Run sFuzz with Customized EVM

Features should be supported by evm to integrate with sFuzz. Section 1 provides a high level of a required interface. Section 2 contains more details

1 Background

Normally, one contract in Ethereum can call external contracts. It is root cause of all vulnerabilities and thus sFuzz needs to keep track of all calls in call chain. E.g

SimpleDao.sol

pragma solidity 0.4.24;

contract SimpleDAO {
  mapping (address => uint) public credit;
    
  function donate(address to) payable public{
    credit[to] += msg.value;
  }
    
  function withdraw(uint amount) public{
    if (credit[msg.sender]>= amount) {
      if(msg.sender.call.value(amount)()) {
         credit[msg.sender]-=amount;
      }
    }
  }  

  function queryCredit(address to) view public returns(uint){
    return credit[to];
  }
}

ReentrancyAttacker.sol

pragma solidity ^0.4.2;

contract ReentrancyAttacker {
  uint counter = 0;
  function() payable {
    counter ++;
    if (counter <= 2) {
      msg.sender.call(bytes4(255));
    }
    revert();
  }

A normal user call to withdraw(), then Ethereum will be sent back to that user at line 12. A call chain should be:

withdraw() of SimpleDao --> fallback() of msg.sender

We use above contracts to explain supporting features of evm

• Deploy and execute contract directly without mining process,

  • E.g: sFuzz can directly set byte codes of SimpleDAO contract to evm and execute bothconstructor and withdraw functions.

• Monitor all calls in a call chain.

  • E.g: sFuzz has to know the results of all functions: withdraw() and fallback() in above call chain. The result should contain exception whenever it happens.

• Edit parameters in each call of call chain.

  • E.g: in line 8 of ReentrancyAttacker.sol file, parameter of call is bytes4(255). It is a trash value but sFuzz changes it to signature of any function to trigger abnormal call chain.

• Keep track of executed opcodes including program counter, stack, memory

2 Interface

These following methods should be supported by evm to make sFuzz fit to your system.

Module	Method	Property	Description
block	update	block.number block.timestamp gas limit	directly set value to global variables of solidity such as block number or timestamp
account (contract/ wallet)	create read update delete	balance address byte codes	manipulate account system to create account pool
contract storage	read update delete		each contract has its isolated storage. sFuzz must update it to prepare for next execution
function	function call parameter customization	gas caller callee wei function signature function payload function result exception type	call chain is recorded to analyze. Parameters of function can be changed to trigger abnormal call chain
execution callback	register a callback to listen to function execution	program counter stack memory instruction current address stack depth	Whenever one opcode is executed, EVM should provide enough information to sFuzz in callback function.