Certifying functional correctness of Ethereum smart contracts (PowerPoint presentation)



SLIDE 1

Certifying functional correctness of Ethereum smart contracts

  • Dr. Petar Tsankov
    Co-founder and Chief scientist, ChainSecurity
    Senior researcher, ICE center, ETH Zurich
    @ptsankov

SLIDE 2

Inter-disciplinary research center at the #1 CS department in Europe
  • Security and privacy
  • Blockchain security
  • Safety of AI

Next-generation blockchain security using automated reasoning
https://chainsecurity.com @chain_security

SLIDE 3

    contract Token {
        mapping(address => uint) balances;

        function balanceOf(address a) public view returns (uint) {
            return balances[a];
        }

        function transfer(address to, uint n) public {
            // No balance check: in Solidity before 0.8 this subtraction wraps on underflow
            balances[msg.sender] -= n;
            balances[to] += n;
        }
    }

Must not fail!

What do these have in common?

SLIDE 4

What sets them apart?

  • Certified using formal verification
  • Best-effort

(The same Token contract as on Slide 3 is shown under both labels.)


SLIDE 6

Our mission: bring formal security guarantees to contracts

  • Mathematically model all behaviors of smart contracts
  • Prove that no bugs can occur
  • Scale via automation and state-of-the-art research

SLIDE 7

(Slide 6, continued.)

VerX: formal verifier for certifying custom functional specifications of Ethereum contracts

SLIDE 8

Why is it hard to certify the custom behavior of smart contracts?

Certify custom behavior vs. find generic vulnerabilities

SLIDE 9

Functional correctness

Requirements:
  • Sum of all deposits equals the escrow's ether balance
  • Investors cannot claim refunds after the goal is reached

Escrow:
    mapping(address => uint) deposits;
    function deposit() { .. }
    function withdraw() { .. }
    function claimRefund() { .. }

Crowdsale:
    uint raised;
    uint goal;
    uint closeTime;
    function invest() { .. }
    function close() { .. }

SLIDE 10

Step 1: Formalize requirements

(Informal) requirement: "Sum of all deposits equals the escrow's ether balance"

Formal property:
    always sum(Escrow.deposits) == Escrow.balance

SLIDE 11

Step 2: Check formal property

[Figure: execution tree rooted at the initial state. Each level branches on the next transaction, e.g. invest(0), invest(9999), ..., claimRefund(), and every branch continues the same way.]

  • Unbounded depth
  • Infeasible to brute-force width

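The execution-tree problem on this slide, worked through in code. The Python model below is an added example written for this page, not VerX and not code from the talk: it encodes the Escrow/Crowdsale pair from Slide 9 as a small state machine (the investor names, the amounts 0/1/9999 and the goal of 10,000 are constructed) and checks the Slide 10 property `always sum(Escrow.deposits) == Escrow.balance` by exhaustive breadth-first enumeration of transaction sequences up to a depth bound. A constructed bug in `claimRefund` (paying out without zeroing the deposit) is found after two transactions; for the correct model the check can only report "no violation within the bound", which is exactly the gap between testing and certification that the following slides discuss.

```python
"""Step 2 on a concrete, bounded state space (constructed example, not VerX).

The Escrow/Crowdsale pair is modelled as a Python state machine; the
Slide 10 property `always sum(Escrow.deposits) == Escrow.balance` is checked
by breadth-first enumeration of every transaction sequence up to a depth
bound over a tiny set of concrete amounts.
"""
from collections import deque

INVESTORS = ("alice", "bob")   # constructed investor addresses
AMOUNTS = (0, 1, 9999)         # constructed concrete input domain for invest()
GOAL = 10000                   # crowdsale goal (constructed)


class Escrow:
    """Snapshot of escrow storage plus the ether the contract holds."""

    def __init__(self, deposits=(), balance=0):
        self.deposits = dict(deposits)   # mapping(address => uint) deposits
        self.balance = balance           # Escrow.balance

    def key(self):
        # Canonical form: a zero deposit is the same as no entry in the mapping.
        return (tuple(sorted((a, v) for a, v in self.deposits.items() if v)),
                self.balance)

    def goal_reached(self):
        return sum(self.deposits.values()) >= GOAL

    def invest(self, sender, amount):
        """invest(): record the deposit and receive the ether."""
        nxt = Escrow(self.deposits, self.balance + amount)
        nxt.deposits[sender] = nxt.deposits.get(sender, 0) + amount
        return nxt

    def claim_refund(self, sender, buggy):
        """claimRefund(): pay the investor back unless the goal was reached.

        Returns None when the call would revert.  The constructed bug pays
        out but forgets to zero the deposit, so storage and balance drift.
        """
        amount = self.deposits.get(sender, 0)
        if self.goal_reached() or amount == 0:
            return None
        nxt = Escrow(self.deposits, self.balance - amount)
        if not buggy:
            nxt.deposits[sender] = 0
        return nxt


def invariant_holds(state):
    """always sum(Escrow.deposits) == Escrow.balance, evaluated at one state."""
    return sum(state.deposits.values()) == state.balance


def transactions(state, buggy):
    """Every enabled transaction from `state`, labelled for the trace."""
    for who in INVESTORS:
        for amt in AMOUNTS:
            yield f"{who}.invest({amt})", state.invest(who, amt)
        nxt = state.claim_refund(who, buggy)
        if nxt is not None:
            yield f"{who}.claimRefund()", nxt


def bounded_check(depth, buggy=False):
    """Explore all traces of at most `depth` transactions.

    Returns (counterexample_trace or None, distinct_states_visited).  None
    only means "no violation within the bound": the real contract admits
    arbitrarily long traces and 2**256 amounts per call, which is why
    concrete enumeration can find bugs but cannot certify their absence.
    """
    start = Escrow()
    seen = {start.key()}
    queue = deque([(start, [])])
    while queue:
        state, trace = queue.popleft()
        if not invariant_holds(state):
            return trace, len(seen)
        if len(trace) == depth:
            continue
        for label, nxt in transactions(state, buggy):
            if nxt.key() not in seen:
                seen.add(nxt.key())
                queue.append((nxt, trace + [label]))
    return None, len(seen)


if __name__ == "__main__":
    print("correct model, depth 4:", bounded_check(4))
    print("buggy model,   depth 4:", bounded_check(4, buggy=True))
```

Raising `depth` or widening `AMOUNTS` grows the visited-state count quickly while never turning "no counterexample found" into a proof; that is the width and depth problem the slide names.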
SLIDE 12

Methods and guarantees (ordered by reliability)

Manual review
  • Time consuming
  • Can miss errors

SLIDE 13

Methods and guarantees (continued): automated testing
  • Fuzzing
  • Symbolic execution
  • Can miss errors

SLIDE 14

Fuzzing

[Figure: the execution tree from Slide 11, with some states marked as checked and the rest as missed.]

Tools: ChainFuzz, Echidna, ContractFuzzer, Harvey, …

SLIDE 15

Symbolic execution

[Figure: the execution tree from Slide 11, with some states marked as checked and the rest as missed.]

Tools: Oyente, Manticore, Mythril, MAIAN, …

SLIDE 16

Methods and guarantees (continued): formal verification
  • Automated program verification
  • Proves absence of errors

SLIDE 17

Formal verification (VerX)

[Figure: the execution tree from Slide 11, with every state marked as checked.]

SLIDE 18

Automated formal verification with VerX

Requirement: "Investors can claim refunds only if the sum of deposits never exceeded 10,000 ether"

Smart contract:
    mapping(address => uint) deposits;
    function claimRefund() { .. }

Formal property:
    always Escrow.claimRefund ==> !before(sum(deposits) >= 10000)

Outcome: Verified, or May not hold

SLIDE 19

Expressive and intuitive specifications

Access control:
    always Escrow.deposit(address) ==> (msg.sender == Escrow.owner)

SLIDE 20

Expressive and intuitive specifications (continued)

State-based properties:
    always (now > Vault.refundTime + 1 week) ==> !Vault.refund(uint256)

SLIDE 21

Expressive and intuitive specifications (continued)

State machine properties:
    always !(once(state == REFUND) && once(state == FINALIZED))

SLIDE 22

Expressive and intuitive specifications (continued)

Invariants over aggregates:
    always totalSupply == sum(balances)

SLIDE 23

Expressive and intuitive specifications (continued)

Multi-contract invariants:
    always Token.totalSupply >= Sale.issuance

SLIDE 24

Expressive and intuitive specifications (continued)

Solid formal foundation (temporal logic)

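To make the operators used in these specifications concrete, here is an added Python interpreter for a recorded trace. It is written for this page and is not VerX's implementation; the semantics given to `always`, `once` and `before` are an interpretation of the slides' notation, and the traces, addresses and state names are constructed. It encodes the Slide 18, Slide 19 and Slide 21 properties and reports the first step at which each one fails.

```python
"""Evaluating the slides' specification operators over a recorded trace.

Constructed example, not VerX's implementation.  A trace is the list of steps
a contract went through; each step records the called function, msg.sender,
the block time and the storage *after* the call.  The temporal operators are
read as follows (an interpretation of the notation, not taken from the deck):
    always P  -  P holds at every step of the trace
    once P    -  P holds at this step or held at an earlier one
    before P  -  P held at some step strictly earlier than this one
"""
from dataclasses import dataclass, field

ACTIVE, REFUND, FINALIZED = "ACTIVE", "REFUND", "FINALIZED"
OWNER = "0xowner"            # Escrow.owner (constructed address)


@dataclass
class Step:
    call: str                                     # e.g. "Escrow.claimRefund"
    deposits: dict = field(default_factory=dict)  # mapping(address => uint) after the call
    state: str = ACTIVE                           # crowdsale state machine after the call
    sender: str = "0xinvestor"                    # msg.sender (constructed)
    now: int = 0                                  # block timestamp (constructed, unused here)


# A property is a function (trace, i) -> bool evaluated at step i.  Temporal
# operators look backwards along the trace, so every property receives the
# whole trace plus the current index.
def called(name):
    return lambda tr, i: tr[i].call == name

def state_is(value):
    return lambda tr, i: tr[i].state == value

def sum_deposits_at_least(limit):
    return lambda tr, i: sum(tr[i].deposits.values()) >= limit

def implies(a, b):
    return lambda tr, i: (not a(tr, i)) or b(tr, i)

def not_(p):
    return lambda tr, i: not p(tr, i)

def and_(a, b):
    return lambda tr, i: a(tr, i) and b(tr, i)

def once(p):
    return lambda tr, i: any(p(tr, j) for j in range(i + 1))

def before(p):
    return lambda tr, i: any(p(tr, j) for j in range(i))

def always(p, trace):
    """Index of the first step at which p fails, or None if p holds throughout."""
    for i in range(len(trace)):
        if not p(trace, i):
            return i
    return None


# Slide 18: always Escrow.claimRefund ==> !before(sum(deposits) >= 10000)
REFUND_ONLY_IF_NEVER_FUNDED = implies(called("Escrow.claimRefund"),
                                      not_(before(sum_deposits_at_least(10000))))

# Slide 19: always Escrow.deposit(address) ==> (msg.sender == Escrow.owner)
OWNER_ONLY_DEPOSIT = implies(called("Escrow.deposit"),
                             lambda tr, i: tr[i].sender == OWNER)

# Slide 21: always !(once(state == REFUND) && once(state == FINALIZED))
NEVER_REFUND_AND_FINALIZED = not_(and_(once(state_is(REFUND)),
                                       once(state_is(FINALIZED))))

PROPERTIES = {
    "refund only if never funded": REFUND_ONLY_IF_NEVER_FUNDED,
    "owner-only deposit": OWNER_ONLY_DEPOSIT,
    "never both REFUND and FINALIZED": NEVER_REFUND_AND_FINALIZED,
}


def sample_traces():
    """Two constructed traces: one respecting every property, one violating all three."""
    good = [
        Step("Escrow.deposit", {"a": 6000}, sender=OWNER),
        Step("Escrow.deposit", {"a": 6000, "b": 3000}, sender=OWNER),
        Step("Crowdsale.close", {"a": 6000, "b": 3000}, state=REFUND),
        Step("Escrow.claimRefund", {"b": 3000}, state=REFUND),
    ]
    bad = [
        Step("Escrow.deposit", {"a": 6000}, sender=OWNER),
        Step("Escrow.deposit", {"a": 6000, "b": 5000}),            # caller is not the owner
        Step("Crowdsale.close", {"a": 6000, "b": 5000}, state=FINALIZED),
        Step("Escrow.claimRefund", {"b": 5000}, state=REFUND),    # refund after finalizing
    ]
    return good, bad


def check_all(trace):
    """Map each property name to the first violating step index (None = holds)."""
    return {name: always(p, trace) for name, p in PROPERTIES.items()}


if __name__ == "__main__":
    good, bad = sample_traces()
    print("good trace:", check_all(good))
    print("bad trace: ", check_all(bad))
```

Checking a single recorded trace like this is what a monitor or test does; the verifier's job on the previous slides is to establish the same properties for every trace the contract can produce.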
SLIDE 25

Dealing with unbounded state spaces

[Figure: the execution tree from Slide 11, now with symbolic transactions invest(X), claimRefund(Y) at each level instead of one branch per concrete argument.]

  • Use symbolic (not concrete) values
  • Use program abstraction

Result: bounded depth, feasible width

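How symbolic values collapse the width, as an added example (written for this page; it is not VerX's implementation, and the `Lin` linear-form class and investor names are constructed). Amounts are symbols rather than the 2^256 concrete values, so one run of `invest(X)` covers every amount, and starting from an arbitrary pre-state that satisfies `sum(deposits) == balance` the check becomes an inductive argument: if every function preserves the property, it holds at any depth. The toy handles linear arithmetic over unbounded integers only and ignores 256-bit wraparound, gas and external calls.

```python
"""Symbolic arguments instead of concrete ones (constructed example, not VerX).

Instead of enumerating the 2**256 possible amounts of invest(), each function
is run once on a symbolic argument, and the Slide 10 property
`sum(deposits) == balance` is shown to be preserved for every value at once.
Expressions are linear forms: a dict from symbol name to integer coefficient,
so "equal for all values" is a dict comparison.  Only linear arithmetic over
unbounded integers is handled; 256-bit wraparound, gas and external calls are
out of scope for this toy.
"""
from collections import Counter


class Lin:
    """A linear expression c1*x1 + ... + cn*xn over symbolic integers."""

    def __init__(self, terms=None):
        self.terms = {k: v for k, v in (terms or {}).items() if v != 0}

    @staticmethod
    def sym(name):
        return Lin({name: 1})

    def __add__(self, other):
        c = Counter(self.terms)
        c.update(other.terms)
        return Lin(c)

    def __sub__(self, other):
        c = Counter(self.terms)
        c.subtract(other.terms)
        return Lin(c)

    def __eq__(self, other):
        return isinstance(other, Lin) and self.terms == other.terms

    def __repr__(self):
        return " + ".join(f"{v}*{k}" for k, v in sorted(self.terms.items())) or "0"


def symbolic_pre_state(n_investors):
    """An arbitrary reachable state, abstracted: every deposit is its own
    symbol d_i and the balance is whatever the invariant says it must be."""
    deposits = {f"inv{i}": Lin.sym(f"d{i}") for i in range(n_investors)}
    balance = sum(deposits.values(), Lin())
    return deposits, balance


def invest(deposits, balance, sender, amount):
    """invest(amount) from `sender`; `amount` may be a symbol."""
    deposits = dict(deposits)
    deposits[sender] = deposits.get(sender, Lin()) + amount
    return deposits, balance + amount


def claim_refund(deposits, balance, sender, buggy=False):
    """claimRefund() for `sender`.  The constructed bug skips zeroing the deposit."""
    refund = deposits.get(sender, Lin())
    deposits = dict(deposits)
    if not buggy:
        deposits[sender] = Lin()
    return deposits, balance - refund


def invariant(deposits, balance):
    """sum(Escrow.deposits) == Escrow.balance, as an identity between linear forms."""
    return sum(deposits.values(), Lin()) == balance


def preserved_by_all_functions(buggy=False):
    """Inductive step: from any pre-state satisfying the invariant, does each
    function leave it satisfied?  Two symbolic transitions replace the
    2**256 * investors concrete branches of the execution tree."""
    deposits, balance = symbolic_pre_state(2)
    x = Lin.sym("X")       # invest(X): X stands for every possible amount
    return {
        "invest": invariant(*invest(deposits, balance, "inv0", x)),
        "claimRefund": invariant(*claim_refund(deposits, balance, "inv1", buggy)),
    }


if __name__ == "__main__":
    print("correct contract:", preserved_by_all_functions())
    print("buggy claimRefund:", preserved_by_all_functions(buggy=True))
```

The pre-state here is the "program abstraction": rather than the concrete states reached by some trace, it is every state the invariant admits, which is why one transition per function suffices and depth no longer matters.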
SLIDE 26

Sound symbolic reasoning

  • Hash-based storage allocation
  • Gas mechanics
  • Calls to untrusted contracts
  • Dynamically constructed contracts

SLIDE 27

Impact and experience

Benefits:
  • Certify what works (go beyond bug finding)
  • Re-use libraries of common specifications
  • Re-certification is cheap

Fast and scalable formal verification of Ethereum contracts (157+ contracts, 100+ properties, ~1 min / property)

SLIDE 28

How to get access to VerX?

Demo: http://verx.ch
VerX as a service: contact@chainsecurity.com

SLIDE 29

One more announcement…

SLIDE 30

First automated framework for testing Solidity compilers


SLIDE 32

Repository: https://github.com/eth-sri/soltix
Discord: https://discord.gg/XKSVavS

SLIDE 33

Summary (recap of the figures from Slides 3, 11, 16, 18 and 25)

  • Safety certification of contracts
  • Methods and techniques: manual review, automated testing, formal verification (in increasing order of reliability)
  • VerX: automated formal verification
  • Symbolic reasoning + abstraction