ソースを参照

update paper

master
nitowa 1年前
コミット
0bef45dcda
8個のファイルの変更232行の追加155行の削除
  1. 18
    4
      SemSEpaper/exercise.bib
  2. 17
    13
      SemSEpaper/exercises.aux
  3. 11
    4
      SemSEpaper/exercises.bbl
  4. 29
    29
      SemSEpaper/exercises.blg
  5. 77
    54
      SemSEpaper/exercises.log
  6. バイナリ
      SemSEpaper/exercises.pdf
  7. バイナリ
      SemSEpaper/exercises.synctex.gz
  8. 80
    51
      SemSEpaper/exercises.tex

+ 18
- 4
SemSEpaper/exercise.bib ファイルの表示

@@ -1,4 +1,4 @@
1
-@INPROCEEDINGS{9678888,
1
+@INPROCEEDINGS{smartian,
2 2
 	author={Choi, Jaeseung and Kim, Doyeon and Kim, Soomin and Grieco, Gustavo and Groce, Alex and Cha, Sang Kil},
3 3
 	booktitle={2021 36th IEEE/ACM International Conference on Automated Software Engineering (ASE)}, 
4 4
 	title={SMARTIAN: Enhancing Smart Contract Fuzzing with Static and Dynamic Data-Flow Analyses}, 
@@ -8,7 +8,7 @@
8 8
 	pages={227-239},
9 9
 	doi={10.1109/ASE51524.2021.9678888}}
10 10
 
11
-@inproceedings{10.1145/3578527.3578538,
11
+@inproceedings{fuzzdrivegen,
12 12
 	author = {Pani, Siddhasagar and Nallagonda, Harshita Vani and Vigneswaran and Medicherla, Raveendra Kumar and Rajan M},
13 13
 	title = {SmartFuzzDriverGen: Smart Contract Fuzzing Automation for Golang},
14 14
 	year = {2023},
@@ -26,7 +26,7 @@
26 26
 	series = {ISEC '23}
27 27
 }
28 28
 
29
-@inproceedings {217464,
29
+@inproceedings {teether,
30 30
 	author = {Johannes Krupp and Christian Rossow},
31 31
 	title = {{teEther}: Gnawing at Ethereum to Automatically Exploit Smart Contracts},
32 32
 	booktitle = {27th USENIX Security Symposium (USENIX Security 18)},
@@ -39,7 +39,7 @@
39 39
 	month = aug
40 40
 }
41 41
 
42
-@inproceedings{10.1145/3243734.3243780,
42
+@inproceedings{securify,
43 43
 	author = {Tsankov, Petar and Dan, Andrei and Drachsler-Cohen, Dana and Gervais, Arthur and B\"{u}nzli, Florian and Vechev, Martin},
44 44
 	title = {Securify: Practical Security Analysis of Smart Contracts},
45 45
 	year = {2018},
@@ -56,3 +56,17 @@
56 56
 	location = {Toronto, Canada},
57 57
 	series = {CCS '18}
58 58
 }
59
+
60
+@MISC{
61
+	doughoyte,
62
+	author = {doughoyte},
63
+	title = {MerdeToken: It's Some Hot Shit},
64
+	note = {\url{https://github.com/Arachnid/uscc/tree/master/submissions-2017/doughoyte} [Accessed: Oct. 27th 2023]}
65
+}
66
+
67
+@misc{CiteDrive2022,
68
+	title        = {CiteDrive brings reference management to Overleaf},
69
+	author       = {CiteDrive, Inc},
70
+	year         = 2022,
71
+	note         = {\url{https://www.citedrive.com/overleaf} [Accessed: (Use the date of access)]}
72
+}

+ 17
- 13
SemSEpaper/exercises.aux ファイルの表示

@@ -4,18 +4,22 @@
4 4
 \@writefile{toc}{\contentsline {section}{\numberline {1}Weakness and consequences}{1}{}\protected@file@percent }
5 5
 \@writefile{toc}{\contentsline {subsection}{\numberline {1.1}Solidity storage layout}{1}{}\protected@file@percent }
6 6
 \@writefile{toc}{\contentsline {subsection}{\numberline {1.2}The Weakness}{1}{}\protected@file@percent }
7
-\@writefile{loa}{\contentsline {algocf}{\numberline {1}{\ignorespaces A completely unchecked array write}}{1}{}\protected@file@percent }
8
-\citation{10.1145/3243734.3243780}
9
-\citation{10.1145/3578527.3578538}
10
-\citation{217464}
11
-\citation{9678888}
12
-\bibdata{exercise.bib}
13
-\bibcite{9678888}{1}
14
-\bibcite{217464}{2}
15
-\bibcite{10.1145/3578527.3578538}{3}
7
+\citation{securify}
8
+\citation{teether}
9
+\@writefile{loa}{\contentsline {algocf}{\numberline {1}{\ignorespaces A completely unchecked array write}}{2}{}\protected@file@percent }
16 10
 \@writefile{loa}{\contentsline {algocf}{\numberline {2}{\ignorespaces An incorrectly managed array length}}{2}{}\protected@file@percent }
17 11
 \@writefile{toc}{\contentsline {section}{\numberline {2}Vulnerable contracts in literature}{2}{}\protected@file@percent }
18
-\@writefile{toc}{\contentsline {section}{\numberline {3}Code properties and automatic detection}{2}{}\protected@file@percent }
19
-\@writefile{toc}{\contentsline {section}{\numberline {4}Exploit sketch}{2}{}\protected@file@percent }
20
-\bibcite{10.1145/3243734.3243780}{4}
21
-\gdef \@abspage@last{3}
12
+\citation{securify}
13
+\citation{teether}
14
+\citation{fuzzdrivegen}
15
+\citation{smartian}
16
+\citation{doughoyte}
17
+\bibdata{exercise.bib}
18
+\bibcite{smartian}{1}
19
+\bibcite{doughoyte}{2}
20
+\bibcite{teether}{3}
21
+\bibcite{fuzzdrivegen}{4}
22
+\@writefile{toc}{\contentsline {section}{\numberline {3}Code properties and automatic detection}{3}{}\protected@file@percent }
23
+\@writefile{toc}{\contentsline {section}{\numberline {4}Exploit sketch}{3}{}\protected@file@percent }
24
+\bibcite{securify}{5}
25
+\gdef \@abspage@last{4}

+ 11
- 4
SemSEpaper/exercises.bbl ファイルの表示

@@ -1,6 +1,6 @@
1 1
 \begin{thebibliography}{1}
2 2
 
3
-\bibitem{9678888}
3
+\bibitem{smartian}
4 4
 Jaeseung Choi, Doyeon Kim, Soomin Kim, Gustavo Grieco, Alex Groce, and Sang~Kil
5 5
   Cha.
6 6
 \newblock Smartian: Enhancing smart contract fuzzing with static and dynamic
@@ -8,14 +8,21 @@ Jaeseung Choi, Doyeon Kim, Soomin Kim, Gustavo Grieco, Alex Groce, and Sang~Kil
8 8
 \newblock In {\em 2021 36th IEEE/ACM International Conference on Automated
9 9
   Software Engineering (ASE)}, pages 227--239, 2021.
10 10
 
11
-\bibitem{217464}
11
+\bibitem{doughoyte}
12
+doughoyte.
13
+\newblock Merdetoken: It's some hot shit.
14
+\newblock
15
+  \url{https://github.com/Arachnid/uscc/tree/master/submissions-2017/doughoyte}
16
+  [Accessed: Oct. 27th 2023].
17
+
18
+\bibitem{teether}
12 19
 Johannes Krupp and Christian Rossow.
13 20
 \newblock {teEther}: Gnawing at ethereum to automatically exploit smart
14 21
   contracts.
15 22
 \newblock In {\em 27th USENIX Security Symposium (USENIX Security 18)}, pages
16 23
   1317--1333, Baltimore, MD, August 2018. USENIX Association.
17 24
 
18
-\bibitem{10.1145/3578527.3578538}
25
+\bibitem{fuzzdrivegen}
19 26
 Siddhasagar Pani, Harshita~Vani Nallagonda, Vigneswaran, Raveendra~Kumar
20 27
   Medicherla, and Rajan M.
21 28
 \newblock Smartfuzzdrivergen: Smart contract fuzzing automation for golang.
@@ -23,7 +30,7 @@ Siddhasagar Pani, Harshita~Vani Nallagonda, Vigneswaran, Raveendra~Kumar
23 30
   Conference}, ISEC '23, New York, NY, USA, 2023. Association for Computing
24 31
   Machinery.
25 32
 
26
-\bibitem{10.1145/3243734.3243780}
33
+\bibitem{securify}
27 34
 Petar Tsankov, Andrei Dan, Dana Drachsler-Cohen, Arthur Gervais, Florian
28 35
   B\"{u}nzli, and Martin Vechev.
29 36
 \newblock Securify: Practical security analysis of smart contracts.

