A Language for Smart Contracts with Secure Control Flow (Technical Report)

• URL: http://arxiv.org/abs/2407.01204v2
• Date: Tue, 22 Apr 2025 22:04:29 GMT
• Title: A Language for Smart Contracts with Secure Control Flow (Technical Report)
• Authors: Siqiu Yao, Haobin Ni, Stephanie Ma, Noah Schiff, Andrew C. Myers, Ethan Cecchetti,
• Abstract summary: Smart contracts are vulnerable to control-flow attacks based on confused deputies, reentrancy, and incorrect error handling.<n>We introduce SCIF, a language for secure smart contracts, that addresses these classes of control-flow attacks.<n> SCIF enforces both classic end-to-end information flow security and new security restrictions on control flow, even when SCIF contracts interact with malicious non-SCIF code.
• Score: 2.8771104250726847
• License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
• Abstract: Smart contracts are frequently vulnerable to control-flow attacks based on confused deputies, reentrancy, and incorrect error handling. These attacks exploit the complexity of interactions among multiple possibly unknown contracts. Existing best practices to prevent vulnerabilities rely on code patterns and heuristics that produce both false positives and false negatives. Even with extensive audits and heuristic tools, new vulnerabilities continue to arise, routinely costing tens of millions of dollars. We introduce SCIF, a language for secure smart contracts, that addresses these classes of control-flow attacks. By extending secure information flow mechanisms in a principled way, SCIF enforces both classic end-to-end information flow security and new security restrictions on control flow, even when SCIF contracts interact with malicious non-SCIF code. SCIF is implemented as a compiler to Solidity. We show how SCIF can secure contracts with minimal overhead through case studies of applications with intricate security reasoning and a large corpus of insecure code.

