Browse Source

update paper

master
nitowa 1 year ago
parent
commit
ae2c0fb984

+ 3
- 3
SemSEpaper/exercises.aux View File

@@ -5,7 +5,6 @@
5 5
 \@writefile{toc}{\contentsline {subsection}{\numberline {1.1}Solidity storage layout}{1}{}\protected@file@percent }
6 6
 \@writefile{toc}{\contentsline {subsection}{\numberline {1.2}The Weakness}{1}{}\protected@file@percent }
7 7
 \@writefile{loa}{\contentsline {algocf}{\numberline {1}{\ignorespaces A completely unchecked array write}}{1}{}\protected@file@percent }
8
-\newlabel{alg:agf-opt-merge}{{1}{1}}
9 8
 \citation{10.1145/3243734.3243780}
10 9
 \citation{10.1145/3578527.3578538}
11 10
 \citation{217464}
@@ -14,8 +13,9 @@
14 13
 \bibcite{9678888}{1}
15 14
 \bibcite{217464}{2}
16 15
 \bibcite{10.1145/3578527.3578538}{3}
17
-\bibcite{10.1145/3243734.3243780}{4}
16
+\@writefile{loa}{\contentsline {algocf}{\numberline {2}{\ignorespaces An incorrectly managed array length}}{2}{}\protected@file@percent }
18 17
 \@writefile{toc}{\contentsline {section}{\numberline {2}Vulnerable contracts in literature}{2}{}\protected@file@percent }
19 18
 \@writefile{toc}{\contentsline {section}{\numberline {3}Code properties and automatic detection}{2}{}\protected@file@percent }
20 19
 \@writefile{toc}{\contentsline {section}{\numberline {4}Exploit sketch}{2}{}\protected@file@percent }
21
-\gdef \@abspage@last{2}
20
+\bibcite{10.1145/3243734.3243780}{4}
21
+\gdef \@abspage@last{3}

+ 25
- 22
SemSEpaper/exercises.log View File

@@ -1,4 +1,4 @@
1
-This is pdfTeX, Version 3.141592653-2.6-1.40.25 (MiKTeX 23.5) (preloaded format=pdflatex 2023.6.4)  23 OCT 2023 19:58
1
+This is pdfTeX, Version 3.141592653-2.6-1.40.25 (MiKTeX 23.5) (preloaded format=pdflatex 2023.6.4)  23 OCT 2023 20:30
2 2
 entering extended mode
3 3
  restricted \write18 enabled.
4 4
  %&-line parsing enabled.
@@ -587,38 +587,41 @@ File: umsb.fd 2013/01/14 v3.01 AMS symbols B
587 587
 (d:\Users\Forest\AppData\Local\Programs\MiKTeX\tex/latex/listings\lstlang1.sty
588 588
 File: lstlang1.sty 2023/02/27 1.9 listings language file
589 589
 )
590
-Overfull \hbox (15.0pt too wide) detected at line 108
590
+Overfull \hbox (15.0pt too wide) detected at line 112
591
+[][] 
592
+ []
593
+
594
+
595
+Overfull \hbox (15.0pt too wide) detected at line 147
591 596
 [][] 
592 597
  []
593 598
 
594 599
 [1
595 600
 
596 601
 {C:/Users/Forest/AppData/Local/MiKTeX/fonts/map/pdftex/pdftex.map}]
597
-(exercises.bbl) [2] (exercises.aux) ) 
602
+(exercises.bbl [2]) [3] (exercises.aux) ) 
598 603
 Here is how much of TeX's memory you used:
599
- 16499 strings out of 476410
600
- 322428 string characters out of 5788642
601
- 1897845 words of memory out of 5000000
602
- 36581 multiletter control sequences out of 15000+600000
604
+ 16507 strings out of 476410
605
+ 322503 string characters out of 5788642
606
+ 1969845 words of memory out of 5000000
607
+ 36589 multiletter control sequences out of 15000+600000
603 608
  521468 words of font info for 72 fonts, out of 8000000 for 9000
604 609
  1141 hyphenation exceptions out of 8191
605 610
  99i,9n,94p,442b,2016s stack positions out of 10000i,1000n,20000p,200000b,200000s
606
-<d:/Users/Forest/AppData/Local/Programs/Mi
607
-KTeX/fonts/type1/public/amsfonts/cm/cmbx10.pfb><d:/Users/Forest/AppData/Local/P
608
-rograms/MiKTeX/fonts/type1/public/amsfonts/cm/cmbx12.pfb><d:/Users/Forest/AppDa
609
-ta/Local/Programs/MiKTeX/fonts/type1/public/amsfonts/cm/cmmi10.pfb><d:/Users/Fo
610
-rest/AppData/Local/Programs/MiKTeX/fonts/type1/public/amsfonts/cm/cmr10.pfb><d:
611
-/Users/Forest/AppData/Local/Programs/MiKTeX/fonts/type1/public/amsfonts/cm/cmr1
612
-2.pfb><d:/Users/Forest/AppData/Local/Programs/MiKTeX/fonts/type1/public/amsfont
613
-s/cm/cmr17.pfb><d:/Users/Forest/AppData/Local/Programs/MiKTeX/fonts/type1/publi
614
-c/amsfonts/cm/cmr5.pfb><d:/Users/Forest/AppData/Local/Programs/MiKTeX/fonts/typ
615
-e1/public/amsfonts/cm/cmr7.pfb><d:/Users/Forest/AppData/Local/Programs/MiKTeX/f
616
-onts/type1/public/amsfonts/cm/cmsy10.pfb><d:/Users/Forest/AppData/Local/Program
617
-s/MiKTeX/fonts/type1/public/amsfonts/cm/cmti10.pfb><d:/Users/Forest/AppData/Loc
618
-al/Programs/MiKTeX/fonts/type1/public/amsfonts/cm/cmtt8.pfb>
619
-Output written on exercises.pdf (2 pages, 150128 bytes).
611
+<d:/Users/Forest/AppData/Local/Program
612
+s/MiKTeX/fonts/type1/public/amsfonts/cm/cmbx10.pfb><d:/Users/Forest/AppData/Loc
613
+al/Programs/MiKTeX/fonts/type1/public/amsfonts/cm/cmbx12.pfb><d:/Users/Forest/A
614
+ppData/Local/Programs/MiKTeX/fonts/type1/public/amsfonts/cm/cmmi10.pfb><d:/User
615
+s/Forest/AppData/Local/Programs/MiKTeX/fonts/type1/public/amsfonts/cm/cmr10.pfb
616
+><d:/Users/Forest/AppData/Local/Programs/MiKTeX/fonts/type1/public/amsfonts/cm/
617
+cmr12.pfb><d:/Users/Forest/AppData/Local/Programs/MiKTeX/fonts/type1/public/ams
618
+fonts/cm/cmr17.pfb><d:/Users/Forest/AppData/Local/Programs/MiKTeX/fonts/type1/p
619
+ublic/amsfonts/cm/cmr5.pfb><d:/Users/Forest/AppData/Local/Programs/MiKTeX/fonts
620
+/type1/public/amsfonts/cm/cmti10.pfb><d:/Users/Forest/AppData/Local/Programs/Mi
621
+KTeX/fonts/type1/public/amsfonts/cm/cmtt8.pfb>
622
+Output written on exercises.pdf (3 pages, 137405 bytes).
620 623
 PDF statistics:
621
- 67 PDF objects out of 1000 (max. 8388607)
624
+ 60 PDF objects out of 1000 (max. 8388607)
622 625
  0 named destinations out of 1000 (max. 500000)
623 626
  13 words of extra memory for PDF output out of 10000 (max. 10000000)
624 627
 

