Siddhasagar Pani
ABSTRACT
Greybox fuzzers require intermediate programs called fuzz drivers to test smart contract APIs. These fuzz drivers use the semi-random inputs (bytes) generated by fuzzers to prepare suitable inputs required to test APIs. Further, fuzz driver also uses this input to decide sequence in which APIs to be invoked and enables the fuzzer to execute the APIs in that sequence to find the vulnerabilities, if any. Manually writing such complex and intelligent fuzz drivers is laborious, requires deep technical skills, hence can be cumbersome and error prone. In this paper, we propose SmartFuzzDriverGen framework to automatically generate fuzz drivers which invoke smart contract APIs using different strategies: unit-level, sequence-based (random, user-defined), and heuristics based. We evaluate the proposed framework by testing a prototype implementation of it with Golang smart contracts (targeted for Hyperledger Fabric platform) and study the effectiveness of the generated fuzz drivers in terms of code coverage as well as bug finding abilities. We observed that fuzzing of APIs in random sequences performed better than the other methods.
- Mouhamad Almakhour, Layth Sliman, Abed Ellatif Samhat, and Abdelhamid Mellouk. 2020. Verification of smart contracts: A survey. Pervasive and Mobile Computing 67 (2020), 101227.Google Scholar
Cross Ref
- Domagoj Babić, Stefan Bucur, Yaohui Chen, Franjo Ivančić, Tim King, Markus Kusano, Caroline Lemieux, László Szekeres, and Wei Wang. 2019. Fudge: fuzz driver generation at scale. In Proceedings of the 2019 27th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering. 975–985.Google ScholarDigital Library
- Bernhard Beckert, Mihai Herda, Michael Kirsten, and Jonas Schiffl. 2018. Formal specification and verification of Hyperledger Fabric chaincode. In 3rd Symposium on Distributed Ledger Technology (SDLT-2018) co-located with ICFEM. 44–48.Google Scholar
- Jialiang Chang. 2020. Software Quality Control Through Formal Method. Western Michigan University.Google Scholar
- Jaeseung Choi, Doyeon Kim, Soomin Kim, Gustavo Grieco, Alex Groce, and Sang Kil Cha. 2021. SMARTIAN: Enhancing smart contract fuzzing with static and dynamic data-flow analyses. In 2021 36th IEEE/ACM International Conference on Automated Software Engineering (ASE). IEEE, 227–239.Google ScholarDigital Library
- Ahaan Dabholkar and Vishal Saraswat. 2019. Ripping the fabric: Attacks and mitigations on hyperledger fabric. In International Conference on Applications and Techniques in Information Security. Springer, 300–311.Google ScholarCross Ref
- Mengjie Ding, Peiru Li, Shanshan Li, and He Zhang. 2021. Hfcontractfuzzer: Fuzzing hyperledger fabric smart contracts for vulnerability detection. In Evaluation and Assessment in Software Engineering. 321–328.Google Scholar
- Hyperledger Fabric. 2022. Hyperledger Fabric Samples. https://github.com/hyperledger/fabric-samples.Google Scholar
- Hyperledger Fabric. 2022. World-State. https://hyperledger-fabric.readthedocs.io/en/release-2.2/ledger/ledger.html#world-state.Google Scholar
- Josselin Feist. 2018. Contract upgrade anti-patterns. https://blog.trailofbits.com/2018/09/05/contract-upgrade-anti-patterns/.Google Scholar
- Klint Finley. 2016. A $50 Million Hack Just Showed That the DAO Was All Too Human. https://www.wired.com/2016/06/50-million-hack-just-showed-dao-human.Google Scholar
- ForAllSecure. 2022. The Roles of SAST and DAST and Fuzzing in Application Security. https://forallsecure.com/blog/sast-and-dast-in-application-security.Google Scholar
- Jens-Rene Giesen, Sebastien Andreina, Michael Rodler, Ghassan O. Karame, and Lucas Davi. 2022. Practical Mitigation of Smart Contract Bugs. In Arxiv. 1–17.Google Scholar
- Golang. 2022. Go Native Fuzzing. https://go.dev/security/fuzz/.Google Scholar
- Dan Goodin. 2021. Really stupid “smart contract” bug let hackers steal $31 million in digital coin. https://arstechnica.com/information-technology/2021/12/hackers-drain-31-million-from-cryptocurrency-service-monox-finance.Google Scholar
- Google. 2022. gofuzz. https://github.com/google/gofuzz.Google Scholar