Related papers

• CodeBC: A More Secure Large Language Model for Smart Contract Code Generation in Blockchain [6.7475904578675285]
  Large language models (LLMs) excel at generating code from natural language instructions, yet they often lack an understanding of security vulnerabilities. This limitation makes it difficult for LLMs to avoid security risks in generated code, particularly in high-security programming tasks such as smart contract development for blockchain. We introduce CodeBC, a code generation model specifically designed for generating secure smart contracts in blockchain.
  arXiv  Detail & Related papers  (2025-04-28T14:14:16Z)
• Secure Smart Contract with Control Flow Integrity [3.1655211232629563]
  We develop CrossGuard, a framework that enforces control flow integrity in real-time to secure smart contracts. Our evaluation demonstrates that CrossGuard effectively blocks 28 of the 30 analyzed attacks when configured only once prior to contract deployment.
  arXiv  Detail & Related papers  (2025-04-07T21:08:16Z)
• Defeating Prompt Injections by Design [79.00910871948787]
  CaMeL is a robust defense that creates a protective system layer around the Large Language Models (LLMs) To operate, CaMeL explicitly extracts the control and data flows from the (trusted) query. We demonstrate effectiveness of CaMeL by solving $67%$ of tasks with provable security in AgentDojo [NeurIPS 2024], a recent agentic security benchmark.
  arXiv  Detail & Related papers  (2025-03-24T15:54:10Z)
• Steering Dialogue Dynamics for Robustness against Multi-turn Jailbreaking Attacks [55.29301192316118]
  Large language models (LLMs) are highly vulnerable to jailbreaking attacks. We propose a safety steering framework grounded in safe control theory. Our method achieves invariant safety at each turn of dialogue by learning a safety predictor.
  arXiv  Detail & Related papers  (2025-02-28T21:10:03Z)
• Constructing Trustworthy Smart Contracts [1.7495213911983416]
  We introduce ASP, a system aimed at easing the construction of provably secure contracts. The language semantics guarantee that Asp contracts are free of commonly exploited vulnerabilities. The defensive compiler enforces the semantics and translates Asp to Solidity, the most popular contract language.
  arXiv  Detail & Related papers  (2024-11-21T20:26:18Z)
• SCANS: Mitigating the Exaggerated Safety for LLMs via Safety-Conscious Activation Steering [56.92068213969036]
  Safety alignment is indispensable for Large Language Models (LLMs) to defend threats from malicious instructions. Recent researches reveal safety-aligned LLMs prone to reject benign queries due to the exaggerated safety issue. We propose a Safety-Conscious Activation Steering (SCANS) method to mitigate the exaggerated safety concerns.
  arXiv  Detail & Related papers  (2024-08-21T10:01:34Z)
• Rethinking the Vulnerabilities of Face Recognition Systems:From a Practical Perspective [53.24281798458074]
  Face Recognition Systems (FRS) have increasingly integrated into critical applications, including surveillance and user authentication. Recent studies have revealed vulnerabilities in FRS to adversarial (e.g., adversarial patch attacks) and backdoor attacks (e.g., training data poisoning)
  arXiv  Detail & Related papers  (2024-05-21T13:34:23Z)
• SmartML: Towards a Modeling Language for Smart Contracts [0.3277163122167434]
  This paper proposes SmartML, a modeling language for smart contracts that is platform independent and easy to comprehend. We detail its formal semantics and type system with a focus on its role in addressing security vulnerabilities.
  arXiv  Detail & Related papers  (2024-03-11T11:27:53Z)
• Defending Large Language Models against Jailbreak Attacks via Semantic Smoothing [107.97160023681184]
  Aligned large language models (LLMs) are vulnerable to jailbreaking attacks. We propose SEMANTICSMOOTH, a smoothing-based defense that aggregates predictions of semantically transformed copies of a given input prompt.
  arXiv  Detail & Related papers  (2024-02-25T20:36:03Z)
• A security framework for Ethereum smart contracts [13.430752634838539]
  This article presents ESAF, a framework for analysis of smart contracts. It aims to unify and facilitate the task of analyzing smart contract vulnerabilities. It can be used as a persistent security monitoring tool for a set of target contracts as well as a classic vulnerability analysis tool among other uses.
  arXiv  Detail & Related papers  (2024-02-05T22:14:21Z)
• A Survey and Comparative Analysis of Security Properties of CAN Authentication Protocols [92.81385447582882]
  The Controller Area Network (CAN) bus leaves in-vehicle communications inherently non-secure. This paper reviews and compares the 15 most prominent authentication protocols for the CAN bus. We evaluate protocols based on essential operational criteria that contribute to ease of implementation.
  arXiv  Detail & Related papers  (2024-01-19T14:52:04Z)
• HasTEE+ : Confidential Cloud Computing and Analytics with Haskell [50.994023665559496]
  Confidential computing enables the protection of confidential code and data in a co-tenanted cloud deployment using specialized hardware isolation units called Trusted Execution Environments (TEEs) TEEs offer low-level C/C++-based toolchains that are susceptible to inherent memory safety vulnerabilities and lack language constructs to monitor explicit and implicit information-flow leaks. We address the above with HasTEE+, a domain-specific language (cla) embedded in Haskell that enables programming TEEs in a high-level language with strong type-safety.
  arXiv  Detail & Related papers  (2024-01-17T00:56:23Z)
• Blockchain Smart Contract Threat Detection Technology Based on Symbolic Execution [0.0]
  Reentrancy vulnerability, which is hidden and complex, poses a great threat to smart contracts. In this paper, we propose a smart contract threat detection technology based on symbolic execution. The experimental results show that this method significantly increases both detection efficiency and accuracy.
  arXiv  Detail & Related papers  (2023-12-24T03:27:03Z)
• Gradual Verification for Smart Contracts [0.4543820534430522]
  Algos facilitate secure resource transactions through smart contracts, yet these digital agreements are prone to vulnerabilities. Traditional verification techniques fall short in providing comprehensive security assurances. This paper introduces an incremental approach: gradual verification.
  arXiv  Detail & Related papers  (2023-11-22T12:42:26Z)
• SyzTrust: State-aware Fuzzing on Trusted OS Designed for IoT Devices [67.65883495888258]
  We present SyzTrust, the first state-aware fuzzing framework for vetting the security of resource-limited Trusted OSes. SyzTrust adopts a hardware-assisted framework to enable fuzzing Trusted OSes directly on IoT devices. We evaluate SyzTrust on Trusted OSes from three major vendors: Samsung, Tsinglink Cloud, and Ali Cloud.
  arXiv  Detail & Related papers  (2023-09-26T08:11:38Z)
• Not what you've signed up for: Compromising Real-World LLM-Integrated Applications with Indirect Prompt Injection [64.67495502772866]
  Large Language Models (LLMs) are increasingly being integrated into various applications. We show how attackers can override original instructions and employed controls using Prompt Injection attacks. We derive a comprehensive taxonomy from a computer security perspective to systematically investigate impacts and vulnerabilities.
  arXiv  Detail & Related papers  (2023-02-23T17:14:38Z)
• Functional Encryption with Secure Key Leasing [6.375982344506753]
  cryptographic primitive that enables us to lease software to a user by encoding it into a quantum state. Secure software leasing has a mechanism that verifies whether a returned software is valid or not. We introduce the notion of secret-key functional encryption (FEE) with secure key leasing.
  arXiv  Detail & Related papers  (2022-09-27T00:15:00Z)
• HCC: A Language-Independent Hardening Contract Compiler for Smart Contracts [5.379572824182189]
  We propose the first practical smart contract compiler, called HCC. HCC inserts security hardening checks at the source-code level based on a novel and language-independent code property graph (CPG) notation.
  arXiv  Detail & Related papers  (2022-03-01T11:25:32Z)
• ESCORT: Ethereum Smart COntRacTs Vulnerability Detection using Deep Neural Network and Transfer Learning [80.85273827468063]
  Existing machine learning-based vulnerability detection methods are limited and only inspect whether the smart contract is vulnerable. We propose ESCORT, the first Deep Neural Network (DNN)-based vulnerability detection framework for smart contracts. We show that ESCORT achieves an average F1-score of 95% on six vulnerability types and the detection time is 0.02 seconds per contract.
  arXiv  Detail & Related papers  (2021-03-23T15:04:44Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.