AChecker: Statically Detecting Smart Contract Access Control Vulnerabilities (ICSE 2023 - Technical Track) - ICSE 2023

Write a Blog >>

Sun 14 - Sat 20 May 2023 Melbourne, Australia

Who

Asem Ghaleb, Julia Rubin, Karthik Pattabiraman

Track

ICSE 2023 Technical Track

Time Zone

The program is currently displayed in (GMT+10:00) Hobart.

Use conference time zone: (GMT+10:00) HobartSelect other time zone

The GMT offsets shown reflect the offsets at the moment of the conference.

Time Band

By setting a time band, the program will dim events that are outside this time window. This is useful for (virtual) conferences with a continuous program (with repeated sessions).
The time band will also limit the events that are included in the personal iCalendar subscription service.

Display full programSpecify a time band

When

Wed 17 May 2023 16:00 - 16:15 at Meeting Room 103 - SE for security 1 Chair(s): Abhik Roychoudhury

Abstract

As most smart contracts have a financial nature and handle valuable assets, smart contract developers use access control to protect assets managed by smart contracts from being misused by malicious or unauthorized people. Unfortunately, programming languages used for writing smart contracts, such as Solidity, were not designed with a permission-based security model in mind. Therefore, smart contract developers implement access control checks based on their judgment and in an ad-hoc manner, which results in several vulnerabilities in smart contracts, called access control vulnerabilities. Further, the inconsistency in implementing access control makes it difficult to reason about whether a contract meets access control needs and is free of access control vulnerabilities. In this work, we propose AChecker – an approach for detecting access control vulnerabilities. Unlike prior work, AChecker does not rely on pre-defined patterns or contract transactions history. Instead, it infers access control implemented in smart contracts via static data-flow analysis. Moreover, the approach performs further symbolic-based analysis to distinguish cases when unauthorized people can obtain control of the contract as intended functionality.

We evaluated AChecker on three public datasets of real-world smart contracts, including one which consists of contracts with assigned access control CVEs, and compared its effectiveness with eight analysis tools. The evaluation results showed that AChecker outperforms these tools in terms of both precision and recall. In addition, AChecker flagged vulnerabilities in 21 frequently-used contracts on Ethereum blockchain with 90% precision.

Asem Ghaleb

University of British Columbia

Canada

Julia Rubin

University of British Columbia, Canada

Canada

Karthik Pattabiraman

University of British Columbia

Time Zone

The program is currently displayed in (GMT+10:00) Hobart.

Use conference time zone: (GMT+10:00) HobartSelect other time zone

The GMT offsets shown reflect the offsets at the moment of the conference.

Time Band

By setting a time band, the program will dim events that are outside this time window. This is useful for (virtual) conferences with a continuous program (with repeated sessions).
The time band will also limit the events that are included in the personal iCalendar subscription service.

Display full programSpecify a time band

Session Program

Wed 17 May
Displayed time zone: Hobart change

	15:45 - 17:15	SE for security 1Technical Track / SEET - Software Engineering Education and Training / Journal-First Papers / SEIS - Software Engineering in Society at Meeting Room 103 Chair(s): Abhik Roychoudhury National University of Singapore

	15:45 15m Talk		TAINTMINI: Detecting Flow of Sensitive Data in Mini-Programs with Static Taint Analysis Technical Track Chao Wang , Ronny Ko The Ohio State University, Yue Zhang The Ohio State University, Yuqing Yang The Ohio State University, Zhiqiang Lin The Ohio State University
	16:00 15m Talk		AChecker: Statically Detecting Smart Contract Access Control Vulnerabilities Technical Track Asem Ghaleb University of British Columbia, Julia Rubin University of British Columbia, Canada, Karthik Pattabiraman University of British Columbia
	16:15 15m Talk		Fine-grained Commit-level Vulnerability Type Prediction By CWE Tree Structure Technical Track Shengyi Pan Zhejiang University, Lingfeng Bao Zhejiang University, Xin Xia Huawei, David Lo Singapore Management University, Shanping Li Zhejiang University Pre-print
	16:30 15m Paper		Security Thinking in Online Freelance Software Development SEIS - Software Engineering in Society Irum Rauf The Open University, UK, Marian Petre School of Computing and Communications, The Open University, UK, Thein Tun School of Computing and Communications,The Open University, UK; Simply Business, UK, Tamara Lopez The Open University, Bashar Nuseibeh The Open University, UK; Lero, University of Limerick, Ireland
	16:45 7m Talk		Open Science in Software Engineering: A Study on Deep Learning-Based Vulnerability Detection Journal-First Papers Yu Nong Washington State University, Rainy Sharma Washington State University, Wahab Hamou-Lhadj Concordia University, Montreal, Canada, Xiapu Luo The Hong Kong Polytechnic University, Haipeng Cai Washington State University Link to publication DOI Authorizer link Pre-print
	16:52 8m Talk		Training for Security: Planning the Use of a SAT in the Development Pipeline of Web Apps SEET - Software Engineering Education and Training Sabato Nocera University of Salerno, Simone Romano University of Salerno, Rita Francese University of Salerno, Giuseppe Scanniello University of Salerno
	17:00 15m Talk		VulGen: Realistic Vulnerability Generation Via Pattern Mining and Deep Learning Technical Track Yu Nong Washington State University, Yuzhe Ou University of Texas at Dallas, Michael Pradel University of Stuttgart, Feng Chen University of Texas at Dallas, Haipeng Cai Washington State University Pre-print