smt-friendly formalization of the solidity memory model · solidity smart contracts smt-friendly...
TRANSCRIPT
![Page 1: SMT-Friendly Formalization of the Solidity Memory Model · Solidity Smart Contracts SMT-Friendly Formalization of the Solidity Memory Model 2. 3 •Store data (blockchain) and execute](https://reader030.vdocuments.site/reader030/viewer/2022041117/5f2cf4f75f0c894d5677eda6/html5/thumbnails/1.jpg)
SMT-Friendly Formalization of the Solidity Memory ModelÁkos Hajdu1, Dejan Jovanović2
1Budapest University of Technology and Economics2SRI International
Paper originally published at ESOP 2020 link.springer.com/chapter/10.1007/978-3-030-44914-8_9
Presented at SMT 2020, July 5th
![Page 2: SMT-Friendly Formalization of the Solidity Memory Model · Solidity Smart Contracts SMT-Friendly Formalization of the Solidity Memory Model 2. 3 •Store data (blockchain) and execute](https://reader030.vdocuments.site/reader030/viewer/2022041117/5f2cf4f75f0c894d5677eda6/html5/thumbnails/2.jpg)
Solidity Smart Contracts
2SMT-Friendly Formalization of the Solidity Memory Model
![Page 3: SMT-Friendly Formalization of the Solidity Memory Model · Solidity Smart Contracts SMT-Friendly Formalization of the Solidity Memory Model 2. 3 •Store data (blockchain) and execute](https://reader030.vdocuments.site/reader030/viewer/2022041117/5f2cf4f75f0c894d5677eda6/html5/thumbnails/3.jpg)
3
• Store data (blockchain) and execute code (smart contracts)
• No trusted central party
• Consensus protocol
Distributed Computing Platforms
SMT-Friendly Formalization of the Solidity Memory Model
![Page 4: SMT-Friendly Formalization of the Solidity Memory Model · Solidity Smart Contracts SMT-Friendly Formalization of the Solidity Memory Model 2. 3 •Store data (blockchain) and execute](https://reader030.vdocuments.site/reader030/viewer/2022041117/5f2cf4f75f0c894d5677eda6/html5/thumbnails/4.jpg)
4
• Conceptually a single-world-computer abstraction– Example: Ethereum
Distributed Computing Platforms
SMT-Friendly Formalization of the Solidity Memory Model
![Page 5: SMT-Friendly Formalization of the Solidity Memory Model · Solidity Smart Contracts SMT-Friendly Formalization of the Solidity Memory Model 2. 3 •Store data (blockchain) and execute](https://reader030.vdocuments.site/reader030/viewer/2022041117/5f2cf4f75f0c894d5677eda6/html5/thumbnails/5.jpg)
5
Solidity Smart Contracts
SMT-Friendly Formalization of the Solidity Memory Model
contract DataStorage {
}
Complex datatype
State variable(s): permanent storage (blockchain)
Function(s): called with transactions
Parameters, return values, local variables in transient memory
struct Record { bool set; int[] data; }
mapping(address=>Record) private records;
function append(address at, int d) public {Record storage r = records[at];r.set = true;r.data.push(d);
}
function get(address at) public view returns (int[] memory ret) {require(isset(records[at]));ret = records[at].data;
}
function isset(Record storage r) internal view returns (bool s) {s = r.set;
}
Pointers to storage in internal scope
![Page 6: SMT-Friendly Formalization of the Solidity Memory Model · Solidity Smart Contracts SMT-Friendly Formalization of the Solidity Memory Model 2. 3 •Store data (blockchain) and execute](https://reader030.vdocuments.site/reader030/viewer/2022041117/5f2cf4f75f0c894d5677eda6/html5/thumbnails/6.jpg)
6
• Bytecode-level tools– Slither, Mythril, …
– Various formalizations
– Mostly vulnerable patterns
– Limited effectiveness and automation for high-level properties
• Solidity-level tools– SMTchecker, solc-verify, VeriSol, …
– High-level, functional properties
– Usually based on SMT
– Modular verification, bounded model checking, symbolic execution
