Tips: towards automating patch suggestion for vulnerable smart contracts

Automated repair; Fix template; Smart contract vulnerability; Business transaction; Code changes; Critical business; Research topics; State of the art; Software

Résumé :

[en] Smart contracts are slowly penetrating our society where they are leveraged to support critical business transactions of which financial stakes are high. Smart contract programming is, however, in its infancy, and many failures due to programming defects exploited by malicious attackers and have made the headlines. In recent years, there has been an increasing effort in the literature to identify such vulnerabilities early in smart contracts to reduce the threats to the security of the accounts. Automatically patching smart contracts, however, is a much less investigated research topic. Yet, it can provide tools to help developers in fixing known vulnerabilities more rapidly. In this paper, we propose to review smart contract vulnerabilities and specify templates that will serve to automate patch generation. We implement the TIPS pipeline with 12 fix templates and assess its effectiveness on established smart contract datasets such as SmartBugs and ContractDefects. In particular, we show that TIPS is competitive against the state-of-the-art automated repair approach (SCRepair) in the literature. Finally, we evaluate the impact of the code changes suggested by TIPS in terms of gas usage.

Centre de recherche :

Interdisciplinary Centre for Security, Reliability and Trust (SnT) > TruX - Trustworthy Software Engineering
NCER-FT - FinTech National Centre of Excellence in Research

Disciplines :

Sciences informatiques

Auteur, co-auteur :

Chen, Qianguo; Nanjing University of Aeronautics and Astronautics, Nanjing, China

Zhou, Teng; Nanjing University of Aeronautics and Astronautics, Nanjing, China

Liu, Kui; Nanjing University of Aeronautics and Astronautics, Nanjing, China

Li, Li; Monash University, Melbourne, Australia

Ge, Chunpeng; Nanjing University of Aeronautics and Astronautics, Nanjing, China

Liu, Zhe; Nanjing University of Aeronautics and Astronautics, Nanjing, China

KLEIN, Jacques ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > TruX

BISSYANDE, Tegawendé François d Assise ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > TruX

Co-auteurs externes :

yes

Langue du document :

Anglais

Titre :

Tips: towards automating patch suggestion for vulnerable smart contracts

Date de publication/diffusion :

septembre 2023

Titre du périodique :

Automated Software Engineering

ISSN :

0928-8910

eISSN :

1573-7535

Maison d'édition :

Springer

Volume/Tome :

Fascicule/Saison :

Peer reviewed :

Peer reviewed vérifié par ORBi

URL complémentaire :

https://link.springer.com/content/pdf/10.1007/s10515-023-00392-y.pdf

Disponible sur ORBilu :

depuis le 27 novembre 2023

Statistiques

Nombre de vues

111 (dont 5 Unilu)

Nombre de téléchargements

173 (dont 1 Unilu)

