learning to fuzz from symbolic execution with application
play

Learning to Fuzz from Symbolic Execution with Application to Smart - PowerPoint PPT Presentation

Oct 22, 2023 •340 likes •633 views

Learning to Fuzz from Symbolic Execution with Application to Smart Contracts Jingxuan Mislav Nodar Petar Martin He Balunovic Ambroladze Tsankov Vechev Random Fuzzing vs. Symbolic Execution Random Fuzzing Symbolic Execution Fast Slow

  1. Learning to Fuzz from Symbolic Execution with Application to Smart Contracts Jingxuan Mislav Nodar Petar Martin He Balunovic Ambroladze Tsankov Vechev

  2. Random Fuzzing vs. Symbolic Execution Random Fuzzing Symbolic Execution Fast Slow Speed Inputs Ineffective Effective Coverage Low Low 1

  3. Smart Contract Testing: Challenge Initial , deposit(), P ether . . . . . . , setOwner( ) . . . . . . , withdraw(P) . . . . . . steals P ether from 2

  4. Smart Contract Testing: Challenge Wanted: Transaction sequences that thoroughly explore the state space 3

  5. 4

  6. Random Fuzzing vs. Symbolic Execution Imitation Learning based Fuzzer ~120K contracts ~16K clusters - Analyzing Ethereum’s Contract Topology. Kiffer et al.. IMC ’18 Random Fuzzing Symbolic Execution ILF (this work) Fast Slow Fast Speed Inputs Effective Effective Ineffective Coverage Low High Low 5

  7. Imitation Learning Demonstration Robot Human expert Demonstration Fuzzer Symbolic execution 6

  8. Learning to Fuzz from Symbolic Execution Symbolic execution expert ≈ 15K contracts Smart contracts Transaction sequences Training Fuzzing Coverage Vulnerability New contract Fuzzing policy Report (neural networks) 7

  9. Learning to Fuzz from Symbolic Execution Symbolic execution expert Smart contracts Transaction sequences Training Fuzzing Coverage Vulnerability New contract Fuzzing policy Report (neural networks) 8

  10. ̅ ̅ Smart Contract Fuzzing Policy + + + = may modify blockchain state ! = ($ & , ()*+),, -./0*!) ()*+), -./0*! $ & Example: a Uniformly Random Policy Transaction : 2*3$/,.(4) : 2*3$/,.(536*-!0,)($)) Fuzzing Tested Policy Contract : 2*3$/,.(5JKLJM5) Feedback 72*3$/,. 0, 9: $ is payable : C(0) = 1 otherwise 9

  11. ̅ Neural Network Fuzzing Policy Features of 4 GRU fuzz FCN func $ Q at step 3 − 1 hidden ℎ QRS state GRU int + & Q FCN int GRU fuzz Feature hidden state at step 3 of $ ℎ Q QRS FCN sender ()*+), Q ℎ Q GRU fuzz -./0*! Q FCN amount at step 3 + 1 10

  12. Neural Network Fuzzing Policy – Fuzzing State GRU fuzz at step 3 − 1 e.g., Coverage, opcodes, Last function name. (can be dynamic) hidden [3.5, 0.3, 4.0, …] state Current hidden state Feature of $ QRS GRU fuzz [1, 6.2, 5, …] [1.2, 8.7, 2.5, …] at step 3 11

  13. ̅ Neural Network Fuzzing Policy Features of 4 GRU fuzz FCN func $ Q at step 3 − 1 hidden ℎ QRS state GRU int + & Q FCN int GRU fuzz Feature hidden state at step 3 of $ ℎ Q QRS FCN sender ()*+), Q ℎ Q GRU fuzz -./0*! Q FCN amount at step 3 + 1 12

  14. Neural Network Fuzzing Policy – Function [[1, 6.2, 5, …], [4, 3.7, 6, …], Feature of 4 … SetOwner FCN func [2, 9.2, 7, …]] + Withdraw Deposit Softmax Withdraw Current hidden state [1.2, 8.7, 2.5, …] 13

  15. ̅ Neural Network Fuzzing Policy Features of 4 GRU fuzz FCN func $ Q at step 3 − 1 hidden ℎ QRS state GRU int + & Q FCN int GRU fuzz Feature hidden state at step 3 of $ ℎ Q QRS FCN sender ()*+), Q ℎ Q GRU fuzz -./0*! Q FCN amount at step 3 + 1 14

  16. Neural Network Fuzzing Policy – Arguments 1 1 0x800 0x800 0x200 1 0x10 0x10 0x200 . . . 0x200 . . . Distribution over 50 seed integer values from expert FCN int FCN int . . . Current hidden state GRU int GRU int [1.2, 8.7, 2.5, …] at step 0 at step 1 One-hot [0, 0, 1, 0, …] 15