BIN
SemSEpaper/exercises.pdf View File


BIN
SemSEpaper/exercises.synctex.gz View File


+ 44
- 6
SemSEpaper/exercises.tex View File

@@ -79,7 +79,7 @@ Any contract's storage is a continuous 256-bit address space consisting of 32-bi
79 79
 
80 80
 \medspace
81 81
 
82
-In the case of a dynamic array at variable slot $p$, data is written to continuous locations starting at $keccak(p)$. The array itself contains the length information. It is worth noting that Solidity does not come with utility functions to manipulate arrays, and the developer is required to correctly maintain the length value in order to keep track of the array's state.
82
+In the case of a dynamic array at variable slot $p$, data is written to continuous locations starting at $keccak(p)$. The array itself contains the length information.
83 83
 
84 84
 \medspace
85 85
 
@@ -89,25 +89,63 @@ For maps stored in variable slot $p$ the data for index $k$ can be found at $kec
89 89
 
90 90
 Any unchecked array write is potentially dangerous, as the storage-location of all variables is publicly known and an unconstrained array index can be reverse engineered to target them.
91 91
 
92
+\lstset{style=mystyle}
93
+\begin{algorithm}
94
+	\begin{lstlisting}[language=Octave]
95
+	pragma solidity 0.4.25;
96
+	
97
+	contract MyContract {
98
+		address private owner;
99
+		uint[] private arr;
100
+		
101
+		constructor() public {
102
+			arr = new uint[](0);
103
+			owner = msg.sender;
104
+		}
105
+		
106
+		function write(unit index, uint value) {
107
+			arr[index] = value;
108
+		}
109
+	}
110
+	\end{lstlisting}
111
+	\caption{A completely unchecked array write}
112
+\end{algorithm}
113
+
114
+In the following example the $pop$ function incorrectly checks for an array $length >= 0$, thereby allowing the value to underflow when called with an empty array. Once this weakness is exploited $update$ in Algorithm 2 behaves just like $write$ did in Algorithm 1. 
115
+
92 116
 \lstset{style=mystyle}
93 117
 \begin{algorithm}
94 118
 	\begin{lstlisting}[language=Octave]
95 119
 		pragma solidity 0.4.25;
96 120
 		
97 121
 		contract MyContract {
98
-			uint[] private arr;
99 122
 			address private owner;
123
+			uint[] private arr;
124
+			
125
+			constructor() public {
126
+				arr = new uint[](0);
127
+				owner = msg.sender;
128
+			}
100 129
 			
101
-			function write(unit index, uint value) {
130
+			function push(value) {
131
+				arr[arr.length] = value;
132
+				arr.length++;
133
+			}
134
+			
135
+			function pop() {
136
+				require(arr.length >= 0);
137
+				arr.length--;
138
+			}
139
+			
140
+			function update(unit index, uint value) {
141
+				require(index < arr.length);
102 142
 				arr[index] = value;
103 143
 			}
104 144
 		}
105 145
 	\end{lstlisting}
106
-	\caption{A completely unchecked array write}
107
-	\label{alg:agf-opt-merge}
146
+	\caption{An incorrectly managed array length}
108 147
 \end{algorithm}
109 148
 
110
-In the case of dynamic arrays an improper constraint of the $length$ can be dangerous. As $length$ is unsigned, it is possible to underflow it past $2^{256} - 1$ by decrementing the length below zero, thereby effectively marking the whole address space as part of it.
111 149
 
112 150
 \section{Vulnerable contracts in literature}
113 151
 

Loading…
Cancel
Save