+ 29
- 29
SemSEpaper/exercises.blg ファイルの表示

@@ -5,44 +5,44 @@ Reallocating 'name_of_file' (item size: 1) to 6 items.
5 5
 The style file: plain.bst
6 6
 Reallocating 'name_of_file' (item size: 1) to 13 items.
7 7
 Database file #1: exercise.bib
8
-You've used 4 entries,
8
+You've used 5 entries,
9 9
             2118 wiz_defined-function locations,
10
-            525 strings with 5122 characters,
11
-and the built_in function-call counts, 2044 in all, are:
12
-= -- 206
13
-> -- 107
10
+            528 strings with 5241 characters,
11
+and the built_in function-call counts, 2246 in all, are:
12
+= -- 224
13
+> -- 114
14 14
 < -- 3
15
-+ -- 42
16
-- -- 38
17
-* -- 137
18
-:= -- 313
19
-add.period$ -- 15
20
-call.type$ -- 4
21
-change.case$ -- 31
15
++ -- 45
16
+- -- 40
17
+* -- 142
18
+:= -- 346
19
+add.period$ -- 18
20
+call.type$ -- 5
21
+change.case$ -- 35
22 22
 chr.to.int$ -- 0
23
-cite$ -- 4
24
-duplicate$ -- 91
25
-empty$ -- 144
26
-format.name$ -- 38
27
-if$ -- 458
23
+cite$ -- 5
24
+duplicate$ -- 98
25
+empty$ -- 166
26
+format.name$ -- 40
27
+if$ -- 502
28 28
 int.to.chr$ -- 0
29
-int.to.str$ -- 4
29
+int.to.str$ -- 5
30 30
 missing$ -- 4
31
-newline$ -- 23
32
-num.names$ -- 8
33
-pop$ -- 38
31
+newline$ -- 28
32
+num.names$ -- 10
33
+pop$ -- 49
34 34
 preamble$ -- 1
35
-purify$ -- 27
35
+purify$ -- 30
36 36
 quote$ -- 0
37
-skip$ -- 75
37
+skip$ -- 81
38 38
 stack$ -- 0
39
-substring$ -- 102
40
-swap$ -- 40
39
+substring$ -- 107
40
+swap$ -- 41
41 41
 text.length$ -- 3
42 42
 text.prefix$ -- 0
43 43
 top$ -- 0
44
-type$ -- 16
44
+type$ -- 20
45 45
 warning$ -- 0
46
-while$ -- 14
47
-width$ -- 5
48
-write$ -- 53
46
+while$ -- 16
47
+width$ -- 6
48
+write$ -- 62

+ 77
- 54
SemSEpaper/exercises.log ファイルの表示

@@ -1,4 +1,4 @@
1
-This is pdfTeX, Version 3.141592653-2.6-1.40.25 (MiKTeX 23.5) (preloaded format=pdflatex 2023.6.4)  23 OCT 2023 20:33
1
+This is pdfTeX, Version 3.141592653-2.6-1.40.25 (MiKTeX 23.5) (preloaded format=pdflatex 2023.6.4)  27 OCT 2023 11:03
2 2
 entering extended mode
3 3
  restricted \write18 enabled.
4 4
  %&-line parsing enabled.
@@ -515,46 +515,53 @@ Package: relsize 2013/03/29 ver 4.1
515 515
 \c@algocf=\count297
516 516
 \algocf@algoframe=\box70
517 517
 \algocf@algobox=\box71
518
+) (d:\Users\Forest\AppData\Local\Programs\MiKTeX\tex/latex/float\float.sty
519
+Package: float 2001/11/08 v1.3d Float enhancements (AL)
520
+\c@float@type=\count298
521
+\float@exts=\toks34
522
+\float@box=\box72
523
+\@float@everytoks=\toks35
524
+\@floatcapt=\box73
518 525
 )
519
-\c@theorem=\count298
526
+\c@theorem=\count299
520 527
 
521 528
 (d:\Users\Forest\AppData\Local\Programs\MiKTeX\tex/latex/l3backend\l3backend-pd
522 529
 ftex.def
523 530
 File: l3backend-pdftex.def 2023-04-19 L3 backend support: PDF output (pdfTeX)
524
-\l__color_backend_stack_int=\count299
525
-\l__pdf_internal_box=\box72
531
+\l__color_backend_stack_int=\count300
532
+\l__pdf_internal_box=\box74
526 533
 ) (exercises.aux)
527 534
 \openout1 = `exercises.aux'.
528 535
 
