fuzzing the solidity compiler
play

Fuzzing the Solidity Compiler Bhargava Shastry @ibags Ethereum - PowerPoint PPT Presentation

Dec 19, 2022 •153 likes •441 views

Fuzzing the Solidity Compiler Bhargava Shastry @ibags Ethereum Foundation bshastry Fuzzcon Europe 2020 | Fuzzing the Solidity Compiler 2 whoami Security engineer, Solidity team Semantic testing of Solidity compiler Find

  1. Fuzzing the Solidity Compiler Bhargava Shastry @ibags Ethereum Foundation bshastry Fuzzcon Europe 2020 | Fuzzing the Solidity Compiler

  2. 2 whoami ● Security engineer, Solidity team ● Semantic testing of Solidity compiler Find security-critical bugs in the compiler before it is shipped Fuzzcon Europe 2020 | Fuzzing the Solidity Compiler

  3. 3 tl;dr: ● Threat model: Incorrect code generation ● Randomly generated valid Solidity (yul) programs test compiler ● Found 10 bugs using semantic fuzzing ● Continuous fuzzing for early bug discovery Fuzzcon Europe 2020 | Fuzzing the Solidity Compiler

  4. 4 Introduction Fuzzcon Europe 2020 | Fuzzing the Solidity Compiler

  5. 5 Threat model ● Compiler user (programmer) is not malicious ● Bugs introduced by the optimizer Fuzzcon Europe 2020 | Fuzzing the Solidity Compiler

  6. 6 Fuzz testing in a nutshell while not ctrl + c do input=gen_input() runProgram(input) done Fuzzcon Europe 2020 | Fuzzing the Solidity Compiler

  7. 7 Limitation of random fuzzing contract C { contract C { function foo() fu#!3ion foo() public { puX^&c { do_something(); do_something(); Mutation } } } } Accepted by parser Rejected by parser Fuzzcon Europe 2020 | Fuzzing the Solidity Compiler

  8. 8 Fuzzing a compiler requires generating valid programs... … generating a valid program requires structure awareness Fuzzcon Europe 2020 | Fuzzing the Solidity Compiler

  9. 9 Approach Fuzzcon Europe 2020 | Fuzzing the Solidity Compiler

  10. 10 Write a specification Specification written in protobuf language message Block { repeated Statement stmts; } ... message program { repeated Block blocks; } Full spec: https://github.com/ethereum/solidity/blob/develop/test/tools/ossfuzz/yulProto.proto Fuzzcon Europe 2020 | Fuzzing the Solidity Compiler

  11. 11 Input generation ● Input generated and mutated by libprotobuf-mutator ● Each input is a tree blocks { stmts { ifstmt { condition { binaryOp { eq { op1: varref{id: 0} op2: 0} } } } } } Fuzzcon Europe 2020 | Fuzzing the Solidity Compiler

  12. 12 Input conversion ● Converter is source-to-source translator ● Input: protobuf serialization format ● Output: yul program Fuzzcon Europe 2020 | Fuzzing the Solidity Compiler

  13. 13 Example blocks { stmts { ifstmt { condition { binaryOp { eq { op1: varref{id: 0} op2: 0} } } } } } Conversion if x_0 == 0 Fuzzcon Europe 2020 | Fuzzing the Solidity Compiler

  14. 14 Test program generation { Libprotobuf function f() Protobuf Message func { { + Block b = 1; ... Converter } mutator } } Protobuf Test program specification Fuzzcon Europe 2020 | Fuzzing the Solidity Compiler

  15. 15 Correctness testing requires encoding expectation somehow Fuzzcon Europe 2020 | Fuzzing the Solidity Compiler

  16. 16 Differential fuzzing ● Track side-effects of execution ● Run program ● Run optimized program ● Compare side-effects Fuzzcon Europe 2020 | Fuzzing the Solidity Compiler

  17. 17 Yul interpreter ● Interprets arbitrary yul program ● Outputs side-effects as a trace (string) Fuzzcon Europe 2020 | Fuzzing the Solidity Compiler

  18. 18 Yul interpreter { function f() MLOAD { MSTORE Interpreter ... … } DATACOPY } Test program Execution trace Fuzzcon Europe 2020 | Fuzzing the Solidity Compiler

  19. 19 Fuzzing Setup Program MLOAD MSTORE generator … DATACOPY == Interpreter MLOAD MSTORE Optimizer … DATACOPY Trace Fuzzcon Europe 2020 | Fuzzing the Solidity Compiler

