisig Bug 2: Frozen Wallets Wallet Contract Wallet Library An attacker deleted the library address walletlibrary =... // address function() payable { walletlibrary.delegatecall(msg.data); function withdraw(uint amount) { walletlibrary.delegatecall(msg.data); No withdraws are possible... function() payable { // fallback function withdraw(uint amount) { // withdraw funds A user froze $170M by deleting the wallet library

Relevant Security Properties Unexpected ether flows Insecure coding, such as unprivileged writes Use of unsafe inputs (e.g., reflection, hashing, ) Reentrant method calls (e.g., DAO bug) Manipulating ether flows via transaction reordering Many of these are nontrivial trace-/hyper-properties

Automated Security Analysis of Smart Contracts: Challenges and Gaps

Security Analysis (high-level view) All possible contract behaviors Security violations Minor issue J : Smart contracts are written in Turing-complete languages

Automated Security Solutions Truffle Oyente, Mythril, MAIAN WANTED: Automated Verifier Testing Report true bugs Can miss bugs Dynamic (symbolic) analysis Report true bugs Can miss bugs Can report false alarms No missed bugs Bug finding Verification

Domain-Specific Insight: When contracts satisfy/violate a property, they often also satisfy/violate a much simpler property

Example: The DAO Hack Security property No state changes after call instructions Hard to verify in general Compliance pattern No writes to storage may follow call instructions Violation pattern A write to storage must follow call instructions function withdraw() { uint amount = balances[msg.sender]; msg.sender.call.value(amount)(); balances[msg.sender] = 0; Verifies 91% of all deployed contracts Easier to check automatically

Classifying Behaviors using Compliance and Violation Patterns Violation pattern Unsafe behaviors Safe behaviors Compliance pattern Violation All behaviors No violation Warning All unsafe behaviors are reported

www.securify.ch A practical verifier for Ethereum smart contracts: - fully-automated - extensible - scalable - precise - publicly available

DEMO

www.securify.ch Beta version released in Fall 2017 - Regularly used by auditors to perform professional security audits New release coming up very soon 95% positive feedback > 8K uploaded smart contracts > 800 users signed up for updates Interesting discussions on Reddit

Securify: Under the Hood 00: 60 02: 5b 04: 42 06: 80 08: 90 0a: 56 Decompile 00: x = Balance 02: y = 0x20 04: If (x == 0x00) 06: MStore(y, x) 08: z = y 0a: goto 0x42 Infer facts MemTag(0x20, Balance) MemTag(0x40, Const) VarTag(z, Const) VarTag(k, Gas) Assign(s, 0x20) Call(s, k) Check patterns EVM Bytecode Intermediate Representation Semantic Representation Fully automated, sound, scalable, extensible

Securify: Under the Hood 00: 60 02: 5b 04: 42 06: 80 08: 90 0a: 56 Decompile 00: x = Balance 02: y = 0x20 04: If (x == 0x00) 06: MStore(y, x) 08: z = y 0a: goto 0x42 EVM Bytecode Intermediate Representation

From EVM to CFG over SSA Decompiling EVM bytecode: Convert into static single assignment form (each variable is assigned once) Perform partial evaluation (to resolve jump destination, memory/storage offsets) Identify and inline methods (to enable context-sensitive analysis) Construct control-flow graph

Securify: Under the Hood 00: x = Balance 02: y = 0x20 04: If (x == 0x00) 06: MStore(y, x) 08: z = y 0a: goto 0x42 Infer facts MemTag(0x20, Balance) MemTag(0x40, Const) VarTag(z, Const) VarTag(k, Gas) Assign(s, 0x20) Call(s, k) Intermediate Representation Semantic Representation Which facts are relevant for verifying smart contracts?

Semantic Facts Many properties can be checked on the contract s dependency graph!"#$%&&%'(&, & )!,-.$%&&%'(&, & ) Flow dependencies The instruction at label & may follow that at label & The instruction at label & must follow that at label & Data dependencies!"#/0123(4,.) The value of 4 may depend on tag. A tag can be an instruction (e.g. Caller) or a variable /0.5#(4,.) For different values of. the value of 4 is different. The inference of all semantic facts is declaratively specified in Datalog