529
-LaTeX Font Info:    Checking defaults for OML/cmm/m/it on input line 69.
530
-LaTeX Font Info:    ... okay on input line 69.
531
-LaTeX Font Info:    Checking defaults for OMS/cmsy/m/n on input line 69.
532
-LaTeX Font Info:    ... okay on input line 69.
533
-LaTeX Font Info:    Checking defaults for OT1/cmr/m/n on input line 69.
534
-LaTeX Font Info:    ... okay on input line 69.
535
-LaTeX Font Info:    Checking defaults for T1/cmr/m/n on input line 69.
536
-LaTeX Font Info:    ... okay on input line 69.
537
-LaTeX Font Info:    Checking defaults for TS1/cmr/m/n on input line 69.
538
-LaTeX Font Info:    ... okay on input line 69.
539
-LaTeX Font Info:    Checking defaults for OMX/cmex/m/n on input line 69.
540
-LaTeX Font Info:    ... okay on input line 69.
541
-LaTeX Font Info:    Checking defaults for U/cmr/m/n on input line 69.
542
-LaTeX Font Info:    ... okay on input line 69.
536
+LaTeX Font Info:    Checking defaults for OML/cmm/m/it on input line 70.
537
+LaTeX Font Info:    ... okay on input line 70.
538
+LaTeX Font Info:    Checking defaults for OMS/cmsy/m/n on input line 70.
539
+LaTeX Font Info:    ... okay on input line 70.
540
+LaTeX Font Info:    Checking defaults for OT1/cmr/m/n on input line 70.
541
+LaTeX Font Info:    ... okay on input line 70.
542
+LaTeX Font Info:    Checking defaults for T1/cmr/m/n on input line 70.
543
+LaTeX Font Info:    ... okay on input line 70.
544
+LaTeX Font Info:    Checking defaults for TS1/cmr/m/n on input line 70.
545
+LaTeX Font Info:    ... okay on input line 70.
546
+LaTeX Font Info:    Checking defaults for OMX/cmex/m/n on input line 70.
547
+LaTeX Font Info:    ... okay on input line 70.
548
+LaTeX Font Info:    Checking defaults for U/cmr/m/n on input line 70.
549
+LaTeX Font Info:    ... okay on input line 70.
543 550
 
544 551
 (d:\Users\Forest\AppData\Local\Programs\MiKTeX\tex/context/base/mkii\supp-pdf.m
545 552
 kii
546 553
 [Loading MPS to PDF converter (version 2006.09.02).]
547
-\scratchcounter=\count300
554
+\scratchcounter=\count301
548 555
 \scratchdimen=\dimen263
549
-\scratchbox=\box73
550
-\nofMPsegments=\count301
551
-\nofMParguments=\count302
552
-\everyMPshowfont=\toks34
553
-\MPscratchCnt=\count303
556
+\scratchbox=\box75
557
+\nofMPsegments=\count302
558
+\nofMParguments=\count303
559
+\everyMPshowfont=\toks36
560
+\MPscratchCnt=\count304
554 561
 \MPscratchDim=\dimen264
555
-\MPnumerator=\count304
556
-\makeMPintoPDFobject=\count305
557
-\everyMPtoPDFconversion=\toks35
562
+\MPnumerator=\count305
563
+\makeMPintoPDFobject=\count306
564
+\everyMPtoPDFconversion=\toks37
558 565
 )
559 566
 (d:\Users\Forest\AppData\Local\Programs\MiKTeX\tex/latex/epstopdf-pkg\epstopdf-
560 567
 base.sty
@@ -566,19 +573,19 @@ Package epstopdf-base Info: Redefining graphics rule for `.eps' on input line 4
566 573
 cfg
567 574
 File: epstopdf-sys.cfg 2021/03/18 v2.0 Configuration of epstopdf for MiKTeX
568 575
 ))
569
-\c@lstlisting=\count306
570
-LaTeX Font Info:    Trying to load font information for U+lasy on input line 72
576
+\c@lstlisting=\count307
577
+LaTeX Font Info:    Trying to load font information for U+lasy on input line 73
571 578
 .
572 579
  (d:\Users\Forest\AppData\Local\Programs\MiKTeX\tex/latex/base\ulasy.fd
573 580
 File: ulasy.fd 1998/08/17 v2.2e LaTeX symbol font definitions
574 581
 )
575
-LaTeX Font Info:    Trying to load font information for U+msa on input line 72.
582
+LaTeX Font Info:    Trying to load font information for U+msa on input line 73.
576 583
 
