Uncovering Smart Contract VM Bugs Via Differential Fuzzing

D. Maier, F. Fäßler, Jean-Pierre Seifert
DOI: 10.1145/3503921.3503923 (https://doi.org/10.1145/3503921.3503923)
Published in: Reversing and Offensive-Oriented Trends Symposium, 2021-11-18
Citations: 2

Abstract

The ongoing public interest in blockchains and smart contracts has given rise to a multitude of different blockchain implementations. The rate at which new concepts are envisioned and implemented makes it hard to vet their impact on security. Smart contract platforms in particular, which execute untrusted code, are very complex by design. Still, people put their trust and money into chains that may lack proper testing. A behavioral deviation between implementations on edge cases of single opcodes is a critical bug class in this brave new world: it can be abused for denial of service against the blockchain, chain splits, double-spending, or direct attacks on applications operating on the blockchain. In this paper, we propose an automated methodology to uncover such differences. Through coverage-guided and state-guided fuzzing, we explore smart contract virtual machine behavior by executing the same inputs against multiple VMs in parallel and comparing the results. We develop NeoDiff, the first framework for feedback-guided differential fuzzing of smart contract VMs. We discuss real, monetary consequences our tool prevents. NeoDiff can be ported to new smart contract platforms with ease. Apart from fuzzing Ethereum VMs, NeoDiff found a range of critical differentials in VMs for the Neo blockchain. Moreover, through a higher-layer semantics mutator, we uncovered semantic discrepancies between Neo smart contracts written in Python when executed on the blockchain and the same code executed on classic CPython. Along the way, NeoDiff uncovered memory corruptions in the C# Neo VM.
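The coverage-guided, state-guided differential fuzzing the abstract describes, reduced to a runnable sketch. This is an added example, not NeoDiff's code and not the VMs the paper fuzzes: the seven-opcode 256-bit stack machine, the two separately written interpreters, the feedback signals (opcode-pair edges from the reference VM plus an abstracted stack state after each instruction) and the planted deviation in vm_b (MOD with a zero divisor returns the dividend instead of 0) are all constructed for illustration.

```python
"""Feedback-guided differential fuzzing of two toy stack VMs (added example).

Two separately written interpreters for one 256-bit-word opcode set run each
fuzzer-generated program; any difference in halt reason or final stack is a
differential. The deviation in vm_b is constructed: MOD by zero returns the dividend.
"""
import random

MASK = (1 << 256) - 1
OPS = ["PUSH", "ADD", "SUB", "MUL", "DIV", "MOD", "DUP"]
EDGE_VALUES = [0, 1, 2, MASK, MASK - 1, 1 << 255]    # boundary immediates

def _bucket(v):
    """Coarse class of a word for state feedback: exact at boundaries, else sign bit."""
    return v if v in (0, 1, MASK) else ("high" if v >> 255 else "small")

def vm_a(program, feedback=None):
    """Reference interpreter (EVM convention: DIV and MOD by zero yield 0). If
    `feedback` is a set, it receives opcode-pair edges and abstract stack states."""
    stack, prev = [], "START"
    for op, imm in program:
        try:
            if op == "PUSH":
                stack.append(imm & MASK)
            elif op == "DUP":
                stack.append(stack[-1])
            else:
                b, a = stack.pop(), stack.pop()              # b is top of stack
                r = {"ADD": a + b, "SUB": a - b, "MUL": a * b,
                     "DIV": a // b if b else 0, "MOD": a % b if b else 0}[op]
                stack.append(r & MASK)
        except IndexError:
            return ("underflow", tuple(stack))
        if feedback is not None:
            feedback.add(("edge", prev, op))
            feedback.add(("state", len(stack), _bucket(stack[-1]) if stack else None))
        prev = op
    return ("ok", tuple(stack))

# Second interpreter, dispatch-table style so the two share no code paths.
_TABLE_B = {"ADD": lambda a, b: a + b, "SUB": lambda a, b: a - b,
            "MUL": lambda a, b: a * b, "DIV": lambda a, b: a // b if b else 0,
            "MOD": lambda a, b: a % b if b else a}           # constructed deviation

def vm_b(program):
    stack = []
    for op, imm in program:
        try:
            if op == "PUSH":
                stack.append(imm & MASK)
            elif op == "DUP":
                stack.append(stack[-1])
            else:
                b, a = stack.pop(), stack.pop()
                stack.append(_TABLE_B[op](a, b) & MASK)
        except IndexError:
            return ("underflow", tuple(stack))
    return ("ok", tuple(stack))

def random_insn(rng):
    op = rng.choice(OPS)
    imm = rng.choice(EDGE_VALUES) if rng.random() < 0.8 else rng.getrandbits(256)
    return (op, imm if op == "PUSH" else 0)

def mutate(rng, program):
    """Insert, delete or replace one instruction; programs are capped at 12."""
    prog, kind = list(program), rng.randrange(3)
    if kind == 0 or not prog:
        prog.insert(rng.randrange(len(prog) + 1), random_insn(rng))
    elif kind == 1:
        del prog[rng.randrange(len(prog))]
    else:
        prog[rng.randrange(len(prog))] = random_insn(rng)
    return prog[:12]

def minimize(program):
    """Greedy delta-debugging: drop instructions while the VMs still disagree."""
    prog, i = list(program), 0
    while i < len(prog):
        cand = prog[:i] + prog[i + 1:]
        if cand and vm_a(cand) != vm_b(cand):
            prog = cand
        else:
            i += 1
    return prog

def fuzz(seed=0, max_iters=50000):
    """Return a minimized program on which vm_a and vm_b disagree, or None."""
    rng, seen = random.Random(seed), set()
    corpus = [[("PUSH", 1), ("PUSH", 2), ("ADD", 0)]]
    for _ in range(max_iters):
        child, fb = mutate(rng, rng.choice(corpus)), set()
        if vm_a(child, fb) != vm_b(child):
            return minimize(child)
        if not fb <= seen:          # new edge or new abstract state: keep the input
            seen |= fb
            corpus.append(child)
    return None
```

`fuzz()` returns the minimized divergent program; with the planted bug it is usually some variant of `PUSH x, PUSH 0, MOD`. Only the reference VM feeds the corpus, so the feedback never depends on the implementation under test. Porting the loop to a real VM pair means replacing `vm_a` and `vm_b` with wrappers that execute bytecode and return a canonical final state; the mutator, feedback and minimizer stay as they are.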