securify practical security analysis of smart contracts
play

Securify: Practical Security Analysis of Smart Contracts - PowerPoint PPT Presentation

Nov 15, 2023 •157 likes •518 views

Securify: Practical Security Analysis of Smart Contracts https://securify.ch Dana Martin Petar Andrei Arthur Florian Drachsler- Vechev Tsankov Dan Gervais Bnzli Cohen Grant: Startup: What is a smart contract? mapping(address

  1. Securify: Practical Security Analysis of Smart Contracts https://securify.ch Dana Martin Petar Andrei Arthur Florian Drachsler- Vechev Tsankov Dan Gervais Bünzli Cohen Grant: Startup:

  2. What is a smart contract? mapping(address => uint) balances; function withdraw() { uint amount = balances[msg.sender]; msg.sender.call.value(amount)(); balances[msg.sender] = 0; Transfer funds } to the caller - Small programs that handle cryptocurrencies - Written in high-level languages (e.g., Solidity) - Usually no patching after release What can go wrong when programs handle billions worth of USD? 2

  3. Smart contract bugs bugs in the news 3

  4. Smart contract bugs bugs in the news 3

  5. Smart contract bugs bugs in the news 1 week ago 3

  6. June 2016: The DAO hack

  7. The DAO hack User Contract DAO Contract function moveBalance() { mapping(address => uint) balances; dao.withdraw(); } function withdraw() { ... uint amount = balances[msg.sender]; msg.sender.call.value(amount)(); function () payable { balances[msg.sender] = 0; // log payment } } withdraw() 10 ether Later… withdraw() 0 ether 4

  8. The DAO hack User Contract DAO Contract function moveBalance() { mapping(address => uint) balances; calls the default dao.withdraw(); "fallback” function } function withdraw() { ... uint amount = balances[msg.sender]; msg.sender.call.value(amount)(); function () payable { balances[msg.sender] = 0; // log payment } } balance is zeroed after transfer withdraw() 10 ether Later… withdraw() 0 ether 4

  9. The DAO hack User Contract DAO Contract function moveBalance() { mapping(address => uint) balances; dao.withdraw(); } function withdraw() { ... uint amount = balances[msg.sender]; msg.sender.call.value(amount)(); function () payable { balances[msg.sender] = 0; dao.withdraw(); } } calls withdraw() withdraw() before balance is set to 0 10 ether withdraw() 10 ether ... 4

  10. Many critical vulnerabilities Unexpected ether flows In 2017, more than $300M Unprivileged writes Use of unsafe inputs have been lost due Reentrant method calls to these issues Transaction reordering 5

  11. Wanted: Automated security analysis

  12. function withdraw() { The DAO hack uint amount = balances[msg.sender]; msg.sender.call.value(amount)(); balances[msg.sender] = 0; } Security property: No state changes after call instructions Unsafe calls Safe calls Can we automatically find all unsafe calls? 6

  13. function withdraw() { The DAO hack uint amount = balances[msg.sender]; msg.sender.call.value(amount)(); balances[msg.sender] = 0; } Security property: No state changes after call instructions Unsafe calls Safe calls Can we automatically find all unsafe calls? No, smart contracts are Turing-complete 6

  14. function withdraw() { The DAO hack uint amount = balances[msg.sender]; msg.sender.call.value(amount)(); balances[msg.sender] = 0; } Security property: No state changes after call instructions Unsafe calls Safe calls Unsafe call instruction Safe call instruction Can we automatically find all unsafe calls? No, smart contracts are Turing-complete Existing solutions focus on bug finding and can miss issues 6

  15. Insight When contracts satisfy/violate a security property, they often satisfy/violate a simpler property

  16. function withdraw() { The DAO hack uint amount = balances[msg.sender]; msg.sender.call.value(amount)(); balances[msg.sender] = 0; } Security property: No state changes after call instructions Unsafe calls Safe calls Verifies 91% of all calls A write always No writes follows may follow call.value() call.value() Violation pattern Compliance pattern 7

  17. www.securify.ch Scalable and fully automated verifier for Ethereum smart contracts

  18. Impact Used daily by security auditors 1K+ subscribers (29K+ contracts scanned so far) Grants: New startup: 8

  19. Securify: System overview push 0x04 1: a = 0x04 dataload 1. decompile 2: b = load (a) push 0x08 3: abi_00 (b) jump 4: stop jumpdest abi_00 (b) stop 5: c = 0x00 jumpdest 6: sstore (c,b) ⋮ ⋮ EVM bytecode Intermediate representation 2. infer facts assign (1, a, 0x04) follow (2, 1) mayDepOn (b, a) load (2, b, a) follow (3,2) follow (5,3) 3. check patterns ⋮ Security report Semantic representation 9