  20. 20 Custom Fuzz Mutator Program Custom Generator Mutator if x_0 == 0 if x_0 != 0 Fuzzcon Europe 2020 | Fuzzing the Solidity Compiler

  21. 21 Results Fuzzcon Europe 2020 | Fuzzing the Solidity Compiler

  22. 22 Bugs by component 3 7 Fuzzcon Europe 2020 | Fuzzing the Solidity Compiler

  23. 23 Bugs by impact 5 5 Fuzzcon Europe 2020 | Fuzzing the Solidity Compiler

  24. 24 Bugs by severity Found via custom 1 mutation 2 6 1 Fuzzcon Europe 2020 | Fuzzing the Solidity Compiler

  25. 25 Current work Antlr based custom mutator { { function f() function g() Antlr Solidity { { ... g() unparser mutator } } } } Test program Mutation Fuzzcon Europe 2020 | Fuzzing the Solidity Compiler

  26. 26 Conclusion Fuzzcon Europe 2020 | Fuzzing the Solidity Compiler

  27. 27 Conclusion ● Continuous structure-aware fuzzing for early bug discovery ● Useful for testing optimizer and data en/decoding ● Decent assurance ○ Evidence that it works ○ No formal guarantees though Fuzzcon Europe 2020 | Fuzzing the Solidity Compiler

  28. 28 Thank you! ethereum/solidity.git gitter.im/ethereum/solidity-dev Fuzzcon Europe 2020 | Fuzzing the Solidity Compiler

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Compiler Fuzzing: How Much Does It Matter? Michal Marcozzi* Qiyi Tang* Alastair F.

Compiler Fuzzing: How Much Does It Matter? Michal Marcozzi* Qiyi Tang* Alastair F.

Compiler Fuzzing: How Much Does It Matter? Michal Marcozzi* Qiyi Tang* Alastair F. Donaldson Cristian Cadar * The presented experimental study has been carried out equally by M. Marcozzi and Q. Tang. Outline 1. Context: compiler

684 views • 45 slides
Compiler Fuzzing: How Much Does It Matter? ~ research published at the SPLASH19 OOPSLA

Compiler Fuzzing: How Much Does It Matter? ~ research published at the SPLASH19 OOPSLA

Sminaire VERIMAG Grenoble, 21/02/2020 Compiler Fuzzing: How Much Does It Matter? ~ research published at the SPLASH19 OOPSLA conference ~ *Michal Marcozzi 1 *Qiyi Tang 2 Alastair F. Donaldson 3,1 Cristian Cadar 1 * The presented experimental

894 views • 73 slides
Solidity Pt. 1 Solidity idity Javascript-like programming language for writing programs that

Solidity Pt. 1 Solidity idity Javascript-like programming language for writing programs that

Solidity Pt. 1 Solidity idity Javascript-like programming language for writing programs that run on the Ethereum Virtual Machine Domain-specific language that supports abstractions required for operation of smart contracts e.g.

763 views • 44 slides
Fuzzing Kamailio Security testing the Kamailio SIP server with fuzzing Agenda About me

Fuzzing Kamailio Security testing the Kamailio SIP server with fuzzing Agenda About me

Fuzzing Kamailio Security testing the Kamailio SIP server with fuzzing Agenda About me Motivation Introduction of fuzzing and afl fuzzer Necessary changes to the core and configuration Testing setup Example SIP messages and

1.03k views • 35 slides
Fuzzing for CyberSecurity Abe Cohen 2019-11-13 Fuzzing for CyberSecurity What is

Fuzzing for CyberSecurity Abe Cohen 2019-11-13 Fuzzing for CyberSecurity What is

Fuzzing for CyberSecurity Abe Cohen 2019-11-13 Fuzzing for CyberSecurity What is fuzzing/fuzz testing? Why AFL? How does it work with GNAT Pro/Ada? Premise: Fuzz Testing Definition: Stable Software Software that is highly

649 views • 16 slides
Tools and Techniques to automate the discovery of Zero Day Vulnerabilities A.K.A Fuzzing 101

Tools and Techniques to automate the discovery of Zero Day Vulnerabilities A.K.A Fuzzing 101

Tools and Techniques to automate the discovery of Zero Day Vulnerabilities A.K.A Fuzzing 101 Agenda GEEKZONE Overview of fuzzing techniques Tutorials on specific open-source fuzzers Demonstrations DIY fuzzing! Who

825 views • 50 slides
2000 2010 2015 2005 Blackbox Fuzzing Verification Whitebox Fuzzing Patrice Godefroid

2000 2010 2015 2005 Blackbox Fuzzing Verification Whitebox Fuzzing Patrice Godefroid

