Fraunhofer-Gesellschaft

Publica

Hier finden Sie wissenschaftliche Publikationen aus den Fraunhofer-Instituten.

Osiris: Hunting for integer bugs in ethereum smart contracts

 
: Torres, C.F.; Schütte, J.; State, R.

:

Association for Computing Machinery -ACM-; Applied Computer Security Associates -ACSA-:
34th Annual Computer Security Applications Conference, ACSAC 2018. Proceedings : San Juan, Puerto Rico, USA, 3-7 December 2018
New York: ACM, 2018
ISBN: 978-1-4503-6569-7
S.664-676
Annual Computer Security Applications Conference (ACSAC) <34, 2018, San Juan/Puerto Rico>
Englisch
Konferenzbeitrag
Fraunhofer AISEC ()

Abstract
The capability of executing so-called smart contracts in a decentralised manner is one of the compelling features of modern blockchains. Smart contracts are fully fledged programs which cannot be changed once deployed to the blockchain. They typically implement the business logic of distributed apps and carry billions of dollars worth of coins. In that respect, it is imperative that smart contracts are correct and have no vulnerabilities or bugs. However, research has identified different classes of vulnerabilities in smart contracts, some of which led to prominent multi-million dollar fraud cases. In this paper we focus on vulnerabilities related to integer bugs, a class of bugs that is particularly difficult to avoid due to some characteristics of the Ethereum Virtual Machine and the Solidity programming language.

In this paper we introduce Osiris -- a framework that combines symbolic execution and taint analysis, in order to accurately find integer bugs in Ethereum smart contracts. Osiris detects a greater range of bugs than existing tools, while providing a better specificity of its detection. We have evaluated its performance on a large experimental dataset containing more than 1.2 million smart contracts. We found that 42,108 contracts contain integer bugs. Besides being able to identify several vulnerabilities that have been reported in the past few months, we were also able to identify a yet unknown critical vulnerability in a couple of smart contracts that are currently deployed on the Ethereum blockchain.

: http://publica.fraunhofer.de/dokumente/N-581453.html