Example:!"#$%&&%'!"#$%&&%' (, * $%&&%'((, *)!"#$%&&%' (, * $%&&%' (,.,!"#$%&&%'(., *) 3: y--; 4: return 1: x := 10 2: y := x + 20 5: y := 0 6: return $%&&%'(1,2) $%&&%'(2,3) $%&&%'(3,4) $%&&%'(2,5) $%&&%'(5,6)!"#$%&&%'(1,2)!"#$%&&%'(1,3)!"#$%&&%'(1,4)!"#$%&&%'(1,5)!"#$%&&%'(1,6)!"#$%&&%'(2,3)!"#$%&&%'(2,4)!"#$%&&%'(2,5)!"#$%&&%'(2,6)!"#$%&&%'(3,4)!"#$%&&%'(5,6) Datalog input Datalog fixpoint

Deriving MayDepOn 1: x := Balance 2: Mstore(0x20, x) 3: y := MLoad(0x20) 4: z := x + y!"##"$(1,2)!"##"$(2,3)!"##"$(3,4),--./0 1, 23#3045 6-7"0-8 0x20 ;<8"=5 2, 0x20, 1 ;>"3? 3, @, 0x20 AB 4, C, 1 AB 4, C, @ ;3@D5BA0 1, 8,--./0(1, 8) ;3@D5BA0 1, 8 AB(, 1, 1 G ), ;3@D5BA0(1 G, 8) ;3@D5BA0 1, 8 ;>"3? #, 1, ",.-7"0-8 #, ", ;5HI3/(#, ", 8) ;3@D5BA0 1, 8 ;>"3? #, 1, ",.-7"0-8 #, ", ;5HI3/(#,, 8) ;5HI3/ #, ", 8 ;<8"=5 #, ", 1,.-7"0-8 ", ;3@D5BA0(1, 8) ;5HI3/ #,, 8 ;<8"=5 #, ", 1,.-7"0-8 ", ;3@D5BA0(1, 8) ;5HI3/ #, ", 8!"##"$- #, #, ;5HI3/ # G, ", 8, ;<8"=5(#, ", ) Derived from the Balance instruction Memory operations Capture that C is derived from 1 and @

Securify: Under the Hood MemTag(0x20, Balance) MemTag(0x40, Const) VarTag(z, Const) VarTag(k, Gas) Assign(s, 0x20) Call(s, k) Check patterns Semantic Representation

Patterns DSL (Labels)! (labels) (Vars) $ (variables) (Tags) %! $ (Instr) ' (')%*(!, $,, $) (Facts) / 01234!!45!,! 06)%34!!45!,! 012789:' $, % 78%;2($, %) (Patterns) 9 / ': 9 ': 9 9 9 9

Detecting the DAO Hack Security property: function withdraw() { uint amount = balances[msg.sender]; msg.sender.call.value(amount)(); balances[msg.sender] = 0; No state changes after call instructions Call instruction followed by a write to storage Formalized as a trace property Compliance pattern Violation pattern!"## #, _, _, _ : ))*+,- #., _, _. 0"12+##+3(#, #. )!"## #, _, _, _ : ))*+,- #., _, _. 067*2+##+3(#, #. ) Proofs establish a formal logical relation between the property and its patterns

Detecting Unrestricted Writes Security property: address owner =...; function initwallet(address _owner) { owner = _owner; No storage offset is writable by all users Unrestricted write Formalized as a hyperproperty Compliance pattern Violation pattern!!"#$%(_, ), _):,%"-. ), /011%$!!"#$% 1, ), : 30.,%456 ), /011%$ 30.,%456(1, /011%$)

How well does this approach work in practice?

Securify vs. Existing Solutions State-of-the-art security checkers for Ethereum smart contracts - Oyente - Mythril Dataset - 80 open-source smart contracts Experiment - Run contracts using Securify, Oyente, and Mythril - Manually inspect each reported vulnerability

Securify vs. Oyente vs. Mythril Tr ue warnings False war nings Vio la tio n Unrepo rted vulner abilitie s 60% 40% 20% Securify Oyente Securify Oyente Mythril Securify Oyente Mythril Securify Mythril 0% -20% -40% -60% Transaction reordering Reentrancy Handled exception Restricted transfer

Research Start-ups SECURE, RELIABLE, INTELLIGENT SYSTEMS LAB http://securify.ch http://ai2.ethz.ch Securing the blockchain https://chainsecurity.com http://apk-deguard.com http://jsnice.org jobs@chainsecurity.com http://psisolver.org http://eventracer.org contact@chainsecurity.com @chain_security

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback