
ItyFuzz paper reading

AI Summary

AI Summary is generated by Scispace & ChatGPT.

Summary and Organized Content

Introduction and Background

  • Smart contracts are hard to fuzz because they are stateful: every transaction runs against, and mutates, persistent blockchain state.
  • Existing fuzzers only work against locally deployed contracts, while auditing deployed contracts requires exploring the live on-chain state.
  • ItyFuzz is proposed as a solution: a snapshot-based fuzzer designed specifically for testing smart contracts on-chain.

Key Features and Methodology

  • Snapshot-Based Fuzzing: ItyFuzz adopts a snapshot-based approach, allowing for the storage of intermediate states. This reduces re-execution overhead and facilitates efficient state exploration.
  • Waypoint Mechanisms: It employs dataflow and comparison waypoints to categorize and store states effectively, thus enabling the identification of potential vulnerabilities more efficiently.

Performance and Results

  • ItyFuzz outperforms existing fuzzers in instruction coverage, which lets it find and generate realistic exploits for on-chain projects quickly.
  • The fuzzer’s ability to synthesize reentrancy exploits quickly stands out, highlighting its efficiency and effectiveness.

Contributions and Practical Implications

  • The development of ItyFuzz introduces a novel snapshot-based fuzzing algorithm tailored for stateful smart contract testing.
  • Practical implications include the reduction of re-execution overhead, faster synthesis of reentrancy exploits, and the facilitation of on-chain auditing to preemptively identify and prevent exploits in real-world smart contract applications.

Literature Context

  • Fuzz testing, a proven technique for identifying vulnerabilities in software, has evolved with coverage-guided fuzzers uncovering bugs in various real-world systems.
  • Despite the challenges posed by smart contracts’ stateful nature, there’s a growing need for advanced fuzzing techniques that can effectively test these contracts.

Conclusion

By consolidating the information, we see that ItyFuzz addresses a critical need in the domain of smart contract security. Its snapshot-based approach, complemented by innovative waypoint mechanisms, positions it as a robust tool for on-chain auditing and vulnerability detection.

Human Notes

Feature

Speed

  • the state of the blockchain is constantly changing
  • attacker exploits can happen at any time

How to speed up?

  • refactored an existing EVM implementation so that snapshots are cheap to take and restore
  • feedback (i.e. waypoints) to classify states
  • corpus pruning to bound the number of stored states

Contributions

  • snapshot-based fuzzing algorithm to reduce re-execution overhead
  • Dataflow waypoint: evaluates (classifies) states by their writes to memory locations that will be loaded in the "future" (?)
  • Comparison waypoint: compresses the state corpus through probabilistic sampling and hard comparison feedback (?)

2 Background

  • 2.1 Fuzzing a smart contract requires producing a sequence of inputs (transactions), because each transaction runs against the state left behind by the previous ones.
  • 2.2 Waypoints: intermediate inputs that provide interesting feedback and are therefore saved to the corpus.

4 Methodology

4.1 Architecture
  • execution waypoints save the pair (s0, t0), i.e. the starting state and the transaction, to corpus 1 (the execution corpus)
  • state waypoints save the resulting state s' to corpus 2 (the infant state corpus)
4.3 Dataflow Waypoint
  • Interesting memory location: one that appears as the argument of a load instruction in the future.
  • Interesting state: the state change contains a unique write to an interesting memory location.
  • Past load locations are used to approximate the future interesting load locations.
  • Track the memory locations loaded in the past together with the abstraction of the values being loaded; if the abstraction of the value written differs from every abstraction previously seen at that address, the store and the resulting state are both judged interesting.

    L: abstract memory location map

    S: abstract store map
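The following is an added example, my own Rust sketch and not ItyFuzz's code, of the dataflow waypoint logic described above: a set of past load locations (L) approximates future loads, and a per-location set of stored value abstractions (S) decides whether a store is new. The trace format, the magnitude-bucket abstraction, and all names are assumptions made for illustration; ItyFuzz collects the real events from its EVM hooks.

```rust
use std::collections::{HashMap, HashSet};

/// Coarse abstraction of a storage word. ItyFuzz's real abstraction function is not
/// reproduced here; bucketing by magnitude is an assumption made for illustration.
#[derive(Clone, Copy, PartialEq, Eq, Hash, Debug)]
enum Abs { Zero, Small, Large }

fn abstract_value(v: u64) -> Abs {
    match v { 0 => Abs::Zero, 1..=1024 => Abs::Small, _ => Abs::Large }
}

/// Storage-level events recorded while executing one transaction (hypothetical trace
/// format; ItyFuzz obtains the real events from hooks in the EVM interpreter).
#[derive(Clone, Copy, Debug)]
enum Op { SLoad { slot: u64 }, SStore { slot: u64, value: u64 } }

/// Dataflow waypoint bookkeeping shared across the whole fuzzing campaign.
#[derive(Default)]
struct DataflowWaypoint {
    /// L: slots that have appeared as an SLOAD argument in the past (used to
    /// approximate the slots that will be loaded in the future).
    loaded: HashSet<u64>,
    /// S: for every slot, the abstractions of values already stored there.
    stored: HashMap<u64, HashSet<Abs>>,
}

impl DataflowWaypoint {
    /// Replay one transaction's trace. Returns true if the resulting state is
    /// interesting, i.e. it wrote a value with a previously unseen abstraction to a
    /// slot that was loaded in the past.
    fn is_interesting(&mut self, trace: &[Op]) -> bool {
        let mut interesting = false;
        for op in trace {
            match *op {
                Op::SLoad { slot } => { self.loaded.insert(slot); }
                Op::SStore { slot, value } => {
                    // Under the past-loads approximation a write to a never-loaded
                    // slot cannot influence future control flow, so it is ignored.
                    if !self.loaded.contains(&slot) { continue; }
                    let a = abstract_value(value);
                    // HashSet::insert returns true only for a new abstraction.
                    if self.stored.entry(slot).or_default().insert(a) { interesting = true; }
                }
            }
        }
        interesting
    }
}

/// Constructed traces: a counter in slot 1 that the contract reads back, and a slot 2
/// that is only ever written. Returns the interestingness verdict for each trace.
fn demo() -> Vec<bool> {
    let mut wp = DataflowWaypoint::default();
    let traces: Vec<Vec<Op>> = vec![
        vec![Op::SLoad { slot: 1 }, Op::SStore { slot: 1, value: 5 }],       // Small @1 is new
        vec![Op::SLoad { slot: 1 }, Op::SStore { slot: 1, value: 7 }],       // Small @1 again
        vec![Op::SLoad { slot: 1 }, Op::SStore { slot: 1, value: 1 << 40 }], // Large @1 is new
        vec![Op::SStore { slot: 2, value: 9 }],                              // slot 2 never loaded
    ];
    traces.iter().map(|t| wp.is_interesting(t)).collect()
}

fn main() {
    println!("{:?}", demo()); // [true, false, true, false]
}
```

Note that the second trace is rejected even though it changes the concrete value in slot 1: the waypoint keys on the abstraction, which is what keeps the infant state corpus from filling up with near-duplicate states.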

4.4 Comparison Waypoint
  • find states whose comparison operands (e.g. in LT/GT/EQ instructions) are closer to the comparison target
  • s.votes + 1 whenever an execution from s lowers an entry of the comparison map (the per-comparison minimum distance seen so far)
  • the number of votes encodes the interestingness of a state

To solve the problem of having too many states to select from, most of which are likely similar:

  • prioritize the exploration of states with more votes
  • the algorithm switches between random sampling and probabilistic sampling in each epoch (this could avoid being greedy; although I did not understand this, is it to prevent converging to a local optimum?)

To solve the problem of the infant state corpus blowing up:

  • prune the corpus when its size reaches a threshold
  • sort the states by votes/visits
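The following is an added example, my own Rust sketch and not ItyFuzz's code, that puts the comparison waypoint, the vote-based scheduler, and corpus pruning described above together. The trace format, the `(votes+1)/(visits+1)` score, the even/odd epoch alternation between uniform and proportional sampling, and the use of a tiny LCG instead of a real RNG are all assumptions made for illustration; ItyFuzz's exact scoring and sampling details are not reproduced.

```rust
use std::collections::HashMap;

/// One comparison executed at a program point (`site`), e.g. an EVM LT/GT/EQ, with its two
/// operands. Hypothetical trace format; ItyFuzz obtains it from EVM interpreter hooks.
#[derive(Clone, Copy)]
struct Cmp { site: u32, lhs: u64, rhs: u64 }

/// A snapshot in the infant state corpus together with its scheduling statistics.
#[derive(Clone, Debug, PartialEq)]
struct State { id: usize, votes: u64, visits: u64 }

/// Comparison map: per site, the smallest operand distance |lhs - rhs| observed so far.
#[derive(Default)]
struct ComparisonWaypoint { best: HashMap<u32, u64> }

impl ComparisonWaypoint {
    /// Feed the comparisons observed while executing from `state`. Every site whose recorded
    /// minimum shrinks earns the state one vote; the number of votes gained is returned.
    fn feedback(&mut self, state: &mut State, trace: &[Cmp]) -> u64 {
        let mut gained = 0;
        for c in trace {
            let d = c.lhs.abs_diff(c.rhs);
            let entry = self.best.entry(c.site).or_insert(u64::MAX);
            if d < *entry { *entry = d; gained += 1; }
        }
        state.votes += gained;
        gained
    }
}

/// Deterministic LCG (Knuth's MMIX constants) so the example runs offline without `rand`.
struct Lcg(u64);
impl Lcg {
    fn next(&mut self) -> u64 {
        self.0 = self.0.wrapping_mul(6364136223846793005).wrapping_add(1442695040888963407);
        self.0 >> 33
    }
}

/// Interestingness used for scheduling and pruning: votes per visit. The +1 terms are an
/// assumption of this example; they avoid division by zero and keep unvisited states selectable.
fn score(s: &State) -> f64 { (s.votes as f64 + 1.0) / (s.visits as f64 + 1.0) }

/// Choose the index of the next state to fuzz and record the visit. Even epochs sample
/// uniformly, odd epochs sample proportionally to `score`, so high-vote states are preferred
/// without the scheduler becoming greedy.
fn select(corpus: &mut [State], epoch: u64, rng: &mut Lcg) -> usize {
    let idx = if epoch % 2 == 0 {
        (rng.next() % corpus.len() as u64) as usize
    } else {
        let total: f64 = corpus.iter().map(score).sum();
        let mut r = (rng.next() % 1_000_000) as f64 / 1_000_000.0 * total;
        let mut chosen = corpus.len() - 1;
        for (i, s) in corpus.iter().enumerate() {
            r -= score(s);
            if r < 0.0 { chosen = i; break; }
        }
        chosen
    };
    corpus[idx].visits += 1;
    idx
}

/// Corpus pruning: once the corpus reaches `threshold` states, sort by votes/visits and keep
/// only the best `keep`. Returns whether pruning happened.
fn prune(corpus: &mut Vec<State>, threshold: usize, keep: usize) -> bool {
    if corpus.len() < threshold { return false; }
    corpus.sort_by(|a, b| score(b).partial_cmp(&score(a)).unwrap());
    corpus.truncate(keep);
    true
}

fn main() {
    let mut wp = ComparisonWaypoint::default();
    let mut s = State { id: 0, votes: 0, visits: 0 };
    // Constructed trace: a `require(balance >= 100)`-style check approached twice.
    let gained = wp.feedback(&mut s, &[Cmp { site: 7, lhs: 10, rhs: 100 }, Cmp { site: 7, lhs: 60, rhs: 100 }]);
    println!("votes gained: {}", gained); // 2
    let mut corpus = vec![s, State { id: 1, votes: 0, visits: 3 },
                          State { id: 2, votes: 2, visits: 2 }, State { id: 3, votes: 0, visits: 1 }];
    let mut rng = Lcg(42);
    for epoch in 0..4 {
        let i = select(&mut corpus, epoch, &mut rng);
        println!("epoch {}: selected state {}", epoch, corpus[i].id);
    }
    prune(&mut corpus, 4, 2);
    println!("kept: {:?}", corpus.iter().map(|s| s.id).collect::<Vec<_>>()); // [0, 2]
}
```

The comparison map is global, so a state only earns a vote for getting strictly closer than anything seen before; repeated executions that stall at the same distance add nothing, which is what lets pruning by votes/visits discard them.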

5 Implementation

Built on LibAFL, with a state corpus and customized feedback objects for the waypoints; the waypoint feedback is collected through hooks in the interpreter of revm (a Rust EVM implementation).

6 Evaluation

Compared with SMARTIAN and two ablations of ItyFuzz.

Related Work

  • Most fuzzers use coverage (instructions or control-flow edges) as feedback.
  • Waypoints:
    • SlowFuzz prioritizes inputs with long execution paths
    • PerfFuzz adds multi-dimensional feedback
    • comparison feedback
    • FuzzFactory formalizes the concept of waypoints.
  • Stateful fuzzing: SMARTIAN, Nyx, CorbFuzz
  • Smart contract related
    • Fuzzers: ContractFuzzer, Echidna, Harvey, SMARTIAN
    • Symbolic execution: Mythril, Manticore…
This post is licensed under CC BY 4.0 by the author.