– Precise formalization required
Verification Landscape
SMT-Friendly Formalization of the Solidity Memory Model
010101111000001010
Memory model lacks detailed and effective formalization
![Page 7: SMT-Friendly Formalization of the Solidity Memory Model · Solidity Smart Contracts SMT-Friendly Formalization of the Solidity Memory Model 2. 3 •Store data (blockchain) and execute](https://reader030.vdocuments.site/reader030/viewer/2022041117/5f2cf4f75f0c894d5677eda6/html5/thumbnails/7.jpg)
7
• Simple SMT-based program– Types: primitive, datatype, array
– Variable declarations
– Statements: assign, assume, if-then-else
– Expressions: identifier, array read/write,datatype constructor, member selector,conditional, basic arithmetic
• Can be expressed in any SMT-based tool– Boogie, Why3, Dafny, …
– Check by translating to SSA
Target Language
SMT-Friendly Formalization of the Solidity Memory Model
Point(x : int, y : int)
pts[0] := Point(1, 2)pts[1].x := pts[0].x + 1
pts : [int]Point
![Page 8: SMT-Friendly Formalization of the Solidity Memory Model · Solidity Smart Contracts SMT-Friendly Formalization of the Solidity Memory Model 2. 3 •Store data (blockchain) and execute](https://reader030.vdocuments.site/reader030/viewer/2022041117/5f2cf4f75f0c894d5677eda6/html5/thumbnails/8.jpg)
Formalizing the Solidity memory model
8SMT-Friendly Formalization of the Solidity Memory Model
![Page 9: SMT-Friendly Formalization of the Solidity Memory Model · Solidity Smart Contracts SMT-Friendly Formalization of the Solidity Memory Model 2. 3 •Store data (blockchain) and execute](https://reader030.vdocuments.site/reader030/viewer/2022041117/5f2cf4f75f0c894d5677eda6/html5/thumbnails/9.jpg)
9
• Memory: reference semantics
Overview
SMT-Friendly Formalization of the Solidity Memory Model
• Storage: value semanticscontract C {struct S { int x; T[] ta; }struct T { int z; }
}
T t1;S s1;S[] sa;
Tt1
S
T
T
s1
S
T
S
T
T
saT
function f() public {T storage tp = sa[1].ta[2];
}g(tp);
function g(T storage t) internal {t.z = 5;
}
• Local storage pointers
function f() public pure {
}
TS
Tsm1
t
Ssm2
S memory sm1 = S(1, new T[](2));T memory t = sm.ta[1];S memory sm2 = S(2, sm1.ta);
No mixing
![Page 10: SMT-Friendly Formalization of the Solidity Memory Model · Solidity Smart Contracts SMT-Friendly Formalization of the Solidity Memory Model 2. 3 •Store data (blockchain) and execute](https://reader030.vdocuments.site/reader030/viewer/2022041117/5f2cf4f75f0c894d5677eda6/html5/thumbnails/10.jpg)
10
• Standard heap model (per type)– Pointer: SMT integer
– Struct: SMT datatype
– Array: SMT array + length
– No null, default values recursively
Encoding the Memory
SMT-Friendly Formalization of the Solidity Memory Model
struct T { int z; }struct S { int x; T[] ta; }
S memory sm1 = S(1, new T[](2));
Tmem(z : int)Tmemarr(arr : [int]int, len : int)Smem(x : int, ta : int)
heapT : [int]TmemheapTA : [int]TmemarrheapS : [int]Smem
sm1 : intheapT[0] := Tmem(0)heapT[1] := Tmem(0)heapTA[2] := Tmemarr([0, 1], 2)heapS[3] := Smem(1, 2)sm1 := 3
sm1
.z
Allocation counter
.ta[1].z;
heapT[heapTA[heapS[3].ta].arr[1]]heapTA[heapS[3].ta]heapS[3]
![Page 11: SMT-Friendly Formalization of the Solidity Memory Model · Solidity Smart Contracts SMT-Friendly Formalization of the Solidity Memory Model 2. 3 •Store data (blockchain) and execute](https://reader030.vdocuments.site/reader030/viewer/2022041117/5f2cf4f75f0c894d5677eda6/html5/thumbnails/11.jpg)
11
• Scope limited to a single transaction
• Non-aliasing and new allocations– Require quantifiers in the general case (decidable fragment)
Encoding the Memory
SMT-Friendly Formalization of the Solidity Memory Model
function f(S memory sm) {... = S(...)
