search

Run sFuzz with Customized EVM

Features should be supported by evm to integrate with sFuzz. Section 1 provides a high level of a required interface. Section 2 contains more details

hashtag
1 Background

Normally, one contract in Ethereum can call external contracts. It is root cause of all vulnerabilities and thus sFuzz needs to keep track of all calls in call chain. E.g

pragma solidity 0.4.24;

contract SimpleDAO {
  mapping (address => uint) public credit;
    
  function donate(address to) payable public{
    credit[to] += msg.value;
  }
    
  function withdraw(uint amount) public{
    if (credit[msg.sender]>= amount) {
      if(msg.sender.call.value(amount)()) {
         credit[msg.sender]-=amount;
      }
    }
  }  

  function queryCredit(address to) view public returns(uint){
    return credit[to];
  }
}

A normal user call to withdraw(), then Ethereum will be sent back to that user at line 12. A call chain should be:

withdraw() of SimpleDao --> fallback() of msg.sender

We use above contracts to explain supporting features of evm

  • Deploy and execute contract directly without mining process,

    • E.g: sFuzz can directly set byte codes of SimpleDAO contract to evm and execute bothconstructor and withdraw functions.

  • Monitor all calls in a call chain.

    • E.g: sFuzz has to know the results of all functions: withdraw() and fallback() in above call chain. The result should contain exception whenever it happens.

  • Edit parameters in each call of call chain.

    • E.g: in line 8 of ReentrancyAttacker.sol file, parameter of call is bytes4(255). It is a trash value but sFuzz changes it to signature of any function to trigger abnormal call chain.

  • Keep track of executed opcodes including program counter, stack, memory

hashtag
2 Interface

These following methods should be supported by evm to make sFuzz fit to your system.

Module

Method

Property

Description

block

  • update

  • block.number

  • block.timestamp

  • gas limit

directly set value to global variables of solidity such as block number or timestamp

account (contract/ wallet)

  • create

  • read

  • update

  • delete

  • balance

  • address

  • byte codes

manipulate account system to create account pool

contract storage

  • read

  • update

  • delete

each contract has its isolated storage. sFuzz must update it to prepare for next execution

function

  • function call

  • parameter customization

  • gas

  • caller

  • callee

  • wei

  • function signature

  • function payload

  • function result

  • exception type

call chain is recorded to analyze. Parameters of function can be changed to trigger abnormal call chain

execution callback

  • register a callback to listen to function execution

  • program counter

  • stack

  • memory

  • instruction

  • current address

  • stack depth

Whenever one opcode is executed, EVM should provide enough information to sFuzz in callback function.

PrevioussFuzz OuputsNextVulnerabilities Fixed Thanks to sFuzz

Last updated