  17. ̅ Neural Network Fuzzing Policy Features of 4 GRU fuzz FCN func $ Q at step 3 − 1 hidden ℎ QRS state GRU int + & Q FCN int GRU fuzz Feature hidden state at step 3 of $ ℎ Q QRS FCN sender ()*+), Q ℎ Q GRU fuzz -./0*! Q FCN amount at step 3 + 1 16

  18. Learning to Fuzz from Symbolic Execution Symbolic execution expert Smart contracts Transaction sequences Training Fuzzing Coverage Vulnerability New contract Fuzzing policy Report (neural networks) 17

  19. Symbolic Execution Expert Revisit Revisit Revisit T QUQV T S T W ! S Execute . . . e t u c e x E ! W Symbolic : VerX S&P 2020 18

  20. Learning to Fuzz from Symbolic Execution Symbolic execution expert Smart contracts Transaction sequences Training Fuzzing Coverage Vulnerability New contract Fuzzing policy Report (neural networks) 19

  21. ̅ Training Neural Network Fuzzing Policy NN Policy at step 3 − 1 Cross-Entropy loss Back Prop. Hidden $ Q State & Q Features Inference NN Policy ! Q by expert ()*+), at step 3 Q -./0*! Q ! Q by expert 20

  22. Learning to Fuzz from Symbolic Execution Symbolic execution expert Smart contracts Transaction sequences Training Fuzzing Coverage Vulnerability New contract Fuzzing policy Report (neural networks) 21

  23. ILF System: Coverage & Vulnerability Detection • Instruction coverage. • Basic block coverage. • Locking : The contract cannot send out but can receive ether. • Leaking : An attacker can steal ether from the contract. • Suicidal : An attacker can deconstruct the contract. • Block Dependency : Ether transfer depends on block state variables. • Unhandled Exception : Root call does not catch exceptions from child calls. • Controlled Delegatecall : Transaction parameters explicitly flow into arguments of a delegatecall instruction. 22

  24. Evaluation • 18,496 Contracts (5,013 Large & 13,483 Small) • 5-fold Cross Validation • UNIF • Echidna • ContractFuzzer • EXPERT • MAIAN • Coverage & Speed • Vulnerability Detection • Fuzzing Components • Case Study 23

  25. Coverage: ILF vs. Fuzzers Instr. Coverage Instr. Coverage 100% 100% 80% 80% 60% 60% 40% 40% 20% 20% 0% 0% 0 200 400 600 800 1000 0 200 400 600 800 1000 Number of Transactions Number of Transactions ILF UNIF Echidna ILF UNIF Echidna Small contracts Large contracts 24

  26. Coverage: ILF vs. Symbolic Expert Instr. Coverage 100% Small: 30 txs, 547s 90% Large: 49 txs, 2,580s 80% EXPERT ILF (#tx same as EXPERT) 70% ILF (2k txs) 60% Small: 13s 50% Large: 17s Small Contracts Large Contracts 148 txs/s 25

  27. Vulnerability Detection ILF: 0 FPs ∪ ∪ 13 FPs % of True Vulnerabilities % of True Vulnerabilities 100% 100% 80% 80% 60% 60% 6 FPs 40% 40% 20% 20% 0% 0% Leaking Suicidal Locking Block Unhandled Controlled Dependency Exception Delegatecall ILF UNIF MAIAN ILF UNIF ContractFuzzer 26

  28. Importance of Policy Components All components are necessary 100% 90% ILF Most ILF-func important 80% ILF-args 70% ILF-sender 60% ILF-amount 50% Coverage Leaking 27

  29. Summary Q & A ? 28

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Symbolic Execution and Fuzz Testing ISSISP Summer School 2018 Prof. Abhik Roychoudhury National

Symbolic Execution and Fuzz Testing ISSISP Summer School 2018 Prof. Abhik Roychoudhury National

Symbolic Execution and Fuzz Testing ISSISP Summer School 2018 Prof. Abhik Roychoudhury National University of Singapore 1 Thanks to organizers and ISSISP Steve Blackburn Adrian Herrera ISSISP Summer School 2018 Tony Hosking

1.17k views • 99 slides
Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all

Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all

A tool for the Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all program branches. Inputs are considered symbolic variables. Symbols remain uninstantiated and become constrained at execution

451 views • 24 slides
Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is

Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is

Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is appealingly simple and useful , but computationally expensive ! We will see how the effective use of symbolic execution boils down to a kind of

494 views • 24 slides
Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on

Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on

Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on symbolic execution have found serious errors and security vulnerabilities in various systems: Network servers File systems Device drivers

733 views • 40 slides
Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution /

Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution /

Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution / / Sbastien Bardin & Richard Bonichon 20180409 CEA LIST 1 1,1,L Model Source qb int foo (int t ) { 0,1,L 0,1,L int y = t * t - 4 * t ;

567 views • 34 slides
Symbolic Execution Emina Torlak emina@cs.washington.edu Outline What is symbolic execution?

