CrossInspector: A Static Analysis Approach for Cross-Contract Vulnerability Detection
- URL: http://arxiv.org/abs/2408.15292v1
- Date: Tue, 27 Aug 2024 00:53:14 GMT
- Title: CrossInspector: A Static Analysis Approach for Cross-Contract Vulnerability Detection
- Authors: Xiao Chen,
- Abstract summary: CrossInspector is a novel framework for detecting cross-contract vulnerabilities at the bytecode level through static analysis.
We ran CrossInspector on a randomly selected set of 300 real-world smart contracts and identified 11 cross-contract vulnerabilities that were missed by prior tools.
- Score: 3.6320095921016264
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: With the development of blockchain technology, the detection of smart contract vulnerabilities is increasingly emphasized. However, when detecting vulnerabilities in inter-contract interactions (i.e., cross-contract vulnerabilities) using smart contract bytecode, existing tools often produce many false positives and false negatives due to insufficient recovery of semantic information and inadequate consideration of contract dependencies. We present CrossInspector, a novel framework for detecting cross-contract vulnerabilities at the bytecode level through static analysis. CrossInspector utilizes a trained Transformer model to recover semantic information and considers control flow, data flow, and dependencies related to smart contract state variables to construct a state dependency graph for fine-grained inter-procedural analysis. Additionally, CrossInspector incorporates a pruning method and two parallel optimization mechanisms to accelerate the vulnerability detection process. Experiments on our manually constructed dataset demonstrate that CrossInspector outperforms the state-of-the-art tools in both precision (97\%) and recall (96.75\%), while also significantly reducing the overall time from 16.34 seconds to 7.83 seconds, almost on par with the fastest tool that utilizes bytecode for detection. Additionally, we ran CrossInspector on a randomly selected set of 300 real-world smart contracts and identified 11 cross-contract vulnerabilities that were missed by prior tools.
Related papers
- Impact of Code Transformation on Detection of Smart Contract Vulnerabilities [0.0]
This paper presents a method for improving the quantity and quality of smart contract vulnerability datasets.
The approach centers around semantic-preserving code transformation, a technique that modifies the source code structure without altering its semantic meaning.
The improved results show that many newly created vulnerabilities can bypass tools and the false reporting rate goes up to 100%.
arXiv Detail & Related papers (2024-10-29T03:08:25Z) - Smart Contract Vulnerability Detection based on Static Analysis and Multi-Objective Search [3.297959314391795]
This paper introduces a method for detecting vulnerabilities in smart contracts using static analysis and a multi-objective optimization algorithm.
We focus on four types of vulnerabilities: reentrancy, call stack overflow, integer overflow, and timestamp dependencies.
We validate our approach using an open-source dataset collected from Etherscan, containing 6,693 smart contracts.
arXiv Detail & Related papers (2024-09-30T23:28:17Z) - Efficiently Detecting Reentrancy Vulnerabilities in Complex Smart Contracts [35.26195628798847]
Existing vulnerability detection tools perform poorly in terms of efficiency and successful detection rates for vulnerabilities in complex contracts.
SliSE provides a robust and efficient method for detection of Reentrancy vulnerabilities for complex contracts.
arXiv Detail & Related papers (2024-03-17T16:08:30Z) - Blockchain Smart Contract Threat Detection Technology Based on Symbolic
Execution [0.0]
Reentrancy vulnerability, which is hidden and complex, poses a great threat to smart contracts.
In this paper, we propose a smart contract threat detection technology based on symbolic execution.
The experimental results show that this method significantly increases both detection efficiency and accuracy.
arXiv Detail & Related papers (2023-12-24T03:27:03Z) - Enhancing Multiple Reliability Measures via Nuisance-extended
Information Bottleneck [77.37409441129995]
In practical scenarios where training data is limited, many predictive signals in the data can be rather from some biases in data acquisition.
We consider an adversarial threat model under a mutual information constraint to cover a wider class of perturbations in training.
We propose an autoencoder-based training to implement the objective, as well as practical encoder designs to facilitate the proposed hybrid discriminative-generative training.
arXiv Detail & Related papers (2023-03-24T16:03:21Z) - ADC: Adversarial attacks against object Detection that evade Context
consistency checks [55.8459119462263]
We show that even context consistency checks can be brittle to properly crafted adversarial examples.
We propose an adaptive framework to generate examples that subvert such defenses.
Our results suggest that how to robustly model context and check its consistency, is still an open problem.
arXiv Detail & Related papers (2021-10-24T00:25:09Z) - Combining Graph Neural Networks with Expert Knowledge for Smart Contract
Vulnerability Detection [37.7763374870026]
Existing efforts for contract security analysis rely on rigid rules defined by experts, which are labor-intensive and non-scalable.
We propose a novel temporal message propagation network to extract the graph feature from the normalized graph, and combine the graph feature with designed expert patterns to yield a final detection system.
arXiv Detail & Related papers (2021-07-24T13:16:30Z) - Adversarial Robustness under Long-Tailed Distribution [93.50792075460336]
Adversarial robustness has attracted extensive studies recently by revealing the vulnerability and intrinsic characteristics of deep networks.
In this work we investigate the adversarial vulnerability as well as defense under long-tailed distributions.
We propose a clean yet effective framework, RoBal, which consists of two dedicated modules, a scale-invariant and data re-balancing.
arXiv Detail & Related papers (2021-04-06T17:53:08Z) - ESCORT: Ethereum Smart COntRacTs Vulnerability Detection using Deep
Neural Network and Transfer Learning [80.85273827468063]
Existing machine learning-based vulnerability detection methods are limited and only inspect whether the smart contract is vulnerable.
We propose ESCORT, the first Deep Neural Network (DNN)-based vulnerability detection framework for smart contracts.
We show that ESCORT achieves an average F1-score of 95% on six vulnerability types and the detection time is 0.02 seconds per contract.
arXiv Detail & Related papers (2021-03-23T15:04:44Z) - Detection as Regression: Certified Object Detection by Median Smoothing [50.89591634725045]
This work is motivated by recent progress on certified classification by randomized smoothing.
We obtain the first model-agnostic, training-free, and certified defense for object detection against $ell$-bounded attacks.
arXiv Detail & Related papers (2020-07-07T18:40:19Z) - Instance-aware, Context-focused, and Memory-efficient Weakly Supervised
Object Detection [184.563345153682]
We develop an instance-aware and context-focused unified framework for weakly supervised learning.
It employs an instance-aware self-training algorithm and a learnable Concrete DropBlock while devising a memory-efficient sequential batch back-propagation.
Our proposed method state-of-the-art results on COCO ($12.1% AP$, $24.8% AP_50$), VOC 2007 ($54.9% AP$), and VOC 2012 ($52.1% AP$)
arXiv Detail & Related papers (2020-04-09T17:57:09Z)
This list is automatically generated from the titles and abstracts of the papers in this site.
This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.