SLIDE 1 SMARTSHIELD: Automatic Smart Contract Protection Made Easy
Yuyao Zhang¹, Siqi Ma², Juanru Li¹, Kailai Li¹, Surya Nepal², Dawu Gu¹
¹ Shanghai Jiao Tong University, Shanghai, China; ² Data61, CSIRO, Sydney, Australia
SLIDE 2 Outline
1 Background
2 Motivation
3 Automated Rectification with SMARTSHIELD
4 Evaluation
5 Conclusion
SLIDE 4 Blockchain
▪ A decentralized and distributed system.
▪ Secured using cryptography.
▪ Trust arises from the majority of peers, not an authority.
▪ Blockchain 1.0:
  ▪ Cryptocurrency (Bitcoin)
▪ Blockchain 2.0:
  ▪ Smart Contract (Ethereum)
SLIDE 5 Ethereum Smart Contract
▪ Programs that permanently exist and automatically run
▪ Enabling the encoding of complex logic:
  ▪ Payoff schedule
  ▪ Investment assumptions
  ▪ Interest policy
  ▪ ……
SLIDE 6 Ethereum Smart Contract
▪ Written in high-level languages (e.g., Solidity).
▪ Compiled to low-level bytecode.
▪ Executed on the Ethereum Virtual Machine (EVM).

Solidity source:

    mapping(address => uint) public balances;
    ...
    function send(address receiver, uint amount) public {
        require(amount <= balances[msg.sender]);
        balances[msg.sender] -= amount;
        balances[receiver] += amount;
    }

EVM bytecode (offset, instruction, encoded bytes):

    0000: PUSH1 0x01      6001
    0002: PUSH1 0xFF      60FF
    0004: AND             16
    0005: PUSH1 0x80      6080
    0007: MSTORE          52
    0008: PUSH1 0x80      6080
    000A: MLOAD           51
    000B: ISZERO          15
    000C: PUSH2 0x0011    610011
    000F: JUMPI           57
    0010: STOP            00
    0011: JUMPDEST        5B
    0012: PUSH1 0x00      6000
    0014: DUP1            80
    0015: REVERT          FD
SLIDE 8 Attacks on Smart Contracts
SLIDE 9 Motivation
Key Insights
- A smart contract can never be updated after its deployment to the blockchain.
- Existing tools only locate smart contract bugs instead of helping developers fix the buggy code.
- A large portion of smart contract bugs share common code patterns, indicating that they can be fixed through a unified approach.
SLIDE 10 Insecure Code Patterns in Smart Contracts
▪ Code Pattern 1: State Changes after External Calls.
  ▪ A state variable is updated after an external function call.
  ▪ May result in a re-entrancy bug.
1 2 3 4 5 6 7 8 mapping (address => uint) public userBalances; ... function withdrawBalance(uint amountToWithdraw) public { require(userBalances[msg.sender] >= amountToWithDraw); + userBalances[msg.sender] -= amountToWithdraw; msg.sender.call.value(amountToWithdraw)();
- userBalances[msg.sender] -= amountToWithdraw;
}
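Review bot: the require line at the top of withdrawBalance spells the argument amountToWithDraw, while the parameter and the other two uses are amountToWithdraw, so the snippet does not compile as shown; make the spelling match. Separately, the result of msg.sender.call.value(amountToWithdraw)() is still discarded after the reorder, so a failed transfer leaves userBalances debited; wrapping the call in require(...) would close that gap.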
SLIDE 11 Insecure Code Patterns in Smart Contracts
▪ Code Pattern 2: Missing Checks for Out-of-Bound Arithmetic Operations.
  ▪ An arithmetic operation is executed without checking the data validity in advance.
  ▪ May cause an arithmetic bug.
1 2 3 4 5 6 7 8 9 10 11 12 13 uint public lockTime = now + 1 weeks; address public user; ... function increaseLockTime(uint timeToIncrease) public { require(msg.sender == user); + require(lockTime + timeToIncrease >= lockTime); lockTime += timeToIncrease; } ... function withdrawFunds() public { require(now > lockTime); user.transfer(address(this).balance); }
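Review bot: the added require(lockTime + timeToIncrease >= lockTime) in increaseLockTime evaluates the same addition again on the next line; a short comment that the comparison detects uint wraparound would help readers, and if other arithmetic sites need the same guard, a shared checked-add helper avoids repeating the expression by hand.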
SLIDE 12 Insecure Code Patterns in Smart Contracts
▪ Code Pattern 3: Missing Checks for Failing External Calls.
  ▪ The return value is not being checked after an external function call.
  ▪ May cause an unchecked return value bug.
1 2 3 4 5 6 7 8 9 10 bool public payedOut = false; address public winner; uint public bonus; ... function sendToWinner() public { require(!payedOut && msg.sender == winner);
+ require(msg.sender.send(bonus)); payedOut = true; }
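Review bot: in sendToWinner, payedOut = true still follows msg.sender.send(bonus), so the state update happens after the external call; moving payedOut = true above the require keeps the checks-effects-interactions order, and the require still reverts the flag if the send fails. The hunk also shows no removed line for the original unchecked send, so it is unclear from the diff alone what the added require replaces.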
SLIDE 13 Our Approach
▪ Automatically fix insecure cases with typical patterns in smart contracts before their deployments.
▪ Challenges & Solutions:
  ▪ Compatibility → Bytecode-Level Program Analysis.
  ▪ Reliability → Semantic-Preserving Code Transformation.
  ▪ Economy → Gas Optimization.
[Figure labels: Contract Developer; Source Code; Compile; Automated Rectification; Rectified Contract; Deploy; Attackers]
SLIDE 15 Automated Rectification with SMARTSHIELD
[Figure labels: Smart Contract; Abstract Syntax Tree (AST); Unrectified EVM Bytecode (sample disassembly); Semantic Extraction; Bytecode-Level Semantic Information; Contract Rectification; Control Flow Transformation; DataGuard Insertion; Bytecode Relocation; Bytecode Validation; Rectified Contract; Rectification Report]
SLIDE 16 High-Level Workflow of SMARTSHIELD
▪ Take a smart contract as input.
▪ Output a secure EVM bytecode without any of the three insecure code patterns:
  ▪ State changes after external calls.
  ▪ Missing checks for out-of-bound arithmetic operations.
  ▪ Missing checks for failing external calls.
▪ Generate a rectification report to the developer.
SLIDE 17 Semantic Extraction
▪ Bytecode-Level Semantic Information:
  ▪ Control and data dependencies among instructions in EVM bytecode.
  ▪ Necessary for further code transformation and secure bytecode generation.
▪ Extract bytecode-level semantic information from:
  ▪ Abstract Syntax Tree (AST): Control- and data-flow analysis.
  ▪ Unrectified EVM Bytecode: Abstractly emulate the execution of the contract bytecode.
SLIDE 18 Contract Rectification
▪ Strategy 1: Control Flow Transformation.
  ▪ Revise state changes after external calls.
  ▪ Adjust the original control flow by moving state change operations to the front of external calls.
  ▪ Preserve the original dependencies among instructions in EVM bytecode.
0000: 0003: 0005: 0006: 0008: 0009: 000B: 000C: 001C: 001F: 0021: 0031: 0033: 0034: 0036: PUSH2 0x5B61 PUSH1 0x80 MSTORE PUSH1 0x80 MLOAD PUSH1 0x00 SSTORE CALL ... PUSH2 0x5B61 PUSH1 0x80 MSTORE ... PUSH1 0x80 MLOAD PUSH1 0x00 SSTORE + 615B61 + 6080 + 52 + 6080 + 51 + 6000 + 55 F1 ...
...
Data Dependency Rectification
SLIDE 19 Contract Rectification
▪ Strategy 2: DataGuard Insertion.
  ▪ Fix missing checks for out-of-bound arithmetic operations, and missing checks for failing external calls.
▪ DataGuard:
  ▪ Sequences of instructions that perform certain data validity checks.
0000: 0002: 0003: 0006: 0007: 000A: 000D: 000E: 008A: 009A: PUSH1 0x04 CALLDATALOAD PUSH2 0x93A8 ADD PUSH2 0x000E PUSH2 0x008A JUMP JUMPDEST ... JUMPDEST <Safe Function for Addition> JUMP 6004 35 6193A8
+ 61000E + 61008A + 56 + 5B ... + 5B + + 56
Control Flow Transfer
SLIDE 20 Rectified Contract Generation
▪ Bytecode Relocation:
  ▪ Update all unaligned target addresses of jump instructions.
▪ Bytecode Validation:
  ▪ Validate whether the other irrelevant functionalities are affected.
▪ Rectification Report:
  ▪ Record the concrete modifications for further manual verification or adjustments.
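Bytecode relocation and validation as an added example (not SMARTSHIELD's code): inserting bytes shifts every later instruction, so a jump target pushed before the insertion goes stale until it is rewritten. The code assumes each target is pushed by a PUSH2 directly before JUMP/JUMPI; the function names, the 3-byte placeholder patch and the sample bytes (built from the slide 6 instruction listing) are constructed for illustration.

```python
# Added example (not SMARTSHIELD code): fix PUSH2 jump targets after an insertion.
PUSH1, PUSH2, PUSH32 = 0x60, 0x61, 0x7F
JUMP, JUMPI, JUMPDEST = 0x56, 0x57, 0x5B

def disassemble(code):
    """Return [(offset, opcode, operand)], stepping over PUSH immediates."""
    out, pc = [], 0
    while pc < len(code):
        op = code[pc]
        n = op - PUSH1 + 1 if PUSH1 <= op <= PUSH32 else 0
        out.append((pc, op, code[pc + 1:pc + 1 + n]))
        pc += 1 + n
    return out

def jump_pairs(ins):
    """Yield (index, target) for each PUSH2 directly followed by JUMP/JUMPI."""
    for i in range(len(ins) - 1):
        if ins[i][1] == PUSH2 and ins[i + 1][1] in (JUMP, JUMPI):
            yield i, int.from_bytes(ins[i][2], "big")

def jump_targets_valid(code):
    """Validation: every such jump must land on a JUMPDEST instruction."""
    ins = disassemble(code)
    dests = {off for off, op, _ in ins if op == JUMPDEST}
    return all(t in dests for _, t in jump_pairs(ins))

def insert_and_relocate(code, at, patch):
    """Insert `patch` before the instruction at `at` and rewrite jump targets.
    Assumption: targets are pushed by a PUSH2 directly before JUMP/JUMPI."""
    ins = disassemble(code)
    if at not in {off for off, _, _ in ins}:
        raise ValueError("insertion point is not an instruction boundary")
    if not jump_targets_valid(code):
        raise ValueError("input already has a jump that misses a JUMPDEST")
    # Old instruction offset -> offset once the patch is in place.
    new_off = {off: off + (len(patch) if off >= at else 0) for off, _, _ in ins}
    fixed = {i: new_off[t].to_bytes(2, "big") for i, t in jump_pairs(ins)}
    out = bytearray()
    for i, (off, op, arg) in enumerate(ins):
        if off == at:
            out += patch
        out += bytes([op]) + fixed.get(i, arg)
    return bytes(out)

# Constructed sample: the slide 6 instruction listing (JUMPI target 0x0011).
ORIGINAL = bytes.fromhex("600160ff166080526080511561001157005b600080fd")
PATCH = bytes.fromhex("600050")  # PUSH1 0x00; POP: placeholder, not a real DataGuard
NAIVE = ORIGINAL[:5] + PATCH + ORIGINAL[5:]  # inserted, targets untouched
RELOCATED = insert_and_relocate(ORIGINAL, 0x05, PATCH)
```

NAIVE fails the validation check because its PUSH2 still points at the old offset, which now falls inside an operand; RELOCATED passes because the target was moved with the JUMPDEST.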
SLIDE 22 Research Questions
▪ RQ1: Scalability.
  ▪ How scalable is SMARTSHIELD in rectifying real-world smart contracts?
▪ RQ2: Correctness.
  ▪ How effective and accurate is SMARTSHIELD in fixing insecure cases with typical patterns and assuring the functionality consistency between the rectified and the original contracts?
▪ RQ3: Cost.
  ▪ What is the additional cost of the rectified contract?
SLIDE 23 Dataset
▪ A snapshot of the first 7,000,000 blocks in the Ethereum Mainnet (ETH).
  ▪ 2,214,409 real-world smart contracts.
▪ Label insecure cases with the help of state-of-the-art smart contract analysis tools.
  ▪ 95,502 insecure cases in 28,621 contracts.
SLIDE 24 RQ1: Scalability
▪ 87,346 (91.5%) insecure cases were fixed.
▪ 25,060 (87.6%) insecure contracts were fully rectified.
▪ The remaining insecure cases were marked as “unrectifiable” due to a conservative policy.
SLIDE 25 RQ2: Correctness
▪ Part 1: Evaluate whether SMARTSHIELD actually fixed the insecure code in contracts.
  ▪ Leverage prevalent analysis techniques to examine each rectified contract.
  ▪ Replay exploits of existing high-profile attacks against rectified contracts.
SLIDE 26 RQ2: Correctness
▪ Part 2: Validate whether the functionalities of each rectified contract are still executed consistently.
  ▪ Use historical transaction data to re-execute each rectified contract.
  ▪ Check whether the implemented functionalities are still executed in the same way.
▪ 268,939 historical transactions were replayed.
▪ Only 13 contracts showed inconsistency due to incompatibility issues.
SLIDE 27 RQ3: Cost
▪ The average size increment for each contract is around 1.0% (49.3 bytes).
▪ The gas consumption for each rectified contract increases by 0.2% on average, that is, 0.0001 USD.
SLIDE 29 Conclusion
▪ A first step towards a general-purpose smart contract protection against attacks exploiting insecure contracts.
▪ An automated smart contract rectification system, SMARTSHIELD, to generate secure EVM bytecode without typical insecure patterns for deployment.
▪ An evaluation with 28,621 real-world buggy contracts: 87,346 (91.5%) of insecure cases were automatically fixed.
▪ Effective and economical contract protection:
  ▪ The rectified contracts are secure against common attacks.
  ▪ The rectification only introduces a 0.2% average gas increment for each contract.
SLIDE 30 In memory of medical staff who bravely fight COVID
During the new coronavirus infection in 2020:
- Li Wenliang and 8 other doctors died of illness
- More than 3,000 health workers infected
Pay the highest respect to all the medical staff !
SLIDE 31 Questions?