nitowa
/
Seminar-Security-Blockchain
Прати 1
Волим 0
Креирај огранак 0
Код Дискусије 0 Захтеви за спајање 0 Издања 0 Вики Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
7 Комити
1 Грана
Дрво: bd51871e95
Гране Ознаке
${ item.name }
Create branch ${ searchTerm }
from 'bd51871e95'
${ noResults }
Seminar-Security-Blockchain/SemSEpaper/exercises.tex

exercises.tex 4.1KB
Историја Датотека

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134 
  1. \documentclass [10pt]{article}

  2. 

  3.   

  4. \usepackage{latexsym}

  5. \usepackage{amssymb}

  6. \usepackage{epsfig} 

  7. \usepackage{fullpage}

  8. \usepackage{enumerate}

  9. \usepackage{xspace}

  10. \usepackage{todonotes}

  11. \usepackage{listings}

  12. \newcommand{\true}{true}

  13. \newcommand{\false}{false}

  14. \usepackage[ruled,linesnumbered]{algorithm2e} % Enables the writing of pseudo code.

  15. 

  16.    \pagestyle{plain}

  17.    \bibliographystyle{plain}

  18. 

  19. 

  20. \title{192.127 Seminar in Software Engineering (Smart Contracts) \\

  21.  SWC-124: Write to Arbitrary Storage Location}

  22. \author{Exercises}

  23. 

  24. \date{WT 2023/24}

  25. 

  26. \author{\textbf{*** YOUR NAME AND STUDENT ID ***}}

  27. 

  28.   \newtheorem{theorem}{Theorem}

  29.   \newtheorem{lemma}[theorem]{Lemma}

  30.   \newtheorem{corollary}[theorem]{Corollary}

  31.   \newtheorem{proposition}[theorem]{Proposition}

  32.   \newtheorem{conjecture}[theorem]{Conjecture}

  33.   \newtheorem{definition}[theorem]{Definition}

  34.   \newtheorem{example}[theorem]{Example}

  35.   \newtheorem{remark}[theorem]{Remark}

  36.   \newtheorem{exercise}[theorem]{Exercise}

  37. 

  38. 

  39. \renewcommand{\labelenumi}{(\alph{enumi})}

  40. 

  41. \usepackage{xcolor}

  42. 

  43. \definecolor{codegreen}{rgb}{0,0.6,0}

  44. \definecolor{codegray}{rgb}{0.5,0.5,0.5}

  45. \definecolor{codepurple}{rgb}{0.58,0,0.82}

  46. \definecolor{backcolour}{rgb}{0.95,0.95,0.92}

  47. 

  48. \lstdefinestyle{mystyle}{ 

  49. 	backgroundcolor=\color{backcolour},   

  50. 	commentstyle=\color{codegreen},

  51. 	keywordstyle=\color{magenta},

  52. 	numberstyle=\tiny\color{codegray},

  53. 	stringstyle=\color{codepurple},

  54. 	basicstyle=\ttfamily\footnotesize,

  55. 	breakatwhitespace=false,         

  56. 	breaklines=true,                 

  57. 	captionpos=b,                    

  58. 	keepspaces=true,                 

  59. 	numbers=left,                    

  60. 	numbersep=5pt,                  

  61. 	showspaces=false,                

  62. 	showstringspaces=false,

  63. 	showtabs=false,                  

  64. 	tabsize=2	

  65. }

  66. 

  67. 

  68. 

  69. \begin{document}

  70. 

  71. 

  72. \maketitle

  73. 

  74. \section{Weakness and consequences}

  75. 

  76. \subsection{Solidity storage layout}

  77. 

  78. Any contract's storage is a continuous 256-bit address space consisting of 32-bit values. In order to implement dynamically sized data structures like maps and arrays, Solidity distributes their entries in a pseudo-random location. Due to the vast 256-bit range of addresses collisions are statistically extremely improbable and of no practical relevance.

  79. 

  80. \medspace

  81. 

  82. In the case of a dynamic array at variable slot $p$, data is written to continuous locations starting at $keccak(p)$. The array itself contains the length information. It is worth noting that Solidity does not come with utility functions to manipulate arrays, and the developer is required to correctly maintain the length value in order to keep track of the array's state.

  83. 

  84. \medspace

  85. 

  86. For maps stored in variable slot $p$ the data for index $k$ can be found at $keccak(k . p)$ where $.$ is the concatenation operator.

  87. 

  88. \subsection{The Weakness}

  89. 

  90. Any unchecked array write is potentially dangerous, as the storage-location of all variables is publicly known and an unconstrained array index can be reverse engineered to target them.

  91. 

  92. \lstset{style=mystyle}

  93. \begin{algorithm}

  94. 	\begin{lstlisting}[language=Octave]

  95. 		pragma solidity 0.4.25;

  96. 		

  97. 		contract MyContract {

  98. 			uint[] private arr;

  99. 			address private owner;

  100. 			

  101. 			function write(unit index, uint value) {

  102. 				arr[index] = value;

  103. 			}

  104. 		}

  105. 	\end{lstlisting}

  106. 	\caption{A completely unchecked array write}

  107. 	\label{alg:agf-opt-merge}

  108. \end{algorithm}

  109. 

  110. In the case of dynamic arrays an improper constraint of the $length$ can be dangerous. As $length$ is unsigned, it is possible to underflow it past $2^{256} - 1$ by decrementing the length below zero, thereby effectively marking the whole address space as part of it.

  111. 

  112. \section{Vulnerable contracts in literature}

  113. 

  114. collect vulnerable contracts used by different papers to motivate/illustrate the weakness

  115. 

  116. \section{Code properties and automatic detection}

  117. 

  118. summarize the code properties that tools are looking for so that they can detect the weakness

  119. 

  120. \section{Exploit sketch}

  121. 

  122. sketch ways to potentially exploit the different variants of the weakness.

  123. 

  124. %remove this later%

  125. \cite{10.1145/3243734.3243780}

  126. \cite{10.1145/3578527.3578538}

  127. \cite{217464}

  128. \cite{9678888}

  129. 

  130. \bibliography{exercise.bib}

  131. 

  132. \end{document}

  133.