  20. Step 1: Decompilation push 0x04 1: a = 0x04 dataload 1. decompile 2: b = load (a) push 0x08 3: abi_00 (b) jump 4: stop jumpdest abi_00 (b) stop 5: c = 0x00 jumpdest 6: sstore (c,b) ⋮ ⋮ EVM bytecode Intermediate representation - Static single assignment form - Control-flow graph recovery 10

  21. Step 2: Inferring semantic facts 1: a = 0x04 2: b = load (a) 3: abi_00 (b) 4: stop abi_00 (b) 5: c = 0x00 6: sstore (c,b) ⋮ Intermediate representation 2. infer facts assign (1, a, 0x04) follow (2, 1) mayDepOn (b, a) load (2, b, a) follow (3,2) follow (5,3) ⋮ Semantic representation

  22. Step 2: Inferring semantic facts Scalable inference of semantic facts using Datalog solvers Datalog program !"#$%&&%' (, * ← $%&&%'((, *) !"#$%&&%' (, * ← $%&&%' (, . , !"#$%&&%'(., *) 1: a = 0x04 $%&&%'(2, 1) !"#$%&&%'(2, 1) 2: b = load (a) $%&&%'(3, 2) !"#$%&&%'(3, 1) 3: abi_00 (b) $%&&%'(5, 3) !"#$%&&%'(4, 1) 4: stop $%&&%'(6, 5) !"#$%&&%'(5, 1) abi_00 (b) 5: c = 0x00 $%&&%'(4, 6) !"#$%&&%'(6, 1) 6: sstore (c,b) ⋮ ⋮ IR Datalog input Datalog fixpoint 11

  23. Step 2: Inferring semantic facts Scalable inference of semantic facts using Datalog solvers Relevant semantic facts Control-flow analysis Datalog program !"#$%&&%' (, * ← $%&&%'((, *) Instruction at label 7 8 may follow that at label 7 9 6"#$%&&%'(7 8 , 7 9 ) !"#$%&&%' (, * ← $%&&%' (, . , !"#$%&&%'(., *) Instruction at label 7 8 must follow that at label 7 9 6:;<$%&&%'(7 8 , 7 9 ) Data-flow analysis The value of B may depend on tag C 6"#=>?@A(B, C) 1: a = 0x04 $%&&%'(2, 1) !"#$%&&%'(2, 1) 2: b = load (a) $%&&%'(3, 2) !"#$%&&%'(3, 1) The values of B and C are equal >D(B, C) 3: abi_00 (b) $%&&%'(5, 3) !"#$%&&%'(4, 1) 4: stop For different values of C the value of B is different E><F#(B, C) $%&&%'(6, 5) !"#$%&&%'(5, 1) abi_00 (b) 5: c = 0x00 $%&&%'(4, 6) !"#$%&&%'(6, 1) For real-world contracts, Securify infers 1 - 10M such facts 6: sstore (c,b) ⋮ ⋮ IR Datalog input Datalog fixpoint 11

  24. Step 3: Check patterns assign (1, a, 0x04) follow (2, 1) mayDepOn (b, a) load (2, b, a) follow (3,2) follow (5,3) 3. check patterns ⋮ Security report Semantic representation

  25. Security patterns language A pat pattern is a logical formula over semantic predicates: 4 ∷ = 718'9 :, ;, <, … , < !" X, T &!'() X, Y | ,-).!/01(X, Y) >?@@?A :, : | ,-)B?@@?A :, : ,C8'B?@@?A(:, :) ∃<. 4 ∃:. 4 ∃F. 4 ¬4 | 4 ∧ 4 see paper for details 12

  26. Example: No writes after calls function withdraw() { uint amount = balances[msg.sender]; msg.sender.call.value(amount)(); balances[msg.sender] = 0; } Security property: ! ≡ “No state changes after call instructions” Compliance pattern ! " ≡ ∀ %&'' ( ) , _, _ . ¬∃ //0123 ( 4 , _, _ . 5&671''18(( 4 , ( ) ) Violation pattern ! " ≡ ∃ %&'' ( ) , _, _ . ∃ //0123 ( 4 , _, _ . 5;/071''18(( 4 , ( ) ) We can (manually) prove that: ! " ⇒ ! and ! = ⇒ ¬! 13

