Making smart contract smarter Loi Luu, Duc-Hiep Chu, Hrishi Olickel, - - PowerPoint PPT Presentation
Making smart contract smarter Loi Luu, Duc-Hiep Chu, Hrishi Olickel, Prateek Saxena, Aquinas Hobor <EE817/IS893: Blockchain and Cryptocurrency> Presented by Daejun Kim (2019. 05) Index Background Introduction Security bugs in
Loi Luu, Duc-Hiep Chu, Hrishi Olickel, Prateek Saxena, Aquinas Hobor
<EE817/IS893: Blockchain and Cryptocurrency> Presented by Daejun Kim (2019. 05)
2 / 74
3 / 74
*Image from Narayanan, Arvind, and Jeremy Clark. "Bitcoin's academic pedigree." Communications of the ACM 60.12 (2017): 36-45.
4 / 74
[2016]
"Making smart contracts smarter." ACM CCS. [2017]
5 / 74
[2018] - Contβd
chael Bailey. "Erays: reverse engineering ethereum's opaque smart contracts.β, USENIX
ing safety of smart contracts.β, NDSS
utomatically exploit smart contracts.β, USENIX
6 / 74
[2018]
., Dan, A., Drachsler-Cohen, D., Gervais, A., Buenzli, F., & Vechev,
& Alexandrov, Y. βSmartcheck: Static analysis of ethereum smart contracts.β. WETSEB
7 / 74
*Image from βSmart Contract λΆμκ³Ό PLβ, Jonghyup Lee
8 / 74
use decentralized applications that run on blockchain technology.β (aka. 2nd generation cryptocurrency)
Issued date
Market capitalization β$18 billion (2019. 04) Block Time About 12 seconds Block reward 5 ETH (Ethereum) Consensus Algorithm PoW
*Market capitalization from Coinmarketcap (https://coinmarketcap.com)
9 / 74
the terms of a contract.β (Szabo, Nick. "Smart contracts." Unpublished manuscript (1994))
application)
$ Alice Bob
10 / 74
state-machineβ
Application to the Entscheidungs problem, 1936." B. Jack Copeland (2004): 58.)
11 / 74
contracts
target the Ethereum Virtual Machine (EVM).
12 / 74
it will take to execute certain operations.β
$ + (gas) Alice Bob
13 / 74
π
π
β πππ¦ β πππ ππ π‘π£ππ’
If π‘πππ π»ππ‘ ππ πππ, Gas Limit comparison
π
π
1 β 109 ππ 2 β 109
If π‘πππ π»ππ‘ πππππ’, Gas Price comparison
14 / 74
block.
pays all gas limit to the miner. (counter-measure against resource- exhausting attacks)
(gas consume) Alice Bob
Fail
15 / 74
EVM Code on Blockchain Program Counter Gas Stack 256 bits * 1024 Memory linear memory Storage key-value store (256 β 256 bits) Persistent Volatile
16 / 74
EVM Code example Byte Code | Assembly ================== 6009 | PUSH1 09 34 | CALLVALUE 6007 | PUSH1 07 57 | JUMPI 00 | STOP 5b | JUMPDEST 56 | JUMP 5b | JUMPDEST 00 | STOP
Gas consumes
*Gas consumes: https://docs.google.com/spreadsheets/d/1n6mRqkBz3iWcOlRem_mO09GtSKEKrAsfO7Frgx18pNU/edit
17 / 74
18 / 74
symbolic execution tool.
19 / 74
Smart Contract
and propose recommendations as solutions for the documented bugs.
Ethereum smart contracts to detect bugs, in real Ethereum network.
20 / 74
Annual Network and Distributed System Security Symposium, NDSS. 2018. Transaction Order Dependence Block / Transaction state dependence Unchecked send Reentrancy Failed send Integer overflow / underflow 8,890 / 19,366 (45.9%, 1,758 unique contract) 21,281 / 22,493 (94.6%, 1,524 unique contract)
21 / 74
22 / 74
Attack #1. Transaction-Ordering Dependence (TOD)
π
π
β πππ¦ β πππ ππ π‘π£ππ’ If π‘πππ π»ππ‘ ππ πππ, Gas Limit comparison π
π
1 β 109 ππ 2 β 109 If π‘πππ π»ππ‘ πππππ’, Gas Price comparison Alice Bob (???) Whoβs first?
23 / 74
Attack #1. TOD
when you send the right answer.
24 / 74
Attack #1. TOD - Example
Alice π»ππ‘ππ πππ = 1 β 109 I found the answer! It is 96
25 / 74
Attack #1. TOD - Example
Alice I found the answer! It is 96 π»ππ‘ππ πππ = 1 β 109 Bob
<Blockchain info> Alice: I found the answer! It is 96 (1) Read ASAP 2 π»ππ‘ππ πππ = π β 109
96 Bob is first.
26 / 74
<Blockchain info> Alice: I found the answer! It is 96
Attack #1. TOD - Example
Alice I found the answer! It is 96 π»ππ‘ππ πππ = 1 β 109 Bob 96 Bob is first. Bob or Bobβs partner
(1) Read ASAP 2 π»ππ‘ππ πππ = π β 109
27 / 74
Attack #2. Timestamp Dependence
block is used to create a random value.
