DOI: 10.1145/3377812.3382157

Seraph: enabling cross-platform security analysis for EVM and WASM smart contracts

Published: 01 October 2020

Abstract

As blockchain has become increasingly popular across various industries in recent years, many companies have started designing and developing their own smart contract platforms to enable better services on blockchain. While smart contracts are notoriously vulnerable to external attacks, such platform diversity further amplifies the security challenge. To mitigate this problem, we designed the very first cross-platform security analyzer for smart contracts, called Seraph. Specifically, Seraph enables automated security analysis for different platforms built on two mainstream virtual machine architectures, i.e., EVM and WASM. To this end, Seraph introduces a set of general connector APIs to abstract interactions between the virtual machine and the blockchain, e.g., loading and updating storage data on the blockchain. Moreover, we propose the symbolic semantic graph to model critical dependencies and to decouple security analysis from contract code. Our preliminary evaluation on four existing smart contract platforms demonstrates the potential of Seraph to find security threats both flexibly and accurately. A video of Seraph is available at https://youtu.be/wxixZkVqUsc.

    Information

    Published In

    ICSE '20: Proceedings of the ACM/IEEE 42nd International Conference on Software Engineering: Companion Proceedings
    June 2020
    357 pages
    ISBN:9781450371223
    DOI:10.1145/3377812
    Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

    Sponsors

    In-Cooperation

    • KIISE: Korean Institute of Information Scientists and Engineers
    • IEEE CS

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Publication History

    Published: 01 October 2020

    Author Tags

    1. connector API
    2. smart contracts
    3. symbolic semantic graph

    Qualifiers

    • Demonstration

    Conference

    ICSE '20

    Acceptance Rates

    Overall Acceptance Rate 276 of 1,856 submissions, 15%