}
assume(sm < refcnt)assume(heapS[sm].ta < refcnt)forall 0 <= i < heapTA[heapS[sm].ta].len:
assume(heapTA[heapS[sm].ta].arr[i] < refcnt)
struct T { int z; }struct S { int x; T[] ta; }
sm
sm.ta
sm.ta[i] (for each i)
New allocations should not alias with sm
Allocation counter
![Page 12: SMT-Friendly Formalization of the Solidity Memory Model · Solidity Smart Contracts SMT-Friendly Formalization of the Solidity Memory Model 2. 3 •Store data (blockchain) and execute](https://reader030.vdocuments.site/reader030/viewer/2022041117/5f2cf4f75f0c894d5677eda6/html5/thumbnails/12.jpg)
12
• Encode with SMT datatypes without heaps– Non-aliasing and deep copy ensured out-of-the-box
– Especially useful in modular verification– Otherwise many framing conditions for functions
Encoding the Storage
SMT-Friendly Formalization of the Solidity Memory Model
struct T { int z; }struct S { int x; T[] ta; }
contract C {T t1;S s1;S[] sa;
}
Tstor(z : int)Tstorarr(arr : [int]Tstor, len : int)Sstor(x : int, ta : Tstorarr)Sstorarr(arr : [int]Sstor, len : int)
t1: Tstors1: Sstorsa: Sstorarr
Local storage pointers?
![Page 13: SMT-Friendly Formalization of the Solidity Memory Model · Solidity Smart Contracts SMT-Friendly Formalization of the Solidity Memory Model 2. 3 •Store data (blockchain) and execute](https://reader030.vdocuments.site/reader030/viewer/2022041117/5f2cf4f75f0c894d5677eda6/html5/thumbnails/13.jpg)
13
• Storage is a finite-depth tree of values*
• Each element identified by path encode with SMT integer array
Local Storage Pointers
SMT-Friendly Formalization of the Solidity Memory Model
*Limited support for recursive data types, not used in practice.
