update paper

SemSEpaper/exercises.aux

@@ -5,7 +5,6 @@
 \@writefile{toc}{\contentsline {subsection}{\numberline {1.1}Solidity storage layout}{1}{}\protected@file@percent }
 \@writefile{toc}{\contentsline {subsection}{\numberline {1.2}The Weakness}{1}{}\protected@file@percent }
 \@writefile{loa}{\contentsline {algocf}{\numberline {1}{\ignorespaces A completely unchecked array write}}{1}{}\protected@file@percent }
-\newlabel{alg:agf-opt-merge}{{1}{1}}
 \citation{10.1145/3243734.3243780}
 \citation{10.1145/3578527.3578538}
 \citation{217464}
@@ -14,8 +13,9 @@
 \bibcite{9678888}{1}
 \bibcite{217464}{2}
 \bibcite{10.1145/3578527.3578538}{3}
-\bibcite{10.1145/3243734.3243780}{4}
+\@writefile{loa}{\contentsline {algocf}{\numberline {2}{\ignorespaces An incorrectly managed array length}}{2}{}\protected@file@percent }
 \@writefile{toc}{\contentsline {section}{\numberline {2}Vulnerable contracts in literature}{2}{}\protected@file@percent }
 \@writefile{toc}{\contentsline {section}{\numberline {3}Code properties and automatic detection}{2}{}\protected@file@percent }
 \@writefile{toc}{\contentsline {section}{\numberline {4}Exploit sketch}{2}{}\protected@file@percent }
-\gdef \@abspage@last{2}
+\bibcite{10.1145/3243734.3243780}{4}
+\gdef \@abspage@last{3}

SemSEpaper/exercises.log

@@ -1,4 +1,4 @@
-This is pdfTeX, Version 3.141592653-2.6-1.40.25 (MiKTeX 23.5) (preloaded format=pdflatex 2023.6.4)  23 OCT 2023 19:58
+This is pdfTeX, Version 3.141592653-2.6-1.40.25 (MiKTeX 23.5) (preloaded format=pdflatex 2023.6.4)  23 OCT 2023 20:30
 entering extended mode
  restricted \write18 enabled.
  %&-line parsing enabled.
@@ -587,38 +587,41 @@ File: umsb.fd 2013/01/14 v3.01 AMS symbols B
 (d:\Users\Forest\AppData\Local\Programs\MiKTeX\tex/latex/listings\lstlang1.sty
 File: lstlang1.sty 2023/02/27 1.9 listings language file
 )
-Overfull \hbox (15.0pt too wide) detected at line 108
+Overfull \hbox (15.0pt too wide) detected at line 112
+[][] 
+ []
+
+
+Overfull \hbox (15.0pt too wide) detected at line 147
 [][] 
  []
 
 [1
 
 {C:/Users/Forest/AppData/Local/MiKTeX/fonts/map/pdftex/pdftex.map}]
-(exercises.bbl) [2] (exercises.aux) ) 
+(exercises.bbl [2]) [3] (exercises.aux) ) 
 Here is how much of TeX's memory you used:
- 16499 strings out of 476410
- 322428 string characters out of 5788642
- 1897845 words of memory out of 5000000
- 36581 multiletter control sequences out of 15000+600000
+ 16507 strings out of 476410
+ 322503 string characters out of 5788642
+ 1969845 words of memory out of 5000000
+ 36589 multiletter control sequences out of 15000+600000
  521468 words of font info for 72 fonts, out of 8000000 for 9000
  1141 hyphenation exceptions out of 8191
  99i,9n,94p,442b,2016s stack positions out of 10000i,1000n,20000p,200000b,200000s
-<d:/Users/Forest/AppData/Local/Programs/Mi
-KTeX/fonts/type1/public/amsfonts/cm/cmbx10.pfb><d:/Users/Forest/AppData/Local/P
-rograms/MiKTeX/fonts/type1/public/amsfonts/cm/cmbx12.pfb><d:/Users/Forest/AppDa
-ta/Local/Programs/MiKTeX/fonts/type1/public/amsfonts/cm/cmmi10.pfb><d:/Users/Fo
-rest/AppData/Local/Programs/MiKTeX/fonts/type1/public/amsfonts/cm/cmr10.pfb><d:
-/Users/Forest/AppData/Local/Programs/MiKTeX/fonts/type1/public/amsfonts/cm/cmr1
-2.pfb><d:/Users/Forest/AppData/Local/Programs/MiKTeX/fonts/type1/public/amsfont
-s/cm/cmr17.pfb><d:/Users/Forest/AppData/Local/Programs/MiKTeX/fonts/type1/publi
-c/amsfonts/cm/cmr5.pfb><d:/Users/Forest/AppData/Local/Programs/MiKTeX/fonts/typ
-e1/public/amsfonts/cm/cmr7.pfb><d:/Users/Forest/AppData/Local/Programs/MiKTeX/f
-onts/type1/public/amsfonts/cm/cmsy10.pfb><d:/Users/Forest/AppData/Local/Program
-s/MiKTeX/fonts/type1/public/amsfonts/cm/cmti10.pfb><d:/Users/Forest/AppData/Loc
-al/Programs/MiKTeX/fonts/type1/public/amsfonts/cm/cmtt8.pfb>
-Output written on exercises.pdf (2 pages, 150128 bytes).
+<d:/Users/Forest/AppData/Local/Program
+s/MiKTeX/fonts/type1/public/amsfonts/cm/cmbx10.pfb><d:/Users/Forest/AppData/Loc
+al/Programs/MiKTeX/fonts/type1/public/amsfonts/cm/cmbx12.pfb><d:/Users/Forest/A
+ppData/Local/Programs/MiKTeX/fonts/type1/public/amsfonts/cm/cmmi10.pfb><d:/User
+s/Forest/AppData/Local/Programs/MiKTeX/fonts/type1/public/amsfonts/cm/cmr10.pfb
+><d:/Users/Forest/AppData/Local/Programs/MiKTeX/fonts/type1/public/amsfonts/cm/
+cmr12.pfb><d:/Users/Forest/AppData/Local/Programs/MiKTeX/fonts/type1/public/ams
+fonts/cm/cmr17.pfb><d:/Users/Forest/AppData/Local/Programs/MiKTeX/fonts/type1/p
+ublic/amsfonts/cm/cmr5.pfb><d:/Users/Forest/AppData/Local/Programs/MiKTeX/fonts
+/type1/public/amsfonts/cm/cmti10.pfb><d:/Users/Forest/AppData/Local/Programs/Mi
+KTeX/fonts/type1/public/amsfonts/cm/cmtt8.pfb>
+Output written on exercises.pdf (3 pages, 137405 bytes).
 PDF statistics:
- 67 PDF objects out of 1000 (max. 8388607)
+ 60 PDF objects out of 1000 (max. 8388607)
  0 named destinations out of 1000 (max. 500000)
  13 words of extra memory for PDF output out of 10000 (max. 10000000)
 

