Conference: ACM SIGSOFT International Symposium on Software Testing and Analysis (ISSTA)
CCF level: CCF A
Categories: Software Engineering/System Software/Programming Languages
Year: 2024
Num: 8
Conference time: Mon 16 - Fri 20 September 2024, Vienna, Austria
1
Title:
Following the "Thread": Toward Finding Manipulatable Bottlenecks In Blockchain Clients
Authors:
Abstract:
Blockchain clients are the fundamental element of blockchain network, each keeping a copy of the blockchain's ledger. They play a crucial role in ensuring the network's decentralization, integrity, and stability. As complex software systems, blockchain clients are not exempt from bottlenecks. Some bottlenecks create new attack surfaces, where attackers deliberately overload these weak points to congest client's execution, thereby causing denial of service (DoS). We call them manipulatable bottlenecks. Existing research primarily focuses on a few such bottlenecks, and heavily relies on manual analysis. To the best of our knowledge, there has not been any study proposing a systematic approach to identify manipulatable bottlenecks in blockchain clients. To bridge the gap, this paper delves into the primary causes of bottlenecks in software, and develops a novel tool named ThreadNeck to monitor the symptoms that signal these issues during client runtime. ThreadNeck models the clients as a number of threads, delineating their inter-relationship to accurately characterize client's behavior. Building on this, we can identify the suspicious bottlenecks and determine if they could be exploited by external attackers. After applying ThreadNeck to four mainstream clients developed in different programming languages, we totally discover 13 manipulatable bottlenecks, six of which are previously unknown. At the time of writing, three CVEs have been assigned.
2
Title:
Empirical Study of Move Smart Contract Security: Introducing MoveScan for Enhanced Analysis
Authors:
Abstract:
Move, a programming language for smart contracts, stands out for its focus on security. However, the practical security efficacy of Move contracts remains an open question. This work conducts the first comprehensive empirical study on the security of Move contracts. Our initial step involved collaborating with a security company to manually audit 652 contracts from 92 Move projects. This process reveals eight types of defects, with half of them previously unreported. These defects present potential security risks or could result in the inefficient use of computational resources. To further evaluate the prevalence of these defects in real-world Move contracts, we present MoveScan, an automated analysis framework that translates bytecode into an intermediate representation (IR), extracts essential meta-information, and detects all eight defect types. By leveraging MoveScan, we uncover 97,169 defects across all 37,302 deployed contracts in the Aptos and Sui blockchains, indicating a high prevalence of defects. Experimental results demonstrate that the precision of MoveScan reaches 98.85%, with an average project analysis time of merely 5.45 milliseconds. This surpasses previous state-of-the-art tools MoveLint, which exhibits an accuracy of 87.50% with an average project analysis time of 71.72 milliseconds, and Move Prover, which has a recall rate of 6.02% and requires manual intervention. Our research also yields new observations and insights that aid in developing more secure Move contracts.
3
Title:
FunRedisp: Reordering Function Dispatch in Smart Contract to Reduce Invocation Gas Fees
Authors:
Abstract:
Smart contracts mostly written in Solidity are Turing-complete programs executed on the blockchain platforms such as Ethereum. To prevent resource abuse, a gas fee is required when users deploy or invoke smart contracts. Although saving gas consumption has received much attention, no work investigates the effect of function dispatch on the invocation gas consumption. In this paper, after demystifying how the function dispatch affects the invocation gas consumption, we present FunRedisp, a bytecode refactoring method and an open-source tool, to reduce the overall invocation gas consumption of smart contracts. At the source code level, FunRedisp initially identifies hot functions in a smart contract that have a big chance to be invoked, and then moves them to the front of the function dispatch at the bytecode level. We implement FunRedisp and evaluate it on 50 real-world smart contracts randomly selected from Ethereum. The experimental results demonstrate that FunRedisp can save approximately 125.17 units of gas per transaction with the compilation overhead increased by only 0.37 seconds.
4
Title:
Identifying Smart Contract Security Issues in Code Snippets from Stack Overflow
Authors:
Abstract:
Smart contract developers frequently seek solutions to developmental challenges on Q&A platforms such as Stack Overflow (SO). Although community responses often provide viable solutions, the embedded code snippets can also contain hidden vulnerabilities. Integrating such code directly into smart contracts may make them susceptible to malicious attacks. We conducted an online survey and received 74 responses from smart contract developers. The results of this survey indicate that the majority (86.4%) of participants do not sufficiently consider security when reusing SO code snippets. Despite the existence of various tools designed to detect vulnerabilities in smart contracts, these tools are typically developed for analyzing fully-completed smart contracts and thus are ineffective for analyzing typical code snippets as found on SO. We introduce SOChecker, the first tool designed to identify potential vulnerabilities in incomplete SO smart contract code snippets. SOChecker first leverages a fine-tuned Llama2 model for code completion, followed by the application of symbolic execution methods for vulnerability detection. Our experimental results, derived from a dataset comprising 897 code snippets collected from smart contract-related SO posts, demonstrate that SOChecker achieves an F1 score of 68.2%, greatly surpassing GPT-3.5 and GPT-4 (20.9% and 33.2% F1 Scores respectively). Our findings underscore the need to improve the security of code snippets from Q&A websites.
