Seminar-Security-Blockchain/SemSEpresentation/slides.tex

\documentclass{beamer}
%\documentclass[aspectratio=169]{beamer}

% You have to install the theme first!

% corporate design of TU Wien
\usetheme[font=helvetica]{tuw}
% background "TU main building" on title page
%\usetheme[tuw_background]{tuw}
% individual background on title page
%\usetheme[tuw_image=TU_Background]{tuw}
% white logo if you have a dark background image
%\usetheme[tuw_image=TU_Background,tuw_whitelogo]{tuw}
% sidebar (not in TU Wien CD! but nice for long presentations)
% width of the sidebar can be changed with option: "width=2cm"
%\usetheme[outer=sidebar]{tuw}
% move frametitle up (beside logo)
%\usetheme[tuw_frametitletotop]{tuw}

% if you use german umlaute use T1 encoding:
%\usepackage[T1]{fontenc}
% default Latex fonts are not T1 supported -> bitmaps used, this is not nice on
% screen; you can use the lmodern package instead
%\usepackage{lmodern}
\usepackage[utf8]{inputenc}
\usepackage{listings}
\usepackage{booktabs}
\usepackage{url}
\usepackage{xcolor}
\usepackage{graphicx}
\graphicspath{ {./} }

\definecolor{codegreen}{rgb}{0,0.6,0}
\definecolor{codegray}{rgb}{0.5,0.5,0.5}
\definecolor{codepurple}{rgb}{0.58,0,0.82}
\definecolor{backcolour}{rgb}{0.95,0.95,0.92}
\definecolor{verylightgray}{rgb}{.97,.97,.97}

\lstdefinelanguage{Solidity}{
	keywords=[1]{anonymous, assembly, assert, balance, break, call, callcode, case, catch, class, constant, continue, constructor, contract, debugger, default, delegatecall, delete, do, else, emit, event, experimental, export, external, false, finally, for, function, gas, if, implements, import, in, indexed, instanceof, interface, internal, is, length, library, log0, log1, log2, log3, log4, memory, modifier, new, payable, pragma, private, protected, public, pure, push, require, return, returns, revert, selfdestruct, send, solidity, storage, struct, suicide, super, switch, then, this, throw, transfer, true, try, typeof, using, value, view, while, with, addmod, ecrecover, keccak256, mulmod, ripemd160, sha256, sha3}, % generic keywords including crypto operations
	keywordstyle=[1]\color{blue}\bfseries,
	keywords=[2]{address, bool, byte, bytes, bytes1, bytes2, bytes3, bytes4, bytes5, bytes6, bytes7, bytes8, bytes9, bytes10, bytes11, bytes12, bytes13, bytes14, bytes15, bytes16, bytes17, bytes18, bytes19, bytes20, bytes21, bytes22, bytes23, bytes24, bytes25, bytes26, bytes27, bytes28, bytes29, bytes30, bytes31, bytes32, enum, int, int8, int16, int24, int32, int40, int48, int56, int64, int72, int80, int88, int96, int104, int112, int120, int128, int136, int144, int152, int160, int168, int176, int184, int192, int200, int208, int216, int224, int232, int240, int248, int256, mapping, string, uint, uint8, uint16, uint24, uint32, uint40, uint48, uint56, uint64, uint72, uint80, uint88, uint96, uint104, uint112, uint120, uint128, uint136, uint144, uint152, uint160, uint168, uint176, uint184, uint192, uint200, uint208, uint216, uint224, uint232, uint240, uint248, uint256, var, void, ether, finney, szabo, wei, days, hours, minutes, seconds, weeks, years},	% types; money and time units
	keywordstyle=[2]\color{teal}\bfseries,
	keywords=[3]{block, blockhash, coinbase, difficulty, gaslimit, number, timestamp, msg, data, gas, sender, sig, value, now, tx, gasprice, origin},	% environment variables
	keywordstyle=[3]\color{violet}\bfseries,
	identifierstyle=\color{black},
	sensitive=true,
	comment=[l]{//},
	morecomment=[s]{/*}{*/},
	commentstyle=\color{gray}\ttfamily,
	stringstyle=\color{red}\ttfamily,
	morestring=[b]',
	morestring=[b]"
}

\lstset{
	language=Solidity,
	backgroundcolor=\color{verylightgray},
	extendedchars=true,
	basicstyle=\footnotesize\ttfamily,
	showstringspaces=false,
	showspaces=false,
	numbers=left,
	numberstyle=\footnotesize,
	numbersep=9pt,
	tabsize=2,
	breaklines=true,
	showtabs=false,
	captionpos=b
}

%%% title page settings
\title[SWC-124]{%
  SWC-124: Write to Arbitrary Storage Location
}
\subtitle{192.127 Seminar in Software Engineering (Smart Contracts)}
\author{Ivaylo Ivanov \& Peter Millauer}
\date{\today}

%%% slides start here
\begin{document}

% first frame must include the title page!
\begin{frame}
  \titlepage
\end{frame}

% table of contents if you have a long presentation (uses 'part' and 'section'
% elements)
\begin{frame}{Outline}
  \tableofcontents
\end{frame}

\section{Introduction}

\subsection[SWC-124: Weakness Outline]{SWC-124: Weakness Outline}
\begin{frame}[fragile]
  \frametitle{SWC-124: Weakness Outline}
  SWC-124 is a weakness that allows attackers to write to places in the storage where they should not be able to.
  It can be used to gain unauthorized access, overwrite data, steal funds etc.
\end{frame}

\begin{frame}[fragile]
  \frametitle{SWC-124: Weakness Outline}
  We generally differentiate three types of SWC-124:
\begin{itemize}
  \item unchecked array write
  \item incorrect array length check
  \item unchecked assembly code
\end{itemize}

  Examples follow, use in production at your own risk ;)
\end{frame}

\begin{frame}[fragile]
	\frametitle{Why this works}
	A dynamic array in storage slot $p$ stores its data at continuous addresses starting at $keccak(p)$. 
	
