An Effective Blockchain Aware Fuzzing Framework to Test Smart Contracts
Chinese title (translated): An Efficient Blockchain-Oriented Fuzz Testing Framework for Smart Contracts
Student thesis: Doctoral Thesis

Detail(s)

Field | Value
---|---
Author(s) |
Related Research Unit(s) |
Awarding Institution |
Supervisors/Advisors |
Award date | 28 Nov 2023

Link(s)

Field | Value
---|---
Permanent Link | https://scholars.cityu.edu.hk/en/theses/theses(ab9476cc-bd24-4111-b8cf-d671db6b7064).html
Abstract
Ethereum smart contracts are programs deployed and executed on the Ethereum blockchain platform. They are prone to security vulnerabilities, and fuzz testing has been employed successfully in recent years to detect them. However, many existing fuzz testing frameworks are unaware of the working mechanism of the underlying Ethereum platform and face two key challenges: (i) they are unaware of the key design factors of the blockchain environment that affect the effectiveness of the smart contract fuzzers built on them, and (ii) they are unable to connect test cases by exploiting blockchain-relevant features, such as observed storage access patterns, to achieve higher code coverage and a faster rate of security vulnerability detection.
This thesis presents a series of novel fuzzing techniques to address these challenges.
The first contribution is a systematic empirical study, conducted in two parts, of three important blockchain-aware design factors that affect the effectiveness of a smart contract test framework. In part one, a controlled experiment on blackbox fuzzing studies three previously under-studied and closely related design factors, namely sender addressing, execution order, and resource allocation, in fuzzing a set of smart contracts. These are studied on four, two, and two levels, respectively, resulting in 16 configurations, each representing a unique blackbox fuzzing technique. Among them, only three were previously studied. Our results show that each of the three is a significant factor in the cost-effectiveness of a blackbox fuzzer, and that the top four fuzzing techniques are all proposals of this thesis. The most effective technique detects 33% more security vulnerabilities than the technique modeled after ContractFuzzer and sFuzz. In part two, a case study explores whether the result of part one carries over to greybox fuzzing. Upon applying the most effective configuration to American Fuzzy Lop (AFL), 19.7% more security vulnerabilities are detected.
The second contribution is StAGFuzzer, a novel greybox fuzzing technique that tests smart contracts with increased code coverage in order to trigger security vulnerabilities. StAGFuzzer incorporates a novel phase-alternating mechanism that switches between a coverage-guided phase and a probabilistic follow-up phase. In the coverage-guided phase, a test case from the seed queue is mutated to generate a new test case, aiming to quickly discover new code blocks. In the follow-up phase, test cases selected by their state access signatures are extracted from the seed queue and then probabilistically chosen for mutation to generate a follow-up test case that boosts both the achieved code coverage and the effectiveness in triggering security vulnerabilities. These signatures are encoded over a pair consisting of a coverage-guided test case and its follow-up test case via our novel suite of state access patterns. The experiment shows that StAGFuzzer discovers more unique branches than AFL in 75% of smart contracts and achieves a 32% higher fault detection rate once test case mutation has started. StAGFuzzer also discovers 15,137 more branches using only 4.7% of the test cases used by sFuzz and improves the fault detection rate by as much as 25.4% on larger smart contracts.
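As an added illustration, not code from the thesis or from StAGFuzzer, the toy Python below shows why chaining test cases by their storage read/write sets matters: a branch guarded by storage written in an earlier transaction is unreachable by single-transaction fuzzing from a fresh state, but a follow-up phase that pairs a writer of slot `owner` with a reader of the same slot reaches it. The two-function contract, the read/write sets used as a stand-in for a state access signature, and the "reuse the writer's argument" mutation are all constructed assumptions for this example.

```python
import random

# Constructed toy contract: set_owner() writes storage slot "owner";
# withdraw() reads it and has a branch reachable only after that write.
def run_tx(storage, tx):
    """Run one transaction; return (branches hit, slots read, slots written)."""
    fn, arg = tx
    branches, reads, writes = set(), set(), set()
    if fn == "set_owner":
        branches.add("set_owner:entry")
        storage["owner"] = arg
        writes.add("owner")
    elif fn == "withdraw":
        branches.add("withdraw:entry")
        reads.add("owner")
        if storage.get("owner") == arg:  # guarded by an earlier write
            branches.add("withdraw:owner_path")
    return branches, reads, writes

def fuzz(rounds, follow_up=True, seed=1):
    """Alternate a coverage-guided phase with an optional follow-up phase.

    Coverage-guided phase: one random transaction from a fresh state, kept as
    a seed only if it hits a new branch; its read/write sets are recorded as a
    toy stand-in for a state access signature.
    Follow-up phase: pick a seed writing slot s and a seed reading s, run them
    back to back, and reuse the writer's argument in the reader (constructed
    mutation heuristic, not the thesis's).
    """
    rng = random.Random(seed)
    covered, seeds = set(), []
    for _ in range(rounds):
        tx = (rng.choice(["set_owner", "withdraw"]), rng.randrange(4))
        branches, reads, writes = run_tx({}, tx)
        if branches - covered:
            covered |= branches
            seeds.append({"tx": tx, "reads": reads, "writes": writes})
        if not follow_up:
            continue
        pairs = [(w, r) for w in seeds for r in seeds if w["writes"] & r["reads"]]
        if pairs:
            writer, reader = rng.choice(pairs)
            storage = {}
            run_tx(storage, writer["tx"])                 # writer first
            follow_tx = (reader["tx"][0], writer["tx"][1])  # then mutated reader
            covered |= run_tx(storage, follow_tx)[0]
    return covered

if __name__ == "__main__":
    print("single-tx only:", sorted(fuzz(50, follow_up=False)))
    print("with follow-up:", sorted(fuzz(50)))
```

Single-transaction fuzzing plateaus at the two entry branches no matter how many rounds it runs; the follow-up phase reaches `withdraw:owner_path` as soon as both a writer and a reader of the slot are in the seed pool.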
The third contribution is GasFuzzer. This technique explores the effects of another design factor, manipulating the gas allowance, to expose gas-oriented exceptions in smart contracts in two phases. The first phase introduces a gas-greedy strategy that prioritizes transactions with higher gas consumption for mutation, so as to obtain test cases with a range of gas consumptions. The second phase introduces a novel notion of fractional gas consumption coverage together with a novel gas-leveling strategy. In the experiment, GasFuzzer detects 7 more security vulnerabilities than ContractFuzzer in the first phase, and an additional 6 exception-disorder security vulnerabilities in the second phase. This thesis demonstrates that this design factor is important for improving the rate of security vulnerability detection.
In summary, this thesis presents a novel suite of fuzzing techniques based on important blockchain-aware design factors and state access patterns to effectively explore the code regions of smart contracts, which improves the cost-effectiveness and detection rate in exposing security vulnerabilities.