577 584
 
578 585
 (d:\Users\Forest\AppData\Local\Programs\MiKTeX\tex/latex/amsfonts\umsa.fd
579 586
 File: umsa.fd 2013/01/14 v3.01 AMS symbols A
580 587
 )
581
-LaTeX Font Info:    Trying to load font information for U+msb on input line 72.
588
+LaTeX Font Info:    Trying to load font information for U+msb on input line 73.
582 589
 
583 590
 
584 591
 (d:\Users\Forest\AppData\Local\Programs\MiKTeX\tex/latex/amsfonts\umsb.fd
@@ -587,41 +594,57 @@ File: umsb.fd 2013/01/14 v3.01 AMS symbols B
587 594
 (d:\Users\Forest\AppData\Local\Programs\MiKTeX\tex/latex/listings\lstlang1.sty
588 595
 File: lstlang1.sty 2023/02/27 1.9 listings language file
589 596
 )
590
-Overfull \hbox (15.0pt too wide) detected at line 112
597
+Overfull \hbox (15.0pt too wide) detected at line 117
591 598
 [][] 
592 599
  []
593 600
 
601
+[1
594 602
 
595
-Overfull \hbox (15.0pt too wide) detected at line 147
603
+{C:/Users/Forest/AppData/Local/MiKTeX/fonts/map/pdftex/pdftex.map}]
604
+Overfull \hbox (15.0pt too wide) detected at line 156
596 605
 [][] 
597 606
  []
598 607
 
599
-[1
608
+[2] (exercises.bbl
609
+! Undefined control sequence.
610
+l.15   \url
611
+           {https://github.com/Arachnid/uscc/tree/master/submissions-2017/do...
612
+The control sequence at the end of the top line
613
+of your error message was never \def'ed. If you have
614
+misspelled it (e.g., `\hobx'), type `I' and the correct
615
+spelling (e.g., `I\hbox'). Otherwise just continue,
616
+and I'll forget about whatever was undefined.
600 617
 