Symbolic Execution Emina Torlak emina@cs.washington.edu Outline What is symbolic execution?

CSE 403: Software Engineering, Winter 2016 courses.cs.washington.edu/courses/cse403/16wi/ Symbolic Execution Emina Torlak emina@cs.washington.edu Outline What is symbolic execution? How does it work? State-of-the-art tools 2

637 views • 34 slides
Demo Symbolic Execution Probabilistic Symbolic Execution (Materials kindly provided by Willem

Demo Symbolic Execution Probabilistic Symbolic Execution (Materials kindly provided by Willem

Demo Symbolic Execution Probabilistic Symbolic Execution (Materials kindly provided by Willem Visser) Docker Image Install Docker Download: https://docs.docker.com/engine/installation/ Check: docker --version

446 views • 10 slides
Constraint Solving in Symbolic Execution Cristian Cadar Department of Computing Imperial College

Constraint Solving in Symbolic Execution Cristian Cadar Department of Computing Imperial College

Constraint Solving in Symbolic Execution Cristian Cadar Department of Computing Imperial College London Invited talk at SMT 2015 18 July, San Francisco, CA, USA Dynamic Symbolic Execution Dynamic symbolic execution is a technique for

660 views • 53 slides
Symbolic Execution Builds predicates that characterize Conditions for executing paths

Symbolic Execution Builds predicates that characterize Conditions for executing paths

Symbolic Execution Builds predicates that characterize Conditions for executing paths Symbolic Execution and Proof of Effects of the execution on program state Properties Bridges program behavior to logic Finds important

309 views • 6 slides
Symbolic Execution of Maintainer Scripts Nicolas Jeannerod and Ralf Treinen joint work with

Symbolic Execution of Maintainer Scripts Nicolas Jeannerod and Ralf Treinen joint work with

Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App Symbolic Execution of Maintainer Scripts Nicolas Jeannerod and Ralf Treinen joint work with Benedikt Becker, Claude

1.71k views • 115 slides
An Introduction to Dynamic Symbolic Execution and the KLEE Infrastructure Cristian Cadar

An Introduction to Dynamic Symbolic Execution and the KLEE Infrastructure Cristian Cadar

An Introduction to Dynamic Symbolic Execution and the KLEE Infrastructure Cristian Cadar Department of Computing Imperial College London 14 th TAROT Summer School UCL, London, 3 July 2018 Dynamic Symbolic Execution Dynamic symbolic

856 views • 56 slides
Pending Constraints in Symbolic Execution for Better Exploration and Seeding Timotej Kapus Frank

Pending Constraints in Symbolic Execution for Better Exploration and Seeding Timotej Kapus Frank

Pending Constraints in Symbolic Execution for Better Exploration and Seeding Timotej Kapus Frank Busse Cristian Cadar Imperial College London 1 Symbolic Execution Program analysis technique Active research area Used in

1.04k views • 70 slides
Symbolic Execution of Security Protocol Impl.: Handling Cryptographic Primitives Mathy Vanhoef

Symbolic Execution of Security Protocol Impl.: Handling Cryptographic Primitives Mathy Vanhoef

Symbolic Execution of Security Protocol Impl.: Handling Cryptographic Primitives Mathy Vanhoef @vanhoefm USENIX WOOT, Baltimore, US, 14 August 2018 Overview Symbolic Execution 4-way handshake Handling Crypto Results 2 Overview Symbolic

446 views • 41 slides
Symbolic Evaluation/Execution Todays Reading Material L. A. Clarke and D. J. Richardson,

Symbolic Evaluation/Execution Todays Reading Material L. A. Clarke and D. J. Richardson,

Symbolic Evaluation/Execution Todays Reading Material L. A. Clarke and D. J. Richardson, "Applications of Symbolic Evaluation," Journal of Systems and Software, 5 (1), January 1985, pp.15-35. Symbolic Evaluation/Execution

1.07k views • 60 slides
Efficient Symbolic Execution for Software Testing Johannes Kinder Royal Holloway, University of

Efficient Symbolic Execution for Software Testing Johannes Kinder Royal Holloway, University of

Efficient Symbolic Execution for Software Testing Johannes Kinder Royal Holloway, University of London Joint work with: Stefan Bucur, George Candea, Volodymyr Kuznetsov @ EPFL Symbolic Execution Automatically explore program paths