	For example, if the variable $x$ is a dynamic array occupying storage slot 3, $x[o]$ can be found at $keccak(0x3)+o$.
	
	An attacker can use this information to overwrite any storage slot by finding an appropriate offset value.
\end{frame}

\begin{frame}[fragile]
	\frametitle{Why this works}
	
	\includegraphics[width=\textwidth]{storage}
	
\end{frame}

\subsection[Examples]{Examples}
\begin{frame}[fragile]
  \frametitle{Unchecked Array Write}
  \begin{lstlisting}[language=Solidity]
pragma solidity 0.4.25;

contract MyContract {
	address private owner;
	uint[] private arr;
	
	constructor() public {
		arr = new uint[](0);
		owner = msg.sender;
	}
	
	function write(unit index, uint value) {
		arr[index] = value;
	}
}
  \end{lstlisting}
\end{frame}
\begin{frame}[fragile]
  \frametitle{Incorrect Array Length Check}
	\begin{lstlisting}[language=Solidity, basicstyle=\tiny\ttfamily, numberstyle=\tiny]
pragma solidity 0.4.25;

contract MyContract {
  uint[] private arr;

  constructor() public {
    arr = new uint[](0);
  }

  function push(value) {
    arr[arr.length] = value;
    arr.length++;
  }

  function pop() {
    require(arr.length >= 0);
    arr.length--;
  }

  function update(unit index, uint value) {
    require(index < arr.length);
    arr[index] = value;
  }
}
	\end{lstlisting}
\end{frame}
\begin{frame}[fragile]
  \frametitle{Unchecked Assembly}
	\begin{lstlisting}[language=Solidity, basicstyle=\tiny\ttfamily, numberstyle=\tiny, breaklines=true]
pragma solidity 0.4.25;

contract MyContract {
  address private owner;
  mapping(address => bool) public managers;

  constructor() public {
    owner = msg.sender;
    setNextUserRole(msg.sender);
  }

  function setNextManager(address next) internal {
    uint256 slot;
    assembly {
      slot := managers.slot
      sstore(slot, next)
    }
    bytes32 location = keccak256(abi.encode(160, uint256(slot)));
    assembly {
      sstore(location, true)
    }
  }

  function registerUser(address user) {
    require(msg.sender == owner);
    setNextManager(user);
  }
}
	\end{lstlisting}
\end{frame}



\section{Detecting and Exploiting}
\subsection[Detecting SWC-124]{Detecting SWC-124}
\begin{frame}[fragile]
  \frametitle{SWC-124: Detection Heuristics 1}
  Any contract without dynamic arrays (or mappings with integer keys) or raw assembly including a SSTORE instruction can immediately be considered non-vulnerable.
\end{frame}

\begin{frame}[fragile]
  \frametitle{SWC-124: Detection Heuristics 2}
  If heuristic 1 does not hold, we can then apply a second heuristic: checking the solidity compiler version, specified at the top of the contract. Solidity version 0.8.0+ introduced integer under- and overflow protection, which are enabled per default and require extra work to be disabled.
\end{frame}

\begin{frame}[fragile]
  \frametitle{SWC-124: Detection Heuristics 2.1}
  If the version of the contract is higher than 0.8.0, we examine whether unchecked arithmetic has been used for modifying the arrays. If this is not the case, which it is not most of the time, we can then determine that the contract is non-vulnerable. Applying this heuristic, we found a contract that could have been vulnerable had it been compiled with a lower solidity version.

  \begin{block}{Note on assembly}
    Due to the nature of the examples given, we could not find reliable heuristics for unchecked assembly.
  \end{block}
\end{frame}


\begin{frame}[fragile]
  \frametitle{SWC-124: Detection Tools}
  \begin{itemize}
    \item existing static analysis tools were useless - most of them had no support for SWC-124
    \item \texttt{solc-select} - for changing solidity compiler versions
    \item \texttt{slither} - for printing contract variable layout
  \end{itemize}
\end{frame}

\begin{frame}[fragile]
	\texttt{\$ slither Bethorde.sol --print variable-order}

	\includegraphics[width=\textwidth]{slither}

\end{frame}

\subsection[Exploiting SWC-124]{Exploiting SWC-124}

% TODO: Exploitation is trivial, should we just go back and explain or should we go into memory layout? Can we handle it in time?

\begin{frame}[fragile]
  \frametitle{Vulnerable Examples}
  Using the previously mentioned heuristics, we could not find a vulnerable contract from the dataset.
\end{frame}

\section{Future Work}
\begin{frame}[fragile]
  \frametitle{Future Work}
\begin{itemize}
  \item add heuristics to static analysis tool like \texttt{slither} or \texttt{mythril}
  \item develop additional vulnerable and non-vulnerable contracts and test against heuristics
  \item train a model against the resulting dataset
  \item fine-tune heuristics
\end{itemize}
\end{frame}
\section{Conclusion}
\begin{frame}[fragile]
  Questions?
\end{frame}


\end{document}