601
-{C:/Users/Forest/AppData/Local/MiKTeX/fonts/map/pdftex/pdftex.map}]
602
-(exercises.bbl [2]) [3] (exercises.aux) ) 
618
+
619
+Overfull \hbox (1.15688pt too wide) in paragraph at lines 12--17
620
+[]\OT1/cmr/m/n/10 doughoyte.  Merdeto-ken: It's some hot shit.  https://github.
621
+com/Arachnid/uscc/tree/master/submissions-
622
+ []
623
+
624
+[3]) [4] (exercises.aux) ) 
603 625
 Here is how much of TeX's memory you used:
604
- 16507 strings out of 476410
605
- 322636 string characters out of 5788642
606
- 1969845 words of memory out of 5000000
607
- 36589 multiletter control sequences out of 15000+600000
626
+ 16580 strings out of 476410
627
+ 323857 string characters out of 5788642
628
+ 2009845 words of memory out of 5000000
629
+ 36658 multiletter control sequences out of 15000+600000
608 630
  521468 words of font info for 72 fonts, out of 8000000 for 9000
609 631
  1141 hyphenation exceptions out of 8191
610
- 99i,9n,94p,442b,2016s stack positions out of 10000i,1000n,20000p,200000b,200000s
611
-<d:/Users/Forest/AppData/Local/Program
612
-s/MiKTeX/fonts/type1/public/amsfonts/cm/cmbx10.pfb><d:/Users/Forest/AppData/Loc
613
-al/Programs/MiKTeX/fonts/type1/public/amsfonts/cm/cmbx12.pfb><d:/Users/Forest/A
614
-ppData/Local/Programs/MiKTeX/fonts/type1/public/amsfonts/cm/cmmi10.pfb><d:/User
615
-s/Forest/AppData/Local/Programs/MiKTeX/fonts/type1/public/amsfonts/cm/cmr10.pfb
616
-><d:/Users/Forest/AppData/Local/Programs/MiKTeX/fonts/type1/public/amsfonts/cm/
617
-cmr12.pfb><d:/Users/Forest/AppData/Local/Programs/MiKTeX/fonts/type1/public/ams
618
-fonts/cm/cmr17.pfb><d:/Users/Forest/AppData/Local/Programs/MiKTeX/fonts/type1/p
619
-ublic/amsfonts/cm/cmr5.pfb><d:/Users/Forest/AppData/Local/Programs/MiKTeX/fonts
620
-/type1/public/amsfonts/cm/cmti10.pfb><d:/Users/Forest/AppData/Local/Programs/Mi
621
-KTeX/fonts/type1/public/amsfonts/cm/cmtt8.pfb>
622
-Output written on exercises.pdf (3 pages, 137405 bytes).
632
+ 99i,9n,94p,510b,1991s stack positions out of 10000i,1000n,20000p,200000b,200000s
633
+<d:/Users/Forest/AppData/Local/Programs/MiKTeX/fonts/
634
+type1/public/amsfonts/cm/cmbx10.pfb><d:/Users/Forest/AppData/Local/Programs/MiK
635
+TeX/fonts/type1/public/amsfonts/cm/cmbx12.pfb><d:/Users/Forest/AppData/Local/Pr
636
+ograms/MiKTeX/fonts/type1/public/amsfonts/cm/cmmi10.pfb><d:/Users/Forest/AppDat
637
+a/Local/Programs/MiKTeX/fonts/type1/public/amsfonts/cm/cmr10.pfb><d:/Users/Fore
638
+st/AppData/Local/Programs/MiKTeX/fonts/type1/public/amsfonts/cm/cmr12.pfb><d:/U
639
+sers/Forest/AppData/Local/Programs/MiKTeX/fonts/type1/public/amsfonts/cm/cmr17.
640
+pfb><d:/Users/Forest/AppData/Local/Programs/MiKTeX/fonts/type1/public/amsfonts/
641
+cm/cmr5.pfb><d:/Users/Forest/AppData/Local/Programs/MiKTeX/fonts/type1/public/a
642
+msfonts/cm/cmr7.pfb><d:/Users/Forest/AppData/Local/Programs/MiKTeX/fonts/type1/
643
+public/amsfonts/cm/cmti10.pfb><d:/Users/Forest/AppData/Local/Programs/MiKTeX/fo
644
+nts/type1/public/amsfonts/cm/cmtt8.pfb>
645
+Output written on exercises.pdf (4 pages, 150280 bytes).
623 646
 PDF statistics:
624
- 60 PDF objects out of 1000 (max. 8388607)
647
+ 68 PDF objects out of 1000 (max. 8388607)
625 648
  0 named destinations out of 1000 (max. 500000)
626 649
  13 words of extra memory for PDF output out of 10000 (max. 10000000)
627 650
 

バイナリ
SemSEpaper/exercises.pdf ファイルの表示


バイナリ
SemSEpaper/exercises.synctex.gz ファイルの表示


+ 80
- 51
SemSEpaper/exercises.tex ファイルの表示

@@ -9,12 +9,13 @@
9 9
 \usepackage{xspace}
10 10
 \usepackage{todonotes}
11 11
 \usepackage{listings}
12
-\newcommand{\true}{true}
13
-\newcommand{\false}{false}
14 12
 \usepackage[ruled,linesnumbered]{algorithm2e} % Enables the writing of pseudo code.
13
+\usepackage{float}% http://ctan.org/pkg/float
15 14
 
16
-   \pagestyle{plain}
17
-   \bibliographystyle{plain}
15
+\newcommand{\true}{true}
16
+\newcommand{\false}{false}
17
+\pagestyle{plain}
18
+\bibliographystyle{plain}
18 19
 
19 20
 
20 21
 \title{192.127 Seminar in Software Engineering (Smart Contracts) \\
@@ -25,15 +26,15 @@
25 26
 
26 27
 \author{\textbf{*** YOUR NAME AND STUDENT ID ***}}
27 28
 
28
-  \newtheorem{theorem}{Theorem}
29
-  \newtheorem{lemma}[theorem]{Lemma}
30
-  \newtheorem{corollary}[theorem]{Corollary}
31
-  \newtheorem{proposition}[theorem]{Proposition}
32
-  \newtheorem{conjecture}[theorem]{Conjecture}
33
-  \newtheorem{definition}[theorem]{Definition}
34
-  \newtheorem{example}[theorem]{Example}
35
-  \newtheorem{remark}[theorem]{Remark}
36
-  \newtheorem{exercise}[theorem]{Exercise}
29
+\newtheorem{theorem}{Theorem}
30
+\newtheorem{lemma}[theorem]{Lemma}
31
+\newtheorem{corollary}[theorem]{Corollary}
32
+\newtheorem{proposition}[theorem]{Proposition}
33
+\newtheorem{conjecture}[theorem]{Conjecture}
34
+\newtheorem{definition}[theorem]{Definition}
35
+\newtheorem{example}[theorem]{Example}
36
+\newtheorem{remark}[theorem]{Remark}
37
+\newtheorem{exercise}[theorem]{Exercise}
37 38
 
