devcon 5 / birthmarking your smart contracts for vulnerability search
- YouTube
- IPFS
- Details
Birthmarking Your Smart Contracts For Vulnerability Search
Duration: 00:06:05
Speaker: Han Liu, Qian Ren, Zhiqiang Yang
Type: Breakout
Expertise: Intermediate
Event: Devcon
Date: Invalid Date
In this talk, we will highlight an automatic vulnerability search technique for smart contracts. In the context of security, vulnerability search enables us to make quick response to new threats and zero-day exploits. In those cases, well-designed analysis is far from prepared to deliever precise detections. Our vulnerability search technique can act as a complement in this setting to efficiently identify potentially vulnerable contracts without heavyweight in-depth reasoning and analysis.The key insight is to "birthmarking" a smart contract by abstracting its programming intents. Generally, the generation of birthmarks is realized via symbolically executing the bytecode of a smart contract and building global dependency on the fly. More specifically, both syntax features (e.g., number and type of instructions) and semantic features (e.g., load and store at the same storage) are considered in birthmarks. Then, the task of searching for a known vulnerability is converted to computing a similarity between a target contract (with the vulnerability) and a candidate contract (may/may not have the vulnerability). We have implemented a prototype to search for known vulnerabilities and conducted large-scale evaluations on real-world security issues. Particularly, we will use CVE-2018-10376 to explain how the search technique can help existing security analyzers
Categories
- Related
Devcon
Talk
06:55
S-gram: Statistical Linter For Incomplete Solidity Smart Contracts
This presentation will introduce a statistical linting technique called S-gram for Solidity smart contracts. Generally, S-gram aims at finding bugs, stylistic errors, bad programming practice patterns in Solidity contracts. Unlike traditional approaches relying on program analysis which requires full/compilable contracts, S-gram offers automatic checking capability even for incomplete Solidity contracts, thus can help create better development experience where developers can almost code and check simultaneously. The key insight behind S-gram is that "unusual code is more likely to be buggy". The likelihood is measured via probability computation in statistical language models, e.g. N-gram. Specifically, S-gram builds an N-gram model out of a corpus of “good” contracts (“good” means meeting stylistic specifications and having no bugs). Given an incomplete contract c, S-gram first parses it into a token sequence based on abstract syntax tree types e.g., AssignExpr, CallExpr etc. Then, S-gram calculates probabilities with respect to the N-gram model for all the subsequences of c and further flags less-probable code as suspicious. This presentation will also introduce preliminary evaluation on S-gram in terms of capturing real-world smart contract errors. In the end, this presentation will highlight the future tooling support to integrate S-gram with a Solidity IDE.
Devcon
Workshop
1:24:46
Farcaster frames: building embeddable Ethereum apps
Frames are an open standard for creating embeddable, interactive apps in social media feeds and on the web. They help solve one of the hardest problems for Ethereum dapp developers: distribution. Although frames originated on Farcaster, it's now possible to build cross-platform frames that work on Farcaster, Lens, XMTP, and the open web. In this hands on workshop we'll introduce the core concepts behind frames and build a simple frame app that interacts with a smart contract.
Devcon
Talk
17:35
Keynote: Nomic Foundation’s vision for Ethereum’s tooling ecosystem
Nomic Foundation is the nonprofit behind Hardhat. Nomic’s co-founder and CTO will walk you through Nomic’s long-term vision for a community-driven developer tooling ecosystem for Ethereum.
Devcon
Talk
15:24
Augur
Dr. Jack Peterson presents on Augur (http://www.augur.net/), an open-source, decentralized prediction market built on Ethereum.
Devcon
Talk
17:20
Digital Identity
Christian Lundkvist of ConsenSys (https://consensys.net/) presents on digital identity.
Devcon
Talk
22:32
Introduction to Snarks
Blockchains are a hostile world were all information is public and computations are expensive. A technology called zkSNARKs is coming to the rescue: It allows both a tremendous speedup in verifying the correctness of a computation while at the same time it hides the private details from prying eyes. This talk tries to give an idea about how and why it works.
Devcon
Talk
22:19
Missing Links in the Ethereum Stack
Observations about what developer tools missing from the Ethereum stack, yet currently available to traditional web developers.
Devcon
Talk
26:48
Scalable Responsive Đapps with Swarm and ENS
Daniel Nagy gives their talk titled, "Scalable Responsive Đapps with Swarm and ENS"
Devcon
Talk
13:52
Sikorka – Proof of Presence for Blockchain Applications
Sikorka – Proof of Presence for Blockchain Applications
Devcon
Talk
12:36
Blockchain Model Canvas
Blockchain Model Canvas