EVM: From Offline Detection to Online Reinforcement for Ethereum Virtual Machine

Ma, Fuchen; Fu, Ying; Ren, Meng; Wang, Mingzhe; Jiang, Yu; Zhang, Kaixiang; Li, Huizhong; Shi, Xiang

doi:10.1109/saner.2019.8668038

Cited by 34 publications

(23 citation statements)

References 6 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Fourth, P1 and Sereum have different sets of false positives because they apply different techniques [30]. EVM * inserts protection code into EVM to prevent integer overflow bugs and timestamp bugs from being exploited [35]. However, the extension of EVM * to support other attacks is not easy because EVM should be modified by inserting new protection code, which is technically challenging.…”

Section: A Online Approachesmentioning

confidence: 99%

“…However, the extension of EVM * to support other attacks is not easy because EVM should be modified by inserting new protection code, which is technically challenging. Besides, EVM * lacks comprehensive evaluations about its effectiveness and efficiency; instead, EVM * is tested by just 10 selected smart contracts [35].…”

Section: A Online Approachesmentioning

confidence: 99%

“…The second category inserts protection code into the runtime of smart contracts (e.g., EVM) [30], [34]- [37]. However, these approaches cannot be easily extended to detect new attacks [30], [35], or lack detailed design, implementations and evaluations [34], [36], or are resource-consuming and could miss many attacks [37]. We detail existing approaches in §VIII.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

SODA: A Generic Online Detection Framework for Smart Contracts

Chen

Cao

et al. 2020

Proceedings 2020 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Smart contracts have become lucrative and profitable targets for attackers because they can hold a great amount of money. Unfortunately, existing offline approaches for discovering the vulnerabilities in smart contracts or checking the correctness of smart contracts cannot conduct online detection of attacking transactions. Besides, existing online approaches only focus on specific attacks and cannot be easily extended to detect other attacks. Moreover, developing a new online detection system for smart contracts from scratch is time-consuming and requires deep understanding of blockchain internals, thus making it difficult to quickly implement and deploy mechanisms to detect new attacks. In this paper, we propose a novel generic online detection framework named SODA for smart contracts on any blockchains that support Ethereum virtual machine (EVM). SODA distinguishes itself from existing online approaches through its capability, efficiency, and compatibility. First, SODA empowers users to easily develop apps for detecting various attacks online (i.e., when attacks happen) by separating information collection and attack detection with layered design. At the higher layer, SODA provides unified interfaces to develop detection apps against various attacks. At the lower layer, SODA instruments EVM to collect all primitive information necessary to detect various attacks and constructs 11 kinds of structural information for the ease of developing apps. Based on SODA, users can develop new apps in a few lines of code without modifying EVM. Second, SODA is efficient, because we design on-demand information retrieval to reduce the overhead of information collection and adopt dynamic linking to eliminate the overhead of inter-process communication. Such design allows users to develop detection apps using any programming languages that can generate dynamic link libraries. Third, since more and more blockchains adopt EVM as smart contract runtime, SODA can be easily migrated to such blockchains without modifying apps. Based on SODA, we develop 8 detection apps to detect the attacks exploiting major vulnerabilities in smart contracts, and integrate SODA (including all apps) into 3 popular blockchains: Ethereum, Expanse and Wanchain. The extensive experimental results demonstrate the effectiveness and efficiency of SODA and our detection apps.

show abstract

Section: A Online Approachesmentioning

confidence: 99%

Section: A Online Approachesmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

SODA: A Generic Online Detection Framework for Smart Contracts

Chen

Cao

et al. 2020

Proceedings 2020 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

show abstract

“…It primarily simulates the operations of compiled bytecodes to help users optimize smart contract and understand how EVM and smart contract work, which covers 88.2% of the codes. Fuchen Ma, Ying Fu et al [22] presents a method for the problem of contract code vulnerability detection by strengthening EVM. EVM will automatically stop unsafe transactions to prevent economical losses, but the types of covered errors are limited.…”

Section: Related Workmentioning

confidence: 99%

Function-Level Dynamic Monitoring and Analysis System for Smart Contract

et al. 2020

View full text Add to dashboard Cite

The close integration of blockchain and smart contract technology has become an important foundation for current trusted applications. High-quality, high-efficiency and high-security codes have become basic requirements for smart contract applications because they are not easy to be modified after being deployed on blockchain. This paper proposes a function-level dynamic monitoring and analysis method for smart contract, and implements a prototype system. The method adds a "shadow stack" and related data structures to virtual machine of testing blockchain platform by analyzing the principle of function management with original stack, then monitors the bytecode after code instrumentation, records the function calling relationships as well as the relevant metrics of time, instruction number and gas consumption. The prototype system identifies contract inefficient behaviors using visualization and intelligent analysis methods, then forms a smart contract optimization closed loop through iterative improvement. Finally, the paper verified the high feasibility and applicability of the monitoring and analyzing method as well as prototype system's performance through experiments.

show abstract

“…Despite all the security enhancements and security tools [7], [8], blockchain still faces challenges to cope with various pernicious attacks [9]. A range of attacks are constantly initiated to obstruct the natural flow or even fully destroy the network [10].…”

Section: Introductionmentioning

confidence: 99%

Smart Contract: Attacks and Protections

2020

View full text Add to dashboard Cite

Smart contracts are programs that reside within decentralized blockchains and are executed pursuant to triggered instructions. A smart contract acts in a similar way to a traditional agreement but negates the necessity for the involvement of a third party. Smart contracts are capable of initiating their commands automatically, thus eliminating the involvement of a regulatory body. As a consequence of blockchain's immutable feature, smart contracts are developed in a manner that is distinct from traditional software. Once deployed to the blockchain, a smart contract cannot be modified or updated for security patches, thus encouraging developers to implement strong security strategies before deployment in order to avoid potential exploitation at a later time. However, the most recent dreadful attacks and the multifarious existing vulnerabilities which result as a consequence of the absence of security patches have challenged the sustainability of this technology. Attacks such as the Decentralized Autonomous Organization (DAO) attack and the Parity Wallet hack have cost millions of dollars simply as a consequence of naïve bugs in the smart contract code. In this paper, we classify blockchain exploitation techniques into 4 categories based on the attack rationale; attacking consensus protocols, bugs in the smart contract, malware running in the operating system, and fraudulent users. We then focus on smart contract vulnerabilities, analyzing the 7 most important attack techniques to determine the real impact on smart contract technology. We reveal that even adopting the 10 most widely used tools to detect smart contract vulnerabilities, these still contain known vulnerabilities, providing a dangerously false sense of security. We conclude the paper with a discussion about recommendations and future research lines to progress towards a secure smart contract solution.

show abstract

EVM: From Offline Detection to Online Reinforcement for Ethereum Virtual Machine

Cited by 34 publications

References 6 publications

SODA: A Generic Online Detection Framework for Smart Contracts

SODA: A Generic Online Detection Framework for Smart Contracts

Function-Level Dynamic Monitoring and Analysis System for Smart Contract

Smart Contract: Attacks and Protections

Contact Info

Product

Resources

About