38 39
 
39 40
 \renewcommand{\labelenumi}{(\alph{enumi})}
@@ -75,22 +76,26 @@
75 76
 
76 77
 \subsection{Solidity storage layout}
77 78
 
78
-Any contract's storage is a continuous 256-bit address space consisting of 32-bit values. In order to implement dynamically sized data structures like maps and arrays, Solidity distributes their entries in a pseudo-random location. Due to the vast 256-bit range of addresses collisions are statistically extremely improbable and of no practical relevance.
79
+Any contract's storage is a continuous 256-bit address space consisting of 32-bit values. In order to implement dynamically sized data structures like maps and arrays, Solidity distributes their entries in a pseudo-random location. Due to the vast 256-bit range of addresses collisions are statistically extremely improbable and of little practical relevance in safely implemented contracts.
79 80
 
80 81
 \medspace
81 82
 
82
-In the case of a dynamic array at variable slot $p$, data is written to continuous locations starting at $keccak(p)$. The array itself contains the length information.
83
+In the case of a dynamic array at variable slot $p$, data is written to continuous locations starting at $keccak(p)$. The array itself contains the length information as an $uint256$ value. Even enormous arrays are unlikely to produce collisions due to the vast address space, although an improperly managed array may store data to an unbounded user-controlled offset, thereby allowing arbitrary overwriting of data.
83 84
 
84 85
 \medspace
85 86
 
86
-For maps stored in variable slot $p$ the data for index $k$ can be found at $keccak(k . p)$ where $.$ is the concatenation operator.
87
+For maps stored in variable slot $p$ the data for index $k$ can be found at $keccak(k . p)$ where $.$ is the concatenation operator. This is a statistically safe approach, as the chance of intentionally finding a value for $keccak(k . p)$ s.t. for a known stored variable $x$, $keccak(k . p) == storage\_address(x)$ is about one in $2^{256}$ and $keccak$ is believed to be a cryptographically secure hash function.
87 88
 
88 89
 \subsection{The Weakness}
89 90
 
90
-Any unchecked array write is potentially dangerous, as the storage-location of all variables is publicly known and an unconstrained array index can be reverse engineered to target them.
91
+Any unchecked array write is potentially dangerous, as the storage-location of all variables is publicly known and an unconstrained array index can be reverse engineered to target them. This can be achieved by using the known array storage location $p$, target-variable $x$, and computing the offset-value $o$ such that $keccac(p) + o == storage\_address(x)$.
92
+
93
+\medspace
94
+
95
+A trivial example of such a vulnerable write operation is shown in Algorithm 1.
91 96
 
92 97
 \lstset{style=mystyle}
93
-\begin{algorithm}
98
+\begin{algorithm}[H]
94 99
 	\begin{lstlisting}[language=Octave]
95 100
 	pragma solidity 0.4.25;
96 101
 	
@@ -111,37 +116,41 @@ Any unchecked array write is potentially dangerous, as the storage-location of a
111 116
 	\caption{A completely unchecked array write}
112 117
 \end{algorithm}
113 118
 
114
-In the following example the $pop$ function incorrectly checks for an array $length >= 0$, thereby allowing the value to underflow when called with an empty array. Once this weakness is exploited $update$ in Algorithm 2 behaves just like $write$ did in Algorithm 1. 
119
+\medspace
120
+
121
+In the following example (Algorithm 2) the $pop$ function incorrectly checks for an array $length >= 0$, thereby allowing the $length$ value to underflow when called with an empty array. Once this weakness is triggered, $update$ in Algorithm 2 behaves just like $write$ did in Algorithm 1. 
122
+
123
+\medspace
115 124
 
116 125
 \lstset{style=mystyle}
117
-\begin{algorithm}
126
+\begin{algorithm}[H]
118 127
 	\begin{lstlisting}[language=Octave]
119
-		pragma solidity 0.4.25;
128
+	pragma solidity 0.4.25;
129
+	
130
+	contract MyContract {
131
+		address private owner;
132
+		uint[] private arr;
133
+		
134
+		constructor() public {
135
+			arr = new uint[](0);
136
+			owner = msg.sender;
137
+		}
138
+		
139
+		function push(value) {
140
+			arr[arr.length] = value;
141
+			arr.length++;
142
+		}
120 143
 		
