A Critical-Path-Coverage-Based Vulnerability Detection Method for Smart Contracts

The second generation of blockchain represented by smart contracts has been developing vigorously in recent years. However, frequent smart contract vulnerability incidents pose a serious risk to blockchain ecosystem security. Since current symbol execution tools often fall into path explosion and thus lead to inefficient detection, this paper expands Mythril’s framework to optimize its performance. Firstly, it finds out potential vulnerable code regions using static analysis and identifies critical paths that may have security defects. Then, aiming at the problem that traditional search algorithms cannot actively locate and explore critical paths, this paper presents a multi-objective oriented path search (MOPS) strategy based on path priority. This strategy guides dynamic symbolic execution to cover critical paths quickly, avoiding blind traversal of program execution paths. Finally, it describes security rules and proposes corresponding detection logics for different vulnerability categories. This paper analyzes over 1000 smart contracts extracted from Etherscan. Compared with existing tools based on symbolic execution, the proposed method can reduce time consumption by around 35% while ensuring the accuracy of vulnerability detection. Moreover, existing tools often issue warnings that do not actually cause financial losses. But the proposed method only concentrates on code regions related to transfer of funds, so it can reduce the false alarm rate to some extent.

[1]  Xu Xiao,et al.  New Approach to Path Explosion Problem of Symbolic Execution , 2010, 2010 First International Conference on Pervasive Computing, Signal Processing and Applications.

[2]  Koushik Sen,et al.  CUTE and jCUTE: Concolic Unit Testing and Explicit Path Model-Checking Tools , 2006, CAV.

[3]  Nishant Rodrigues,et al.  KEVM: A Complete Semantics of the Ethereum Virtual Machine , 2017 .

[4]  Prateek Saxena,et al.  Finding The Greedy, Prodigal, and Suicidal Contracts at Scale , 2018, ACSAC.

[5]  Ricardo Corin,et al.  Taint Analysis of Security Code in the KLEE Symbolic Execution Engine , 2012, ICICS.

[6]  Chelsea C. White,et al.  A heuristic search algorithm for path determination with learning , 1998, IEEE Trans. Syst. Man Cybern. Part A.

[7]  Petar Tsankov,et al.  Securify: Practical Security Analysis of Smart Contracts , 2018, CCS.

[8]  Ye Liu,et al.  ContractFuzzer: Fuzzing Smart Contracts for Vulnerability Detection , 2018, 2018 33rd IEEE/ACM International Conference on Automated Software Engineering (ASE).

[9]  Christian Rossow,et al.  teEther: Gnawing at Ethereum to Automatically Exploit Smart Contracts , 2018, USENIX Security Symposium.

[10]  Guofei Gu,et al.  Checksum-Aware Fuzzing Combined with Dynamic Taint Analysis and Symbolic Execution , 2011, TSEC.

[11]  Koushik Sen DART: Directed Automated Random Testing , 2009, Haifa Verification Conference.

[12]  Sidney Amani,et al.  Towards verifying ethereum smart contract bytecode in Isabelle/HOL , 2018, CPP.

[13]  James Newsom,et al.  Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software, Network and Distributed System Security Symposium Conference Proceedings : 2005 , 2005 .

[14]  Yi Zhou,et al.  Erays: Reverse Engineering Ethereum's Opaque Smart Contracts , 2018, USENIX Security Symposium.

[15]  Ghassan O. Karame,et al.  Sereum: Protecting Existing Smart Contracts Against Re-Entrancy Attacks , 2018, NDSS.

[16]  Haibing Guan,et al.  Static program analysis assisted dynamic taint tracking for software vulnerability discovery , 2012, Comput. Math. Appl..

[17]  Dawson R. Engler,et al.  KLEE: Unassisted and Automatic Generation of High-Coverage Tests for Complex Systems Programs , 2008, OSDI.

[18]  Daniel Davis Wood,et al.  ETHEREUM: A SECURE DECENTRALISED GENERALISED TRANSACTION LEDGER , 2014 .

[19]  David Brumley,et al.  Unleashing Mayhem on Binary Code , 2012, 2012 IEEE Symposium on Security and Privacy.

[20]  David Brumley,et al.  All You Ever Wanted to Know about Dynamic Taint Analysis and Forward Symbolic Execution (but Might Have Been Afraid to Ask) , 2010, 2010 IEEE Symposium on Security and Privacy.

[21]  Elaine Shi,et al.  Step by Step Towards Creating a Safe Smart Contract: Lessons and Insights from a Cryptocurrency Lab , 2016, Financial Cryptography Workshops.

[22]  James C. King,et al.  Symbolic execution and program testing , 1976, CACM.

[23]  Massimo Bartoletti,et al.  A Survey of Attacks on Ethereum Smart Contracts (SoK) , 2017, POST.

[24]  Peng Jiang,et al.  A Survey on the Security of Blockchain Systems , 2017, Future Gener. Comput. Syst..

[25]  Zhenkai Liang,et al.  BitBlaze: A New Approach to Computer Security via Binary Analysis , 2008, ICISS.

[26]  Hiroki Watanabe,et al.  Blockchain contract: Securing a blockchain applied to smart contracts , 2016, 2016 IEEE International Conference on Consumer Electronics (ICCE).

[27]  Matteo Maffei,et al.  A Semantic Framework for the Security Analysis of Ethereum smart contracts , 2018, POST.

[28]  Paolo Tasca,et al.  Blockchain Technologies: The Foreseeable Impact on Society and Industry , 2017, Computer.

[29]  Nikhil Swamy,et al.  Formal Verification of Smart Contracts: Short Paper , 2016, PLAS@CCS.

[30]  Christopher Krügel,et al.  SOK: (State of) The Art of War: Offensive Techniques in Binary Analysis , 2016, 2016 IEEE Symposium on Security and Privacy (SP).

[31]  Prateek Saxena,et al.  Making Smart Contracts Smarter , 2016, IACR Cryptol. ePrint Arch..

[32]  Matteo Maffei,et al.  Foundations and Tools for the Static Analysis of Ethereum Smart Contracts , 2018, CAV.

[33]  George Candea,et al.  S2E: a platform for in-vivo multi-path analysis of software systems , 2011, ASPLOS XVI.