28 / 74
Attack #2. Timestamp Dependence
block is used to create a random value.
with pre-computed value (Randomness)
Bob or Bobβs partner
block.timestamp <= now + 900 && block.timestamp >= parent.timestamp
29 / 74
Attack #2. Timestamp Dependence
block is used to create a random value.
with pre-computed value (Randomness)
*Info ref. Wood, Gavin. "ETHEREUM: A SECURE DECENTRALISED GENERALISED TRANSACTION LEDGER BYZANTIUM VERSION." Internet: https://github. com/ethereum/yellowpaper,[Apr. 17, 2019] (2019). *geth is the the command line interface for running a full ethereum node implemented in Go (https://github.com/ethereum/go-Ethereum)
block.timestamp <= now + 900 && block.timestamp >= parent.timestamp
Allow only 15 seconds. (geth code: consensys.go) There is no time limit.
cuz of 3 years ago paper ο
Bob or Bobβs partner
30 / 74
Attack #2. Timestamp Dependence
block is used to create a random value.
with pre-computed value (Randomness)
*Info ref. Wood, Gavin. "ETHEREUM: A SECURE DECENTRALISED GENERALISED TRANSACTION LEDGER BYZANTIUM VERSION." Internet: https://github. com/ethereum/yellowpaper,[Apr. 17, 2019] (2019). *geth is the the command line interface for running a full ethereum node implemented in Go (https://github.com/ethereum/go-Ethereum)
block.timestamp <= now + 900 && block.timestamp >= parent.timestamp
Allow only 15 seconds. (parity code: verification.rs)
Bob or Bobβs partner
There is no time limit.
cuz of 3 years ago paper ο
31 / 74
Attack #3. Mishandled Exception
32 / 74
Attack #3. Mishandled Exception
assign the new king
$
33 / 74
Attack #3. Mishandled Exception
assign the new king
check the return values after calling other contracts via send.
Revert (out of gas)
34 / 74
Attack #4. Reentrancy Vulnerability
waits for the call to finish.
*code from https://hackernoon.com/smart-contract-security-part-1-reentrancy-attacks-ddb3b2429302
35 / 74
Attack #4. Reentrancy Vulnerability
*code from (TheDAO) https://etherscan.io/address/0xbb9bc244d798123fde783fcc1c72d3bb8c189413#code
splitDAO(proposal, address) withdrawRewardFor(msg.sender) rewardAccount.payout(_account, reward) balances[msg.sender] = 0;
<Attacker> DAO.splitDao(proposal, address)
36 / 74
37 / 74
Blocks Transactions
38 / 74
$ Alice Bob
π πβ²β² π πβ²β²
39 / 74
40 / 74
Ownerβs πb updatePrice() Higher price Userβ²s π
a buy()
Vulnerable! (1) (2) Block #1
41 / 74
Ownerβs πb updatePrice() Higher price Userβ²s π
a buy()
π β‘ (Value = Price) Safety (1) (2) Block #1
42 / 74
approximately every 12 seconds in Ethereum
43 / 74
yet possible in Solidity.
*Code from https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Statements/try...catch *info from https://solidity.readthedocs.io/en/v0.5.7/control-structures.html#error-handling-assert-require-revert-and-exceptions
44 / 74
*info from https://solidity.readthedocs.io/en/v0.5.7/units-and-global-variables.html#error-handling
45 / 74
*code from https://hackernoon.com/smart-contract-security-part-1-reentrancy-attacks-ddb3b2429302
46 / 74
Compare with teEther
Krupp, Johannes, and Christian Rossow. "teether: Gnawing at ethereum to automatically exploit smart contracts." 27th USENIX Security Symposium. 2018.
47 / 74
upon symbolic execution
does not scale to large programs. (But, targets of ππ§πππ’π are smart contracts)
*Code from https://www.lazenca.net/pages/viewpage.action?pageId=6324534
48 / 74
49 / 74
attacker can call the money-related instruction
contractβs current balance to address
50 / 74
51 / 74
*Krupp, Johannes, and Christian Rossow. "teether: Gnawing at ethereum to automatically exploit smart contracts." 27th {USENIX} Security Symposium ({USENIX} Security 18). 2018.
52 / 74
F T F T T F F T
6060604052123123123528.....
*Image from βMaking Smart Contracts Smarter: Oyente β Loi Luu (slide pptx)β, Devcon 2016
53 / 74
JUMPDEST JUMPI JUMP
unconditional jump conditional jump Markers jump target 3460576060565b606060565b 50565b00151600β¦
*Image from βteether: Gnawing at ethereum to automatically exploit smart contracts (slide pptx)β, Johannes.krupp@cispa, USENIX 2018
54 / 74
F T F T T F F T
6060604052123123123528.....
