Paper published in a book (Scientific congresses, symposiums and conference proceedings)
Osiris: Hunting for Integer Bugs in Ethereum Smart Contracts
FERREIRA TORRES, Christof; Schütte, Julian; STATE, Radu
2018In 34th Annual Computer Security Applications Conference (ACSAC ’18), San Juan, Puerto Rico, USA, December 3-7, 2018
Peer reviewed
 

Files


Full Text
osiris.pdf
Publisher postprint (1.09 MB)
Download

All documents in ORBilu are protected by a user license.

Send to



Details



Keywords :
Ethereum; smart contracts; integer bugs; taint analysis; symbolic execution
Abstract :
[en] The capability of executing so-called smart contracts in a decentralised manner is one of the compelling features of modern blockchains. Smart contracts are fully fledged programs which cannot be changed once deployed to the blockchain. They typically implement the business logic of distributed apps and carry billions of dollars worth of coins. In that respect, it is imperative that smart contracts are correct and have no vulnerabilities or bugs. However, research has identified different classes of vulnerabilities in smart contracts, some of which led to prominent multi-million dollar fraud cases. In this paper we focus on vulnerabilities related to integer bugs, a class of bugs that is particularly difficult to avoid due to some characteristics of the Ethereum Virtual Machine and the Solidity programming language. In this paper we introduce Osiris – a framework that combines symbolic execution and taint analysis, in order to accurately find integer bugs in Ethereum smart contracts. Osiris detects a greater range of bugs than existing tools, while providing a better specificity of its detection. We have evaluated its performance on a large experimental dataset containing more than 1.2 million smart contracts. We found that 42,108 contracts contain integer bugs. Be- sides being able to identify several vulnerabilities that have been reported in the past few months, we were also able to identify a yet unknown critical vulnerability in a couple of smart contracts that are currently deployed on the Ethereum blockchain.
Disciplines :
Computer science
Author, co-author :
FERREIRA TORRES, Christof ;  University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)
Schütte, Julian;  Fraunhofer AISEC
STATE, Radu  ;  University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)
External co-authors :
yes
Language :
English
Title :
Osiris: Hunting for Integer Bugs in Ethereum Smart Contracts
Publication date :
December 2018
Event name :
34th Annual Computer Security Applications Conference
Event date :
from 03-12-2018 to 07-12-2018
Main work title :
34th Annual Computer Security Applications Conference (ACSAC ’18), San Juan, Puerto Rico, USA, December 3-7, 2018
ISBN/EAN :
978-1-4503-6569-7
Peer reviewed :
Peer reviewed
Available on ORBilu :
since 01 October 2018

Statistics


Number of views
729 (25 by Unilu)
Number of downloads
3526 (64 by Unilu)

OpenCitations
 
15
OpenAlex citations
 
313

Bibliography


Similar publications



Contact ORBilu