2.34k views • 200 slides
JANUS: Fast and Flexible Deep Learning via Symbolic Graph Execution of Imperative Programs Eunji

JANUS: Fast and Flexible Deep Learning via Symbolic Graph Execution of Imperative Programs Eunji

JANUS: Fast and Flexible Deep Learning via Symbolic Graph Execution of Imperative Programs Eunji Jeong , Sungwoo Cho, Gyeong-In Yu, Joo Seong Jeong, Dong-Jin Shin, Byung-Gon Chun Demo 1 Introduction Challenge Solution Results Deep Neural

452 views • 21 slides
Philosophy UNIVERSALS & OUR KNOWLEDGE OF THEM February 2 Today : 1. Review A Priori

Philosophy UNIVERSALS & OUR KNOWLEDGE OF THEM February 2 Today : 1. Review A Priori

Russells Problems of Philosophy UNIVERSALS & OUR KNOWLEDGE OF THEM February 2 Today : 1. Review A Priori Knowledge 2. The Case for Universals 3. Universals to the Rescue! 4. On Philosophy Essays 5. Next Lecture 1.0 Review A

308 views • 27 slides
Event Generator Physics Peter Skands (CERN) Joliot Curie School 2013, Frejus, France In these

Event Generator Physics Peter Skands (CERN) Joliot Curie School 2013, Frejus, France In these

Event Generator Physics Peter Skands (CERN) Joliot Curie School 2013, Frejus, France In these two lectures, we will discuss the physics of Monte Carlo event generators and their mathematical foundations, at an introductory level. We shall

373 views • 3 slides
Coevolution of habitat use in stochastic environments Sebastian J. Schreiber Department of

Coevolution of habitat use in stochastic environments Sebastian J. Schreiber Department of

Coevolution of habitat use in stochastic environments Sebastian J. Schreiber Department of Evolution & Ecology University of California, Davis http://schreiber.faculty.ucdavis.edu In collaboration with Alex Hening (Tufts) and Dang Nguyen

1.19k views • 103 slides
METEOR PROCESS Krzysztof Burdzy University of Washington Krzysztof Burdzy METEOR PROCESS

METEOR PROCESS Krzysztof Burdzy University of Washington Krzysztof Burdzy METEOR PROCESS

METEOR PROCESS Krzysztof Burdzy University of Washington Krzysztof Burdzy METEOR PROCESS Collaborators and preprints Joint work with Sara Billey, Soumik Pal and Bruce E. Sagan. Math Arxiv: http://arxiv.org/abs/1308.2183

559 views • 54 slides
Southern Spectroscopy for Dark Energy From Cosmic Visions Report: The Stage V DE has large

Southern Spectroscopy for Dark Energy From Cosmic Visions Report: The Stage V DE has large

Southern Spectroscopy for Dark Energy From Cosmic Visions Report: The Stage V DE has large improvements compared to Stage 4. See Joshs slides. Main Question: On what telescope? Is Possible next step in Prefer a big telescope

599 views • 10 slides
Introd u ction IN TR OD U C TION TO DATA VISU AL IZATION W ITH G G P L OT 2 Rick Sca v e a

Introd u ction IN TR OD U C TION TO DATA VISU AL IZATION W ITH G G P L OT 2 Rick Sca v e a

Introd u ction IN TR OD U C TION TO DATA VISU AL IZATION W ITH G G P L OT 2 Rick Sca v e a Fo u nder , Sca v e a Academ y Yo u r instr u ctor - Rick Sca v etta - e - mail : o ce @ sca v e a . academ y - T w i er : @ Rick _ Sca

577 views • 41 slides
DevOps from the Ground Up @patkua DevOps from the Ground Up @patkua @patkua works for and is

DevOps from the Ground Up @patkua DevOps from the Ground Up @patkua @patkua works for and is

DevOps from the Ground Up @patkua DevOps from the Ground Up @patkua @patkua works for and is author of develops helps with My story ... DevOps What is DevOps I do not think it means what you think it means Dev Ops Dev Ops

1.28k views • 74 slides
The Drupal 8 The Drupal 8 Theming Experience Theming Experience Scott Reeves (Cottser)

The Drupal 8 The Drupal 8 Theming Experience Theming Experience Scott Reeves (Cottser)

The Drupal 8 The Drupal 8 Theming Experience Theming Experience Scott Reeves (Cottser) bit.ly/d8txdca16 Scott Reeves Scott Reeves Drupal 8 theme system and Stable (co-)maintainer Provisional Drupal 8 core committer Team Lead @ Digital

254 views • 24 slides

More recommend