From Blackbox Fuzzing to Whitebox Fuzzing towards Verification 2000 2010 2015 2005 Blackbox Fuzzing Verification Whitebox Fuzzing Patrice Godefroid Microsoft Research ISSTA2010 Page 1 July 2010 Acknowledgments Joint work with:

633 views • 38 slides
Solidity 0.5: when typed does not mean type-safe S. Crafa M. Di Pirro Universit di Padova,

Solidity 0.5: when typed does not mean type-safe S. Crafa M. Di Pirro Universit di Padova,

Solidity 0.5: when typed does not mean type-safe S. Crafa M. Di Pirro Universit di Padova, Italy Kynetics, Italy crafa@math.unipd.it matteo.dipirro@kynetics.com FMBC - 11 October 2019 - Porto Agenda Smart contracts and Solidity

588 views • 32 slides
Coverage-guided Fuzzing of Individual Functions Without Source Code Alessandro Di Federico

Coverage-guided Fuzzing of Individual Functions Without Source Code Alessandro Di Federico

Coverage-guided Fuzzing of Individual Functions Without Source Code Alessandro Di Federico Politecnico di Milano October 25, 2018 1 Index Coverage-guided fuzzing An overview of rev.ng Experimental results 2 Fuzzing 3 Fuzzing 1 Generate

1.36k views • 72 slides
Wi-Fi Advanced Fuzzing Wi-Fi Advanced Fuzzing Laurent BUTTI France Tlcom / Orange

Wi-Fi Advanced Fuzzing Wi-Fi Advanced Fuzzing Laurent BUTTI France Tlcom / Orange

Wi-Fi Advanced Fuzzing Wi-Fi Advanced Fuzzing Laurent BUTTI France Tlcom / Orange Division R&D firstname dot lastname at orange-ftgroup dot com research & development Forewords Wi-Fi Fuzzing/BlackHat EU 2007/Laurent Butti p

1.05k views • 78 slides
Modern Fuzzing of Media-processing projects Max Moroz, FOSDEM 2017 Agenda Fuzzing

Modern Fuzzing of Media-processing projects Max Moroz, FOSDEM 2017 Agenda Fuzzing

Modern Fuzzing of Media-processing projects Max Moroz, FOSDEM 2017 Agenda Fuzzing what is fuzzing, why fuzz, fuzzing types How to fuzz fuzz target, fuzzing engine, libFuzzer Media processing as a target

551 views • 19 slides
11/8/2012 The Structure of a Compiler (2) The Structure of a Compiler (1) Any compiler must

11/8/2012 The Structure of a Compiler (2) The Structure of a Compiler (1) Any compiler must

11/8/2012 The Structure of a Compiler (2) The Structure of a Compiler (1) Any compiler must perform two major tasks Sourc rce Progra ram Tokens Syntactic Semantic Scanner Parser Structure re Routines (Chara racter r St Stre

690 views • 22 slides
T-Fuzz: Fuzzing by Program Transformation Hui Peng 1 , Yan Shoshitaishvili 2 , Mathias Payer 1 1

T-Fuzz: Fuzzing by Program Transformation Hui Peng 1 , Yan Shoshitaishvili 2 , Mathias Payer 1 1

T-Fuzz: Fuzzing by Program Transformation Hui Peng 1 , Yan Shoshitaishvili 2 , Mathias Payer 1 1 2 Fuzzing as a bug finding approach Fuzzing is highly effective in finding bugs (CVEs) Developers use it as proactive defense measure:

844 views • 32 slides
FUZZING FOR VULNERABILITY DETECTION FUZZING FOR VULNERABILITY DETECTION WHO WE ARE Prof. Dr.

FUZZING FOR VULNERABILITY DETECTION FUZZING FOR VULNERABILITY DETECTION WHO WE ARE Prof. Dr.

MASTER SEMINAR WS16/17 PROF. DR. ALEXANDER PRETSCHNER SAAHIL OGNAWALA FUZZING FOR VULNERABILITY DETECTION FUZZING FOR VULNERABILITY DETECTION WHO WE ARE Prof. Dr. Alexander Pretschner Head of Chair XXII Software Engineering @TUM since

489 views • 21 slides
Fuzzing the Media Framework in Android Alexandru Blanda OTC Security QA 1 Agenda Introduction

Fuzzing the Media Framework in Android Alexandru Blanda OTC Security QA 1 Agenda Introduction

Fuzzing the Media Framework in Android Alexandru Blanda OTC Security QA 1 Agenda Introduction Fuzzing Media Content in Android Data Generation Fuzzing the Stagefright Framework Logging & Triage Mechanisms 2 Introduction Fuzzing

