blockchain | 论文阅读 | sFuzz: An Efficient Adaptive Fuzzer for Solidity Smart Contracts

blockchain | 论文阅读 | sFuzz: An Efficient Adaptive Fuzzer for Solidity Smart Contracts

sFuzz: An Efficient Adaptive Fuzzer for Solidity Smart Contracts

from ICSE

https://doi.org/10.1145/3377811.3380334

文章提出sfuzz工具用于对solidity语言编写的合约进行模糊测试,说效果好。

背景

智能合约应用前景广,solidity使用率高。

一旦部署,无法更改。

提到了The DAO硬分叉的那次攻击。

现在也有使用代理合约进行修改的方式,数据和代码分离进行操作。

因此,在合约进行部署前进行漏洞检测是很重要的。

提出3个重点问题:

  1. 怎么自动化跑测试用例
  2. 怎么进行测试
  3. 怎么检测漏洞

提到了3个之前的模型:

  1. ContractFuzzer。利用网络模型进行漏洞检测
  2. Oyente。利用符号执行和约束求解进行漏洞检测
  3. teEther。利用符号执行对金融交易漏洞进行检测

本文项目:从AFL项目出发,补充了基于符号执行的测试引擎,这种模糊测试高效但是也有一定的限制。

关于AFL我之前没有了解过,但是这个文章比较好:AFL漏洞挖掘技术漫谈(一):用AFL开始你的第一次Fuzzing - FreeBuf网络安全行业门户

为了解决这个问题,sFuzz采用了一种轻量的种子选择策略。

sFuzz项目基于Aleth项目开发(一个c++以太坊虚拟机)这个项目和AFL有着相似的系统架构和可扩展性。

这个项目在2021年最后一次更新,大部分的代码在19年就完成了并且没有更改。

例子

这节一开头说,sFuzz只需要用evm字节码就能进行测试,但是我看文章摘要的感觉是对源代码进行测试,感觉很迷。

例子1:

猜密码游戏:

image

这个例子并不好,直接读取最开始的那次交易就可以提取出_answer原来的值了。

测试了一手:

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

contract Game {
string public question;
address questionSender;
bytes32 responseHash;

constructor(string memory _question, string memory _answer) public {
 responseHash = keccak256(abi.encode(_answer));
 question = _question;
 questionSender = msg.sender;
}

function Try(string memory _response) payable public returns(bool){
 if (responseHash == keccak256(abi.encode(_response)) && msg.value == 0.0001 ether){
   (payable(msg.sender)).transfer(address(this).balance);
   return true;
 }
 return false;
}
}

部署以后查看部署的交易:

