Page 1
Sereum: Protecting Existing Smart Contracts Against Re-Entrancy Attacks
Michael Rodler (1), Wenting Li (2), Ghassan O. Karame (2), Lucas Davi (1)
(1) University of Duisburg-Essen, (2) NEC Laboratories Europe
26th Network and Distributed System Security Symposium (NDSS 2019)
Page 2
The DAO Hack, 17 June 2016
3.6 Million Ether stolen, worth $50 Million (5% of all available Ether)
Page 3
The DAO Aftermath
Hard-Fork: Ethereum (ETH) and Ethereum Classic (ETC)
Page 4
The DAO Attack
Diagram of the splitDAO(…) call sequence between The DAO, the Child DAO and the attacker: Check Attacker Balance, Transfer Amount, Withdraw to Child DAO, Update Attacker Balance. The DAO's balance drops from 1000 to 900, 800, … and finally 0 while the Child DAO accumulates 100, 200, … 1000. The attacker's recorded balance stays at 100 throughout, because the update is only made after the transfer, so every re-entered withdrawal passes the balance check.
Page 5
Can we automatically detect re-entrancy vulnerabilities?
Page 6
Prior Research on Bug Finding and Exploitation in Smart Contracts
Approaches: static analysis, verification, symbolic execution, runtime checking
Oyente [Luu et al., CCS 2016]
Securify [Tsankov et al., CCS 2018]
ECFChecker [Grossman et al., POPL 2018]
TeEther [Krupp and Rossow, USENIX Security 2018]
MAIAN [Nikolic et al., ACSAC 2018]
ZEUS [Kalra et al., NDSS 2018]
OSIRIS [Torres et al., ACSAC 2018]
SmartCheck [Tikhomirov et al., 2018]
Manticore (Trail of Bits)
Mythril (ConsenSys)
Legend on the slide: marked tools detect re-entrancy; the overview table on Page 14 lists which ones.
Page 7
Current Bug Finding Tools
Page 8
Our Research Questions:
1. Do existing tools cover all re-entrancy bugs?
2. Can we protect deployed contracts?
Page 9
Our Contributions
Overlooked re-entrancy attack patterns
Runtime detection of re-entrancy attacks
Taint tracking engine for EVM bytecode
Sereum – Hardened Ethereum Client
Investigation of root causes for false positives
Page 10
Overlooked re-entrancy problems
Page 11
Attack 1: Cross-Function Re-Entrancy
Diagram: the victim contract's function A makes an external call to the malicious attacker contract, which re-enters the victim through a different function B while A is still executing. Tools that only look for a re-entry of the same function miss this, although A and B share the same state.
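The same-function sequence from Page 4 and the cross-function variant on this slide, replayed in a Python toy model. This is an added example, not code from the paper, from Sereum or from The DAO: the `Chain`, `Bank` and `Attacker` classes, the address names and the amounts are all constructed for illustration. A value-carrying call runs the callee's `fallback()` the way an EVM CALL does, so the attacker gets control while the bank's internal ledger is still stale.

```python
"""Toy model of same-function and cross-function re-entrancy.

Added example for this transcript; it is neither Sereum code nor The DAO's code.
Contracts are Python objects, the chain is a dict of Ether balances, and a
value-carrying call runs the callee's fallback() the way an EVM CALL would.
All addresses and amounts are constructed sample data."""


class Chain:
    """Ether ledger plus a CALL-with-value that hands control to the callee."""

    def __init__(self, ether):
        self.ether = dict(ether)           # address -> Ether
        self.contracts = {}                # address -> object with fallback()

    def call_value(self, src, dst, value):
        if self.ether.get(src, 0) < value:
            raise RuntimeError(f"{src}: insufficient Ether")
        self.ether[src] -= value
        self.ether[dst] = self.ether.get(dst, 0) + value
        callee = self.contracts.get(dst)
        if callee is not None:             # a contract runs code when it receives Ether
            callee.fallback(src, value)


class Bank:
    """deposit/withdraw/transfer over an internal ledger.

    fixed=False keeps the DAO ordering (call, then update);
    fixed=True applies checks-effects-interactions (update, then call)."""

    def __init__(self, chain, addr, fixed):
        self.chain, self.addr, self.fixed = chain, addr, fixed
        self.balance = {}                  # address -> credit
        chain.contracts[addr] = self

    def fallback(self, sender, value):     # receiving Ether credits the sender
        self.balance[sender] = self.balance.get(sender, 0) + value

    def deposit(self, sender, value):
        self.chain.call_value(sender, self.addr, value)

    def transfer(self, sender, to, amount):   # a second function over the same ledger
        if self.balance.get(sender, 0) < amount:
            raise RuntimeError("transfer: insufficient credit")
        self.balance[sender] -= amount
        self.balance[to] = self.balance.get(to, 0) + amount

    def withdraw(self, sender, amount):
        if self.balance.get(sender, 0) < amount:             # check
            raise RuntimeError("withdraw: insufficient credit")
        if self.fixed:
            self.balance[sender] -= amount                    # effect ...
            self.chain.call_value(self.addr, sender, amount)  # ... then interaction
        else:
            self.chain.call_value(self.addr, sender, amount)  # interaction first: the
            self.balance[sender] -= amount                    # callee sees stale state


class Attacker:
    """Re-enters the bank from fallback(): mode 'same' calls withdraw() again,
    mode 'cross' calls transfer() to move the not-yet-debited credit away."""

    def __init__(self, chain, bank, addr, accomplice, mode, max_reentries):
        self.chain, self.bank, self.addr = chain, bank, addr
        self.accomplice, self.mode, self.left = accomplice, mode, max_reentries
        chain.contracts[addr] = self

    def run(self, stake):
        self.stake = stake
        self.bank.deposit(self.addr, stake)
        self.bank.withdraw(self.addr, stake)

    def fallback(self, sender, value):
        if self.left <= 0:
            return
        self.left -= 1
        try:
            if self.mode == "same":
                self.bank.withdraw(self.addr, self.stake)
            else:
                self.bank.transfer(self.addr, self.accomplice, self.stake)
        except RuntimeError:
            pass                           # a failed inner call just returns false


def scenario(fixed, mode, max_reentries=3):
    """Returns Ether held by the bank, Ether held by attacker+accomplice (they start
    with 100), and the attacker's remaining credit (negative: the real contract's
    unsigned counter would underflow here)."""
    chain = Chain({"bank": 1000, "attacker": 100, "accomplice": 0})
    bank = Bank(chain, "bank", fixed)
    Attacker(chain, bank, "attacker", "accomplice", mode, max_reentries).run(100)
    credit = bank.balance.get("accomplice", 0)
    if credit:                             # cash out credit the cross-function attack minted
        bank.withdraw("accomplice", credit)
    return (chain.ether["bank"],
            chain.ether["attacker"] + chain.ether["accomplice"],
            bank.balance.get("attacker", 0))


if __name__ == "__main__":
    for fixed in (False, True):
        for mode in ("same", "cross"):
            print(f"fixed={fixed} mode={mode}: bank, attacker, credit = {scenario(fixed, mode)}")
```

With the DAO ordering the same-function attacker withdraws its 100 stake four times and ends with a credit of -300; the cross-function attacker instead calls `transfer()` from the callback, so the undebited 100 credit lands with the accomplice, who cashes it out afterwards. With checks-effects-interactions both re-entries fail the balance check and nothing is gained. The delegated (Page 12) and create-based (Page 13) patterns change only how control reaches the attacker, not the stale-ledger problem this model shows.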
Page 12
Attack 2: Delegated Re-Entrancy
Diagram: the victim contract's function A uses DELEGATECALL to run library contract code (B) in the victim's own storage context; that library code makes the external call to the malicious attacker contract, which then re-enters the victim. Analyses that only inspect the victim's own bytecode do not see the external call.
Page 13
Attack 3: Create-Based Re-Entrancy
Diagram: the victim contract's function A executes CREATE; the constructor of the newly created contract runs immediately, hands control to the malicious attacker contract, and the attacker re-enters the victim before A has finished. CREATE is not a CALL, so tools that only treat CALL as the re-entry point miss it.
Page 14
Overview on Re-Entrancy Detection
Columns: Tool, Same-Function, Cross-Function, Delegated, Create-based
Oyente [Luu et al., CCS 2016]
Securify [Tsankov et al., CCS 2018] * *
ECFChecker [Grossman et al., POPL 2018]
Manticore (Trail of Bits)
Mythril (ConsenSys) * *
Sereum
* Conservative policy with high number of false positives
Page 15
Main Observation
Typically re-entrancy attacks exploit inconsistent state at the time the vulnerable contract decides whether to take a branch
Page 16
Sereum Approach
Flowchart of the vulnerable pattern:
function withdraw(uint amount)
    if (balance[msg.sender] >= amount)     // F: return
        msg.sender.call.value(amount)("");  // T
        balance[msg.sender] -= amount;
    return;
Mark variables that influence branching decisions as critical
Prevent further updates with write-locks
Page 17
Sereum Architecture
go-ethereum: Ethereum Virtual Machine (EVM) with Bytecode Interpreter and Transaction Manager
Sereum: Taint Engine and Attack Detector
Enforcement: Transaction roll-back on detected attack
Page 18
Sereum Write Locks (trace of the attack from the victim's point of view)
Victim (outer call):
    Check Balance: x = SLOAD(0x12345…); cond = LT(x, …); JUMPI(0x140, cond)
        -> Mark "attacker balance" at 0x12345… as critical variable
    Transfer Ether: CALL(…, 0xA, …)
        -> Write-lock "attacker balance" at 0x12345…
Attacker: Re-enter
Victim (re-entered):
    Check Balance
    Transfer Ether
    Update Balance: SSTORE(0x12345…, …)
        -> Alert: Write to locked variable
Return; STOP
Lock state of 0x12345…: Unlocked ->; Locked
Page 19
Evaluation Results
Evaluation on first 4.5 Million Ethereum blocks
Successful detection of The DAO incident
~50k flagged transactions
~2k true attack transactions
New finding: the curious case of DSEthToken; developers hacked their own contract 7 days before The DAO incident
Manual reverse-engineering and analysis of flagged transactions: 14 distinct contracts result in false positives
Questions?
Sereum: Protecting Existing Smart Contracts Against Re-Entrancy Attacks
Michael Rodler 1, Wenting Li 2, Ghassan O. Karame 2, Lucas Davi 1
1 University Duisburg-Essen2 NEC Laboratories Germany
github.com/uni-due-syssec/eth-reentrancy-attack-patterns @f0rki
Page 21
Backup Slides
Page 22
Sereum Performance
Benchmark: Execute 50 Blocks in Batch (10 000 repetitions)
Sereum – mean 2494.5 ms (σ = 174.8 ms)
Geth – mean 2277.0 ms (σ = 146.7 ms)
Mean overhead: 9.6 %
Average memory consumption: geth 9252 MB, Sereum 9767 MB
Timings on newer blocks (around block ~6 700 000)
Average 5 sec to process a block with Sereum (about 150 TX)
New block every ~15 sec
Sereum can keep up with the network!
Page 23
Evaluation of Sereum
1. We verified that Sereum successfully detects the new attack patterns
2. Evaluation on the Ethereum blockchain
    We re-executed all blocks up until block number 4 500 000 (77 987 922 transactions)
    We detected attacks related to "the DAO"
    Sereum flagged 49 080 transactions as re-entrancy attacks
3. We manually reverse-engineered and analyzed detected contracts/attacks
    We identified 2 337 true attack transactions
    Sereum has an overall false positive rate as low as 0.06% (falsely flagged transactions relative to all re-executed transactions)
    We identified 5 major classes of root-causes of false positives (see details in the paper)
Page 24
False Positive Causes
I. Lack of field-sensitivity on the EVM level: small types packed densely into one storage address, so a write to one field hits a slot locked because of another
II. Storage deallocation: deallocation is an overwrite with zero
III. Constructor callbacks: instead of passing data as a constructor argument, the created contract retrieves it by calling back into its creator
IV. Tight contract coupling: contract execution passes back and forth between two or more contracts
V. Manual re-entrancy locking: manual locking is identical to the malicious re-entrancy pattern
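The write-lock mechanism of Pages 16-18 and cause I from this slide, as a runnable Python model. This is an added example, not Sereum's code: `SereumVM` is a toy interpreter whose `sload`/`jumpi`/`call`/`sstore` methods do the bookkeeping the slides describe (taint a loaded word with its slot, mark the slots behind a branch as critical, write-lock them for the duration of an external call, raise an alert on a write to a locked slot and roll the transaction back). Contract names, the slot `0x12345` from Page 18, the `registry`/`hook` contracts and all balances are constructed sample data, and the packed-slot scenario is an illustration of cause I, not the paper's own case.

```python
"""Write-lock re-entrancy detection over an EVM-like trace (added example for this
transcript, not Sereum's code). SLOAD taints a word with its slot, JUMPI on a tainted
condition marks those slots critical, CALL write-locks the caller's critical slots while
the callee runs, and SSTORE to a locked slot raises an alert that rolls the transaction
back. Contract names, slot numbers and balances are constructed sample data."""
class Tainted:                             # a storage word plus the slots it came from
    def __init__(self, value, slots=()):
        self.value, self.slots = value, frozenset(slots)

    def op(self, fn, other):               # arithmetic/compare propagates the taint
        o = other if isinstance(other, Tainted) else Tainted(other)
        return Tainted(fn(self.value, o.value), self.slots | o.slots)

class ReentrancyAlert(Exception): pass

class SereumVM:
    def __init__(self, storage, contracts):
        self.storage = dict(storage)       # (contract, slot) -> word
        self.contracts = contracts         # name -> {function: handler(vm, sender, arg)}
        self.stack, self.critical, self.locked = [], {}, {}

    def run_tx(self, sender, to, fn, arg): # None if accepted, else the alert message
        snapshot, self.critical, self.locked = dict(self.storage), {}, {}
        self.stack.append(sender)          # frame of the externally owned account
        try:
            self.call(to, fn, arg)
        except ReentrancyAlert as alert:   # enforcement: roll the transaction back
            self.storage = snapshot
            return str(alert)
        finally:
            self.stack.pop()

    def sload(self, slot):                 # SLOAD: the value is tainted by its slot
        return Tainted(self.storage.get((self.stack[-1], slot), 0), {slot})

    def jumpi(self, cond):                 # JUMPI: slots behind the branch are critical
        if isinstance(cond, Tainted):
            self.critical.setdefault(self.stack[-1], set()).update(cond.slots)
        return bool(getattr(cond, "value", cond))

    def call(self, to, fn, arg):           # CALL: hold write-locks while the callee runs
        me, handler = self.stack[-1], self.contracts.get(to, {}).get(fn)
        held = self.locked.setdefault(me, set())
        fresh = set(self.critical.get(me, ())) - held
        held |= fresh
        self.stack.append(to)
        try:
            if handler is not None:        # accounts without code just receive the call
                handler(self, me, arg)
        finally:
            self.stack.pop()
            held -= fresh                  # released on return: the outer write is fine

    def sstore(self, slot, word):          # SSTORE to a locked slot: re-entrant write
        me = self.stack[-1]
        if slot in self.locked.get(me, ()):
            raise ReentrancyAlert(f"{me}: write to locked slot {slot:#x} at depth {len(self.stack)}")
        self.storage[(me, slot)] = word.value if isinstance(word, Tainted) else word

LT, SUB, ADD, AND = (lambda a, b: int(a < b)), (lambda a, b: a - b), (lambda a, b: a + b), (lambda a, b: a & b)
BAL, ACC, STATUS = 0x12345, 0x12346, 0x0   # victim balance slots; registry packed slot

def dao_withdraw(vm, sender, amount):      # check, CALL, then update: the DAO order
    bal = vm.sload(BAL)
    if not vm.jumpi(bal.op(LT, amount)):
        vm.call(sender, "fallback", amount)
        vm.sstore(BAL, bal.op(SUB, amount))

def fixed_withdraw(vm, sender, amount):    # checks-effects-interactions
    bal = vm.sload(BAL)
    if not vm.jumpi(bal.op(LT, amount)):
        vm.sstore(BAL, bal.op(SUB, amount))
        vm.call(sender, "fallback", amount)

def transfer(vm, sender, amount):          # a second victim function over the same slot
    bal = vm.sload(BAL)
    if not vm.jumpi(bal.op(LT, amount)):
        vm.sstore(BAL, bal.op(SUB, amount))
        vm.sstore(ACC, vm.sload(ACC).op(ADD, amount))

def callback(target, fn):                  # a callee that calls back into `target` once
    def code(vm, sender, arg):
        if vm.stack.count(target) == 1:
            vm.call(target, fn, arg)
    return code

def attack(withdraw, reentered_fn, start=100):   # -> (alert or None, victim balance slot)
    vm = SereumVM({("victim", BAL): start},
                  {"victim": {"withdraw": withdraw, "transfer": transfer},
                   "attacker": {"fallback": callback("victim", reentered_fn)}})
    return vm.run_tx("attacker", "victim", "withdraw", start), vm.storage[("victim", BAL)]

def packed_slot_false_positive():          # cause I: `paused` (low byte) and a counter
    vm = SereumVM({("registry", STATUS): 0}, {   # share one slot, so the trusted hook's
        "registry": {                              # benign counter update is flagged
            "notify": lambda vm, s, a: vm.jumpi(vm.sload(STATUS).op(AND, 0xFF)) or vm.call("hook", "on_notify", a),
            "ping": lambda vm, s, a: vm.sstore(STATUS, vm.sload(STATUS).op(ADD, 1 << 8))},
        "hook": {"on_notify": callback("registry", "ping")}})
    return vm.run_tx("alice", "registry", "notify", 0)
```

`attack(dao_withdraw, "withdraw")` reproduces the Page 18 trace: the outer `withdraw` branches on slot 0x12345, the CALL locks it, and the re-entered `withdraw`'s SSTORE to that slot raises the alert, after which storage is restored to the pre-transaction value. `attack(dao_withdraw, "transfer")` shows that the cross-function variant hits the same lock, because `transfer()` writes the slot the branch depended on. With `fixed_withdraw` the slot is written before the CALL, the re-entered check fails, and no alert is raised; a caller without code can withdraw normally. `packed_slot_false_positive()` shows the slot-granularity problem behind cause I: the branch depends only on the `paused` byte, the trusted hook's callback increments a counter packed into the same slot, and the transaction is rejected although nothing is wrong.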
Page 25
Sereum Usage
Detection mode
    Developer continuously runs Sereum
    Re-play all public Ethereum transactions, looking for attacks
    Developer reacts to attacks
Enforcement mode
    Integrate Sereum into all Ethereum clients
    For example: private blockchain based on Ethereum
Page 26
References
L. Luu, D.-H. Chu, H. Olickel, P. Saxena, and A. Hobor, “Making Smart Contracts Smarter”, ACM CCS 2016
P. Tsankov, A. Dan, D. D. Cohen, A. Gervais, F. Buenzli, and M. Vechev, “Securify: Practical Security Analysis of Smart Contracts”, ACM CCS 2018
S. Kalra, S. Goel, M. Dhawan, and S. Sharma, “ZEUS: Analyzing Safety of Smart Contracts”, NDSS 2018
J. Krupp and C. Rossow, “TeEther: Gnawing at Ethereum to Automatically Exploit Smart Contracts”, USENIX Security 2018
I. Nikolic, A. Kolluri, I. Sergey, P. Saxena, and A. Hobor, “Finding The Greedy, Prodigal, and Suicidal Contracts at Scale”, ACSAC 2018
S. Grossman et al., “Online Detection of Effectively Callback Free Objects with Applications to Smart Contracts”, POPL 2018
S. Tikhomirov, E. Voskresenskaya, I. Ivanitskiy, R. Takhaviev, E. Marchenko, and Y. Alexandrov, “SmartCheck: Static Analysis of Ethereum Smart Contracts”, 2018