Watch / Birthmarking Your Smart Contracts For Vulnerability Search

Birthmarking Your Smart Contracts For Vulnerability Search

  • YouTube
  • IPFS
  • Details

Birthmarking Your Smart Contracts For Vulnerability Search

Duration: 00:06:05

Speaker: Han Liu, Qian Ren, Zhiqiang Yang

Type: Breakout

Expertise: Intermediate

Event: Devcon 5

Date: Oct 2019

In this talk, we will highlight an automatic vulnerability search technique for smart contracts. In the context of security, vulnerability search enables us to make quick response to new threats and zero-day exploits. In those cases, well-designed analysis is far from prepared to deliever precise detections. Our vulnerability search technique can act as a complement in this setting to efficiently identify potentially vulnerable contracts without heavyweight in-depth reasoning and analysis.The key insight is to "birthmarking" a smart contract by abstracting its programming intents. Generally, the generation of birthmarks is realized via symbolically executing the bytecode of a smart contract and building global dependency on the fly. More specifically, both syntax features (e.g., number and type of instructions) and semantic features (e.g., load and store at the same storage) are considered in birthmarks. Then, the task of searching for a known vulnerability is converted to computing a similarity between a target contract (with the vulnerability) and a candidate contract (may/may not have the vulnerability). We have implemented a prototype to search for known vulnerabilities and conducted large-scale evaluations on real-world security issues. Particularly, we will use CVE­-2018-­10376 to explain how the search technique can help existing security analyzers
About the speakers

HL

Han Liu

Postdoc Researcher

Dr. Han Liu is currently a postdoctoral researcher in the School of Software, Tsinghua University, Beijing, China, leading the blockchain security group. Before that, he worked as a senior researcher in Chieftin Fintech Research Lab at Shenzhen, leading the finance security group. He obtained his Ph.D. at Tsinghua University in 2017. In 2015, he worked as a visiting scholar in the University of California, Davis. The research interests of Dr. Han Liu span computer security, software engineering and programming languages. In the context of blockchain, he focuses on creating efficient and effective techniques for formal verification of smart contracts, attack-tolerant virtual machine and automatic semantic modeling of DApps. He has published many academic papers in top-tier conferences and journals (including three pieces of his recent works on blockchain security), such as ICSE, FSE, ASE, FM, TPDS, TIE etc. Dr. Han Liu has received the scholarship of Devcon4. He has been serving as PI for two national research projects and leading three industrial blockchain-based projects with Hongkong Exchange (Formal verification of the IFC DApp), Ant Financial (Automatic security auditing of smart contracts) and WeBank (Testing the BCOS blockchain).

  • Related