Towards Smart Hybrid Fuzzing for Smart Contracts

Smart contracts are Turing-complete programs that are executed across a blockchain network. Unlike traditional programs, once deployed they cannot be modified. As smart contracts become more popular and carry more value, they become more of an interesting target for attackers. In recent years, smart contracts suffered major exploits, costing millions of dollars, due to programming errors. As a result, a variety of tools for detecting bugs has been proposed. However, majority of these tools often yield many false positives due to over-approximation or poor code coverage due to complex path constraints. Fuzzing or fuzz testing is a popular and effective software testing technique. However, traditional fuzzers tend to be more effective towards finding shallow bugs and less effective in finding bugs that lie deeper in the execution. In this work, we present CONFUZZIUS, a hybrid fuzzer that combines evolutionary fuzzing with constraint solving in order to execute more code and find more bugs in smart contracts. Evolutionary fuzzing is used to exercise shallow parts of a smart contract, while constraint solving is used to generate inputs which satisfy complex conditions that prevent the evolutionary fuzzing from exploring deeper paths. Moreover, we use data dependency analysis to efficiently generate sequences of transactions, that create specific contract states in which bugs may be hidden. We evaluate the effectiveness of our fuzzing strategy, by comparing CONFUZZIUS with state-of-the-art symbolic execution tools and fuzzers. Our evaluation shows that our hybrid fuzzing approach produces significantly better results than state-of-the-art symbolic execution tools and fuzzers.

[1]  Abhik Roychoudhury,et al.  Directed Greybox Fuzzing , 2017, CCS.

[2]  Sukrit Kalra,et al.  ZEUS: Analyzing Safety of Smart Contracts , 2018, NDSS.

[3]  Massimo Bartoletti,et al.  A Survey of Attacks on Ethereum Smart Contracts (SoK) , 2017, POST.

[4]  Prateek Saxena,et al.  Exploiting the laws of order in smart contracts , 2018, ISSTA.

[5]  Ittai Abraham,et al.  Online detection of effectively callback free objects with applications to smart contracts , 2017, Proc. ACM Program. Lang..

[6]  Christopher Krügel,et al.  Driller: Augmenting Fuzzing Through Selective Symbolic Execution , 2016, NDSS.

[7]  Radu State,et al.  Osiris: Hunting for Integer Bugs in Ethereum Smart Contracts , 2018, ACSAC.

[8]  D. Saari,et al.  The Copeland method , 1996 .

[9]  GUNAR E. LIEPINS,et al.  Representational issues in genetic optimization , 1990, J. Exp. Theor. Artif. Intell..

[10]  H. B. Mann,et al.  On a Test of Whether one of Two Random Variables is Stochastically Larger than the Other , 1947 .

[11]  Petar Tsankov,et al.  Securify: Practical Security Analysis of Smart Contracts , 2018, CCS.

[12]  Andrew Ruef,et al.  Evaluating Fuzz Testing , 2018, CCS.

[13]  Ye Liu,et al.  ContractFuzzer: Fuzzing Smart Contracts for Vulnerability Detection , 2018, 2018 33rd IEEE/ACM International Conference on Automated Software Engineering (ASE).

[14]  Abhik Roychoudhury,et al.  Coverage-Based Greybox Fuzzing as Markov Chain , 2016, IEEE Transactions on Software Engineering.

[15]  Prateek Saxena,et al.  Making Smart Contracts Smarter , 2016, IACR Cryptol. ePrint Arch..

[16]  A. Vargha,et al.  A Critique and Improvement of the CL Common Language Effect Size Statistics of McGraw and Wong , 2000 .

[17]  Nikolaj Bjørner,et al.  Z3: An Efficient SMT Solver , 2008, TACAS.

[18]  Prateek Saxena,et al.  Finding The Greedy, Prodigal, and Suicidal Contracts at Scale , 2018, ACSAC.

[19]  Barton P. Miller,et al.  An empirical study of the reliability of UNIX utilities , 1990, Commun. ACM.

[20]  Hao Chen,et al.  Matryoshka: Fuzzing Deeply Nested Branches , 2019, CCS.

[21]  Herbert Bos,et al.  VUzzer: Application-aware Evolutionary Fuzzing , 2017, NDSS.

[22]  Mislav Balunovic,et al.  Learning to Fuzz from Symbolic Execution with Application to Smart Contracts , 2019, CCS.

[23]  Valentin Wüstholz,et al.  Harvey: a greybox fuzzer for smart contracts , 2019, ESEC/SIGSOFT FSE.

[24]  David A. Patterson,et al.  Computer Architecture: A Quantitative Approach , 1969 .

[25]  Antonio Ken Iannillo,et al.  Chizpurfle: A Gray-Box Android Fuzzer for Vendor Service Customizations , 2017, 2017 IEEE 28th International Symposium on Software Reliability Engineering (ISSRE).

[26]  Sven Apel,et al.  Views on Internal and External Validity in Empirical Software Engineering , 2015, 2015 IEEE/ACM 37th IEEE International Conference on Software Engineering.

[27]  Seoyoung Kim,et al.  Intriguer: Field-Level Constraint Solving for Hybrid Fuzzing , 2019, CCS.

[28]  Patrice Godefroid,et al.  Automated Whitebox Fuzz Testing , 2008, NDSS.

[29]  R.SIVARAJ,et al.  A REVIEW OF SELECTION METHODS IN GENETIC ALGORITHM , 2011 .

[30]  Dawson R. Engler,et al.  KLEE: Unassisted and Automatic Generation of High-Coverage Tests for Complex Systems Programs , 2008, OSDI.

[31]  Daniel Davis Wood,et al.  ETHEREUM: A SECURE DECENTRALISED GENERALISED TRANSACTION LEDGER , 2014 .