- LLVM Compiler Infrastructure. 2022. libFuzzer. https://llvm.org/docs/LibFuzzer.html.Google Scholar
- Kyriakos Ispoglou, Daniel Austin, Vishwath Mohan, and Mathias Payer. 2020. FuzzGen: Automatic Fuzzer Generation. In 29th USENIX Security Symposium (USENIX Security 20). 2271–2287.Google Scholar
- Tobias Kaiser. 2018. Chaincode Scanner. https://hgf18.sched.com/event/G8rZ/security-vulnerabilities-in-chaincode-tobias-kaiser-chainsecurity.Google Scholar
- George Klees, Andrew Ruef, Benji Cooper, Shiyi Wei, and Michael Hicks. 2018. Evaluating fuzz testing. In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security. 2123–2138.Google ScholarDigital Library
- OpenZeppelin. 2022. Upgrading smart contracts. https://docs.openzeppelin.com/learn/upgrading-smart-contracts.Google Scholar
- Alfrick Opidi. 2022. How To Address SAST False Positives In Application Security Testing. https://www.mend.io/resources/blog/resources-blog-sast-false-positives/.Google Scholar
- Santiago Palladino. 2017. The Parity Wallet Hack Explained. https://blog.openzeppelin.com/on-the-parity-wallet-multisig-hack-405a8c12e8f7.Google Scholar
- Siddhasagar Pani, Harshita Vani Nallagonda, Saumya Prakash, R Vigneswaran, Raveendra Kumar Medicherla, and MA Rajan. 2022. Smart Contract Fuzzing for Enterprises: The Language Agnostic Way. In 2022 14th International Conference on COMmunication Systems & NETworkS (COMSNETS). IEEE, 1–6.Google Scholar
- Sergey Petrov. 2017. Another Parity Wallet hack explained. https://medium.com/@Pr0Ger/another-parity-wallet-hack-explained-847ca46a2e1c.Google Scholar
- Subhajit Roy, Awanish Pandey, Brendan Dolan-Gavitt, and Yu Hu. 2018. Bug synthesis: Challenging bug-finding tools with deep faults. In Proceedings of the 2018 26th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering. 224–234.Google ScholarDigital Library
- sivachokkapu. 2020. Revive - CC. https://github.com/sivachokkapu/revive-cc.Google Scholar
- Dmitry Vyukov. 2022. go-fuzz. https://github.com/dvyukov/go-fuzz.Google Scholar
- Wikipedia. 2022. Fisher-Yates shuffle algorithm. https://en.wikipedia.org/wiki/Fisher-Yates_shuffle.Google Scholar
- Kazuhiro Yamashita, Yoshihide Nomura, Ence Zhou, Bingfeng Pi, and Sun Jun. 2019. Potential risks of hyperledger fabric smart contracts. In 2019 IEEE International Workshop on Blockchain Oriented Software Engineering (IWBOSE). IEEE, 1–10.Google ScholarCross Ref
- Michal Zalewski. 2022. American Fuzzy Lop (AFL). https://github.com/google/AFL.Google Scholar
- Mingrui Zhang, Jianzhong Liu, Fuchen Ma, Huafeng Zhang, and Yu Jiang. 2021. IntelliGen: Automatic driver synthesis for fuzz testing. In 2021 IEEE/ACM 43rd International Conference on Software Engineering: Software Engineering in Practice (ICSE-SEIP). IEEE, 318–327.Google ScholarDigital Library
Index Terms
- SmartFuzzDriverGen: Smart Contract Fuzzing Automation for Golang
Recommendations
ContractFuzzer: fuzzing smart contracts for vulnerability detection
ASE '18: Proceedings of the 33rd ACM/IEEE International Conference on Automated Software EngineeringDecentralized cryptocurrencies feature the use of blockchain to transfer values among peers on networks without central agency. Smart contracts are programs running on top of the blockchain consensus protocol to enable people make agreements while ...
Hopper: Interpretative Fuzzing for Libraries
CCS '23: Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications SecurityDespite the fact that the state-of-the-art fuzzers can generate inputs efficiently, existing fuzz drivers still cannot adequately cover entries in libraries. Most of these fuzz drivers are crafted manually by developers, and their quality depends on the ...
echidna-parade: a tool for diverse multicore smart contract fuzzing
ISSTA 2021: Proceedings of the 30th ACM SIGSOFT International Symposium on Software Testing and AnalysisEchidna is a widely used fuzzer for Ethereum Virtual Machine (EVM) compatible blockchain smart contracts that generates transaction sequences of calls to smart contracts. While Echidna is an essentially single-threaded tool, it is possible for multiple ...
Comments