Browse Source

update paper

master
nitowa 1 year ago
parent
commit
ae2c0fb984

+ 3
- 3
SemSEpaper/exercises.aux View File

5
 \@writefile{toc}{\contentsline {subsection}{\numberline {1.1}Solidity storage layout}{1}{}\protected@file@percent }
5
 \@writefile{toc}{\contentsline {subsection}{\numberline {1.1}Solidity storage layout}{1}{}\protected@file@percent }
6
 \@writefile{toc}{\contentsline {subsection}{\numberline {1.2}The Weakness}{1}{}\protected@file@percent }
6
 \@writefile{toc}{\contentsline {subsection}{\numberline {1.2}The Weakness}{1}{}\protected@file@percent }
7
 \@writefile{loa}{\contentsline {algocf}{\numberline {1}{\ignorespaces A completely unchecked array write}}{1}{}\protected@file@percent }
7
 \@writefile{loa}{\contentsline {algocf}{\numberline {1}{\ignorespaces A completely unchecked array write}}{1}{}\protected@file@percent }
8
-\newlabel{alg:agf-opt-merge}{{1}{1}}
9
 \citation{10.1145/3243734.3243780}
8
 \citation{10.1145/3243734.3243780}
10
 \citation{10.1145/3578527.3578538}
9
 \citation{10.1145/3578527.3578538}
11
 \citation{217464}
10
 \citation{217464}
14
 \bibcite{9678888}{1}
13
 \bibcite{9678888}{1}
15
 \bibcite{217464}{2}
14
 \bibcite{217464}{2}
16
 \bibcite{10.1145/3578527.3578538}{3}
15
 \bibcite{10.1145/3578527.3578538}{3}
17
-\bibcite{10.1145/3243734.3243780}{4}
16
+\@writefile{loa}{\contentsline {algocf}{\numberline {2}{\ignorespaces An incorrectly managed array length}}{2}{}\protected@file@percent }
18
 \@writefile{toc}{\contentsline {section}{\numberline {2}Vulnerable contracts in literature}{2}{}\protected@file@percent }
17
 \@writefile{toc}{\contentsline {section}{\numberline {2}Vulnerable contracts in literature}{2}{}\protected@file@percent }
19
 \@writefile{toc}{\contentsline {section}{\numberline {3}Code properties and automatic detection}{2}{}\protected@file@percent }
18
 \@writefile{toc}{\contentsline {section}{\numberline {3}Code properties and automatic detection}{2}{}\protected@file@percent }
20
 \@writefile{toc}{\contentsline {section}{\numberline {4}Exploit sketch}{2}{}\protected@file@percent }
19
 \@writefile{toc}{\contentsline {section}{\numberline {4}Exploit sketch}{2}{}\protected@file@percent }
21
-\gdef \@abspage@last{2}
20
+\bibcite{10.1145/3243734.3243780}{4}
21
+\gdef \@abspage@last{3}

+ 25
- 22
SemSEpaper/exercises.log View File

1
-This is pdfTeX, Version 3.141592653-2.6-1.40.25 (MiKTeX 23.5) (preloaded format=pdflatex 2023.6.4)  23 OCT 2023 19:58
1
+This is pdfTeX, Version 3.141592653-2.6-1.40.25 (MiKTeX 23.5) (preloaded format=pdflatex 2023.6.4)  23 OCT 2023 20:30
2
 entering extended mode
2
 entering extended mode
3
  restricted \write18 enabled.
3
  restricted \write18 enabled.
4
  %&-line parsing enabled.
4
  %&-line parsing enabled.
587
 (d:\Users\Forest\AppData\Local\Programs\MiKTeX\tex/latex/listings\lstlang1.sty
587
 (d:\Users\Forest\AppData\Local\Programs\MiKTeX\tex/latex/listings\lstlang1.sty
588
 File: lstlang1.sty 2023/02/27 1.9 listings language file
588
 File: lstlang1.sty 2023/02/27 1.9 listings language file
589
 )
589
 )
590
-Overfull \hbox (15.0pt too wide) detected at line 108
590
+Overfull \hbox (15.0pt too wide) detected at line 112
591
+[][] 
592
+ []
593
+
594
+
595
+Overfull \hbox (15.0pt too wide) detected at line 147
591
 [][] 
596
 [][] 
592
  []
597
  []
593
 