Voir plus de statistiques

citations Scopus^®

citations Scopus^®
sans auto-citations

OpenCitations

citations OpenAlex

Bibliographie

Ashraf, I., Ma, X., Jiang, B., Chan, W.K.: GasFuzzer: fuzzing ethereum smart contract binaries to expose gas-oriented exception security vulnerabilities. IEEE Access 8, 99552–99564 (2020). 10.1109/ACCESS.2020.2995183 DOI: 10.1109/ACCESS.2020.2995183
Brent, L., Grech, N., Lagouvardos, S., Scholz, B., Smaragdakis, Y.: Ethainter: a smart contract security analyzer for composite vulnerabilities. In: Proceedings of the 41st ACM SIGPLAN International Conference on Programming Language Design and Implementation, pp. 454–469. ACM (2020). https://doi.org/10.1145/3385412.3385990
Chen, J., Xia, X., Lo, D., Grundy, J., Luo, X., Chen, T.: Defining smart contract defects on ethereum. IEEE Trans. Softw. Eng. (2020)
del Castillo, M.: The DAO attacked: code issue leads to \$60 million ether theft (2016)
Durieux, T., Cornu, B., Seinturier, L., Monperrus, M.: Dynamic patch generation for null pointer exceptions using metaprogramming. In: Proceedings of the 24th International Conference on Software Analysis, Evolution and Reengineering, pp. 349–358 (2017)
Durieux, T., Ferreira, J.F., Abreu, R., Cruz, P.: Empirical review of automated analysis tools on 47,587 ethereum smart contracts. In: Proceedings of the ACM/IEEE 42nd International Conference on Software Engineering, pp. 530–541 (2020)
Ethereum smart contract security best practices. https://consensys.github.io/smart-contract-best-practices/ (Last Accessed: July 2021)
Ethereum. https://ethereum.org/ (Last Accessed: July 2021)
Feist, J., Grieco, G., Groce, A.: Slither: a static analysis framework for smart contracts. In: 2019 IEEE/ACM 2nd International Workshop on Emerging Trends in Software Engineering for Blockchain (WETSEB), pp. 8–15 (2019)
Gao, Z., Jiang, L., Xia, X., Lo, D., Grundy, J.C.: Checking smart contracts with structural code embedding. IEEE Trans. Softw. Eng. 1–1 (2020)
Gazzola, L., Micucci, D., Mariani, L.: Automatic software repair: a survey. IEEE Trans. Softw. Eng. 45(1), 34–67 (2017) DOI: 10.1109/TSE.2017.2755013
Ghanbari, A., Benton, S., Zhang, L.: Practical program repair via bytecode mutation. In: Proceedings of the 28th ACM SIGSOFT International Symposium on Software Testing and Analysis, pp. 19–30. ACM (2019). https://doi.org/10.1145/3293882.3330559
Goues, C.L., Pradel, M., Roychoudhury, A.: Automated program repair. Commun. ACM 62(12), 56–65 (2019) DOI: 10.1145/3318162
Hartel, P.H., Schumi, R.: Mutation testing of smart contracts at scale. In: Proceedings of the 14th International Conference on Tests and Proofs. Lecture Notes in Computer Science, vol. 12165, pp. 23–42 (2020). https://doi.org/10.1007/978-3-030-50995-8_2
Huang, Y., Jiang, B., Chan, W.K.: EOSFuzze: fuzzing EOSIO smart contracts for vulnerability detection. CoRR (2020) arXiv:2007.14903
ICO Security. https://blog.positive.com (Last Accessed: July 2021)
Jiang, B., Liu, Y., Chan, W.K.: ContractFuzzer: fuzzing smart contracts for vulnerability detection. In: Proceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering, pp. 259–269. ACM (2018a). https://doi.org/10.1145/3238147.3238177
Jiang, J., Xiong, Y., Zhang, H., Gao, Q., Chen, X.: Shaping program repair space with existing patches and similar code. In: Proceedings of the 27th ACM SIGSOFT International Symposium on Software Testing and Analysis, pp. 298–309. ACM, (2018b)
Kim, D., Nam, J., Song, J., Kim, S.: Automatic patch generation learned from human-written patches. In: 2013 35th International Conference on Software Engineering (ICSE), pp. 802–811 (2013)
