Empirical Vulnerability Analysis of Automated Smart Contracts Security Testing on Blockchains

The emerging blockchain technology supports decentralized computing paradigm shift and is a rapidly approaching phenomenon. While blockchain is thought primarily as the basis of Bitcoin, its application has grown far beyond cryptocurrencies due to the introduction of smart contracts. Smart contracts are self-enforcing pieces of software, which reside and run over a hosting blockchain. Using blockchain-based smart contracts for secure and transparent management to govern interactions (authentication, connection, and transaction) in Internet-enabled environments, mostly IoT, is a niche area of research and practice. However, writing trustworthy and safe smart contracts can be tremendously challenging because of the complicated semantics of underlying domain-specific languages and its testability. There have been high-profile incidents that indicate blockchain smart contracts could contain various code-security vulnerabilities, instigating financial harms. When it involves security of smart contracts, developers embracing the ability to write the contracts should be capable of testing their code, for diagnosing security vulnerabilities, before deploying them to the immutable environments on blockchains. However, there are only a handful of security testing tools for smart contracts. This implies that the existing research on automatic smart contracts security testing is not adequate and remains in a very stage of infancy. With a specific goal to more readily realize the application of blockchain smart contracts in security and privacy, we should first understand their vulnerabilities before widespread implementation. Accordingly, the goal of this paper is to carry out a far-reaching experimental assessment of current static smart contracts security testing tools, for the most widely used blockchain, the Ethereum and its domain-specific programming language, Solidity, to provide the first body of knowledge for creating more secure blockchain-based software.

[1]  Peter McBurney,et al.  Validation and Verification of Smart Contracts: A Research Agenda , 2017, Computer.

[2]  Abdul Azim Abdul Ghani,et al.  Automated test generation technique for aspectual features in AspectJ , 2015, Inf. Softw. Technol..

[3]  Ari Juels,et al.  Enter the Hydra: Towards Principled Bug Bounties and Exploit-Resistant Smart Contracts , 2018, IACR Cryptol. ePrint Arch..

[4]  Axel Legay,et al.  Statistical Model Checking: An Overview , 2010, RV.

[5]  Gregory Epiphaniou,et al.  Nonreciprocity Compensation Combined With Turbo Codes for Secret Key Generation in Vehicular Ad Hoc Social IoT Networks , 2018, IEEE Internet of Things Journal.

[6]  Nikhil Swamy,et al.  Formal Verification of Smart Contracts: Short Paper , 2016, PLAS@CCS.

[7]  Ali Dehghantanha,et al.  A Two-Layer Dimension Reduction and Two-Tier Classification Model for Anomaly-Based Intrusion Detection in IoT Backbone Networks , 2019, IEEE Transactions on Emerging Topics in Computing.

[8]  Aron Laszka,et al.  Tool Demonstration: FSolidM for Designing Secure Ethereum Smart Contracts , 2018, POST.

[9]  Kei-Léo Brousmiche,et al.  Formal Verification of Smart Contracts Based on Users and Blockchain Behaviors Models , 2018, 2018 9th IFIP International Conference on New Technologies, Mobility and Security (NTMS).

[10]  Xiaohong Jiang,et al.  Smart Contract-Based Access Control for the Internet of Things , 2018, IEEE Internet of Things Journal.

[11]  Ali Dehghantanha,et al.  Smart Contract Programming Languages on Blockchains: An Empirical Evaluation of Usability and Security , 2018, ICBC.

[12]  Ali Dehghantanha,et al.  Digital forensics: the missing piece of the Internet of Things promise , 2016 .

[13]  W. Youden,et al.  Index for rating diagnostic tests , 1950, Cancer.

[14]  Guido Governatori,et al.  Evaluation of Logic-Based Smart Contracts for Blockchain Systems , 2016, RuleML.

[15]  D. Culler,et al.  WAVE : A Decentralized Authorization System for IoT via Blockchain Smart Contracts , 2017 .

[16]  Fan Wu,et al.  Benchmark Requirements for Assessing Software Security Vulnerability Testing Tools , 2018, 2018 IEEE 42nd Annual Computer Software and Applications Conference (COMPSAC).

[17]  Rusli Abdullah,et al.  Empirical evaluation of the fault detection effectiveness and test effort efficiency of the automated AOP testing approaches , 2011, Inf. Softw. Technol..

[18]  Jian Shen,et al.  A Novel Security Scheme Based on Instant Encrypted Transmission for Internet of Things , 2018, Secur. Commun. Networks.

[19]  Sukrit Kalra,et al.  ZEUS: Analyzing Safety of Smart Contracts , 2018, NDSS.

[20]  Massimo Bartoletti,et al.  A Survey of Attacks on Ethereum Smart Contracts (SoK) , 2017, POST.

[21]  Ali Dehghantanha,et al.  Internet of Things security and forensics: Challenges and opportunities , 2018, Future Gener. Comput. Syst..

[22]  Gary McGraw,et al.  Static Analysis for Security , 2004, IEEE Secur. Priv..

[23]  Jin Li,et al.  Privacy-preserving Naive Bayes classifiers secure against the substitution-then-comparison attack , 2018, Inf. Sci..

[24]  Michael Devetsikiotis,et al.  Blockchains and Smart Contracts for the Internet of Things , 2016, IEEE Access.

[25]  Rusli Abdullah,et al.  On the applicability of random testing for aspect-oriented programs. , 2009 .

[26]  Prateek Saxena,et al.  Making Smart Contracts Smarter , 2016, IACR Cryptol. ePrint Arch..

[27]  Ali Dehghantanha,et al.  Robust Malware Detection for Internet of (Battlefield) Things Devices Using Deep Eigenspace Learning , 2019, IEEE Transactions on Sustainable Computing.

[28]  Joseph Sifakis,et al.  Modeling Heterogeneous Real-time Components in BIP , 2006, Fourth IEEE International Conference on Software Engineering and Formal Methods (SEFM'06).

[29]  Joseph Sifakis,et al.  D-Finder: A Tool for Compositional Deadlock Detection and Verification , 2009, CAV.

[30]  Witawas Srisa-an,et al.  Significant Permission Identification for Machine-Learning-Based Android Malware Detection , 2018, IEEE Transactions on Industrial Informatics.

[31]  Yuanzhang Li,et al.  A Covert Channel Over VoLTE via Adjusting Silence Periods , 2018, IEEE Access.

[32]  Aron Laszka,et al.  Designing Secure Ethereum Smart Contracts: A Finite State Machine Based Approach , 2017, Financial Cryptography.

[33]  Gerard Salton,et al.  Term-Weighting Approaches in Automatic Text Retrieval , 1988, Inf. Process. Manag..

[34]  Arun Kumar Sangaiah,et al.  Sensitivity Analysis of an Attack-Pattern Discovery Based Trusted Routing Scheme for Mobile Ad-Hoc Networks in Industrial IoT , 2018, IEEE Access.

[35]  Matteo Maffei,et al.  A Semantic Framework for the Security Analysis of Ethereum smart contracts , 2018, POST.

[36]  Algirdas A. Avi The Methodology of N-Version Programming , 1995 .

[37]  Robert M. Hierons,et al.  Smart contracts vulnerabilities: a call for blockchain software engineering? , 2018, 2018 International Workshop on Blockchain Oriented Software Engineering (IWBOSE).