  27. Security report Unsafe calls Safe calls Violation ¬! ! Compliance pattern pattern ! " ! # Violation Warning Safe violations or wa All unsafe calls are reported as either vi warnings 14

  28. Security report Patterns for relevant security properties Unsafe behaviors Safe behaviors Violation ¬! ! Compliance pattern pattern ! " ! # Violation Warning Safe violations or wa All unsafe behaviors are reported as either vi warnings 14

  29. Evaluation 1. Is Securify precise for relevant security properties? 2. How does Securify compare to other contract checkers? 15

  30. How precise is Securify? Dataset - First 100 real-world contracts uploaded to https://securify.ch in 2018 Security properties - 9 critical vulnerabilities (reentrancy, …) Experiment: - Measure % of violations , safe behaviors , and warnings - Manually classify warnings into true warnings and false warnings 16

  31. How precise is Securify? % of all potential vulnerabilities 100 80 False warnings 60 True warnings Violations 40 20 0 TT TR TA NW RW HE VA RT LQ Security properties < 10% warnings for 6 out of 9 security properties 16

  32. How precise is Securify? > 90% verified % of all potential vulnerabilities 100 80 No warnings No warnings False warnings 60 True warnings Violations 40 20 0 TT TR TA NW RW HE VA RT LQ Security properties < 10% warnings for 6 out of 9 security properties 16

  33. How does Securify compare to other checkers? Oyente 60 Mythril 40 20 Violations 0 True warnings 20 False warnings 40 Unreported 60 vulnerabilities 80 Unhandled Unsafe TOD Reentrancy exception transfer 17

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Securify: Practical Security Analysis of Smart Contracts https://securify.ch Dr. Petar Tsankov

Securify: Practical Security Analysis of Smart Contracts https://securify.ch Dr. Petar Tsankov

Securify: Practical Security Analysis of Smart Contracts https://securify.ch Dr. Petar Tsankov Scientific Researcher, ICE center, ETH Zurich Co-founder and Chief Scientist, ChainSecurity AG http://www.ptsankov.com/ @ptsankov

407 views • 39 slides
Security analysis of smart contracts in Datalog https://securify.ch Dr. Petar Tsankov Senior

Security analysis of smart contracts in Datalog https://securify.ch Dr. Petar Tsankov Senior

Security analysis of smart contracts in Datalog https://securify.ch Dr. Petar Tsankov Senior researcher, SRI lab, ETH Zurich Co-founder and Chief Scientist, ChainSecurity Inter-disciplinary research at Next-generation blockchain security ETH

1.22k views • 32 slides
Declarative Static Analysis of Smart Contracts securify.ch Quentin Hibon Blockchain Security

Declarative Static Analysis of Smart Contracts securify.ch Quentin Hibon Blockchain Security

Declarative Static Analysis of Smart Contracts securify.ch Quentin Hibon Blockchain Security Engineer, ChainSecurity Smart Contract Bugs in the News Low-level Code High-level languages Solidity Vyper compilation Low-level code

306 views • 28 slides
Smart Contract Security Assessing Solidity smart contracts About Me Evangelos Deirmentzoglou

Smart Contract Security Assessing Solidity smart contracts About Me Evangelos Deirmentzoglou

Smart Contract Security Assessing Solidity smart contracts About Me Evangelos Deirmentzoglou Security Consultant Smart contract audits Nmap/Ncrack contributor Certs: OSCE, OSCP, OSWP Blockchain Basics Front Running

642 views • 30 slides
SECURIFY: A COMPOSITIONAL APPROACH OF BUILDING SECURITY VERIFIED SYSTEM Liu Yang, Associate

SECURIFY: A COMPOSITIONAL APPROACH OF BUILDING SECURITY VERIFIED SYSTEM Liu Yang, Associate

1 SECURIFY: A COMPOSITIONAL APPROACH OF BUILDING SECURITY VERIFIED SYSTEM Liu Yang, Associate Professor, NTU SG-CRC 2018 28 March 2018 2 Securify Approach Compositional Security Securify Architecture Reasoning with Untrusted Components

418 views • 13 slides
Quantitative Analysis of Smart Contracts Krishnendu Chatterjee 1 Amir Goharshady 1 Yaron Velner 2 1

Quantitative Analysis of Smart Contracts Krishnendu Chatterjee 1 Amir Goharshady 1 Yaron Velner 2 1