SemSEpaper/exercises.tex

@@ -79,7 +79,7 @@ Any contract's storage is a continuous 256-bit address space consisting of 32-bi
 
 \medspace
 
-In the case of a dynamic array at variable slot $p$, data is written to continuous locations starting at $keccak(p)$. The array itself contains the length information. It is worth noting that Solidity does not come with utility functions to manipulate arrays, and the developer is required to correctly maintain the length value in order to keep track of the array's state.
+In the case of a dynamic array at variable slot $p$, data is written to continuous locations starting at $keccak(p)$. The array itself contains the length information.
 
 \medspace
 
@@ -89,25 +89,63 @@ For maps stored in variable slot $p$ the data for index $k$ can be found at $kec
 
 Any unchecked array write is potentially dangerous, as the storage-location of all variables is publicly known and an unconstrained array index can be reverse engineered to target them.
 
+\lstset{style=mystyle}
+\begin{algorithm}
+	\begin{lstlisting}[language=Octave]
+	pragma solidity 0.4.25;
+	
+	contract MyContract {
+		address private owner;
+		uint[] private arr;
+		
+		constructor() public {
+			arr = new uint[](0);
+			owner = msg.sender;
+		}
+		
+		function write(unit index, uint value) {
+			arr[index] = value;
+		}
+	}
+	\end{lstlisting}
+	\caption{A completely unchecked array write}
+\end{algorithm}
+
+In the following example the $pop$ function incorrectly checks for an array $length >= 0$, thereby allowing the value to underflow when called with an empty array. Once this weakness is exploited $update$ in Algorithm 2 behaves just like $write$ did in Algorithm 1. 
+
 \lstset{style=mystyle}
 \begin{algorithm}
 	\begin{lstlisting}[language=Octave]
 		pragma solidity 0.4.25;
 		
 		contract MyContract {
-			uint[] private arr;
 			address private owner;
+			uint[] private arr;
+			
+			constructor() public {
+				arr = new uint[](0);
+				owner = msg.sender;
+			}
 			
-			function write(unit index, uint value) {
+			function push(value) {
+				arr[arr.length] = value;
+				arr.length++;
+			}
+			
+			function pop() {
+				require(arr.length >= 0);
+				arr.length--;
+			}
+			
+			function update(unit index, uint value) {
+				require(index < arr.length);
 				arr[index] = value;
 			}
 		}
 	\end{lstlisting}
-	\caption{A completely unchecked array write}
-	\label{alg:agf-opt-merge}
+	\caption{An incorrectly managed array length}
 \end{algorithm}
 
-In the case of dynamic arrays an improper constraint of the $length$ can be dangerous. As $length$ is unsigned, it is possible to underflow it past $2^{256} - 1$ by decrementing the length below zero, thereby effectively marking the whole address space as part of it.
 
 \section{Vulnerable contracts in literature}