Koyuncu, A., Liu, K., Bissyandé, T.F., Kim, D., Monperrus, M., Klein, J., Le Traon, Y.: ifixr: bug report driven program repair. In: Proceedings of the 2019 27th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering, pp. 314–325 (2019)
Koyuncu, A., Liu, K., Bissyandé, T.F., Kim, D., Monperrus, M., Klein, J., Le Traon, Y.: FixMiner: mining relevant fix patterns for automated program repair. Empir. Softw. Eng. 25(3), 1980–2024 (2020). 10.1007/s10664-019-09780-z DOI: 10.1007/s10664-019-09780-z
Le, X.B.D., Lo, D., Le Goues, C.: History driven program repair. In: 2016 IEEE 23rd International Conference on Software Analysis, Evolution, and Reengineering (SANER), vol. 1, pp. 213–224. IEEE (2016)
Li, Z., Wu, H., Xu, J., Wang, X., Zhang, L., Chen, Z.: Musc: a tool for mutation testing of ethereum smart contract. In: Proceedings of the 34th IEEE/ACM International Conference on Automated Software Engineering, pp. 1198–1201. IEEE (2019). 10.1109/ASE.2019.00136
Liu, X., Zhong, H.: Mining stackoverflow for program repair. In: Proceedings of the 25th International Conference on Software Analysis, Evolution and Reengineering, pp. 118–129 (2018)
Liu, C., Liu, H., Cao, Z., Chen, Z., Chen, B., Roscoe, B.: ReGuard: finding reentrancy bugs in smart contracts. In: Proceedings of the 40th International Conference on Software Engineering: Companion Proceeedings, pp. 65–68. ACM, (2018a). 10.1145/3183440.3183495
Liu, H., Liu, C., Zhao, W., Jiang, Y., Sun, J.: S-gram: towards semantic-aware security auditing for ethereum smart contracts. In: Proceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering, pp. 814–819. ACM (2018b). https://doi.org/10.1145/3238147.3240728
Liu, K., Koyuncu, A., Bissyandé, T.F., Kim, D., Klein, J., Le Traon, Y.: You cannot fix what you cannot find! an investigation of fault localization bias in benchmarking automated program repair systems. In: 2019 12th IEEE Conference on Software Testing, Validation and Verification (ICST), pp. 102–113 (2019a)
Liu, K., Koyuncu, A., Kim, D., Bissyandé, T.F.: Avatar: Fixing semantic bugs with fix patterns of static analysis violations. In: 2019 IEEE 26th International Conference on Software Analysis, Evolution and Reengineering (SANER), pp. 1–12 (2019b)
Liu, K., Koyuncu, A., Kim, D., Bissyandé, T.F.: TBar: revisiting template-based automated program repair. In: Proceedings of the 28th ACM SIGSOFT International Symposium on Software Testing and Analysis, pp. 31–42 (2019c). https://doi.org/10.1145/3293882.3330577
Liu, K., Wang, S., Koyuncu, A., Kim, K., Bissyandé, T.F., Kim, D., Wu, P., Klein, J., Mao, X., Traon, Y.L.: On the efficiency of test suite based program repair: a systematic assessment of 16 automated repair systems for java programs. In: Proceedings of the 42nd International Conference on Software Engineering, pp. 615–627. ACM (2020). 10.1145/3377811.3380338
Liu, K., Li, L., Koyuncu, A., Kim, D., Liu, Z., Klein, J., Bissyandé, T.F.: A critical review on the evaluation of automated program repair systems. J. Syst. Softw. 171, 110817 (2021). 10.1016/j.jss.2020.110817 DOI: 10.1016/j.jss.2020.110817
Liu, K., Zhang, J., Li, L., Koyuncu, A., Kim, D., Ge, C., Liu, Z., Klein, J., Bissyandé, T.F.: Reliable fix patterns inferred from static checkers for automated program repair. ACM Trans. Softw. Eng. Methodol. (2022). 10.1145/3579637 DOI: 10.1145/3579637
Long, F., Amidon, P., Rinard, M.: Automatic inference of code transforms for patch generation. In: Proceedings of the 11th Joint Meeting on Foundations of Software Engineering, pp. 727–739 (2017)
Luu, L., Chu, D.-H., Olickel, H., Saxena, P., Hobor, A.: Making smart contracts smarter. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pp. 254–269. ACM (2016)
Monperrus, M.: Automatic software repair: a bibliography. ACM Comput. Surv. 51(1), 17–11724 (2018)