T T F T
π¦ π·1: π¦ > 0 π·2: π¨ <15 π·3:z<8 π¨ = π¦ + 2;
π·1 β π·2 β π·3β(z = x + 2)
*Image from βMaking Smart Contracts Smarter: Oyente β Loi Luu (slide pptx)β, Devcon 2016
55 / 74
with a path constraint and auxiliary data that the analyses in later phase require.
eliminate provably infeasible traces from consideration.
F T F T T F F T
6060604052123123123528.....
T T F T
π¦ π·1: π¦ > 0 π·2: π¨ <15 π·3:z<8 π¨ = π¦ + 2;
π·1 β π·2 β π·3β(z = x + 2) π3
False True π¦ = 10
*Image from βMaking Smart Contracts Smarter: Oyente β Loi Luu (slide pptx)β, Devcon 2016
56 / 74
challenges.
3460576060565b606060565b 50565b00151600β¦
π3
*Image from βteether: Gnawing at ethereum to automatically exploit smart contracts (slide pptx)β, Johannes.krupp@cispa, USENIX 2018
CRITICAL = ['CALL', 'DELEGATECALL', 'CALLCODE', 'SELFDESTRUCT']
57 / 74
*Image from βteether: Gnawing at ethereum to automatically exploit smart contracts (slide pptx)β, Johannes.krupp@cispa, USENIX 2018
58 / 74
(1) mark SSTORE instructions (2) compute backward slices of argument(s) (3) generate path through a slice (4) execute path symbolically (collect path constraints)
*Image from βteether: Gnawing at ethereum to automatically exploit smart contracts (slide pptx)β, Johannes.krupp@cispa, USENIX 2018
59 / 74
*Image from βteether: Gnawing at ethereum to automatically exploit smart contracts (slide pptx)β, Johannes.krupp@cispa, USENIX 2018
60 / 74
(1) Remove dependent constraints (2) Solve reduced set (3) Compute hash values (4) Replace dependent constraints (5) Repeat.
*Image from βteether: Gnawing at ethereum to automatically exploit smart contracts (slide pptx)β, Johannes.krupp@cispa, USENIX 2018
61 / 74
flow for each trace.
*Image from βMaking Smart Contracts Smarter: Oyente β Loi Luu (slide pptx)β, Devcon 2016
62 / 74
F T F T T F F T
*Image from βMaking Smart Contracts Smarter: Oyente β Loi Luu (slide pptx)β, Devcon 2016
63 / 74
A contract is flagged as timestamp-dependent vulnerability.
*Image from βMaking Smart Contracts Smarter: Oyente β Loi Luu (slide pptx)β, Devcon 2016
F T F T T F F T
π
64 / 74
Caller Callee CALL Contract β¦ β¦ β¦ EVM Code β¦ β¦ β¦ β¦ β¦ Stack β¦
65 / 74
Caller Callee CALL Contract ISZERO β¦ β¦ EVM Code β¦ β¦ β¦ β¦ β¦ Stack Failed!
66 / 74
Caller Callee CALL Contract β¦ β¦ β¦ EVM Code β¦ β¦ β¦ β¦ β¦ Stack Failed!
67 / 74
the execution before the CALL is executed.
still holds (i.e., if the call can be executed again)
*Image from βMaking Smart Contracts Smarter: Oyente β Loi Luu (slide pptx)β, Devcon 2016
68 / 74
splitDAO(proposal, address) withdrawRewardFor(msg.sender) rewardAccount.payout(_account, reward) balances[msg.sender] = 0;
Vulnerable
F T F T T F F T
*Image from βMaking Smart Contracts Smarter: Oyente β Loi Luu (slide pptx)β, Devcon 2016
69 / 74
70 / 74
contracts
Detected TheDAO bug
71 / 74
Smart Contract
and propose recommendations as solutions for the documented bugs.
Ethereum smart contracts to detect bugs, in real Ethereum network.
72 / 74
73 / 74
Smart contract User Node General Language Logic Consensus Wallet
74 / 74
Thanks.
β assignment
execution.) β big-step evaluation small-step evaluation Ο state (address and account state mapping) Ξ Transaction flow <BC, Ο> Ethereum state as a pair <Blockchain, state> But, do not model miner rewards. (for simplicity)
οΌOnly one βelected leaderβ executes the ππ ππππ‘π rule at time.
οΌOther miners use the π΅πππππ’ rule to βrepeatβ the transitions after the leader broadcasts block B (Timestamp-dependence)
οΌsome inevitable order among ππ (Transaction-ordering dependence)
EVM Code on Blockchain
Program Counter
Gas Stack 256 bits * 1024 Memory linear memory Storage key-value store (256 β 256 bits)
Persistent Volatile π‘ π π‘π’π ππ π
Example
π πβ² per π[ππ·]