Securify: Practical Security Analysis of Smart Contracts - - PowerPoint PPT Presentation

SLIDE 1

Securify: Practical Security Analysis of Smart Contracts
https://securify.ch

  • Dr. Petar Tsankov
    Scientific Researcher, ICE center, ETH Zurich
    Co-founder and Chief Scientist, ChainSecurity AG
    http://www.ptsankov.com/ @ptsankov

SLIDE 2

ICE: Inter-disciplinary and inter-department research center at ETH Zurich
http://ice.ethz.ch

  • Prof. Martin Vechev
  • Prof. Laurent Vanbever
  • Dr. Petar Tsankov
  • Dr. Dana Drachsler
  • Timon Gehr, Ahmed El-Hassany, Maria Apostolaki, Rüdiger Birkner, Samuel Steffan, Roland Meier, Johannes Kapfhammer

SLIDE 3

Research @ ICE

  • Programmable networks
  • Security and privacy
  • Blockchain security
  • Safe and interpretable AI

SLIDE 5

What is a Smart Contract?

  • Small programs that handle cryptocurrencies
  • Written in high-level languages (e.g., Solidity, Vyper)
  • Executed on the blockchain (e.g. Ethereum)
  • Usually no patching after release

    mapping(address => uint) balances;
    function withdraw() {
        uint amount = balances[msg.sender];
        msg.sender.call.value(amount)();   // Transfer ETH to the caller
        balances[msg.sender] = 0;
    }

What can happen when programs handle billions worth of USD?

SLIDE 6

Smart Contract Security Bugs in the News

SLIDE 7

June 2016: The DAO hack

SLIDE 8

The DAO hack: Reentrancy

Bank Contract

    mapping(address => uint) balances;
    function withdraw() {
        uint amount = balances[msg.sender];
        msg.sender.call.value(amount)();   // calls the default "fallback" function
        balances[msg.sender] = 0;          // balance is zeroed after ether transfer
    }

User Contract

    function moveBalance() {
        bank.withdraw();
    }
    ...
    function () payable {
        // log payment
    }

Sequence: withdraw() → 10 ether; withdraw() → 0 ether

Can the user contract withdraw more than its balance?

Later…

SLIDE 9

The DAO hack: Reentrancy

Bank Contract

    mapping(address => uint) balances;
    function withdraw() {
        uint amount = balances[msg.sender];
        msg.sender.call.value(amount)();
        balances[msg.sender] = 0;
    }

User Contract

    function moveBalance() {
        bank.withdraw();
    }
    ...
    function () payable {
        bank.withdraw();   // calls withdraw() before balance is set to 0
    }

Sequence: withdraw() → 10 ether; withdraw() → 10 ether; ...

An attacker used this bug to steal 3.6M ether (> 1B USD today)
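A toy model of the slide-8/9 exchange, added here as an example and not taken from the slides: `Bank` and `User` are constructed Python stand-ins for the two contracts, and the `safe` flag moves the balance update before the external call, which is the ordering the compliance pattern on slide 20 demands.

```python
# Added example (not from the slides): a toy model of the slide-8/9 bank and
# user contracts, showing why "call first, zero the balance afterwards" is unsafe.
class Bank:
    """Stands in for the Bank Contract; safe=False reproduces the slide's withdraw()."""
    def __init__(self, safe):
        self.balances, self.total, self.safe = {}, 0, safe

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.total += amount

    def withdraw(self, caller):
        amount = self.balances[caller.name]
        if amount > self.total:            # bank is out of ether: the transfer fails
            return
        if self.safe:                      # effects before interaction: zero first
            self.balances[caller.name] = 0
        self.total -= amount
        caller.fallback(self, amount)      # external call: control leaves the bank
        if not self.safe:                  # slide-8 order: state change after the call
            self.balances[caller.name] = 0

class User:
    """Stands in for the User Contract; reenter=True is the slide-9 fallback."""
    def __init__(self, name, reenter):
        self.name, self.reenter, self.received, self.log = name, reenter, 0, []

    def fallback(self, bank, amount):
        self.received += amount
        self.log.append(f"withdraw() {amount} ether")
        if self.reenter and bank.balances[self.name] > 0:   # balance not yet zeroed
            bank.withdraw(self)

def run(safe, reenter):
    """Bank holds 90 ether of other users plus the user's 10; returns (ether received, call log)."""
    bank, user = Bank(safe), User("user", reenter)
    bank.deposit("others", 90)
    bank.deposit(user.name, 10)
    bank.withdraw(user)
    return user.received, user.log
```

With the slide's ordering the re-entering user drains all 100 ether in ten nested calls; zeroing the balance first leaves it with exactly its own 10.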

SLIDE 10

July 2017: Parity Multisig Bug 1

SLIDE 11

Parity Multisig Bug 1: Unprivileged Write to Storage

Wallet Contract

    address owner = ...;
    function initWallet(address _owner) {
        owner = _owner;                  // Any user may change the wallet's owner
    }
    function withdraw(uint _amount) {
        if (msg.sender == owner) {       // Only the owner can withdraw ether
            msg.sender.transfer(_amount);
        }
    }

An attacker used a similar bug to steal $30M in July 2017

SLIDE 12

Four months later… Parity Multisig Bug 2

SLIDE 13

Parity Multisig Bug 2: Frozen Wallets

Wallet Contract

    address walletLibrary = ...;   // address
    function() payable {
        walletLibrary.delegatecall(msg.data);   // Execute the code in the wallet library
    }
    function withdraw(uint amount) {
        walletLibrary.delegatecall(msg.data);
    }

Wallet Library

    function() payable {
        // fallback
    }
    function withdraw(uint amount) {
        // withdraw funds
    }

However, in Ethereum, smart contracts can be killed!

SLIDE 14

Parity Multisig Bug 2: Frozen Wallets

A user froze $170M by deleting the wallet library

Wallet Contract: both the fallback and withdraw() delegatecall into walletLibrary (same code as slide 13)

Wallet Library (deleted)

    ...
    function() payable {
        // fallback
    }
    function withdraw(uint amount) {
        // withdraw funds
    }

An attacker deleted the library: no withdrawals are possible

SLIDE 15

Relevant Security Properties…

  • Manipulating ether flows via transaction reordering
  • Reentrant method calls (e.g., DAO bug)
  • Insecure coding, such as unprivileged writes
  • Unexpected ether flows
  • Use of unsafe inputs (e.g., reflection, hashing, …)

Many of these are nontrivial trace-/hyper-properties

SLIDE 16

Automated Security Analysis of Smart Contracts: Challenges and Gaps

SLIDE 17

Security Analysis (high-level view)

Diagram: the set of all possible contract behaviors, with the security violations as a subset of it.

Minor issue: smart contracts are written in Turing-complete languages

SLIDE 18

Automated Security Solutions

Bug finding
  • Testing (e.g., Truffle): reports true bugs, can miss bugs
  • Dynamic (symbolic) analysis (e.g., Oyente, Mythril, MAIAN): reports true bugs, can miss bugs

Verification
  • WANTED: Automated Verifier: no missed bugs, can report false alarms

SLIDE 19

Domain-Specific Insight:

When contracts satisfy/violate a property, they often also satisfy/violate a much simpler property

SLIDE 20

Example: The DAO Hack

    function withdraw() {
        uint amount = balances[msg.sender];
        msg.sender.call.value(amount)();
        balances[msg.sender] = 0;
    }

Security property: No state changes after call instructions (hard to verify in general)

Compliance pattern: No writes to storage may follow call instructions (easier to check automatically; verifies 91% of all deployed contracts)

Violation pattern: A write to storage must follow call instructions (easier to check automatically)

SLIDE 21

Classifying Behaviors using Compliance and Violation Patterns

All behaviors are split into safe and unsafe behaviors:
  • Violation pattern matches → Violation (unsafe behaviors)
  • Compliance pattern matches → No violation (safe behaviors)
  • Neither pattern matches → Warning

All unsafe behaviors are reported

SLIDE 22

www.securify.ch

A practical verifier for Ethereum smart contracts:

  • fully-automated
  • extensible
  • scalable
  • precise
  • publicly available
SLIDE 23

DEMO

SLIDE 24

www.securify.ch

Beta version released in Fall 2017

  • Regularly used by auditors to perform professional security audits
  • 95% positive feedback
  • > 800 users signed up for updates
  • > 8K uploaded smart contracts
  • Interesting discussions on Reddit

New release coming up very soon

SLIDE 25

Securify: Under the Hood

Pipeline: EVM Bytecode → Decompile → Intermediate Representation → Infer facts → Semantic Representation → Check patterns

EVM Bytecode
    00: 60
    02: 5b
    04: 42
    06: 80
    08: 90
    0a: 56
    ⋮

Intermediate Representation
    00: x = Balance
    02: y = 0x20
    04: If (x == 0x00)
    06: MStore(y, x)
    08: z = y
    0a: goto 0x42
    ⋮

Semantic Representation
    MemTag(0x20, Balance)
    MemTag(0x40, Const)
    VarTag(z, Const)
    VarTag(k, Gas)
    Assign(s, 0x20)
    Call(s, k)
    ⋮

Fully automated, sound, scalable, extensible

SLIDE 26

Securify: Under the Hood

Step 1, Decompile: EVM Bytecode → Intermediate Representation (the listings are those of slide 25)

SLIDE 27

From EVM to CFG over SSA

Decompiling EVM bytecode:

  • Convert into static single assignment form (each variable is assigned once)
  • Perform partial evaluation (to resolve jump destinations, memory/storage offsets)
  • Identify and inline methods (to enable context-sensitive analysis)
  • Construct control-flow graph

SLIDE 28

Securify: Under the Hood

Step 2, Infer facts: Intermediate Representation → Semantic Representation (the listings are those of slide 25)

Which facts are relevant for verifying smart contracts?

SLIDE 29

Semantic Facts

Flow dependencies
  • MayFollow(l, l'): the instruction at label l may follow that at label l'
  • MustFollow(l, l'): the instruction at label l must follow that at label l'

Data dependencies
  • MayDepOn(x, t): the value of x may depend on tag t
  • DetBy(x, t): for different values of t, the value of x is different

A tag can be an instruction (e.g. Caller) or a variable

The inference of all semantic facts is declaratively specified in Datalog

Many properties can be checked on the contract's dependency graph

SLIDE 30

Example: MayFollow

    MayFollow(l, l')  ← Follow(l, l')
    MayFollow(l, l'') ← Follow(l, l'), MayFollow(l', l'')

Program (control flow: 1 → 2; 2 → 3 → 4; 2 → 5 → 6):

    1: x := 10
    2: y := x + 20
    3: y--
    4: return
    5: y := 0
    6: return

Datalog input: Follow(1,2) Follow(2,3) Follow(3,4) Follow(2,5) Follow(5,6)

Datalog fixpoint: MayFollow(1,2) MayFollow(1,3) MayFollow(1,4) MayFollow(1,5) MayFollow(1,6) MayFollow(2,3) MayFollow(2,4) MayFollow(2,5) MayFollow(2,6) MayFollow(3,4) MayFollow(5,6)

SLIDE 31

Deriving MayDepOn

Program:

    1: x := Balance
    2: MStore(0x20, x)
    3: y := MLoad(0x20)
    4: z := x + y

Datalog input:

    Follow(1,2) Follow(2,3) Follow(3,4)
    Assign(x, Balance)                 derived from the Balance instruction
    isConst(0x20)
    MStore(2, 0x20, x)                 memory operations
    MLoad(3, y, 0x20)
    Op(4, z, x)  Op(4, z, y)           capture that z is derived from x and y

Rules:

    MayDepOn(x, t)  ← Assign(x, t)
    MayDepOn(x, t)  ← Op(_, x, x'), MayDepOn(x', t)
    MayDepOn(x, t)  ← MLoad(l, x, o), isConst(o), MemTag(l, o, t)
    MayDepOn(x, t)  ← MLoad(l, x, o), ¬isConst(o), MemTag(l, _, t)
    MemTag(l, o, t) ← MStore(l, o, x), isConst(o), MayDepOn(x, t)
    MemTag(l, ⊤, t) ← MStore(l, o, x), ¬isConst(o), MayDepOn(x, t)
    MemTag(l, o, t) ← Follow(l, l'), MemTag(l', o, t), ¬MStore(l, o, _)
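The MayDepOn / MemTag rules as a runnable Datalog-style fixpoint, added here as an example (not Securify's implementation). The fact base is constructed from the slide's four instructions; Follow(l, l2) is read as "l2 executes right after l", matching the slide-30 facts, and the memory-tag propagation rule is oriented accordingly.

```python
# Added example (not Securify's code): the slide-31 MayDepOn / MemTag rules as a
# naive Datalog fixpoint, run on that slide's four-instruction program.
# Follow(l, l2) is read as "l2 executes right after l", matching the slide-30 facts,
# so memory tags are propagated from l to l2 unless l2 overwrites the offset.
TOP = "⊤"   # unknown (non-constant) memory offset

# Constructed fact base for: 1: x := Balance   2: MStore(0x20, x)
#                            3: y := MLoad(0x20)   4: z := x + y
FACTS = {
    "Follow":  {(1, 2), (2, 3), (3, 4)},
    "Assign":  {("x", "Balance")},               # (variable, tag)
    "isConst": {"0x20"},
    "MStore":  {(2, "0x20", "x")},               # (label, offset, stored variable)
    "MLoad":   {(3, "y", "0x20")},               # (label, loaded variable, offset)
    "Op":      {(4, "z", "x"), (4, "z", "y")},   # (label, result, operand)
}

def infer(f):
    """Least fixpoint of the rules; returns (MayDepOn as {(x, t)}, MemTag as {(l, o, t)})."""
    dep = set(f["Assign"])          # MayDepOn(x, t) <- Assign(x, t)
    tag = set()
    while True:
        new_dep, new_tag = set(), set()
        for (_, x, x2) in f["Op"]:  # MayDepOn(x, t) <- Op(_, x, x'), MayDepOn(x', t)
            new_dep |= {(x, t) for (v, t) in dep if v == x2}
        for (l, x, o) in f["MLoad"]:
            if o in f["isConst"]:   # <- MLoad(l, x, o), isConst(o), MemTag(l, o, t)
                new_dep |= {(x, t) for (l2, o2, t) in tag if (l2, o2) == (l, o)}
            else:                   # <- MLoad(l, x, o), not isConst(o), MemTag(l, _, t)
                new_dep |= {(x, t) for (l2, _, t) in tag if l2 == l}
        for (l, o, x) in f["MStore"]:  # MemTag(l, o or TOP, t) <- MStore(l, o, x), MayDepOn(x, t)
            off = o if o in f["isConst"] else TOP
            new_tag |= {(l, off, t) for (v, t) in dep if v == x}
        for (l, l2) in f["Follow"]:    # MemTag(l2, o, t) <- Follow(l, l2), MemTag(l, o, t), not MStore(l2, o, _)
            written = {o for (l3, o, _) in f["MStore"] if l3 == l2}
            new_tag |= {(l2, o, t) for (l3, o, t) in tag if l3 == l and o not in written}
        if new_dep <= dep and new_tag <= tag:
            return dep, tag
        dep |= new_dep
        tag |= new_tag

def tags_of(var, f=FACTS):
    """Tags the variable may depend on, e.g. tags_of("z") == {"Balance"}."""
    return {t for (v, t) in infer(f)[0] if v == var}
```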

SLIDE 32

Securify: Under the Hood

Step 3, Check patterns: over the Semantic Representation (the listing is that of slide 25)

SLIDE 33

Patterns DSL

    (Labels)   l ∶≔ (labels)
    (Vars)     x ∶≔ (variables)
    (Tags)     t ∶≔ l | x
    (Instr)    i ∶≔ instr(l, x, …, x)
    (Facts)    f ∶≔ MayFollow(l, l) | MustFollow(l, l) | MayDepOn(x, t) | DetBy(x, t)
    (Patterns) p ∶≔ f | ∀ i : p | ∃ i : p | p ∧ p | ¬p

SLIDE 34

Detecting the DAO Hack

    function withdraw() {
        uint amount = balances[msg.sender];
        msg.sender.call.value(amount)();
        balances[msg.sender] = 0;
    }

Security property: No state changes after call instructions. Formalized as a trace property: a call instruction followed by a write to storage.

Compliance pattern:
    Call(l, _, _, _) : ¬∃ SStore(l', _, _) . MayFollow(l, l')

Violation pattern:
    Call(l, _, _, _) : ∃ SStore(l', _, _) . MustFollow(l, l')

Proofs establish a formal logical relation between the property and its patterns
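An added example (not Securify's code) that ties slides 30, 21 and 34 together: MayFollow as a transitive-closure fixpoint, MustFollow as "every path from l to an exit passes the target", and the DAO compliance/violation patterns classifying three constructed control-flow graphs as compliant, violation or warning.

```python
# Added example (not Securify's code): Datalog-style MayFollow / MustFollow over a
# toy control-flow graph, and the slide-34 compliance/violation patterns on top.
# Constructed IR: label -> (opcode, successor labels); no successors = exit.
SLIDE30 = {1: ("x := 10", [2]), 2: ("y := x + 20", [3, 5]), 3: ("y--", [4]),
           4: ("return", []), 5: ("y := 0", [6]), 6: ("return", [])}
VULNERABLE = {1: ("SLOAD", [2]), 2: ("CALL", [3]), 3: ("SSTORE", [4]), 4: ("RETURN", [])}
SAFE = {1: ("SLOAD", [2]), 2: ("SSTORE", [3]), 3: ("CALL", [4]), 4: ("RETURN", [])}
# CALL followed by a branch of which only one arm writes storage.
BRANCHY = {1: ("CALL", [2]), 2: ("JUMPI", [3, 5]), 3: ("SSTORE", [4]),
           4: ("RETURN", []), 5: ("RETURN", [])}

def may_follow(ir):
    """MayFollow(l, l') <- Follow(l, l')
       MayFollow(l, l'') <- Follow(l, l'), MayFollow(l', l'')   (least fixpoint)"""
    follow = {(l, s) for l, (_, succs) in ir.items() for s in succs}
    may = set(follow)
    while True:
        new = {(l, n) for (l, m) in may for (m2, n) in follow if m2 == m} - may
        if not new:
            return may
        may |= new

def must_follow(ir, l, target):
    """MustFollow(l, target): every path from l to an exit passes through target."""
    seen, work = set(), [l]
    while work:
        cur = work.pop()
        if cur in seen:
            continue
        seen.add(cur)
        if cur == target and cur != l:
            continue                      # this path is intercepted by target
        if not ir[cur][1]:
            return False                  # reached an exit without seeing target
        work.extend(ir[cur][1])
    return True

def classify_dao(ir):
    """Compliance: Call(l) : not exists SStore(l') . MayFollow(l, l')
       Violation:  Call(l) : exists SStore(l') . MustFollow(l, l')
       Neither pattern matching yields a warning (slide 21)."""
    may = may_follow(ir)
    stores = [l for l, (op, _) in ir.items() if op == "SSTORE"]
    verdict = "compliant"
    for l, (op, _) in ir.items():
        if op != "CALL":
            continue
        if any(must_follow(ir, l, s) for s in stores):
            return "violation"
        if any((l, s) in may for s in stores):
            verdict = "warning"
    return verdict
```

On SLIDE30 the fixpoint reproduces the eleven MayFollow facts listed on slide 30.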

SLIDE 35

Detecting Unrestricted Writes

    address owner = ...;
    function initWallet(address _owner) {
        owner = _owner;      // Unrestricted write
    }

Security property: No storage offset is writable by all users. Formalized as a hyperproperty.

Compliance pattern:
    SStore(_, o, _) : DetBy(o, Caller)

Violation pattern:
    SStore(l, o, _) : ¬MayDepOn(o, Caller) ∧ ¬MayDepOn(l, Caller)

SLIDE 36

How well does this approach work in practice?

SLIDE 37

Securify vs. Existing Solutions

State-of-the-art security checkers for Ethereum smart contracts

  • Oyente
  • Mythril

Dataset

  • 80 open-source smart contracts

Experiment

  • Run contracts using Securify, Oyente, and Mythril
  • Manually inspect each reported vulnerability

SLIDE 38

Securify vs. Oyente vs. Mythril

Chart (bars per tool, y-axis 0–60%): true warnings, violations, false warnings and unreported vulnerabilities for Oyente, Securify and Mythril on four properties: transaction reordering, reentrancy, handled exception, restricted transfer.

SLIDE 39

Securing the blockchain

Start-ups: ChainSecurity, https://chainsecurity.com, contact@chainsecurity.com, jobs@chainsecurity.com, @chain_security

Research: http://jsnice.org http://apk-deguard.com http://securify.ch http://psisolver.org http://eventracer.org

SECURE, RELIABLE, INTELLIGENT SYSTEMS LAB
http://ai2.ethz.ch