contract C {struct T {int z;
}struct S {int x;T t;T[] ta;
}
T t1;S s1;S[] sa;
}
C T
S
S[]
T
T[]
S T
T[] T
T
t1
s1
sa
t
ta [i]
t
ta [i]
[i]
0
1
2
0
1
0
1
i
i
i
![Page 14: SMT-Friendly Formalization of the Solidity Memory Model · Solidity Smart Contracts SMT-Friendly Formalization of the Solidity Memory Model 2. 3 •Store data (blockchain) and execute](https://reader030.vdocuments.site/reader030/viewer/2022041117/5f2cf4f75f0c894d5677eda6/html5/thumbnails/14.jpg)
T
S T
T[]
T
T
t1
s1 t
ta [i]
t
0
1 0
1
0
i
14
• Packing: expression to SMT array– Fit expression to tree
Local Storage Pointers
SMT-Friendly Formalization of the Solidity Memory Model
contract C {struct T {int z;
}struct S {int x;T t;T[] ta;
}
T t1;S s1;S[] sa;
}
C
S[] S
T[] T
sa
ta [i]
[i]2
1 i
i
T storage t = sa[8].ta[5];
t : [int]intt := [2, 8, 1, 5]
![Page 15: SMT-Friendly Formalization of the Solidity Memory Model · Solidity Smart Contracts SMT-Friendly Formalization of the Solidity Memory Model 2. 3 •Store data (blockchain) and execute](https://reader030.vdocuments.site/reader030/viewer/2022041117/5f2cf4f75f0c894d5677eda6/html5/thumbnails/15.jpg)
T
S T
T[]
T
T
t1
s1 t
ta [i]
t
0
1 0
1
0
i
15
• Unpacking: SMT array to expression– Conditional based on tree
Local Storage Pointers
SMT-Friendly Formalization of the Solidity Memory Model
contract C {struct T {int z;
}struct S {int x;T t;T[] ta;
}
T t1;S s1;S[] sa;
}
C
S[] S
T[] T
sa
ta [i]
[i]2
1 i
i
function f(T storage ptr) {... ptr.z;
}
ite(ptr[0] = 0,
t1,
ite(ptr[0] = 1,
ite(ptr[1] = 0,
s1.t,
s1.ta[ptr[2]]), … ).z
![Page 16: SMT-Friendly Formalization of the Solidity Memory Model · Solidity Smart Contracts SMT-Friendly Formalization of the Solidity Memory Model 2. 3 •Store data (blockchain) and execute](https://reader030.vdocuments.site/reader030/viewer/2022041117/5f2cf4f75f0c894d5677eda6/html5/thumbnails/16.jpg)
16
Assignments Between Data Locations
SMT-Friendly Formalization of the Solidity Memory Model
• Ensured by construction
• Ensured by pack/unpack
• Need manual copying– Requires quantifiers in the general case
LHS/RHS Storage Memory Storage ptr.
Storage Deep copy Deep copy Deep copy
Memory Deep copy Pointer assign Deep copy
Storage ptr. Pointer assign Error Pointer assign
![Page 17: SMT-Friendly Formalization of the Solidity Memory Model · Solidity Smart Contracts SMT-Friendly Formalization of the Solidity Memory Model 2. 3 •Store data (blockchain) and execute](https://reader030.vdocuments.site/reader030/viewer/2022041117/5f2cf4f75f0c894d5677eda6/html5/thumbnails/17.jpg)
17
Details in the Paper
SMT-Friendly Formalization of the Solidity Memory Model
arxiv.org/abs/2001.03256
![Page 18: SMT-Friendly Formalization of the Solidity Memory Model · Solidity Smart Contracts SMT-Friendly Formalization of the Solidity Memory Model 2. 3 •Store data (blockchain) and execute](https://reader030.vdocuments.site/reader030/viewer/2022041117/5f2cf4f75f0c894d5677eda6/html5/thumbnails/18.jpg)
Evaluation
18SMT-Friendly Formalization of the Solidity Memory Model
![Page 19: SMT-Friendly Formalization of the Solidity Memory Model · Solidity Smart Contracts SMT-Friendly Formalization of the Solidity Memory Model 2. 3 •Store data (blockchain) and execute](https://reader030.vdocuments.site/reader030/viewer/2022041117/5f2cf4f75f0c894d5677eda6/html5/thumbnails/19.jpg)
19
• solc-verify (our tool) github.com/SRI-CSL/solidity– Modular verifier based on Boogie/SMT and the presented encoding
• Mythril github.com/ConsenSys/mythril– Symbolic execution engine running over bytecode
• VeriSol github.com/microsoft/verisol– Modular/BMC tool based on Boogie/SMT
– Heap-based modeling of memory and storage
