Reference : Osiris: Hunting for Integer Bugs in Ethereum Smart Contracts
Scientific congresses, symposiums and conference proceedings : Paper published in a book
Engineering, computing & technology : Computer science
http://hdl.handle.net/10993/36757
Osiris: Hunting for Integer Bugs in Ethereum Smart Contracts
English
Ferreira Torres, Christof mailto [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > >]
Schütte, Julian mailto [Fraunhofer AISEC]
State, Radu mailto [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > >]
Dec-2018
34th Annual Computer Security Applications Conference (ACSAC ’18), San Juan, Puerto Rico, USA, December 3-7, 2018
Yes
978-1-4503-6569-7
34th Annual Computer Security Applications Conference
from 03-12-2018 to 07-12-2018
[en] Ethereum ; smart contracts ; integer bugs ; taint analysis ; symbolic execution
[en] The capability of executing so-called smart contracts in a decentralised manner is one of the compelling features of modern blockchains. Smart contracts are fully fledged programs which cannot be changed once deployed to the blockchain. They typically implement the business logic of distributed apps and carry billions of dollars worth of coins. In that respect, it is imperative that smart contracts are correct and have no vulnerabilities or bugs. However, research has identified different classes of vulnerabilities in smart contracts, some of which led to prominent multi-million dollar fraud cases. In this paper we focus on vulnerabilities related to integer bugs, a class of bugs that is particularly difficult to avoid due to some characteristics of the Ethereum Virtual Machine and the Solidity programming language.
In this paper we introduce Osiris – a framework that combines symbolic execution and taint analysis, in order to accurately find integer bugs in Ethereum smart contracts. Osiris detects a greater range of bugs than existing tools, while providing a better specificity of its detection. We have evaluated its performance on a large experimental dataset containing more than 1.2 million smart contracts. We found that 42,108 contracts contain integer bugs. Be- sides being able to identify several vulnerabilities that have been reported in the past few months, we were also able to identify a yet unknown critical vulnerability in a couple of smart contracts that are currently deployed on the Ethereum blockchain.
http://hdl.handle.net/10993/36757
10.1145/3274694.3274737

File(s) associated to this reference

Fulltext file(s):

FileCommentaryVersionSizeAccess
Open access
osiris.pdfPublisher postprint1.07 MBView/Open

Bookmark and Share SFX Query

All documents in ORBilu are protected by a user license.