598
 
594
 [1
599
 [1
595
 
600
 
596
 {C:/Users/Forest/AppData/Local/MiKTeX/fonts/map/pdftex/pdftex.map}]
601
 {C:/Users/Forest/AppData/Local/MiKTeX/fonts/map/pdftex/pdftex.map}]
597
-(exercises.bbl) [2] (exercises.aux) ) 
602
+(exercises.bbl [2]) [3] (exercises.aux) ) 
598
 Here is how much of TeX's memory you used:
603
 Here is how much of TeX's memory you used:
599
- 16499 strings out of 476410
600
- 322428 string characters out of 5788642
601
- 1897845 words of memory out of 5000000
602
- 36581 multiletter control sequences out of 15000+600000
604
+ 16507 strings out of 476410
605
+ 322503 string characters out of 5788642
606
+ 1969845 words of memory out of 5000000
607
+ 36589 multiletter control sequences out of 15000+600000
603
  521468 words of font info for 72 fonts, out of 8000000 for 9000
608
  521468 words of font info for 72 fonts, out of 8000000 for 9000
604
  1141 hyphenation exceptions out of 8191
609
  1141 hyphenation exceptions out of 8191
605
  99i,9n,94p,442b,2016s stack positions out of 10000i,1000n,20000p,200000b,200000s
610
  99i,9n,94p,442b,2016s stack positions out of 10000i,1000n,20000p,200000b,200000s
606
-<d:/Users/Forest/AppData/Local/Programs/Mi
607
-KTeX/fonts/type1/public/amsfonts/cm/cmbx10.pfb><d:/Users/Forest/AppData/Local/P
608
-rograms/MiKTeX/fonts/type1/public/amsfonts/cm/cmbx12.pfb><d:/Users/Forest/AppDa
609
-ta/Local/Programs/MiKTeX/fonts/type1/public/amsfonts/cm/cmmi10.pfb><d:/Users/Fo
610
-rest/AppData/Local/Programs/MiKTeX/fonts/type1/public/amsfonts/cm/cmr10.pfb><d:
611
-/Users/Forest/AppData/Local/Programs/MiKTeX/fonts/type1/public/amsfonts/cm/cmr1
612
-2.pfb><d:/Users/Forest/AppData/Local/Programs/MiKTeX/fonts/type1/public/amsfont
613
-s/cm/cmr17.pfb><d:/Users/Forest/AppData/Local/Programs/MiKTeX/fonts/type1/publi
614
-c/amsfonts/cm/cmr5.pfb><d:/Users/Forest/AppData/Local/Programs/MiKTeX/fonts/typ
615
-e1/public/amsfonts/cm/cmr7.pfb><d:/Users/Forest/AppData/Local/Programs/MiKTeX/f
616
-onts/type1/public/amsfonts/cm/cmsy10.pfb><d:/Users/Forest/AppData/Local/Program
617
-s/MiKTeX/fonts/type1/public/amsfonts/cm/cmti10.pfb><d:/Users/Forest/AppData/Loc
618
-al/Programs/MiKTeX/fonts/type1/public/amsfonts/cm/cmtt8.pfb>
619
-Output written on exercises.pdf (2 pages, 150128 bytes).
611
+<d:/Users/Forest/AppData/Local/Program
612
+s/MiKTeX/fonts/type1/public/amsfonts/cm/cmbx10.pfb><d:/Users/Forest/AppData/Loc
613
+al/Programs/MiKTeX/fonts/type1/public/amsfonts/cm/cmbx12.pfb><d:/Users/Forest/A
614
+ppData/Local/Programs/MiKTeX/fonts/type1/public/amsfonts/cm/cmmi10.pfb><d:/User
615
+s/Forest/AppData/Local/Programs/MiKTeX/fonts/type1/public/amsfonts/cm/cmr10.pfb
616
+><d:/Users/Forest/AppData/Local/Programs/MiKTeX/fonts/type1/public/amsfonts/cm/
617
+cmr12.pfb><d:/Users/Forest/AppData/Local/Programs/MiKTeX/fonts/type1/public/ams
618
+fonts/cm/cmr17.pfb><d:/Users/Forest/AppData/Local/Programs/MiKTeX/fonts/type1/p
619
+ublic/amsfonts/cm/cmr5.pfb><d:/Users/Forest/AppData/Local/Programs/MiKTeX/fonts
620
+/type1/public/amsfonts/cm/cmti10.pfb><d:/Users/Forest/AppData/Local/Programs/Mi
621
+KTeX/fonts/type1/public/amsfonts/cm/cmtt8.pfb>
622
+Output written on exercises.pdf (3 pages, 137405 bytes).
620
 PDF statistics:
623
 PDF statistics:
621
- 67 PDF objects out of 1000 (max. 8388607)
624
+ 60 PDF objects out of 1000 (max. 8388607)
622
  0 named destinations out of 1000 (max. 500000)
625
  0 named destinations out of 1000 (max. 500000)
623
  13 words of extra memory for PDF output out of 10000 (max. 10000000)
626
  13 words of extra memory for PDF output out of 10000 (max. 10000000)
624
 