Quantitative Analysis of Smart Contracts Krishnendu Chatterjee 1 Amir Goharshady 1 Yaron Velner 2 1 IST Austria 2 Hebrew University of Jerusalem ESOP 2018 Outline Smart Contracts Bugs in Smart Contracts Language Design Games and Abstraction

1.06k views • 73 slides
Writing Smart Contracts Dionysis Zindros Smart Contracts Day Athens, March 2017 We talked all

Writing Smart Contracts Dionysis Zindros Smart Contracts Day Athens, March 2017 We talked all

Writing Smart Contracts Dionysis Zindros Smart Contracts Day Athens, March 2017 We talked all about what smart contracts are... ...but what does a real smart contract look like? Lets talk about writing actual Smart Contracts with code

809 views • 50 slides
Back To The Future Of f Soft ftware Security Developing Secure Smart Contracts Final -

Back To The Future Of f Soft ftware Security Developing Secure Smart Contracts Final -

Back To The Future Of f Soft ftware Security Developing Secure Smart Contracts Final - OWASP Toronto January 23, 2019 Whoami Jamie Baxter, M. Eng., OSCP, OSCE, CISSP, GPEN Independent Information Security Consultant focusing on

764 views • 52 slides
Security Analysis of Emerging Smart Home Applications Earlence Fernandes, Jaeyeon Jung, Atul

Security Analysis of Emerging Smart Home Applications Earlence Fernandes, Jaeyeon Jung, Atul

Security Analysis of Emerging Smart Home Applications Earlence Fernandes, Jaeyeon Jung, Atul Prakash IEEE Security and Privacy 24 May 2016 Smart Door Locks CO Sensors Connected Ovens Smart Plugs IP Cameras Emerging Smart Home Frameworks

502 views • 35 slides
Smart Contracts Jrgen Modin The two building blocks of smart contracts Digital signatures

Smart Contracts Jrgen Modin The two building blocks of smart contracts Digital signatures

Smart Contracts Jrgen Modin The two building blocks of smart contracts Digital signatures The blockchain What does the blockchain do? One timestamp, and one context for each signature You can detect if someone is promising

289 views • 7 slides
Enter Hydra towards (more) secure smart contracts Philip Daian, Ari Juels Cornell [Tech] .

Enter Hydra towards (more) secure smart contracts Philip Daian, Ari Juels Cornell [Tech] .

Enter Hydra towards (more) secure smart contracts Philip Daian, Ari Juels Cornell [Tech] . Lorenz Breidenbach ETH Zurich, Cornell [Tech] . Florian Tramer . Stanford . Smart Contract Security - The Prongs Formal Verification (+Specification)

960 views • 28 slides
Smart Contracts and Ethereum Winter School on Cryptocurrency Loi Luu and Blockchain Technologies

Smart Contracts and Ethereum Winter School on Cryptocurrency Loi Luu and Blockchain Technologies

Smart Contracts and Ethereum Winter School on Cryptocurrency Loi Luu and Blockchain Technologies National University of Singapore Shanghai, Jan. 15-17 2017 Some slides are courtesy of Vitalik Buterin 1 Agenda Smart contracts and

1.12k views • 79 slides
Bitcoin Smart Contracts Saravanan Vijayakumaran sarva@ee.iitb.ac.in Department of Electrical

Bitcoin Smart Contracts Saravanan Vijayakumaran sarva@ee.iitb.ac.in Department of Electrical

Bitcoin Smart Contracts Saravanan Vijayakumaran sarva@ee.iitb.ac.in Department of Electrical Engineering Indian Institute of Technology Bombay August 26, 2019 1 / 17 Smart Contracts Computer protocols which help execution/enforcement of

288 views • 17 slides
Ethereum Transactions and Smart Contracts Prof. Tom Austin San Jos State University

Ethereum Transactions and Smart Contracts Prof. Tom Austin San Jos State University

Cryptocurrencies &amp; Security on the Blockchain Ethereum Transactions and Smart Contracts Prof. Tom Austin San Jos State University Transactions Transactions Signed messages triggered by EOA Atomic If they fail, they roll back

536 views • 22 slides
Security Analysis of Emerging Smart Home Applica6ons Earlence Fernandes, Jaeyeon Jung, Atul

Security Analysis of Emerging Smart Home Applica6ons Earlence Fernandes, Jaeyeon Jung, Atul

Security Analysis of Emerging Smart Home Applica6ons Earlence Fernandes, Jaeyeon Jung, Atul Prakash Presented by: Gohar Irfan Chaudhry IEEE Security and Privacy 24 May 2016 Smart Door Locks nsors Connected Ovens Plugs IP Cameras Emerging

