A Large-Scale Empirical Study on Control Flow Identification of Smart Contracts

Background: Millions of smart contracts have been deployed to Ethereum for providing various applications. Recent studies discovered many severe security and performance issues in smart contracts by applying static program analysis techniques to them. Given a smart contract, the majority of these analysis techniques need to first construct its control flow graph, which connects basic blocks through control flow transfers (CFTs), before conducting further analysis. Aims: The objective of this work is to understand the capabilities of static program analysis techniques to identify CFTs, and to investigate how static program analysis techniques can be improved if the CFTs are complemented. Method: We perform a comprehensive empirical study on six widely-used tools for smart contract analysis by using all deployed smart contracts to understand their capabilities to recognize CFTs. We capture all execution traces of all smart contracts to evaluate the number of CFTs covered by traces that are not found by those tools. We enhance a state-of-the-art tool, OYENTE for discovering vulnerabilities in smart contracts with the CFTs covered by traces to investigate how the tool is improved. Results: These studied tools fail to identify all CFTs due to several reasons, e.g., incomplete code patterns. Execution traces effectively complement these tool in recognizing CFTs. By including the CFTs covered by traces, the false negative rate of OYENTE can be reduced by up to 30%. Conclusions: Our study underlines the ineffectiveness of static analysis techniques due to the incapabilities of CFT identification.

[1]  Ye Liu,et al.  ContractFuzzer: Fuzzing Smart Contracts for Vulnerability Detection , 2018, 2018 33rd IEEE/ACM International Conference on Automated Software Engineering (ASE).

[2]  Xi Chen,et al.  An In-Depth Analysis of Disassembly on Full-Scale x86/x64 Binaries , 2016, USENIX Security Symposium.

[3]  Trent Jaeger,et al.  CFG Construction Soundness in Control-Flow Integrity , 2017, PLAS@CCS.

[4]  Xiaodong Lin,et al.  Understanding Ethereum via Graph Analysis , 2018, IEEE INFOCOM 2018 - IEEE Conference on Computer Communications.

[5]  Radu State,et al.  Osiris: Hunting for Integer Bugs in Ethereum Smart Contracts , 2018, ACSAC.

[6]  Christopher Krügel,et al.  SOK: (State of) The Art of War: Offensive Techniques in Binary Analysis , 2016, 2016 IEEE Symposium on Security and Privacy (SP).

[7]  Denys Poshyvanyk,et al.  Feature location via information retrieval based filtering of a single scenario execution trace , 2007, ASE.

[8]  Byung-Gon Chun,et al.  CloneCloud: elastic execution between mobile device and cloud , 2011, EuroSys '11.

[9]  Sergei Tikhomirov,et al.  SmartCheck: Static Analysis of Ethereum Smart Contracts , 2018, 2018 IEEE/ACM 1st International Workshop on Emerging Trends in Software Engineering for Blockchain (WETSEB).

[10]  Sukrit Kalra,et al.  ZEUS: Analyzing Safety of Smart Contracts , 2018, NDSS.

[11]  Jean-Francois Collard Reasoning about program transformations - imperative programming and flow of data , 2002 .

[12]  Sebastian Schinzel,et al.  kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels , 2017, USENIX Security Symposium.

[13]  Petar Tsankov,et al.  Securify: Practical Security Analysis of Smart Contracts , 2018, CCS.

[14]  Christian Rossow,et al.  teEther: Gnawing at Ethereum to Automatically Exploit Smart Contracts , 2018, USENIX Security Symposium.

[15]  Daniel Davis Wood,et al.  ETHEREUM: A SECURE DECENTRALISED GENERALISED TRANSACTION LEDGER , 2014 .

[16]  Bo Gao,et al.  sCompile: Critical Path Identification and Analysis for Smart Contracts , 2018, ICFEM.

[17]  Matteo Maffei,et al.  Foundations and Tools for the Static Analysis of Ethereum Smart Contracts , 2018, CAV.

[18]  Xiapu Luo,et al.  Under-optimized smart contracts devour your money , 2017, 2017 IEEE 24th International Conference on Software Analysis, Evolution and Reengineering (SANER).

[19]  James C. King,et al.  Symbolic execution and program testing , 1976, CACM.

[20]  Prateek Saxena,et al.  Finding The Greedy, Prodigal, and Suicidal Contracts at Scale , 2018, ACSAC.

[21]  Trent Jaeger,et al.  GRIFFIN: Guarding Control Flows Using Intel Processor Trace , 2017, ASPLOS.

[22]  Bhavani M. Thuraisingham,et al.  Differentiating Code from Data in x86 Binaries , 2011, ECML/PKDD.

[23]  Alessandro Orso,et al.  BugRedux: Reproducing field failures for in-house debugging , 2012, 2012 34th International Conference on Software Engineering (ICSE).

[24]  Prateek Saxena,et al.  Making Smart Contracts Smarter , 2016, IACR Cryptol. ePrint Arch..

[25]  Code Willing In Code We Trust , 2019, Wilmott Magazine.

[26]  Jan Vitek,et al.  Tests from traces: automated unit test extraction for R , 2018, ISSTA.

[27]  Christopher Krügel,et al.  Static Disassembly of Obfuscated Binaries , 2004, USENIX Security Symposium.