FSFC: An input filter-based secure framework for smart contract

Abstract Discovering vulnerabilities in smart contracts, particularly those that can be exploited, is challenging. Existing research efforts tend to focus on pre-tests or are not capable of dynamically protecting the deployed contracts without impacting on the availability of the contracts. Thus in this paper, we propose and implement a high-availability and unified input F ilter-based S ecure F ramework for Ethereum smart C ontract (hereafter referred to as FSFC). FSFC is designed to allow the deployed smart contracts to continue running normally even when faced with potential attacks (due to vulnerability exploitation). Specifically, the proposed approach allows one to dynamically identify and discard bad inputs before getting processed. In other words, the owner can protect the contract by deploying filters through FSFC, regardless of the vulnerability discovered in the deployed contract, and without suspending the contract service. We also evaluate the security of FSFC. Then, using integer vulnerability as a case study, we demonstrate how FSFC can be deployed and evaluate its utility using real-world smart contracts with known integer vulnerability. For example, a comparative summary demonstrates that in comparison to the plain Geth, FSFC only incurs minimal additional overhead for the miners and less than 2% extra gas consumption for normal users.

[1]  Vamsi Paruchuri,et al.  Threat modeling using attack trees , 2008 .

[2]  Marijn Janssen,et al.  Challenges of blockchain technology adoption for e-government: a systematic literature review , 2018, DG.O.

[3]  Miguel Castro,et al.  Bouncer: securing software by blocking bad input , 2007, SOSP.

[4]  Ye Liu,et al.  ContractFuzzer: Fuzzing Smart Contracts for Vulnerability Detection , 2018, 2018 33rd IEEE/ACM International Conference on Automated Software Engineering (ASE).

[5]  Kim-Kwang Raymond Choo,et al.  Blockchain in healthcare applications: Research challenges and opportunities , 2019, J. Netw. Comput. Appl..

[6]  Lei Zhang,et al.  Blockchain based secure data sharing system for Internet of vehicles: A position paper , 2019, Veh. Commun..

[7]  Fenghua Li,et al.  DESC: enabling secure data exchange based on smart contracts , 2017, Science China Information Sciences.

[8]  Prateek Saxena,et al.  Finding The Greedy, Prodigal, and Suicidal Contracts at Scale , 2018, ACSAC.

[9]  Helen J. Wang,et al.  Shield: vulnerability-driven network filters for preventing known vulnerability exploits , 2004, SIGCOMM 2004.

[10]  Miguel Castro,et al.  Vigilante: end-to-end containment of internet worms , 2005, SOSP '05.

[11]  Jason Teutsch,et al.  Demystifying Incentives in the Consensus Computer , 2015, CCS.

[12]  Radu State,et al.  Osiris: Hunting for Integer Bugs in Ethereum Smart Contracts , 2018, ACSAC.

[13]  Indrajit Ray,et al.  Using Attack Trees to Identify Malicious Attacks from Authorized Insiders , 2005, ESORICS.

[14]  Andrew Lippman,et al.  MedRec: Using Blockchain for Medical Data Access and Permission Management , 2016, 2016 2nd International Conference on Open and Big Data (OBD).

[15]  Petar Tsankov,et al.  Securify: Practical Security Analysis of Smart Contracts , 2018, CCS.

[16]  Ghassan O. Karame,et al.  Sereum: Protecting Existing Smart Contracts Against Re-Entrancy Attacks , 2018, NDSS.

[17]  Sukrit Kalra,et al.  ZEUS: Analyzing Safety of Smart Contracts , 2018, NDSS.

[18]  Sophia Drossopoulou,et al.  Writing safe smart contracts in Flint , 2018, Programming.

[19]  Athanasios V. Vasilakos,et al.  BSeIn: A blockchain-based secure mutual authentication with fine-grained access control system for industry 4.0 , 2018, J. Netw. Comput. Appl..

[20]  S. Matthew Weinberg,et al.  Arbitrum: Scalable, private smart contracts , 2018, USENIX Security Symposium.

[21]  Fan Long,et al.  Sound input filter generation for integer overflow errors , 2014, POPL.

[22]  Prateek Saxena,et al.  Making Smart Contracts Smarter , 2016, IACR Cryptol. ePrint Arch..

[23]  Michael J. Coblenz Obsidian: A Safer Blockchain Programming Language , 2017, 2017 IEEE/ACM 39th International Conference on Software Engineering Companion (ICSE-C).

[24]  Konrad Wrona,et al.  Does NATO Need a Blockchain? , 2018, MILCOM 2018 - 2018 IEEE Military Communications Conference (MILCOM).