5
Title:
LENT-SSE: Leveraging Executed and Near Transactions for Speculative Symbolic Execution of Smart Contracts
Authors:
Abstract:
Symbolic execution has proven effective for code analytics in smart contracts. However, for smart contracts, existing symbolic tools use multiple-transaction symbolic execution, which differs from traditional symbolic tools and also exacerbates the path explosion problem. In this paper, we first quantitatively analyze the bottleneck of symbolic execution in multiple transactions (TXs), finding the redundancy of the paths of TXs. Based on this finding, we propose LENT-SSE as a new speculation heuristic for Speculative Symbolic Execution of smart contracts, which leverages the executed and near TXs for skipping and recalling the SMT solving of paths. LENT-SSE uses an executed-transaction-based skipping algorithm to reduce the time required for SMT solving by leveraging the redundancy between executed and executing paths. Moreover, LENT-SSE uses a near-transaction-based recalling algorithm to reduce false skipping of the solving paths. Experimental results on the SmartBugs dataset show that LENT-SSE can reduce the total time by 37.4% and the solving time of paths by 65.2% on average without reducing the reported bugs. On the other dataset of 1000 realistic contracts, the total time and solving time are reduced by 38.1% and 54.7%.
6
Title:
Midas: Mining Profitable Exploits in On-Chain Smart Contracts via Feedback-Driven Fuzzing and Differential Analysis
Authors:
Abstract:
In the context of boosting smart contract applications, prioritizing their security becomes paramount. Smart contract exploits often result in notable financial losses. Ensuring their security is by no means trivial. Rather than resulting in program crashes, most attacks in on-chain smart contracts aim to induce financial loss, referred to as profitable exploits. By constructing seemingly innocuous inputs, profitable exploits try to extract extra profit or compromise the interests of others. However, due to the complexity of call chains in on-chain smart contracts and the need for effective oracles for profitable exploits, smart contract fuzzing suffers from low efficiency and low effectiveness in finding profitable exploits. In this paper, we present Midas, a novel feedback-driven fuzzing framework to mine profitable exploits in on-chain smart contracts effectively. Midas consists of two modules: diverse validity fuzzing and profitable transaction identification. The diverse validity fuzzing module applies two waypoints to efficiently generate valid transactions, addressing the complexity of on-chain smart contract call chains. The profitable transaction identification module applies differential analysis to effectively identify profitable exploits, addressing the limitation of ad-hoc oracles. Evaluation of Midas over on-chain smart contracts showed it effectively identified 40 real-world exploits with a precision of 80%, outperforming state-of-the-art tools (i.e., ItyFuzz and Slither) in both efficiency and effectiveness. Particularly, Midas effectively mines five unknown exploits in valuable smart contracts, and two of them have already been confirmed by their DApp developers.
7
Title:
DeFort: Automatic Detection and Analysis of Price Manipulation Attacks in DeFi Applications
Authors:
Abstract:
Although Decentralized Finance (DeFi) applications facilitate tamper-proof transactions among multiple anonymous users, since attackers can access the smart contract bytecode directly, vulnerabilities in the transaction mechanism, contract code, or third-party components can be easily exploited to manipulate token prices, leading to financial losses. Since price manipulation often relies on specific states and complex trading sequences, existing detection tools have limitations in addressing this problem. In addition, to swiftly identify the root cause of an attack and implement targeted defense and remediation measures, auditors typically prioritize understanding the methodology behind the attack, emphasizing 'how' it occurred rather than simply confirming its existence. To address these problems, this paper presents a novel automatic price manipulation detection and analysis framework, named DeFort, which contains a price manipulation behavior model to guide on-chain detection, multiple price monitoring strategies to detect pools with abnormal token prices, and various profit calculation mechanisms to confirm attacks. Based on behavioral models, DeFort can automatically locate transactions and functions that cause abnormal price fluctuations and identify attackers and victims. Experimental results demonstrate that DeFort can outperform state-of-the-art price manipulation detection methods. Furthermore, after monitoring 441 real-world projects for two months, DeFort successfully detected five price manipulation attacks.
8
Title:
DAppFL: Just-in-Time Fault Localization for Decentralized Applications in Web3
Authors:
Abstract:
Web3 describes an idea for the next evolution of the Internet, where blockchain technology enables the Internet of Value. As Web3 software, decentralized applications (DApps) have emerged in recent years. There exists a natural link between DApps and cryptocurrencies, where faults in DApps could directly lead to monetary losses associated with cryptocurrencies. Hence, efficient fault localization technology is of paramount importance for urgent DApp rescue operations and the mitigation of financial losses. However, fault localization methods applied in traditional applications are not well-suited for this specific field, due to their inability to identify DApp-specific fault features, e.g., a substantial amount of cryptocurrency is transferred from DApps to hackers. In order to explore the root cause of DApp faults, some researchers try to identify suspicious code snippets through mutation testing. Nonetheless, applying mutation testing for DApp fault localization is time-consuming and thus limited in practice. This paper conducts the first comprehensive study of DApp fault localization. We introduce DAppFL, a learning-based DApp fault localization tool that performs reverse engineering to gather executed source code and then trace cryptocurrency flow to assist in locating faulty functions. We also present the inaugural dataset for DApp fault localization, providing a new benchmark for this domain. Our experimental results demonstrate that DAppFL locates 63% of faults within the Top-5, 23% more than the state-of-the-art method. To facilitate further research, our code and dataset are freely available online: https://github.com/xplanet-sysu/awesome-works
Details: https://2024.issta.org/track/issta-2024-papers#event-overview