Conference: ACM SIGSOFT International Symposium on Software Testing and Analysis (ISSTA)
Location: Vienna, Austria
Conference time: Mon 16 – Fri 20 September 2024
Website: https://2024.issta.org/track/issta-2024-papers#event-overview
1. Towards Identifying Exploitable Bottlenecks in Blockchain Clients
Blockchain clients serve as foundational components of blockchain networks, each maintaining a replica of the blockchain ledger. They are crucial for ensuring network decentralization, integrity, and stability. However, like all complex software systems, blockchain clients are susceptible to bottlenecks. Certain bottlenecks create vulnerabilities, allowing attackers to intentionally overload these weak points and congest client execution, leading to denial of service (DoS) attacks. We refer to these vulnerabilities as exploitable bottlenecks. Existing research primarily focuses on a limited number of such bottlenecks and often relies on manual analysis. To address this gap, this paper investigates the root causes of bottlenecks in software and introduces a novel tool named ThreadWatch. ThreadWatch monitors runtime symptoms indicative of these issues by modeling clients as a set of threads and delineating their interactions to accurately characterize client behavior. Leveraging ThreadWatch, we identify suspicious bottlenecks and assess their potential for exploitation by external attackers. Applying ThreadWatch to four mainstream blockchain clients developed in different programming languages, we discover a total of 13 exploitable bottlenecks, six of which were previously unknown. As of the time of writing, three CVEs have been assigned based on our findings, highlighting the practical impact of our approach.
2. Empirical Analysis of Move Smart Contract Security and the Introduction of MoveScan
Move, a smart contract programming language, is renowned for its security-oriented design. However, the real-world security effectiveness of Move contracts has not been thoroughly examined. This study presents the first extensive empirical analysis of Move contract security. Our initial efforts included a manual audit of 652 contracts from 92 Move projects in collaboration with a security firm. This audit uncovered eight distinct defect types, with half being previously undocumented. These defects pose potential security threats or could lead to inefficient use of computational resources. To assess the prevalence of these defects in live Move contracts, we developed MoveScan, an automated analysis framework that translates bytecode into an intermediate representation (IR), extracts vital meta-information, and identifies all eight defect types. Using MoveScan, we identified 97,169 defects across 37,302 deployed contracts on the Aptos and Sui blockchains, highlighting a significant occurrence of defects. Experimental results show that MoveScan achieves a precision rate of 98.85%, with an average analysis time per project of only 5.45 milliseconds. This performance surpasses that of previous state-of-the-art tools, such as MoveLint, which has an accuracy of 87.50% and an average analysis time of 71.72 milliseconds, and Move Prover, which has a recall rate of 6.02% and requires manual intervention. Our findings provide new insights and recommendations for enhancing the security of Move contracts.
3. Optimizing Function Call Order in Smart Contracts to Minimize Gas Fees
Smart contracts, primarily written in Solidity, are Turing-complete programs executed on blockchain platforms like Ethereum. To prevent resource misuse, users are required to pay a gas fee when deploying or invoking smart contracts. While reducing gas consumption has garnered significant attention, the impact of function call order on invocation gas fees has not been thoroughly studied. In this paper, we elucidate how function dispatch influences gas consumption during contract invocation. We introduce OptiDispatch, a bytecode refactoring method and open-source tool designed to minimize the overall gas fees associated with smart contract invocations. At the source code level, OptiDispatch identifies frequently invoked functions within a smart contract and reorders them at the bytecode level to optimize their dispatch order. We implemented OptiDispatch and evaluated its performance on 50 randomly selected real-world smart contracts from Ethereum. The experimental results indicate that OptiDispatch can save approximately 125.17 gas units per transaction, with an additional compilation overhead of only 0.37 seconds.
4. Detecting Security Flaws in Smart Contract Code Snippets from Stack Overflow
Smart contract developers frequently turn to Q&A platforms such as Stack Overflow (SO) for solutions to their coding challenges. While the community often provides helpful advice, the shared code snippets can sometimes contain hidden vulnerabilities. Integrating these snippets directly into smart contracts can expose them to malicious attacks. To investigate this issue, we conducted an online survey and received 74 responses from smart contract developers. The survey revealed that a significant majority (86.4%) of respondents do not adequately consider security when reusing code snippets from SO. Although there are several tools available to detect vulnerabilities in smart contracts, these tools are generally designed to analyze complete contracts and are not effective for analyzing typical code snippets found on SO. We present SOChecker, the first tool specifically designed to identify potential vulnerabilities in incomplete smart contract code snippets from SO. SOChecker uses a fine-tuned Llama2 model for code completion, followed by symbolic execution methods for vulnerability detection. Our experiments, conducted on a dataset of 897 code snippets collected from smart contract-related SO posts, show that SOChecker achieves an F1 score of 68.2%, significantly outperforming GPT-3.5 and GPT-4, which scored 20.9% and 33.2% respectively. These results highlight the importance of improving the security of code snippets from Q&A websites.
