123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134 |
- \documentclass [10pt]{article}
-
-
- \usepackage{latexsym}
- \usepackage{amssymb}
- \usepackage{epsfig}
- \usepackage{fullpage}
- \usepackage{enumerate}
- \usepackage{xspace}
- \usepackage{todonotes}
- \usepackage{listings}
- \newcommand{\true}{true}
- \newcommand{\false}{false}
- \usepackage[ruled,linesnumbered]{algorithm2e} % Enables the writing of pseudo code.
-
- \pagestyle{plain}
- \bibliographystyle{plain}
-
-
- \title{192.127 Seminar in Software Engineering (Smart Contracts) \\
- SWC-124: Write to Arbitrary Storage Location}
- \author{Exercises}
-
- \date{WT 2023/24}
-
- \author{\textbf{*** YOUR NAME AND STUDENT ID ***}}
-
- \newtheorem{theorem}{Theorem}
- \newtheorem{lemma}[theorem]{Lemma}
- \newtheorem{corollary}[theorem]{Corollary}
- \newtheorem{proposition}[theorem]{Proposition}
- \newtheorem{conjecture}[theorem]{Conjecture}
- \newtheorem{definition}[theorem]{Definition}
- \newtheorem{example}[theorem]{Example}
- \newtheorem{remark}[theorem]{Remark}
- \newtheorem{exercise}[theorem]{Exercise}
-
-
- \renewcommand{\labelenumi}{(\alph{enumi})}
-
- \usepackage{xcolor}
-
- \definecolor{codegreen}{rgb}{0,0.6,0}
- \definecolor{codegray}{rgb}{0.5,0.5,0.5}
- \definecolor{codepurple}{rgb}{0.58,0,0.82}
- \definecolor{backcolour}{rgb}{0.95,0.95,0.92}
-
- \lstdefinestyle{mystyle}{
- backgroundcolor=\color{backcolour},
- commentstyle=\color{codegreen},
- keywordstyle=\color{magenta},
- numberstyle=\tiny\color{codegray},
- stringstyle=\color{codepurple},
- basicstyle=\ttfamily\footnotesize,
- breakatwhitespace=false,
- breaklines=true,
- captionpos=b,
- keepspaces=true,
- numbers=left,
- numbersep=5pt,
- showspaces=false,
- showstringspaces=false,
- showtabs=false,
- tabsize=2
- }
-
-
-
- \begin{document}
-
-
- \maketitle
-
- \section{Weakness and consequences}
-
- \subsection{Solidity storage layout}
-
- Any contract's storage is a continuous 256-bit address space consisting of 32-bit values. In order to implement dynamically sized data structures like maps and arrays, Solidity distributes their entries in a pseudo-random location. Due to the vast 256-bit range of addresses collisions are statistically extremely improbable and of no practical relevance.
-
- \medspace
-
- In the case of a dynamic array at variable slot $p$, data is written to continuous locations starting at $keccak(p)$. The array itself contains the length information. It is worth noting that Solidity does not come with utility functions to manipulate arrays, and the developer is required to correctly maintain the length value in order to keep track of the array's state.
-
- \medspace
-
- For maps stored in variable slot $p$ the data for index $k$ can be found at $keccak(k . p)$ where $.$ is the concatenation operator.
-
- \subsection{The Weakness}
-
- Any unchecked array write is potentially dangerous, as the storage-location of all variables is publicly known and an unconstrained array index can be reverse engineered to target them.
-
- \lstset{style=mystyle}
- \begin{algorithm}
- \begin{lstlisting}[language=Octave]
- pragma solidity 0.4.25;
-
- contract MyContract {
- uint[] private arr;
- address private owner;
-
- function write(unit index, uint value) {
- arr[index] = value;
- }
- }
- \end{lstlisting}
- \caption{A completely unchecked array write}
- \label{alg:agf-opt-merge}
- \end{algorithm}
-
- In the case of dynamic arrays an improper constraint of the $length$ can be dangerous. As $length$ is unsigned, it is possible to underflow it past $2^{256} - 1$ by decrementing the length below zero, thereby effectively marking the whole address space as part of it.
-
- \section{Vulnerable contracts in literature}
-
- collect vulnerable contracts used by different papers to motivate/illustrate the weakness
-
- \section{Code properties and automatic detection}
-
- summarize the code properties that tools are looking for so that they can detect the weakness
-
- \section{Exploit sketch}
-
- sketch ways to potentially exploit the different variants of the weakness.
-
- %remove this later%
- \cite{10.1145/3243734.3243780}
- \cite{10.1145/3578527.3578538}
- \cite{217464}
- \cite{9678888}
-
- \bibliography{exercise.bib}
-
- \end{document}
-
|