• SMTchecker github.com/ethereum/solidity– SMT-based intra-function analyzer built into the compiler
Compared Tools
SMT-Friendly Formalization of the Solidity Memory Model
![Page 20: SMT-Friendly Formalization of the Solidity Memory Model · Solidity Smart Contracts SMT-Friendly Formalization of the Solidity Memory Model 2. 3 •Store data (blockchain) and execute](https://reader030.vdocuments.site/reader030/viewer/2022041117/5f2cf4f75f0c894d5677eda6/html5/thumbnails/20.jpg)
20
• „Real world” contracts: limited for evaluating memory semantics– Many old versions, new features are rare
– Many toy examples, overrepresented categories
– Complex contracts depend on other features
• Manually developed tests– 325 test cases organized into categories
– Assign, delete, init, storage, storage pointer
– Exercise a specific feature, check resultwith assertion
Tests
SMT-Friendly Formalization of the Solidity Memory Model
contract InitMemoryArrayFixedSize {function test() public pure {int[2] memory a;assert(a.length == 2);assert(a[0] == 0);assert(a[1] == 0);}
}
github.com/dddejan/solidity-semantics-tests
![Page 21: SMT-Friendly Formalization of the Solidity Memory Model · Solidity Smart Contracts SMT-Friendly Formalization of the Solidity Memory Model 2. 3 •Store data (blockchain) and execute](https://reader030.vdocuments.site/reader030/viewer/2022041117/5f2cf4f75f0c894d5677eda6/html5/thumbnails/21.jpg)
21
• Bytecode level is precise
• solc-verify comes close– We have some unimplemented features
Results
SMT-Friendly Formalization of the Solidity Memory Model
0 20 40 60 80 100
myth
verisol
smt-checker
solc-verify
0 2 4 6 8 10 12 14
myth
verisol
smt-checker
solc-verify
0 5 10 15
myth
verisol
smt-checker
solc-verify
0 5 10 15 20 25
myth
verisol
smt-checker
solc-verify
0 50 100 150
myth
verisol
smt-checker
solc-verify
assign
delete
init
storage
storageptr
Mythril bug report: github.com/ConsenSys/mythril/issues/1282
![Page 22: SMT-Friendly Formalization of the Solidity Memory Model · Solidity Smart Contracts SMT-Friendly Formalization of the Solidity Memory Model 2. 3 •Store data (blockchain) and execute](https://reader030.vdocuments.site/reader030/viewer/2022041117/5f2cf4f75f0c894d5677eda6/html5/thumbnails/22.jpg)
22
• Low computational cost for solc-verify
Results
SMT-Friendly Formalization of the Solidity Memory Model
1,00
10,00
100,00
1000,00
assigment delete init storage storageptr
Exe
cuti
on
tim
e (
s)
solc-verify smt-checker verisol myth
![Page 23: SMT-Friendly Formalization of the Solidity Memory Model · Solidity Smart Contracts SMT-Friendly Formalization of the Solidity Memory Model 2. 3 •Store data (blockchain) and execute](https://reader030.vdocuments.site/reader030/viewer/2022041117/5f2cf4f75f0c894d5677eda6/html5/thumbnails/23.jpg)
Summary
23SMT-Friendly Formalization of the Solidity Memory Model
![Page 24: SMT-Friendly Formalization of the Solidity Memory Model · Solidity Smart Contracts SMT-Friendly Formalization of the Solidity Memory Model 2. 3 •Store data (blockchain) and execute](https://reader030.vdocuments.site/reader030/viewer/2022041117/5f2cf4f75f0c894d5677eda6/html5/thumbnails/24.jpg)
24
• SMT-friendly formalization of the Solidity memory model
– Memory: standard heap
– Storage: values
– Local storage pointers: encode path
• Implementation– solc-verify: modular verifier
– Extensive set of test cases
– On par with bytecode-level tools,at low computational cost
Summary
SMT-Friendly Formalization of the Solidity Memory Model
TST
S
T
ST
T
assigment delete init storage storageptr
hajduakos.github.iocsl.sri.com/users/dejan
arxiv.org/abs/2001.03256github.com/SRI-CSL/solidity