5. A Novel Approach to Speculative Symbolic Execution of Smart Contracts by Leveraging Executed and Near Transactions
Symbolic execution has demonstrated its effectiveness for code analysis in smart contracts. However, current symbolic tools for smart contracts utilize multiple-transaction symbolic execution, which not only differs from traditional symbolic tools but also exacerbates the path explosion problem. This paper quantitatively analyzes the bottlenecks of symbolic execution in multiple transactions (TXs) and identifies the redundancy of TX paths. Based on these findings, we introduce LENT-SSE, a new speculative heuristic for Speculative Symbolic Execution of smart contracts, which leverages executed and near TXs to skip and recall SMT solving paths. LENT-SSE employs an executed-transaction-based skipping algorithm to reduce SMT solving time by exploiting the redundancy between executed and executing paths. Additionally, LENT-SSE utilizes a near-transaction-based recalling algorithm to minimize false skips in solving paths. Experimental results on the SmartBugs dataset demonstrate that LENT-SSE can reduce total execution time by 37.4% and path solving time by 65.2% on average without decreasing the number of reported bugs. On a separate dataset of 1000 realistic contracts, total execution time and path solving time were reduced by 38.1% and 54.7%, respectively.
6. Discovering Lucrative Vulnerabilities in On-Chain Smart Contracts using Feedback-Driven Fuzzing and Differential Analysis
In the context of advancing smart contract applications, ensuring their security is crucial. Exploits in smart contracts often lead to significant financial losses. Securing them is far from trivial. Unlike crashes, most attacks on on-chain smart contracts aim to cause financial losses, known as profitable exploits. By crafting seemingly innocuous inputs, profitable exploits seek to extract additional profit or compromise others’ interests. However, due to the complexity of call chains in on-chain smart contracts and the necessity for effective oracles for profitable exploits, smart contract fuzzing suffers from low efficiency and effectiveness in detecting profitable exploits. This paper introduces Midas, a novel feedback-driven fuzzing framework designed to effectively uncover profitable exploits in on-chain smart contracts. Midas comprises two modules: diverse validity fuzzing and profitable transaction identification. The diverse validity fuzzing module employs dual waypoints to efficiently generate valid transactions, addressing the intricate call chains of on-chain smart contracts. The profitable transaction identification module utilizes differential analysis to effectively pinpoint profitable exploits, overcoming the limitations of ad-hoc oracles. Evaluation of Midas on various on-chain smart contracts demonstrated its ability to identify 40 real-world exploits with 80% precision, surpassing state-of-the-art tools (such as ItyFuzz and Slither) in both efficiency and effectiveness. Particularly, Midas successfully unearthed five previously unknown exploits in critical smart contracts, two of which have already been confirmed by their DApp developers.
7. Automated Detection and Analysis of Price Manipulation Attacks in Decentralized Finance (DeFi) Platforms
Decentralized Finance (DeFi) applications facilitate tamper-proof transactions among anonymous users. However, vulnerabilities in transaction mechanisms, contract code, or third-party components can be exploited by attackers to manipulate token prices, leading to financial losses. Detecting price manipulation attacks, which often exploit specific states and complex trading sequences, remains challenging for existing detection tools. Auditors prioritize understanding the attack methodology to implement targeted defenses rather than merely confirming its occurrence. To address these challenges, this paper introduces DeFort, an innovative framework for automated detection and analysis of price manipulation attacks in DeFi platforms. DeFort employs a price manipulation behavior model for on-chain detection, diverse price monitoring strategies to identify pools with abnormal token prices, and various profit calculation mechanisms to validate attacks. Leveraging behavioral models, DeFort automatically identifies transactions and functions causing abnormal price fluctuations, enabling the identification of both attackers and victims. Experimental results demonstrate DeFort’s effectiveness over existing methods in detecting price manipulation. Over a two-month monitoring period of 441 real-world projects, DeFort successfully detected five price manipulation attacks.
8. Real-time Fault Localization for Decentralized Applications in Web3
Web3 represents the future evolution of the Internet, leveraging blockchain technology to enable the Internet of Value. Decentralized applications (DApps), pivotal in the Web3 ecosystem, have gained prominence in recent years. Given their inherent connection to cryptocurrencies, faults in DApps can lead to substantial financial losses. Hence, efficient fault localization is crucial for prompt DApp recovery and minimizing economic risks. Traditional fault localization methods often fall short in this domain due to their inability to identify DApp-specific fault patterns, such as unauthorized cryptocurrency transfers. To address this gap, researchers have explored techniques like mutation testing, though these methods are often impractical due to their time-intensive nature. This paper presents a pioneering study on fault localization for DApps. We introduce DAppFL, a learning-based tool that employs reverse engineering to capture executed source code and trace cryptocurrency flows, aiding in pinpointing faulty functions. Additionally, we introduce a benchmark dataset for DApp fault localization, enhancing research in this critical area. Experimental results demonstrate that DAppFL achieves a 63% Top-5 fault localization rate, surpassing current state-of-the-art methods by 23%.
Article source: https://mp.weixin.qq.com/s/Uja3LRLifymn9qWKT0S6qw