484 views • 31 slides
Designing Secure Ethereum Smart Contracts: A Finite State Machine Based Approach Anastasia

Designing Secure Ethereum Smart Contracts: A Finite State Machine Based Approach Anastasia

Designing Secure Ethereum Smart Contracts: A Finite State Machine Based Approach Anastasia Mavridou 1 and Aron Laszka 2 1 Vanderbilt University 2 University of Houston 2 Smart Contract Insecurity Smart contracts are riddled with bugs and

575 views • 21 slides
First steps towards cryptographically sound confidentiality analysis of cryptographic protocols

First steps towards cryptographically sound confidentiality analysis of cryptographic protocols

First steps towards cryptographically sound confidentiality analysis of cryptographic protocols Peeter Laud peeter l@ut.ee Tartu Ulikool Cybernetica AS Teooriap aevad Arulas, 3.-5.02.2003 p.1/27 Overview Cryptographic protocols.

570 views • 27 slides
Overview of 2016 10:15a.m. 11:45a.m. Materiality Threshold &amp; Reporting Companies Time

Overview of 2016 10:15a.m. 11:45a.m. Materiality Threshold &amp; Reporting Companies Time

Overview of 2016 10:15a.m. 11:45a.m. Materiality Threshold &amp; Reporting Companies Time Period Total ONRR Materiality Annual # of Revenues Threshold Payments Companies CY 2013 $12.4 billion 83% $50.0 million 45 FY 2015 $8.9

174 views • 6 slides
Combining Verification and Conformance Testing for Validating Reactive Systems Vlad Rusu, Thierry

Combining Verification and Conformance Testing for Validating Reactive Systems Vlad Rusu, Thierry

Combining Verification and Conformance Testing for Validating Reactive Systems Vlad Rusu, Thierry Jron, and Herv Marchand First.Last@irisa.fr IRISA/INRIA Rennes, project Vertecs http://www.irisa.fr/vertecs Combining verification and

632 views • 38 slides
EGOS and process.c CS 4411 Spring 2020 Announcements EGOS source code update Cornell

EGOS and process.c CS 4411 Spring 2020 Announcements EGOS source code update Cornell

EGOS and process.c CS 4411 Spring 2020 Announcements EGOS source code update Cornell Undergraduate Research advertisements Outline for Today EGOS Concepts Kernel and user processes Message passing Process.c overview

297 views • 15 slides
View The Email to Get Hacked: Attacking SMS-based Two-Factor Authentication Philipp Markert,

View The Email to Get Hacked: Attacking SMS-based Two-Factor Authentication Philipp Markert,

View The Email to Get Hacked: Attacking SMS-based Two-Factor Authentication Philipp Markert, Florian Farke, and Markus Drmuth Santa Clara, California, USA | WAY 2019 | August 11, 2019 Two-Factor Authentication 1 1 2 1 Gmail 2FA

415 views • 28 slides
DISE: DISTRIBUTED SYMMETRIC-KEY ENCRYTION Shashank Agrawal Payman Mohassel Pratyay Mukherjee

DISE: DISTRIBUTED SYMMETRIC-KEY ENCRYTION Shashank Agrawal Payman Mohassel Pratyay Mukherjee

DISE: DISTRIBUTED SYMMETRIC-KEY ENCRYTION Shashank Agrawal Payman Mohassel Pratyay Mukherjee Peter Rindal Threshold Cryto Has focused on public-key crypto Symmetric-key encryption got less attention Symmetric keys dont stay

338 views • 31 slides
Librecast Privacy and Decentralisation with Multicast IPv6 Multicast and the Next Generation

Librecast Privacy and Decentralisation with Multicast IPv6 Multicast and the Next Generation

Librecast Privacy and Decentralisation with Multicast IPv6 Multicast and the Next Generation Internet Brett Sheffield, Librecast Project @brett sheffield #FOSDEM2020 Before we begin... Librecast Librecast Librecast Developers

841 views • 58 slides
Lab 8: Firewalls &amp; Intrusion Detec6on Systems Fengwei Zhang Wayne State University CSC

Lab 8: Firewalls &amp; Intrusion Detec6on Systems Fengwei Zhang Wayne State University CSC

Lab 8: Firewalls &amp; Intrusion Detec6on Systems Fengwei Zhang Wayne State University CSC Course: Cyber Security Prac6ce 1 Firewall &amp; IDS Firewall A device or applica6on that analyzes packet headers and enforces policy based on

496 views • 20 slides

More recommend