Mueller, B.: Smashing ethereum smart contracts for fun and real profit. In: 9th Annual HITB Security Conference (HITBSecConf), p. 54 (2018)
Nguyen, T.D., Pham, L.H., Sun, J., Lin, Y., Minh, Q.T.: sFuzz: an efficient adaptive fuzzer for solidity smart contracts. CoRR (2020). arXiv:2004.08563
Nguyen, T.D., Pham, L.H., Sun, J.: sGUARD: towards fixing vulnerable smart contracts automatically (2021). arXiv preprint arXiv:2101.01917
Nikolić, I., Kolluri, A., Sergey, I., Saxena, P., Hobor, A.: Finding the greedy, prodigal, and suicidal contracts at scale. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 653–663 (2018)
Smart Contracts. https://github.com/crytic/not-so-smart-contracts (Last Accessed: July 2021)
O’Leary, R.-R.: Parity team publishes postmortem on $160 million ether freeze (2017)
Remix. https://remix.ethereum.org/ (Last Accessed: July 2021)
Rolim, R., Soares, G., Gheyi, R., D’Antoni, L.: Learning quick fixes from code repositories (2018). arXiv preprint arXiv:1803.03806
Saha, R.K., Lyu, Y., Yoshida, H., Prasad, M.R.: ELIXIR: effective object-oriented program repair. In: Proceedings of the 32nd IEEE/ACM International Conference on Automated Software Engineering, pp. 648–659 (2017)
Saha, S., Saha, R.K., Prasad, M.R.: Harnessing evolution for multi-hunk program repair. In: Proceedings of the 41st International Conference on Software Engineering, pp. 13–24. IEEE (2019). https://doi.org/10.1109/ICSE.2019.00020
Solidity. https://github.com/ethereum/solidity (Last Accessed: July 2021)
SWC-registry. https://smartcontractsecurity.github.io/SWC-registry (Last Accessed: July 2021)
This is the very first iteration of the Decentralized Application Security Project (or DASP) Top 10 of 2018. https://dasp.co/ (Last Accessed: July 2021)
Tikhomirov, S., Voskresenskaya, E., Ivanitskiy, I., Takhaviev, R., Marchenko, E., Alexandrov, Y.: Smartcheck: static analysis of ethereum smart contracts. In: Proceedings of the 1st International Workshop on Emerging Trends in Software Engineering for Blockchain, pp. 9–16 (2018)
Torres, C.F., Schütte, J., State, R.: Osiris: Hunting for integer bugs in ethereum smart contracts. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 664–676. ACM (2018). 10.1145/3274694.3274737
Wan, Z., Xia, X., Lo, D., Chen, J., Luo, X., Yang, X.: Smart contract security: a practitioners’ perspective (2021). arXiv preprint arXiv:2102.10963
Wen, M., Chen, J., Wu, R., Hao, D., Cheung, S.-C.: Context-aware patch generation for better automated program repair. In: Proceedings of the 40th IEEE/ACM International Conference on Software Engineering, pp. 1–11 (2018)
Wüstholz, V., Christakis, M.: Harvey: a greybox fuzzer for smart contracts. CoRR (2019). arXiv:1905.06944
Xiong, Y., Wang, J., Yan, R., Zhang, J., Han, S., Huang, G., Zhang, L.: Precise condition synthesis for program repair. In: Proceedings of the 39th IEEE/ACM International Conference on Software Engineering, pp. 416–426. IEEE (2017). https://doi.org/10.1109/ICSE.2017.45
Yu, X.L., Al-Bataineh, O., Lo, D., Roychoudhury, A.: Smart contract repair. ACM Trans. Softw. Eng. Methodol. 29(4), 1–32 (2020) DOI: 10.1145/3402450
Yuan, Y., Banzhaf, W.: ARJA: automated repair of java programs via multi-objective genetic programming. IEEE Trans. Softw. Eng. (2018). 10.1109/TSE.2018.2874648 DOI: 10.1109/TSE.2018.2874648
Zhang, Q., Wang, Y., Li, J., Ma, S.: EthPloit: from fuzzing to efficient exploit generation against smart contracts. In: Proceedings of the 27th IEEE International Conference on Software Analysis, Evolution and Reengineering, pp. 116–126 (2020a). https://doi.org/10.1109/SANER48275.2020.9054822
Zhang, P., Yu, J., Ji, S.: ADF-GA: data flow criterion based test case generation for ethereum smart contracts. CoRR abs/2003.00257 (2020b). arXiv:2003.00257