121
-		contract MyContract {
122
-			address private owner;
123
-			uint[] private arr;
124
-			
125
-			constructor() public {
126
-				arr = new uint[](0);
127
-				owner = msg.sender;
128
-			}
129
-			
130
-			function push(value) {
131
-				arr[arr.length] = value;
132
-				arr.length++;
133
-			}
134
-			
135
-			function pop() {
136
-				require(arr.length >= 0);
137
-				arr.length--;
138
-			}
139
-			
140
-			function update(unit index, uint value) {
141
-				require(index < arr.length);
142
-				arr[index] = value;
143
-			}
144
+		function pop() {
145
+			require(arr.length >= 0);
146
+			arr.length--;
144 147
 		}
148
+		
149
+		function update(unit index, uint value) {
150
+			require(index < arr.length);
151
+			arr[index] = value;
152
+		}
153
+	}
145 154
 	\end{lstlisting}
146 155
 	\caption{An incorrectly managed array length}
147 156
 \end{algorithm}
@@ -153,17 +162,37 @@ collect vulnerable contracts used by different papers to motivate/illustrate the
153 162
 
154 163
 \section{Code properties and automatic detection}
155 164
 
156
-summarize the code properties that tools are looking for so that they can detect the weakness
165
+Automatic detection tools can be broadly categorized into ones employing static analysis and those who use fuzzing, i.e. application of semi-random inputs. Notable static analysis tools include Securify \cite{securify} and teEther \cite{teether} which both function in a similar manner:
166
+
167
+\medspace
168
+
169
+Initially, the given EVM byte-code is disassembled into a control-flow-graph (CFG). In the second step, the tools identify potentially risky instructions. In the case of arbitrary writes, the instruction of note is $sstore(k,v)$ where both $k$ and $v$ are input-controlled. The tools differ in the way they identify whether or not the values are input-controlled. 
170
+
171
+\medspace
172
+
173
+In the case of Securify \cite{securify}, the CFG is translated into what the authors call "semantic facts" to which an elaborate set of so-called security patterns is applied. These patterns consist of building blocks in the form of predicates, which allows the tool to simply generate output based on the (transitively) matched patterns.
174
+
175
+\medspace
176
+
177
+teEther \cite{teether} employs a similar approach, but instead the authors opt to build a graph of dependent variables. If the graph arrives at a $sstore(k,v)$ instruction and a path can be found leading to user-controlled inputs, the tool infers a set of constraints which are then used to automatically generate an exploit.
178
+
179
+\medspace
180
+
181
+The fuzz-driven approach to vulnerability detection is more abstract, as general-purpose fuzzing tools generally don't have knowledge of the analysed program. For the tool SmartFuzzDriverGenerator \cite{fuzzdrivegen}, a multitude of these fuzzing libraries can be used. The problem at hand is, however, that the technique cannot interface with a smart contract out of the box. The "glue" between fuzzer and program is called a driver, hence the name of "driver-generator".
182
+
183
+\medspace
184
+
185
+SmartFuzzDriverGenerator aims to automatically generate such a driver by %TODO: I have no idea how it does this actually%
186
+
187
+\medspace
188
+
189
+The Smartian tool \cite{smartian} attempts to find a middle-ground between static and dynamic analysis by first transforming the EVM bytecode into control-flow facts. Based on this information, a set of seed-inputs is generated that are expected to have a high probability of yielding useable results. Should no exploit be found, the seed-inputs are then mutated in order to yield a higher code coverage. %TODO: This is probably extemely inprecise and should be re-written%
157 190
 
158 191
 \section{Exploit sketch}
159 192
 
160
-sketch ways to potentially exploit the different variants of the weakness.
193
+\cite{doughoyte}
194
+%TODO: just explain what this guy does: https://github.com/Arachnid/uscc/tree/master/submissions-2017/doughoyte%
161 195
 
162
-%remove this later%
163
-\cite{10.1145/3243734.3243780}
164
-\cite{10.1145/3578527.3578538}
165
-\cite{217464}
166
-\cite{9678888}
167 196
 
168 197
 \bibliography{exercise.bib}
169 198
 

読み込み中…
キャンセル
保存