1.12k views • 38 slides
NEUZZ: Efficient Fuzzing with Neural Program Smoothing Dongdong She, Kexin Pei, Dave Epstein,

NEUZZ: Efficient Fuzzing with Neural Program Smoothing Dongdong She, Kexin Pei, Dave Epstein,

NEUZZ: Efficient Fuzzing with Neural Program Smoothing Dongdong She, Kexin Pei, Dave Epstein, Junfeng Yang, Baishakhi Ray, and Suman Jana Columbia University 1 Fuzzing: a popular way to uncover bugs [Liang et al. 2019] 2 Evolutionary Fuzzing

1.02k views • 26 slides
Trace Abstraction (Recap) Andreas Podelski University of Freiburg, Germany Tuesday, December 15,

Trace Abstraction (Recap) Andreas Podelski University of Freiburg, Germany Tuesday, December 15,

Trace Abstraction (Recap) Andreas Podelski University of Freiburg, Germany Tuesday, December 15, 2011 Preliminaries: Programs program = graph if (x==0) 0 : 0 x==0 x!=0 y:=1 1 : 2 : 1 3 else y:=1 y:=2 3 : y:=2

323 views • 29 slides
Semantic Trace-based Malware Variants Detection Khalid Alzarooni CREST - DCS - UCL April 6,

Semantic Trace-based Malware Variants Detection Khalid Alzarooni CREST - DCS - UCL April 6,

Overview Trace-based approach Experiments Semantic Trace-based Malware Variants Detection Khalid Alzarooni CREST - DCS - UCL April 6, 2011 Overview Trace-based approach Experiments Outline Overview Trace-based approach Experiments

688 views • 31 slides
Refinement of Trace Abstraction for Real-Time Programs September 9, 2017 Franck Cassez 2 , Peter

Refinement of Trace Abstraction for Real-Time Programs September 9, 2017 Franck Cassez 2 , Peter

Refinement of Trace Abstraction for Real-Time Programs September 9, 2017 Franck Cassez 2 , Peter G. Jensen 1 , 2 and Kim G. Larsen 1 pgj@cs.aau.dk Department of Computer Science, Aalborg University Department of Computing, Macquarie University

293 views • 28 slides
Recursion: How It Works 7 January 2019 OSU CSE 1 Question Considered Before How should you

Recursion: How It Works 7 January 2019 OSU CSE 1 Question Considered Before How should you

Recursion: How It Works 7 January 2019 OSU CSE 1 Question Considered Before How should you think about recursion so you can use it to develop elegant recursive methods to solve certain problems? Answer : Pretend there is a FreeLunch

843 views • 50 slides
Vision/Color II, Virtual Trackball Week 5, Wed Feb 7 http://www.ugrad.cs.ubc.ca/~cs314/Vjan2007

Vision/Color II, Virtual Trackball Week 5, Wed Feb 7 http://www.ugrad.cs.ubc.ca/~cs314/Vjan2007

University of British Columbia CPSC 314 Computer Graphics Jan-Apr 2007 Tamara Munzner Vision/Color II, Virtual Trackball Week 5, Wed Feb 7 http://www.ugrad.cs.ubc.ca/~cs314/Vjan2007 Reading for Last Time & Today RB Chap Color

642 views • 27 slides
Game development for the ColecoVision and Sega 8-bit systems Developing for Z80-based video game

Game development for the ColecoVision and Sega 8-bit systems Developing for Z80-based video game

Game development for the ColecoVision and Sega 8-bit systems Developing for Z80-based video game systems using modern free tools Philipp Klaus Krause February 4, 2018 Table of Contents 1 Consoles 2 SDCC 3 Library 4 Tools 5 Summary Table of

590 views • 20 slides
433-324 Graphics and Interaction Kinds of Interfaces Adrian Pearce Department of Computer

433-324 Graphics and Interaction Kinds of Interfaces Adrian Pearce Department of Computer

Interface Categories and Styles Key-Modal Direct Manipulation Linguistic 433-324 Graphics and Interaction Kinds of Interfaces Adrian Pearce Department of Computer Science and Software Engineering University of Melbourne The University of

296 views • 11 slides
Overview What is GUI? A graphical user interface (GUI) is a set of visual elements that

Overview What is GUI? A graphical user interface (GUI) is a set of visual elements that

Android User Interface Overview What is GUI? A graphical user interface (GUI) is a set of visual elements that allows a user to interact with the application For Android, some of the GUI elements you can use are shown on the next slide

567 views • 30 slides

More recommend