image

{
blockHash: "0x2d55f4e702ab812f5785b4c4909440b9f459e7a59dcbd675f859c48fc0352941",
blockNumber: 5414,
chainId: "0xf",
from: "0xda8e0a6becd46e3c1d25bebcc0e8f6723cf2f924",
gas: 1000000,
gasPrice: 10000000000,
hash: "0x1db1956aa706628b75971be13bce3283e916b9d55db7abc643fa6ec77dde1bde",
input: "0x60806040523480156200001157600080fd5b50604051620008b4380380620008b48339818101604052810190620000379190620001ea565b806040516020016200004a91906200029e565b6040516020818303038152906040528051906020012060028190555081600090805190602001906200007e929190620000c8565b5033600160006101000a81548173ffffffffffffffffffffffffffffffffffffffff021916908373ffffffffffffffffffffffffffffffffffffffff160217905550505062000420565b828054620000d6906200037b565b90600052602060002090601f016020900481019282620000fa576000855562000146565b82601f106200011557805160ff191683800117855562000146565b8280016001018555821562000146579182015b828111156200014557825182559160200191906001019062000128565b5b50905062000155919062000159565b5090565b5b80821115620001745760008160009055506001016200015a565b5090565b60006200018f6200018984620002f6565b620002c2565b905082815260208101848484011115620001a857600080fd5b620001b584828562000345565b509392505050565b600082601f830112620001cf57600080fd5b8151620001e184826020860162000178565b91505092915050565b60008060408385031215620001fe57600080fd5b600083015167ffffffffffffffff8111156200021957600080fd5b6200022785828601620001bd565b925050602083015167ffffffffffffffff8111156200024557600080fd5b6200025385828601620001bd565b9150509250929050565b60006200026a8262000329565b62000276818562000334565b93506200028881856020860162000345565b62000293816200040f565b840191505092915050565b60006020820190508181036000830152620002ba81846200025d565b905092915050565b6000604051905081810181811067ffffffffffffffff82111715620002ec57620002eb620003e0565b5b8060405250919050565b600067ffffffffffffffff821115620003145762000313620003e0565b5b601f19601f8301169050602081019050919050565b600081519050919050565b600082825260208201905092915050565b60005b838110156200036557808201518184015260208101905062000348565b8381111562000375576000848401525b50505050565b600060028204905060018216806200039457607f821691505b60208210811415620003ab57620003aa620003b1565b5b50919050565b7f4e487b7100000000000000000000000000000000000000000000000000000000600052602260045260246000fd5b7f4e487b7100000000000000000000000000000000000000000000000000000000600052604160045260246000fd5b6000601f19601f8301169050919050565b61048480620004306000396000f3fe6080604052600436106100295760003560e01c80633853682c1461002e5780633fad9ae01461005e575b600080fd5b6100486004803603810190610043919061021c565b610089565b60405161005591906102a5565b60405180910390f35b34801561006a57600080fd5b50610073610126565b60405161008091906102c0565b60405180910390f35b60008160405160200161009c91906102c0565b604051602081830303815290604052805190602001206002541480156100c75750655af3107a400034145b1561011c573373ffffffffffffffffffffffffffffffffffffffff166108fc479081150290604051600060405180830381858888f19350505050158015610112573d6000803e3d6000fd5b5060019050610121565b600090505b919050565b60008054610133906103ad565b80601f016020809104026020016040519081016040528092919081815260200182805461015f906103ad565b80156101ac5780601f10610181576101008083540402835291602001916101ac565b820191906000526020600020905b81548152906001019060200180831161018f57829003601f168201915b505050505081565b60006101c76101c284610313565b6102e2565b9050828152602081018484840111156101df57600080fd5b6101ea84828561036b565b509392505050565b600082601f83011261020357600080fd5b81356102138482602086016101b4565b91505092915050565b60006020828403121561022e57600080fd5b600082013567ffffffffffffffff81111561024857600080fd5b610254848285016101f2565b91505092915050565b6102668161035f565b82525050565b600061027782610343565b610281818561034e565b935061029181856020860161037a565b61029a8161043d565b840191505092915050565b60006020820190506102ba600083018461025d565b92915050565b600060208201905081810360008301526102da818461026c565b905092915050565b6000604051905081810181811067ffffffffffffffff821117156103095761030861040e565b5b8060405250919050565b600067ffffffffffffffff82111561032e5761032d61040e565b5b601f19601f8301169050602081019050919050565b600081519050919050565b600082825260208201905092915050565b60008115159050919050565b82818337600083830152505050565b60005b8381101561039857808201518184015260208101905061037d565b838111156103a7576000848401525b50505050565b600060028204905060018216806103c557607f821691505b602082108114156103d9576103d86103df565b5b50919050565b7f4e487b7100000000000000000000000000000000000000000000000000000000600052602260045260246000fd5b7f4e487b7100000000000000000000000000000000000000000000000000000000600052604160045260246000fd5b6000601f19601f830116905091905056fea26469706673582212205a8e754473686da250aefe4bcd4661f7b56d76bb49ade84731305cc514eabf8a64736f6c63430008000033000000000000000000000000000000000000000000000000000000000000004000000000000000000000000000000000000000000000000000000000000000800000000000000000000000000000000000000000000000000000000000000015776861742064617920697320697420746f6461793f000000000000000000000000000000000000000000000000000000000000000000000000000000000000085468757273646179000000000000000000000000000000000000000000000000",
nonce: 134,
r: "0x1e3c138123a01f8930b2cc87807fe6781596c20294997cabcc18628b741847c1",
s: "0x133aa06a6d58ec9b6e2ed4a22ac73a83f5e0e6d7724ab977513f83e18a220208",
to: null,
transactionIndex: 0,
type: "0x0",
v: "0x41",
value: 0
}

提取参数得到答案:

image

image

这里它说通过选择种子和迭代140代不断接近第10行的条件,然后揭露这个call fallback的漏洞,我并不能明白具体是怎么迭代出来的,我也不知道它是怎么满足hash相等的那个条件的。

主要的漏洞数据来源:

image

实现

部署两个攻击合约,一个拒绝收款,一个尝试重入(reentrancy attacker)。

进行xxx测试。

算法2:

image

我感觉这里面有一个很玄学的东西是distance函数,这怎么判定的?

然后我才发现这个,但是这部分的解释我还是看不太明白:

image

conclusion&argue

感觉这篇文章本质上就是提出了一个基于AFL的Fuzz测试模型,使用了aleth的evm环境,设计了一个优化了一点的种子选择策略,仅此而已。

duytai/sFuzz (github.com) 这个应该是项目的地址

https://github.com/ethereum/aleth/ 项目使用的c++ evm环境

https://github.com/crytic/echidna/ 找到的一个fuzz框架,还没有仔细看。

posted @ 2023-09-07 17:14  Mz1  阅读(177)  评论(0编辑  收藏  举报