Securing smart contract with runtime validation

We present Solythesis, a source to source Solidity compiler which takes a smart contract code and a user specified invariant as the input and produces an instrumented contract that rejects all transactions that violate the invariant. The design of Solythesis is driven by our observation that the consensus protocol and the storage layer are the primary and the secondary performance bottlenecks of Ethereum, respectively. Solythesis operates with our novel delta update and delta check techniques to minimize the overhead caused by the instrumented storage access statements. Our experimental results validate our hypothesis that the overhead of runtime validation, which is often too expensive for other domains, is in fact negligible for smart contracts. The CPU overhead of Solythesis is only 0.1% on average for our 23 benchmark contracts.

[1]  Howard Barringer,et al.  Quantified Event Automata: Towards Expressive and Efficient Runtime Monitors , 2012, FM.

[2]  Fan Long,et al.  Automatic runtime error repair and containment via recovery shepherding , 2014, PLDI.

[3]  LhotákOndřej,et al.  Adding trace matching with free variables to AspectJ , 2005 .

[4]  Ao Li,et al.  Detecting Standard Violation Errors in Smart Contracts , 2018, ArXiv.

[5]  Fan Long,et al.  Securing Smart Contract On The Fly , 2019, ArXiv.

[6]  Satoshi Nakamoto Bitcoin : A Peer-to-Peer Electronic Cash System , 2009 .

[7]  Silvio Micali,et al.  Algorand: Scaling Byzantine Agreements for Cryptocurrencies , 2017, IACR Cryptol. ePrint Arch..

[8]  Mislav Balunovic,et al.  Learning to Fuzz from Symbolic Execution with Application to Smart Contracts , 2019, CCS.

[9]  Grigore Rosu,et al.  𝕂: A Semantic Framework for Programming Languages and Formal Analysis Tools , 2017, Dependable Software Systems Engineering.

[10]  Philipp Jovanovic,et al.  OmniLedger: A Secure, Scale-Out, Decentralized Ledger via Sharding , 2018, 2018 IEEE Symposium on Security and Privacy (SP).

[11]  Rajeev Barua,et al.  MemSafe: Ensuring the Spatial and Temporal Memory Safety of C at Runtime , 2010, 2010 10th IEEE Working Conference on Source Code Analysis and Manipulation.

[12]  Deian Stefan,et al.  CT-wasm: type-driven secure cryptography for the web ecosystem , 2018, Proc. ACM Program. Lang..

[13]  Nikhil Swamy,et al.  Formal Verification of Smart Contracts: Short Paper , 2016, PLAS@CCS.

[14]  Brad A. Myers,et al.  Obsidian: Typestate and Assets for Safer Blockchain Programming , 2019, ACM Trans. Program. Lang. Syst..

[15]  Prateek Saxena,et al.  Making Smart Contracts Smarter , 2016, IACR Cryptol. ePrint Arch..

[16]  Daniel Davis Wood,et al.  ETHEREUM: A SECURE DECENTRALISED GENERALISED TRANSACTION LEDGER , 2014 .

[17]  Ilya Sergey,et al.  Safer smart contract programming with Scilla , 2019, Proc. ACM Program. Lang..

[18]  Emin Gün Sirer,et al.  Scalable and Probabilistic Leaderless BFT Consensus through Metastability , 2019, ArXiv.

[19]  E AndersonThomas,et al.  Efficient software-based fault isolation , 1993 .

[20]  Yi Zhang,et al.  KEVM: A Complete Formal Semantics of the Ethereum Virtual Machine , 2018, 2018 IEEE 31st Computer Security Foundations Symposium (CSF).

[21]  Prateek Saxena,et al.  OHIE: Blockchain Scaling Made Simple , 2018, 2020 IEEE Symposium on Security and Privacy (SP).

[22]  Prateek Saxena,et al.  Exploiting the laws of order in smart contracts , 2018, ISSTA.

[23]  Dimitar Dimitrov,et al.  VerX: Safety Verification of Smart Contracts , 2020, 2020 IEEE Symposium on Security and Privacy (SP).

[24]  Ondrej Lhoták,et al.  Adding trace matching with free variables to AspectJ , 2005, OOPSLA '05.

[25]  Chengyu Zhang,et al.  Detecting nondeterministic payment bugs in Ethereum smart contracts , 2019, Proc. ACM Program. Lang..

[26]  Felix Klaedtke,et al.  MONPOLY: Monitoring Usage-Control Policies , 2011, RV.

[27]  Mathias Payer,et al.  HexType: Efficient Detection of Type Confusion Errors for C++ , 2017, CCS.

[28]  Mathias Payer,et al.  Control-Flow Integrity , 2017, ACM Comput. Surv..

[29]  Milo M. K. Martin,et al.  Everything You Want to Know About Pointer-Based Checking , 2015, SNAPL.

[30]  Grigore Rosu,et al.  IELE: A Rigorously Designed Language and Tool Ecosystem for the Blockchain , 2019, FM.

[31]  Fan Long,et al.  Control Jujutsu: On the Weaknesses of Fine-Grained Control Flow Integrity , 2015, CCS.

[32]  Ye Liu,et al.  ContractFuzzer: Fuzzing Smart Contracts for Vulnerability Detection , 2018, 2018 33rd IEEE/ACM International Conference on Automated Software Engineering (ASE).

[33]  Aviv Zohar,et al.  Secure High-Rate Transaction Processing in Bitcoin , 2015, Financial Cryptography.

[34]  Sreeram Kannan,et al.  Deconstructing the Blockchain to Approach Physical Limits , 2018, IACR Cryptol. ePrint Arch..

[35]  Grigore Rosu,et al.  JavaMOP: Efficient parametric runtime monitoring framework , 2012, 2012 34th International Conference on Software Engineering (ICSE).

[36]  VARUN CHANDOLA,et al.  Anomaly detection: A survey , 2009, CSUR.

[37]  Nikolai Kosmatov,et al.  An Optimized Memory Monitoring for Runtime Assertion Checking of C Programs , 2013, RV.

[38]  Emery D. Berger,et al.  DieHard: probabilistic memory safety for unsafe languages , 2006, PLDI '06.

[39]  Rastislav Bodík,et al.  DITTO: automatic incrementalization of data structure invariant checks (in Java) , 2007, PLDI '07.

[40]  Robert Wahbe,et al.  Efficient software-based fault isolation , 1994, SOSP '93.

[41]  Sukrit Kalra,et al.  ZEUS: Analyzing Safety of Smart Contracts , 2018, NDSS.

[42]  Grigore Rosu,et al.  A Language-Independent Approach to Smart Contract Verification , 2018, ISoLA.

[43]  Wei Xu,et al.  Scaling Nakamoto Consensus to Thousands of Transactions per Second , 2018, ArXiv.

[44]  Gordon J. Pace,et al.  Runtime Verification of Ethereum Smart Contracts , 2018, 2018 14th European Dependable Computing Conference (EDCC).

[45]  Yuxing Tang,et al.  SODA: A Generic Online Detection Framework for Smart Contracts , 2020, NDSS.

[46]  Prateek Saxena,et al.  Finding The Greedy, Prodigal, and Suicidal Contracts at Scale , 2018, ACSAC.

[47]  Abhishek Dubey,et al.  VeriSolid: Correct-by-Design Smart Contracts for Ethereum , 2019, Financial Cryptography.

[48]  Ghassan O. Karame,et al.  Sereum: Protecting Existing Smart Contracts Against Re-Entrancy Attacks , 2018, NDSS.

[49]  Petar Tsankov,et al.  Securify: Practical Security Analysis of Smart Contracts , 2018, CCS.