627
 

BIN
SemSEpaper/exercises.pdf View File


BIN
SemSEpaper/exercises.synctex.gz View File


+ 44
- 6
SemSEpaper/exercises.tex View File

79
 
79
 
80
 \medspace
80
 \medspace
81
 
81
 
82
-In the case of a dynamic array at variable slot $p$, data is written to continuous locations starting at $keccak(p)$. The array itself contains the length information. It is worth noting that Solidity does not come with utility functions to manipulate arrays, and the developer is required to correctly maintain the length value in order to keep track of the array's state.
82
+In the case of a dynamic array at variable slot $p$, data is written to continuous locations starting at $keccak(p)$. The array itself contains the length information.
83
 
83
 
84
 \medspace
84
 \medspace
85
 
85
 
89
 
89
 
90
 Any unchecked array write is potentially dangerous, as the storage-location of all variables is publicly known and an unconstrained array index can be reverse engineered to target them.
90
 Any unchecked array write is potentially dangerous, as the storage-location of all variables is publicly known and an unconstrained array index can be reverse engineered to target them.
91
 
91
 
92
+\lstset{style=mystyle}
93
+\begin{algorithm}
94
+	\begin{lstlisting}[language=Octave]
95
+	pragma solidity 0.4.25;
96
+	
97
+	contract MyContract {
98
+		address private owner;
99
+		uint[] private arr;
100
+		
101
+		constructor() public {
102
+			arr = new uint[](0);
103
+			owner = msg.sender;
104
+		}
105
+		
106
+		function write(unit index, uint value) {
107
+			arr[index] = value;
108
+		}
109
+	}
110
+	\end{lstlisting}
111
+	\caption{A completely unchecked array write}
112
+\end{algorithm}
113
+
114
+In the following example the $pop$ function incorrectly checks for an array $length >= 0$, thereby allowing the value to underflow when called with an empty array. Once this weakness is exploited $update$ in Algorithm 2 behaves just like $write$ did in Algorithm 1. 
115
+
92
 \lstset{style=mystyle}
116
 \lstset{style=mystyle}
93
 \begin{algorithm}
117
 \begin{algorithm}
94
 	\begin{lstlisting}[language=Octave]
118
 	\begin{lstlisting}[language=Octave]
95
 		pragma solidity 0.4.25;
119
 		pragma solidity 0.4.25;
96
 		
120
 		
97
 		contract MyContract {
121
 		contract MyContract {
98
-			uint[] private arr;
99
 			address private owner;
122
 			address private owner;
123
+			uint[] private arr;
124
+			
125
+			constructor() public {
126
+				arr = new uint[](0);
127
+				owner = msg.sender;
128
+			}
100
 			
129
 			
101
-			function write(unit index, uint value) {
130
+			function push(value) {
131
+				arr[arr.length] = value;
132
+				arr.length++;
133
+			}
134
+			
135
+			function pop() {
136
+				require(arr.length >= 0);
137
+				arr.length--;
138
+			}
139
+			
140
+			function update(unit index, uint value) {
141
+				require(index < arr.length);
102
 				arr[index] = value;
142
 				arr[index] = value;
103
 			}
143
 			}
104
 		}
144
 		}
105
 	\end{lstlisting}
145
 	\end{lstlisting}
106
-	\caption{A completely unchecked array write}
107
-	\label{alg:agf-opt-merge}
146
+	\caption{An incorrectly managed array length}
108
 \end{algorithm}
147
 \end{algorithm}
109
 
148
 
110
-In the case of dynamic arrays an improper constraint of the $length$ can be dangerous. As $length$ is unsigned, it is possible to underflow it past $2^{256} - 1$ by decrementing the length below zero, thereby effectively marking the whole address space as part of it.
111
 
149
 
112
 \section{Vulnerable contracts in literature}
150
 \section{Vulnerable contracts in literature}
113
 
151
 

Loading…
Cancel
Save