
update paper

master
nitowa 1 year ago
parent
commit
0bef45dcda

+ 18
- 4
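--- a/SemSEpaper/exercise.bib
+++ b/SemSEpaper/exercise.bib
@@ -1,4 +1,4 @@
-@INPROCEEDINGS{9678888,
+@INPROCEEDINGS{smartian,
 	author={Choi, Jaeseung and Kim, Doyeon and Kim, Soomin and Grieco, Gustavo and Groce, Alex and Cha, Sang Kil},
 	booktitle={2021 36th IEEE/ACM International Conference on Automated Software Engineering (ASE)}, 
 	title={SMARTIAN: Enhancing Smart Contract Fuzzing with Static and Dynamic Data-Flow Analyses}, 
@@ -8,7 +8,7 @@
 	pages={227-239},
 	doi={10.1109/ASE51524.2021.9678888}}
 
-@inproceedings{10.1145/3578527.3578538,
+@inproceedings{fuzzdrivegen,
 	author = {Pani, Siddhasagar and Nallagonda, Harshita Vani and Vigneswaran and Medicherla, Raveendra Kumar and Rajan M},
 	title = {SmartFuzzDriverGen: Smart Contract Fuzzing Automation for Golang},
 	year = {2023},
@@ -26,7 +26,7 @@
 	series = {ISEC '23}
 }
 
-@inproceedings {217464,
+@inproceedings {teether,
 	author = {Johannes Krupp and Christian Rossow},
 	title = {{teEther}: Gnawing at Ethereum to Automatically Exploit Smart Contracts},
 	booktitle = {27th USENIX Security Symposium (USENIX Security 18)},
@@ -39,7 +39,7 @@
 	month = aug
 }
 
-@inproceedings{10.1145/3243734.3243780,
+@inproceedings{securify,
 	author = {Tsankov, Petar and Dan, Andrei and Drachsler-Cohen, Dana and Gervais, Arthur and B\"{u}nzli, Florian and Vechev, Martin},
 	title = {Securify: Practical Security Analysis of Smart Contracts},
 	year = {2018},
@@ -56,3 +56,17 @@
 	location = {Toronto, Canada},
 	series = {CCS '18}
 }
+
+@MISC{
+	doughoyte,
+	author = {doughoyte},
+	title = {MerdeToken: It's Some Hot Shit},
+	note = {\url{https://github.com/Arachnid/uscc/tree/master/submissions-2017/doughoyte} [Accessed: Oct. 27th 2023]}
+}
+
+@misc{CiteDrive2022,
+	title        = {CiteDrive brings reference management to Overleaf},
+	author       = {CiteDrive, Inc},
+	year         = 2022,
+	note         = {\url{https://www.citedrive.com/overleaf} [Accessed: (Use the date of access)]}
+}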
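Review bot: The `\url{...}` inside the `note` field of the new `doughoyte` entry is passed straight through by plain.bst, but no `url` or `hyperref` package is loaded in the exercises.tex preamble this commit touches, and the exercises.log section records the consequence: `! Undefined control sequence. l.15 \url` while reading exercises.bbl. The fix belongs in exercises.tex, `\usepackage{url}` next to the new `\usepackage{float}`; the same point applies to the exercises.tex and exercises.log sections below and is not repeated there. The title also loses its capitalisation under plain.bst (the .bbl section shows `Merdetoken`), so protect the proper noun: `title = {{MerdeToken}: It's Some Hot Shit},`. The `CiteDrive2022` entry is not cited anywhere in the new exercises.aux and still carries the template placeholder `(Use the date of access)`, so it looks like leftover boilerplate that should be dropped or completed.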

+ 17
- 13
SemSEpaper/exercises.aux

4
 \@writefile{toc}{\contentsline {section}{\numberline {1}Weakness and consequences}{1}{}\protected@file@percent }
4
 \@writefile{toc}{\contentsline {section}{\numberline {1}Weakness and consequences}{1}{}\protected@file@percent }
5
 \@writefile{toc}{\contentsline {subsection}{\numberline {1.1}Solidity storage layout}{1}{}\protected@file@percent }
5
 \@writefile{toc}{\contentsline {subsection}{\numberline {1.1}Solidity storage layout}{1}{}\protected@file@percent }
6
 \@writefile{toc}{\contentsline {subsection}{\numberline {1.2}The Weakness}{1}{}\protected@file@percent }
6
 \@writefile{toc}{\contentsline {subsection}{\numberline {1.2}The Weakness}{1}{}\protected@file@percent }
7
-\@writefile{loa}{\contentsline {algocf}{\numberline {1}{\ignorespaces A completely unchecked array write}}{1}{}\protected@file@percent }
8
-\citation{10.1145/3243734.3243780}
9
-\citation{10.1145/3578527.3578538}
10
-\citation{217464}
11
-\citation{9678888}
12
-\bibdata{exercise.bib}
13
-\bibcite{9678888}{1}
14
-\bibcite{217464}{2}
15
-\bibcite{10.1145/3578527.3578538}{3}
7
+\citation{securify}
8
+\citation{teether}
9
+\@writefile{loa}{\contentsline {algocf}{\numberline {1}{\ignorespaces A completely unchecked array write}}{2}{}\protected@file@percent }
16
 \@writefile{loa}{\contentsline {algocf}{\numberline {2}{\ignorespaces An incorrectly managed array length}}{2}{}\protected@file@percent }
10
 \@writefile{loa}{\contentsline {algocf}{\numberline {2}{\ignorespaces An incorrectly managed array length}}{2}{}\protected@file@percent }
17
 \@writefile{toc}{\contentsline {section}{\numberline {2}Vulnerable contracts in literature}{2}{}\protected@file@percent }
11
 \@writefile{toc}{\contentsline {section}{\numberline {2}Vulnerable contracts in literature}{2}{}\protected@file@percent }
18
-\@writefile{toc}{\contentsline {section}{\numberline {3}Code properties and automatic detection}{2}{}\protected@file@percent }
19
-\@writefile{toc}{\contentsline {section}{\numberline {4}Exploit sketch}{2}{}\protected@file@percent }
20
-\bibcite{10.1145/3243734.3243780}{4}
21
-\gdef \@abspage@last{3}
12
+\citation{securify}
13
+\citation{teether}
14
+\citation{fuzzdrivegen}
15
+\citation{smartian}
16
+\citation{doughoyte}
17
+\bibdata{exercise.bib}
18
+\bibcite{smartian}{1}
19
+\bibcite{doughoyte}{2}
20
+\bibcite{teether}{3}
21
+\bibcite{fuzzdrivegen}{4}
22
+\@writefile{toc}{\contentsline {section}{\numberline {3}Code properties and automatic detection}{3}{}\protected@file@percent }
23
+\@writefile{toc}{\contentsline {section}{\numberline {4}Exploit sketch}{3}{}\protected@file@percent }
24
+\bibcite{securify}{5}
25
+\gdef \@abspage@last{4}

+ 11
- 4
SemSEpaper/exercises.bbl

1
 \begin{thebibliography}{1}
1
 \begin{thebibliography}{1}
2
 
2
 
3
-\bibitem{9678888}
3
+\bibitem{smartian}
4
 Jaeseung Choi, Doyeon Kim, Soomin Kim, Gustavo Grieco, Alex Groce, and Sang~Kil
4
 Jaeseung Choi, Doyeon Kim, Soomin Kim, Gustavo Grieco, Alex Groce, and Sang~Kil
5
   Cha.
5
   Cha.
6
 \newblock Smartian: Enhancing smart contract fuzzing with static and dynamic
6
 \newblock Smartian: Enhancing smart contract fuzzing with static and dynamic
8
 \newblock In {\em 2021 36th IEEE/ACM International Conference on Automated
8
 \newblock In {\em 2021 36th IEEE/ACM International Conference on Automated
9
   Software Engineering (ASE)}, pages 227--239, 2021.
9
   Software Engineering (ASE)}, pages 227--239, 2021.
10
 
10
 
11
-\bibitem{217464}
11
+\bibitem{doughoyte}
12
+doughoyte.
13
+\newblock Merdetoken: It's some hot shit.
14
+\newblock
15
+  \url{https://github.com/Arachnid/uscc/tree/master/submissions-2017/doughoyte}
16
+  [Accessed: Oct. 27th 2023].
17
+
18
+\bibitem{teether}
12
 Johannes Krupp and Christian Rossow.
19
 Johannes Krupp and Christian Rossow.
13
 \newblock {teEther}: Gnawing at ethereum to automatically exploit smart
20
 \newblock {teEther}: Gnawing at ethereum to automatically exploit smart
14
   contracts.
21
   contracts.
15
 \newblock In {\em 27th USENIX Security Symposium (USENIX Security 18)}, pages
22
 \newblock In {\em 27th USENIX Security Symposium (USENIX Security 18)}, pages
16
   1317--1333, Baltimore, MD, August 2018. USENIX Association.
23
   1317--1333, Baltimore, MD, August 2018. USENIX Association.
17
 
24
 
18
-\bibitem{10.1145/3578527.3578538}
25
+\bibitem{fuzzdrivegen}
19
 Siddhasagar Pani, Harshita~Vani Nallagonda, Vigneswaran, Raveendra~Kumar
26
 Siddhasagar Pani, Harshita~Vani Nallagonda, Vigneswaran, Raveendra~Kumar
20
   Medicherla, and Rajan M.
27
   Medicherla, and Rajan M.
21
 \newblock Smartfuzzdrivergen: Smart contract fuzzing automation for golang.
28
 \newblock Smartfuzzdrivergen: Smart contract fuzzing automation for golang.
23
   Conference}, ISEC '23, New York, NY, USA, 2023. Association for Computing
30
   Conference}, ISEC '23, New York, NY, USA, 2023. Association for Computing
24
   Machinery.
31
   Machinery.
25
 
32
 
26
-\bibitem{10.1145/3243734.3243780}
33
+\bibitem{securify}
27
 Petar Tsankov, Andrei Dan, Dana Drachsler-Cohen, Arthur Gervais, Florian
34
 Petar Tsankov, Andrei Dan, Dana Drachsler-Cohen, Arthur Gervais, Florian
28
   B\"{u}nzli, and Martin Vechev.
35
   B\"{u}nzli, and Martin Vechev.
29
 \newblock Securify: Practical security analysis of smart contracts.
36
 \newblock Securify: Practical security analysis of smart contracts.

+ 29
- 29
SemSEpaper/exercises.blg

5
 The style file: plain.bst
5
 The style file: plain.bst
6
 Reallocating 'name_of_file' (item size: 1) to 13 items.
6
 Reallocating 'name_of_file' (item size: 1) to 13 items.
7
 Database file #1: exercise.bib
7
 Database file #1: exercise.bib
8
-You've used 4 entries,
8
+You've used 5 entries,
9
             2118 wiz_defined-function locations,
9
             2118 wiz_defined-function locations,
10
-            525 strings with 5122 characters,
11
-and the built_in function-call counts, 2044 in all, are:
12
-= -- 206
13
-> -- 107
10
+            528 strings with 5241 characters,
11
+and the built_in function-call counts, 2246 in all, are:
12
+= -- 224
13
+> -- 114
14
 < -- 3
14
 < -- 3
15
-+ -- 42
16
-- -- 38
17
-* -- 137
18
-:= -- 313
19
-add.period$ -- 15
20
-call.type$ -- 4
21
-change.case$ -- 31
15
++ -- 45
16
+- -- 40
17
+* -- 142
18
+:= -- 346
19
+add.period$ -- 18
20
+call.type$ -- 5
21
+change.case$ -- 35
22
 chr.to.int$ -- 0
22
 chr.to.int$ -- 0
23
-cite$ -- 4
24
-duplicate$ -- 91
25
-empty$ -- 144
26
-format.name$ -- 38
27
-if$ -- 458
23
+cite$ -- 5
24
+duplicate$ -- 98
25
+empty$ -- 166
26
+format.name$ -- 40
27
+if$ -- 502
28
 int.to.chr$ -- 0
28
 int.to.chr$ -- 0
29
-int.to.str$ -- 4
29
+int.to.str$ -- 5
30
 missing$ -- 4
30
 missing$ -- 4
31
-newline$ -- 23
32
-num.names$ -- 8
33
-pop$ -- 38
31
+newline$ -- 28
32
+num.names$ -- 10
33
+pop$ -- 49
34
 preamble$ -- 1
34
 preamble$ -- 1
35
-purify$ -- 27
35
+purify$ -- 30
36
 quote$ -- 0
36
 quote$ -- 0
37
-skip$ -- 75
37
+skip$ -- 81
38
 stack$ -- 0
38
 stack$ -- 0
39
-substring$ -- 102
40
-swap$ -- 40
39
+substring$ -- 107
40
+swap$ -- 41
41
 text.length$ -- 3
41
 text.length$ -- 3
42
 text.prefix$ -- 0
42
 text.prefix$ -- 0
43
 top$ -- 0
43
 top$ -- 0
44
-type$ -- 16
44
+type$ -- 20
45
 warning$ -- 0
45
 warning$ -- 0
46
-while$ -- 14
47
-width$ -- 5
48
-write$ -- 53
46
+while$ -- 16
47
+width$ -- 6
48
+write$ -- 62

+ 77
- 54
SemSEpaper/exercises.log

1
-This is pdfTeX, Version 3.141592653-2.6-1.40.25 (MiKTeX 23.5) (preloaded format=pdflatex 2023.6.4)  23 OCT 2023 20:33
1
+This is pdfTeX, Version 3.141592653-2.6-1.40.25 (MiKTeX 23.5) (preloaded format=pdflatex 2023.6.4)  27 OCT 2023 11:03
2
 entering extended mode
2
 entering extended mode
3
  restricted \write18 enabled.
3
  restricted \write18 enabled.
4
  %&-line parsing enabled.
4
  %&-line parsing enabled.
515
 \c@algocf=\count297
515
 \c@algocf=\count297
516
 \algocf@algoframe=\box70
516
 \algocf@algoframe=\box70
517
 \algocf@algobox=\box71
517
 \algocf@algobox=\box71
518
+) (d:\Users\Forest\AppData\Local\Programs\MiKTeX\tex/latex/float\float.sty
519
+Package: float 2001/11/08 v1.3d Float enhancements (AL)
520
+\c@float@type=\count298
521
+\float@exts=\toks34
522
+\float@box=\box72
523
+\@float@everytoks=\toks35
524
+\@floatcapt=\box73
518
 )
525
 )
519
-\c@theorem=\count298
526
+\c@theorem=\count299
520
 
527
 
521
 (d:\Users\Forest\AppData\Local\Programs\MiKTeX\tex/latex/l3backend\l3backend-pd
528
 (d:\Users\Forest\AppData\Local\Programs\MiKTeX\tex/latex/l3backend\l3backend-pd
522
 ftex.def
529
 ftex.def
523
 File: l3backend-pdftex.def 2023-04-19 L3 backend support: PDF output (pdfTeX)
530
 File: l3backend-pdftex.def 2023-04-19 L3 backend support: PDF output (pdfTeX)
524
-\l__color_backend_stack_int=\count299
525
-\l__pdf_internal_box=\box72
531
+\l__color_backend_stack_int=\count300
532
+\l__pdf_internal_box=\box74
526
 ) (exercises.aux)
533
 ) (exercises.aux)
527
 \openout1 = `exercises.aux'.
534
 \openout1 = `exercises.aux'.
528
 
535
 
529
-LaTeX Font Info:    Checking defaults for OML/cmm/m/it on input line 69.
530
-LaTeX Font Info:    ... okay on input line 69.
531
-LaTeX Font Info:    Checking defaults for OMS/cmsy/m/n on input line 69.
532
-LaTeX Font Info:    ... okay on input line 69.
533
-LaTeX Font Info:    Checking defaults for OT1/cmr/m/n on input line 69.
534
-LaTeX Font Info:    ... okay on input line 69.
535
-LaTeX Font Info:    Checking defaults for T1/cmr/m/n on input line 69.
536
-LaTeX Font Info:    ... okay on input line 69.
537
-LaTeX Font Info:    Checking defaults for TS1/cmr/m/n on input line 69.
538
-LaTeX Font Info:    ... okay on input line 69.
539
-LaTeX Font Info:    Checking defaults for OMX/cmex/m/n on input line 69.
540
-LaTeX Font Info:    ... okay on input line 69.
541
-LaTeX Font Info:    Checking defaults for U/cmr/m/n on input line 69.
542
-LaTeX Font Info:    ... okay on input line 69.
536
+LaTeX Font Info:    Checking defaults for OML/cmm/m/it on input line 70.
537
+LaTeX Font Info:    ... okay on input line 70.
538
+LaTeX Font Info:    Checking defaults for OMS/cmsy/m/n on input line 70.
539
+LaTeX Font Info:    ... okay on input line 70.
540
+LaTeX Font Info:    Checking defaults for OT1/cmr/m/n on input line 70.
541
+LaTeX Font Info:    ... okay on input line 70.
542
+LaTeX Font Info:    Checking defaults for T1/cmr/m/n on input line 70.
543
+LaTeX Font Info:    ... okay on input line 70.
544
+LaTeX Font Info:    Checking defaults for TS1/cmr/m/n on input line 70.
545
+LaTeX Font Info:    ... okay on input line 70.
546
+LaTeX Font Info:    Checking defaults for OMX/cmex/m/n on input line 70.
547
+LaTeX Font Info:    ... okay on input line 70.
548
+LaTeX Font Info:    Checking defaults for U/cmr/m/n on input line 70.
549
+LaTeX Font Info:    ... okay on input line 70.
543
 
550
 
544
 (d:\Users\Forest\AppData\Local\Programs\MiKTeX\tex/context/base/mkii\supp-pdf.m
551
 (d:\Users\Forest\AppData\Local\Programs\MiKTeX\tex/context/base/mkii\supp-pdf.m
545
 kii
552
 kii
546
 [Loading MPS to PDF converter (version 2006.09.02).]
553
 [Loading MPS to PDF converter (version 2006.09.02).]
547
-\scratchcounter=\count300
554
+\scratchcounter=\count301
548
 \scratchdimen=\dimen263
555
 \scratchdimen=\dimen263
549
-\scratchbox=\box73
550
-\nofMPsegments=\count301
551
-\nofMParguments=\count302
552
-\everyMPshowfont=\toks34
553
-\MPscratchCnt=\count303
556
+\scratchbox=\box75
557
+\nofMPsegments=\count302
558
+\nofMParguments=\count303
559
+\everyMPshowfont=\toks36
560
+\MPscratchCnt=\count304
554
 \MPscratchDim=\dimen264
561
 \MPscratchDim=\dimen264
555
-\MPnumerator=\count304
556
-\makeMPintoPDFobject=\count305
557
-\everyMPtoPDFconversion=\toks35
562
+\MPnumerator=\count305
563
+\makeMPintoPDFobject=\count306
564
+\everyMPtoPDFconversion=\toks37
558
 )
565
 )
559
 (d:\Users\Forest\AppData\Local\Programs\MiKTeX\tex/latex/epstopdf-pkg\epstopdf-
566
 (d:\Users\Forest\AppData\Local\Programs\MiKTeX\tex/latex/epstopdf-pkg\epstopdf-
560
 base.sty
567
 base.sty
566
 cfg
573
 cfg
567
 File: epstopdf-sys.cfg 2021/03/18 v2.0 Configuration of epstopdf for MiKTeX
574
 File: epstopdf-sys.cfg 2021/03/18 v2.0 Configuration of epstopdf for MiKTeX
568
 ))
575
 ))
569
-\c@lstlisting=\count306
570
-LaTeX Font Info:    Trying to load font information for U+lasy on input line 72
576
+\c@lstlisting=\count307
577
+LaTeX Font Info:    Trying to load font information for U+lasy on input line 73
571
 .
578
 .
572
  (d:\Users\Forest\AppData\Local\Programs\MiKTeX\tex/latex/base\ulasy.fd
579
  (d:\Users\Forest\AppData\Local\Programs\MiKTeX\tex/latex/base\ulasy.fd
573
 File: ulasy.fd 1998/08/17 v2.2e LaTeX symbol font definitions
580
 File: ulasy.fd 1998/08/17 v2.2e LaTeX symbol font definitions
574
 )
581
 )
575
-LaTeX Font Info:    Trying to load font information for U+msa on input line 72.
582
+LaTeX Font Info:    Trying to load font information for U+msa on input line 73.
576
 
583
 
577
 
584
 
578
 (d:\Users\Forest\AppData\Local\Programs\MiKTeX\tex/latex/amsfonts\umsa.fd
585
 (d:\Users\Forest\AppData\Local\Programs\MiKTeX\tex/latex/amsfonts\umsa.fd
579
 File: umsa.fd 2013/01/14 v3.01 AMS symbols A
586
 File: umsa.fd 2013/01/14 v3.01 AMS symbols A
580
 )
587
 )
581
-LaTeX Font Info:    Trying to load font information for U+msb on input line 72.
588
+LaTeX Font Info:    Trying to load font information for U+msb on input line 73.
582
 
589
 
583
 
590
 
584
 (d:\Users\Forest\AppData\Local\Programs\MiKTeX\tex/latex/amsfonts\umsb.fd
591
 (d:\Users\Forest\AppData\Local\Programs\MiKTeX\tex/latex/amsfonts\umsb.fd
587
 (d:\Users\Forest\AppData\Local\Programs\MiKTeX\tex/latex/listings\lstlang1.sty
594
 (d:\Users\Forest\AppData\Local\Programs\MiKTeX\tex/latex/listings\lstlang1.sty
588
 File: lstlang1.sty 2023/02/27 1.9 listings language file
595
 File: lstlang1.sty 2023/02/27 1.9 listings language file
589
 )
596
 )
590
-Overfull \hbox (15.0pt too wide) detected at line 112
597
+Overfull \hbox (15.0pt too wide) detected at line 117
591
 [][] 
598
 [][] 
592
  []
599
  []
593
 
600
 
601
+[1
594
 
602
 
595
-Overfull \hbox (15.0pt too wide) detected at line 147
603
+{C:/Users/Forest/AppData/Local/MiKTeX/fonts/map/pdftex/pdftex.map}]
604
+Overfull \hbox (15.0pt too wide) detected at line 156
596
 [][] 
605
 [][] 
597
  []
606
  []
598
 
607
 
599
-[1
608
+[2] (exercises.bbl
609
+! Undefined control sequence.
610
+l.15   \url
611
+           {https://github.com/Arachnid/uscc/tree/master/submissions-2017/do...
612
+The control sequence at the end of the top line
613
+of your error message was never \def'ed. If you have
614
+misspelled it (e.g., `\hobx'), type `I' and the correct
615
+spelling (e.g., `I\hbox'). Otherwise just continue,
616
+and I'll forget about whatever was undefined.
600
 
617
 
601
-{C:/Users/Forest/AppData/Local/MiKTeX/fonts/map/pdftex/pdftex.map}]
602
-(exercises.bbl [2]) [3] (exercises.aux) ) 
618
+
619
+Overfull \hbox (1.15688pt too wide) in paragraph at lines 12--17
620
+[]\OT1/cmr/m/n/10 doughoyte.  Merdeto-ken: It's some hot shit.  https://github.
621
+com/Arachnid/uscc/tree/master/submissions-
622
+ []
623
+
624
+[3]) [4] (exercises.aux) ) 
603
 Here is how much of TeX's memory you used:
625
 Here is how much of TeX's memory you used:
604
- 16507 strings out of 476410
605
- 322636 string characters out of 5788642
606
- 1969845 words of memory out of 5000000
607
- 36589 multiletter control sequences out of 15000+600000
626
+ 16580 strings out of 476410
627
+ 323857 string characters out of 5788642
628
+ 2009845 words of memory out of 5000000
629
+ 36658 multiletter control sequences out of 15000+600000
608
  521468 words of font info for 72 fonts, out of 8000000 for 9000
630
  521468 words of font info for 72 fonts, out of 8000000 for 9000
609
  1141 hyphenation exceptions out of 8191
631
  1141 hyphenation exceptions out of 8191
610
- 99i,9n,94p,442b,2016s stack positions out of 10000i,1000n,20000p,200000b,200000s
611
-<d:/Users/Forest/AppData/Local/Program
612
-s/MiKTeX/fonts/type1/public/amsfonts/cm/cmbx10.pfb><d:/Users/Forest/AppData/Loc
613
-al/Programs/MiKTeX/fonts/type1/public/amsfonts/cm/cmbx12.pfb><d:/Users/Forest/A
614
-ppData/Local/Programs/MiKTeX/fonts/type1/public/amsfonts/cm/cmmi10.pfb><d:/User
615
-s/Forest/AppData/Local/Programs/MiKTeX/fonts/type1/public/amsfonts/cm/cmr10.pfb
616
-><d:/Users/Forest/AppData/Local/Programs/MiKTeX/fonts/type1/public/amsfonts/cm/
617
-cmr12.pfb><d:/Users/Forest/AppData/Local/Programs/MiKTeX/fonts/type1/public/ams
618
-fonts/cm/cmr17.pfb><d:/Users/Forest/AppData/Local/Programs/MiKTeX/fonts/type1/p
619
-ublic/amsfonts/cm/cmr5.pfb><d:/Users/Forest/AppData/Local/Programs/MiKTeX/fonts
620
-/type1/public/amsfonts/cm/cmti10.pfb><d:/Users/Forest/AppData/Local/Programs/Mi
621
-KTeX/fonts/type1/public/amsfonts/cm/cmtt8.pfb>
622
-Output written on exercises.pdf (3 pages, 137405 bytes).
632
+ 99i,9n,94p,510b,1991s stack positions out of 10000i,1000n,20000p,200000b,200000s
633
+<d:/Users/Forest/AppData/Local/Programs/MiKTeX/fonts/
634
+type1/public/amsfonts/cm/cmbx10.pfb><d:/Users/Forest/AppData/Local/Programs/MiK
635
+TeX/fonts/type1/public/amsfonts/cm/cmbx12.pfb><d:/Users/Forest/AppData/Local/Pr
636
+ograms/MiKTeX/fonts/type1/public/amsfonts/cm/cmmi10.pfb><d:/Users/Forest/AppDat
637
+a/Local/Programs/MiKTeX/fonts/type1/public/amsfonts/cm/cmr10.pfb><d:/Users/Fore
638
+st/AppData/Local/Programs/MiKTeX/fonts/type1/public/amsfonts/cm/cmr12.pfb><d:/U
639
+sers/Forest/AppData/Local/Programs/MiKTeX/fonts/type1/public/amsfonts/cm/cmr17.
640
+pfb><d:/Users/Forest/AppData/Local/Programs/MiKTeX/fonts/type1/public/amsfonts/
641
+cm/cmr5.pfb><d:/Users/Forest/AppData/Local/Programs/MiKTeX/fonts/type1/public/a
642
+msfonts/cm/cmr7.pfb><d:/Users/Forest/AppData/Local/Programs/MiKTeX/fonts/type1/
643
+public/amsfonts/cm/cmti10.pfb><d:/Users/Forest/AppData/Local/Programs/MiKTeX/fo
644
+nts/type1/public/amsfonts/cm/cmtt8.pfb>
645
+Output written on exercises.pdf (4 pages, 150280 bytes).
623
 PDF statistics:
646
 PDF statistics:
624
- 60 PDF objects out of 1000 (max. 8388607)
647
+ 68 PDF objects out of 1000 (max. 8388607)
625
  0 named destinations out of 1000 (max. 500000)
648
  0 named destinations out of 1000 (max. 500000)
626
  13 words of extra memory for PDF output out of 10000 (max. 10000000)
649
  13 words of extra memory for PDF output out of 10000 (max. 10000000)
627
 
650
 

BIN
SemSEpaper/exercises.pdf


BIN
SemSEpaper/exercises.synctex.gz


+ 80
- 51
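--- a/SemSEpaper/exercises.tex
+++ b/SemSEpaper/exercises.tex
@@ -9,12 +9,13 @@
 \usepackage{xspace}
 \usepackage{todonotes}
 \usepackage{listings}
-\newcommand{\true}{true}
-\newcommand{\false}{false}
 \usepackage[ruled,linesnumbered]{algorithm2e} % Enables the writing of pseudo code.
+\usepackage{float}% http://ctan.org/pkg/float
 
-   \pagestyle{plain}
-   \bibliographystyle{plain}
+\newcommand{\true}{true}
+\newcommand{\false}{false}
+\pagestyle{plain}
+\bibliographystyle{plain}
 
 
 \title{192.127 Seminar in Software Engineering (Smart Contracts) \\
@@ -25,15 +26,15 @@
 
 \author{\textbf{*** YOUR NAME AND STUDENT ID ***}}
 
-  \newtheorem{theorem}{Theorem}
-  \newtheorem{lemma}[theorem]{Lemma}
-  \newtheorem{corollary}[theorem]{Corollary}
-  \newtheorem{proposition}[theorem]{Proposition}
-  \newtheorem{conjecture}[theorem]{Conjecture}
-  \newtheorem{definition}[theorem]{Definition}
-  \newtheorem{example}[theorem]{Example}
-  \newtheorem{remark}[theorem]{Remark}
-  \newtheorem{exercise}[theorem]{Exercise}
+\newtheorem{theorem}{Theorem}
+\newtheorem{lemma}[theorem]{Lemma}
+\newtheorem{corollary}[theorem]{Corollary}
+\newtheorem{proposition}[theorem]{Proposition}
+\newtheorem{conjecture}[theorem]{Conjecture}
+\newtheorem{definition}[theorem]{Definition}
+\newtheorem{example}[theorem]{Example}
+\newtheorem{remark}[theorem]{Remark}
+\newtheorem{exercise}[theorem]{Exercise}
 
 
 \renewcommand{\labelenumi}{(\alph{enumi})}
@@ -75,22 +76,26 @@
 
 \subsection{Solidity storage layout}
 
-Any contract's storage is a continuous 256-bit address space consisting of 32-bit values. In order to implement dynamically sized data structures like maps and arrays, Solidity distributes their entries in a pseudo-random location. Due to the vast 256-bit range of addresses collisions are statistically extremely improbable and of no practical relevance.
+Any contract's storage is a continuous 256-bit address space consisting of 32-bit values. In order to implement dynamically sized data structures like maps and arrays, Solidity distributes their entries in a pseudo-random location. Due to the vast 256-bit range of addresses collisions are statistically extremely improbable and of little practical relevance in safely implemented contracts.
 
 \medspace
 
-In the case of a dynamic array at variable slot $p$, data is written to continuous locations starting at $keccak(p)$. The array itself contains the length information.
+In the case of a dynamic array at variable slot $p$, data is written to continuous locations starting at $keccak(p)$. The array itself contains the length information as an $uint256$ value. Even enormous arrays are unlikely to produce collisions due to the vast address space, although an improperly managed array may store data to an unbounded user-controlled offset, thereby allowing arbitrary overwriting of data.
 
 \medspace
 
-For maps stored in variable slot $p$ the data for index $k$ can be found at $keccak(k . p)$ where $.$ is the concatenation operator.
+For maps stored in variable slot $p$ the data for index $k$ can be found at $keccak(k . p)$ where $.$ is the concatenation operator. This is a statistically safe approach, as the chance of intentionally finding a value for $keccak(k . p)$ s.t. for a known stored variable $x$, $keccak(k . p) == storage\_address(x)$ is about one in $2^{256}$ and $keccak$ is believed to be a cryptographically secure hash function.
 
 \subsection{The Weakness}
 
-Any unchecked array write is potentially dangerous, as the storage-location of all variables is publicly known and an unconstrained array index can be reverse engineered to target them.
+Any unchecked array write is potentially dangerous, as the storage-location of all variables is publicly known and an unconstrained array index can be reverse engineered to target them. This can be achieved by using the known array storage location $p$, target-variable $x$, and computing the offset-value $o$ such that $keccac(p) + o == storage\_address(x)$.
+
+\medspace
+
+A trivial example of such a vulnerable write operation is shown in Algorithm 1.
 
 \lstset{style=mystyle}
-\begin{algorithm}
+\begin{algorithm}[H]
 	\begin{lstlisting}[language=Octave]
 	pragma solidity 0.4.25;
 	
@@ -111,37 +116,41 @@
 	\caption{A completely unchecked array write}
 \end{algorithm}
 
-In the following example the $pop$ function incorrectly checks for an array $length >= 0$, thereby allowing the value to underflow when called with an empty array. Once this weakness is exploited $update$ in Algorithm 2 behaves just like $write$ did in Algorithm 1. 
+\medspace
+
+In the following example (Algorithm 2) the $pop$ function incorrectly checks for an array $length >= 0$, thereby allowing the $length$ value to underflow when called with an empty array. Once this weakness is triggered, $update$ in Algorithm 2 behaves just like $write$ did in Algorithm 1. 
+
+\medspace
 
 \lstset{style=mystyle}
-\begin{algorithm}
+\begin{algorithm}[H]
 	\begin{lstlisting}[language=Octave]
-		pragma solidity 0.4.25;
+	pragma solidity 0.4.25;
+	
+	contract MyContract {
+		address private owner;
+		uint[] private arr;
+		
+		constructor() public {
+			arr = new uint[](0);
+			owner = msg.sender;
+		}
+		
+		function push(value) {
+			arr[arr.length] = value;
+			arr.length++;
+		}
 		
-		contract MyContract {
-			address private owner;
-			uint[] private arr;
-			
-			constructor() public {
-				arr = new uint[](0);
-				owner = msg.sender;
-			}
-			
-			function push(value) {
-				arr[arr.length] = value;
-				arr.length++;
-			}
-			
-			function pop() {
-				require(arr.length >= 0);
-				arr.length--;
-			}
-			
-			function update(unit index, uint value) {
-				require(index < arr.length);
-				arr[index] = value;
-			}
+		function pop() {
+			require(arr.length >= 0);
+			arr.length--;
 		}
+		
+		function update(unit index, uint value) {
+			require(index < arr.length);
+			arr[index] = value;
+		}
+	}
 	\end{lstlisting}
 	\caption{An incorrectly managed array length}
 \end{algorithm}
@@ -153,17 +162,37 @@
 
 \section{Code properties and automatic detection}
 
-summarize the code properties that tools are looking for so that they can detect the weakness
+Automatic detection tools can be broadly categorized into ones employing static analysis and those who use fuzzing, i.e. application of semi-random inputs. Notable static analysis tools include Securify \cite{securify} and teEther \cite{teether} which both function in a similar manner:
+
+\medspace
+
+Initially, the given EVM byte-code is disassembled into a control-flow-graph (CFG). In the second step, the tools identify potentially risky instructions. In the case of arbitrary writes, the instruction of note is $sstore(k,v)$ where both $k$ and $v$ are input-controlled. The tools differ in the way they identify whether or not the values are input-controlled. 
+
+\medspace
+
+In the case of Securify \cite{securify}, the CFG is translated into what the authors call "semantic facts" to which an elaborate set of so-called security patterns is applied. These patterns consist of building blocks in the form of predicates, which allows the tool to simply generate output based on the (transitively) matched patterns.
+
+\medspace
+
+teEther \cite{teether} employs a similar approach, but instead the authors opt to build a graph of dependent variables. If the graph arrives at a $sstore(k,v)$ instruction and a path can be found leading to user-controlled inputs, the tool infers a set of constraints which are then used to automatically generate an exploit.
+
+\medspace
+
+The fuzz-driven approach to vulnerability detection is more abstract, as general-purpose fuzzing tools generally don't have knowledge of the analysed program. For the tool SmartFuzzDriverGenerator \cite{fuzzdrivegen}, a multitude of these fuzzing libraries can be used. The problem at hand is, however, that the technique cannot interface with a smart contract out of the box. The "glue" between fuzzer and program is called a driver, hence the name of "driver-generator".
+
+\medspace
+
+SmartFuzzDriverGenerator aims to automatically generate such a driver by %TODO: I have no idea how it does this actually%
+
+\medspace
+
+The Smartian tool \cite{smartian} attempts to find a middle-ground between static and dynamic analysis by first transforming the EVM bytecode into control-flow facts. Based on this information, a set of seed-inputs is generated that are expected to have a high probability of yielding useable results. Should no exploit be found, the seed-inputs are then mutated in order to yield a higher code coverage. %TODO: This is probably extemely inprecise and should be re-written%
 
 \section{Exploit sketch}
 
-sketch ways to potentially exploit the different variants of the weakness.
+\cite{doughoyte}
+%TODO: just explain what this guy does: https://github.com/Arachnid/uscc/tree/master/submissions-2017/doughoyte%
 
-%remove this later%
-\cite{10.1145/3243734.3243780}
-\cite{10.1145/3578527.3578538}
-\cite{217464}
-\cite{9678888}
 
 \bibliography{exercise.bib}
 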
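Review bot: The re-indented Algorithm 2 listing keeps the `unit` typo from the removed version, `function update(unit index, uint value) {`; `unit` is not a Solidity type, so the example would not compile under the `pragma solidity 0.4.25` it declares, and it should read `function update(uint index, uint value) {`. In the new sentence added to the Weakness subsection, `$keccac(p) + o == storage\_address(x)$` spells the hash differently from the `$keccak(p)$` and `$keccak(k . p)$` used in the two paragraphs above it; `keccak` is presumably intended. The storage-layout paragraph, rewritten in this hunk, still describes a 256-bit address space "consisting of 32-bit values" while the array paragraph below calls the length a `uint256` value; Solidity storage slots are 32 bytes wide, so "32-byte values" is very likely what was meant. Minor wording in the Code properties section: "those who use fuzzing" should be "those that use fuzzing", and the tool is named `SmartFuzzDriverGenerator` in the text but `SmartFuzzDriverGen` in the cited exercise.bib title.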
