ICSE 2022
Sun 8 - Fri 27 May 2022
Tue 10 May 2022 04:00 - 04:05 at ICSE room 3-even hours - Apps and Security Chair(s): Alessio Ferrari
Wed 11 May 2022 20:05 - 20:10 at ICSE room 2-even hours - Software Security 5 Chair(s): Nancy Mead

Running on top of blockchain systems, smart contracts enable developers to build decentralized applications with rich functionality. Many of these contracts are finance-related, which makes code audits especially important. Many static analysis tools have been developed to automate the audit process, but not all of them take into account two special features of smart contracts: (1) the internal variables in contracts persist between executions; (2) the external variables, like time and assets, are constrained by real-world factors. Since these features bring implicit constraints on contract variables, they significantly affect the performance of static analysis tools, for example by causing errors in reachability analysis and resulting in false positives. Although a few recent works have discussed these features, little is known about their impact on widely used tools. In this paper, we conduct a systematic study of such constraints from three aspects. First, we summarize the implicit constraints that arise from the special features of smart contracts. Second, we evaluate the impact of such constraints on the state-of-the-art static tools used in smart contract audits. The tools we select include both industrial and academic ones. The experimental results show that six out of seven tools, including the latest verifiers, are obviously affected by such constraints. Third, we propose a simple but effective method named ConSym to recognize such constraints. It can be easily integrated into existing symbolic-execution-based solutions to improve their performance. We integrate ConSym into OSIRIS and evaluate it with real-world contracts. The results show that ConSym can filter out 96% of the false positives reported by OSIRIS and achieve 3 times fewer false negatives than OSIRIS.

Tue 10 May

Displayed time zone: Eastern Time (US & Canada)

04:00 - 05:00
04:00
5m
Talk
An Empirical Study on Implicit Constraints in Smart Contract Static Analysis
SEIP - Software Engineering in Practice
Tingting Yin Tsinghua University, China, Chao Zhang Tsinghua University, Yuandong Ni Institute for Network Science and Cyberspace of Tsinghua University, Yixiong Wu Institute for Network Science and Cyberspace of Tsinghua University, Taiyu Wong Department of Computer Science and Technology, Tsinghua University, Xiapu Luo Hong Kong Polytechnic University, Zheming Li Tsinghua University, Yu Guo SECBIT labs
Pre-print Media Attached
04:05
5m
Talk
Automated Detection of Password Leakage from Public GitHub Repositories (Nominated for Distinguished Paper)
Technical Track
Runhan Feng Shanghai Jiao Tong University, Ziyang Yan Shanghai Jiao Tong University, Shiyan Peng Shanghai Jiao Tong University, Yuanyuan Zhang Shanghai Jiao Tong University
Pre-print Media Attached
04:10
5m
Talk
Log-based Anomaly Detection with Deep Learning: How Far Are We
Technical Track
Van-Hoang Le The University of Newcastle, Hongyu Zhang University of Newcastle
DOI Pre-print
04:15
5m
Talk
RoPGen: Towards Robust Code Authorship Attribution via Automatic Coding Style Transformation
Technical Track
Zhen Li University of Texas at San Antonio, Guenevere (Qian) Chen University of Texas at San Antonio, Chen Chen University of Central Florida, Yayi Zou Northeastern University, Shouhuai Xu University of Colorado Colorado Springs
Pre-print Media Attached
04:20
5m
Talk
Where is Your App Frustrating Users?
Technical Track
Yawen Wang Institute of Software, Chinese Academy of Sciences, Junjie Wang Institute of Software at Chinese Academy of Sciences, Hongyu Zhang University of Newcastle, Xuran Ming Institute of Software, Chinese Academy of Sciences, Lin Shi ISCAS, Qing Wang Institute of Software at Chinese Academy of Sciences
DOI Pre-print Media Attached
04:25
5m
Talk
Towards Automatically Repairing Compatibility Issues in Published Android Apps
Technical Track
Yanjie Zhao Monash University, Li Li Monash University, Kui Liu Nanjing University of Aeronautics and Astronautics, China, John Grundy Monash University
Pre-print Media Attached

Wed 11 May

Displayed time zone: Eastern Time (US & Canada)

20:00 - 21:00
20:00
5m
Talk
Deep Learning based Vulnerability Detection: Are We There Yet?
Journal-First Papers
Saikat Chakraborty Columbia University, Rahul Krishna IBM Research, Yangruibo Ding Columbia University, Baishakhi Ray Columbia University
Link to publication DOI Media Attached
20:05
5m
Talk
An Empirical Study on Implicit Constraints in Smart Contract Static Analysis
SEIP - Software Engineering in Practice
Tingting Yin Tsinghua University, China, Chao Zhang Tsinghua University, Yuandong Ni Institute for Network Science and Cyberspace of Tsinghua University, Yixiong Wu Institute for Network Science and Cyberspace of Tsinghua University, Taiyu Wong Department of Computer Science and Technology, Tsinghua University, Xiapu Luo Hong Kong Polytechnic University, Zheming Li Tsinghua University, Yu Guo SECBIT labs
Pre-print Media Attached
20:10
5m
Talk
RoPGen: Towards Robust Code Authorship Attribution via Automatic Coding Style Transformation
Technical Track
Zhen Li University of Texas at San Antonio, Guenevere (Qian) Chen University of Texas at San Antonio, Chen Chen University of Central Florida, Yayi Zou Northeastern University, Shouhuai Xu University of Colorado Colorado Springs
Pre-print Media Attached
20:15
5m
Talk
ReMoS: Reducing Defect Inheritance in Transfer Learning via Relevant Model Slicing
Technical Track
Ziqi Zhang Peking University, Yuanchun Li Microsoft Research, Jindong Wang Microsoft Research, Bingyan Liu Peking University, Ding Li Peking University, Xiangqun Chen Peking University, Yao Guo Peking University, Yunxin Liu Tsinghua University
Pre-print Media Attached
20:20
5m
Talk
Modx: Binary Level Partial Imported Third-Party Library Detection through Program Modularization and Semantic Matching
Technical Track
Can Yang Institute of Information Engineering, University of Chinese Academy of Sciences, Zhengzi Xu Nanyang Technological University, Hongxu Chen Huawei Technologies Co., Ltd., Yang Liu Nanyang Technological University, Xiaorui Gong Institute of Information Engineering, Chinese Academy of Science, Baoxu Liu Institute of Information Engineering, Chinese Academy of Sciences
Pre-print Media Attached
20:25
5m
Talk
Large-scale Security Measurements on the Android Firmware Ecosystem
Technical Track
Qinsheng Hou Shandong University; Qi An Xin Group Corp., Wenrui Diao Shandong University, Yanhao Wang Qi An Xin Group Corp., Xiaofeng Liu Shandong University, Song Liu Qi An Xin Group Corp., Lingyun Ying Qi An Xin Group Corp., Shanqing Guo Shandong University, Yuanzhi Li Qi An Xin Group Corp., Meining Nie Qi An Xin Group Corp., Haixin Duan Institute for Network Science and Cyberspace, Tsinghua University; Qi An Xin Group Corp.
Pre-print Media Attached

Information for Participants
Tue 10 May 2022 04:00 - 05:00 at ICSE room 3-even hours - Apps and Security Chair(s): Alessio Ferrari

Wed 11 May 2022 20:00 - 21:00 at ICSE room 2-even hours - Software Security 5 Chair(s): Nancy Mead