Transcript of the slide deck "SMT-based Verification of Solidity Smart Contracts" (published 2018-11-09)

SMT-based Verification of Solidity Smart Contracts

Leonardo Alt, Christian Reitwiessner
ISoLA - Limassol, Cyprus - 2018-11-05

Christian Reitwiessner, Ethereum Foundation
@ethchris, github.com/chriseth, [email protected]
https://chriseth.github.io/notes/talks/smt_solidity_isola/
Existing Formal Verification Projects

- EVM Formal Semantics: Eth-Isabelle, K-EVM, Ethereum-Lem, ...
- EVM Bytecode Symbolic Execution: Oyente, Mythril, Mayan, Securify, ...
- Translation of Solidity to Verifiable Languages: Why3, F*, ZEUS, K-Solidity
- Our Approach: SMT-based Bounded Model Checker
Goals

- automatic verification as part of the compiler stack
- minimal effort by the programmer
  - no verification conditions
  - no additional tools to install
- automatic counterexamples
- practicality over completeness
- first and automatic helper; more thorough and sophisticated analysis based on EVM bytecode
Verification Targets

- arithmetic overflow / underflow
- division by zero
- trivial conditions / unreachable code
- assertions
Example: the checker reports an underflow in the unguarded transfer.

```solidity
pragma experimental SMTChecker;

contract Coin {
    mapping(address => uint) balances;
    // ...
    function transfer(address to, uint amount) public {
        // Error: Underflow for balances[msg.sender] = 0 and amount = 1
        balances[msg.sender] -= amount;
        balances[to] += amount;
    }
}
```

Adding a require for the sender balance removes the underflow, but the receiver side can still overflow.

```solidity
pragma experimental SMTChecker;

contract Coin {
    mapping(address => uint) balances;
    // ...
    function transfer(address to, uint amount) public {
        require(balances[msg.sender] >= amount);
        balances[msg.sender] -= amount;
        balances[to] += amount;
        // Error: overflow for balances[to] = 2**256-1 and amount = 1
    }
}
```

Bounding both balances below 2**200 makes both arithmetic targets provable.

```solidity
pragma experimental SMTChecker;

contract Coin {
    mapping(address => uint) balances;
    // ...
    function transfer(address to, uint amount) public {
        require(balances[msg.sender] >= amount);
        require(balances[to] < 2**200 && balances[msg.sender] < 2**200);
        balances[msg.sender] -= amount;
        balances[to] += amount;
    }
}
```

An assertion states the conservation property: the sum of the two balances is unchanged by the transfer.

```solidity
pragma experimental SMTChecker;

contract Coin {
    mapping(address => uint) balances;
    // ...
    function transfer(address to, uint amount) public {
        require(balances[msg.sender] >= amount);
        require(balances[to] < 2**200 && balances[msg.sender] < 2**200);
        uint sumPre = balances[msg.sender] + balances[to];
        balances[msg.sender] -= amount;
        balances[to] += amount;
        uint sumPost = balances[msg.sender] + balances[to];
        assert(sumPre == sumPost);
    }
}
```
How is it done?

- traverse AST in execution order
- introduce a variable for each expression and each new assignment
- collect constraints
- query the SMT solver for verification targets
Branch Conditions

- auxiliary stack that keeps track of the conditions for the current point in the control flow
- no constraint added to the SMT solver
Control Flow

- add b -> r, where b is the conjunction of the branch conditions and r is the condition in require(r) or assert(r)
Type Constraints

- local variables take the default value of their type (0 / false), while function parameters take the full range of their type (uint: 0 <= x < 2**256)
Variable Assignments

- encoding follows SSA form
- control-flow joins use an if-then-else function and the branch conditions to combine SSA values from different branches
Function Calls

- internal calls fully inlined (might need a heuristic at some point)
- external calls reset storage variables to "unknown"
Encoding example (built up one constraint per slide over slides 26 to 32):

```solidity
contract C {
    function f(uint256 a, uint256 b) public {
        if (a == 0)
            require(b <= 1);
        else if (a == 1)
            b = 2;
        else
            b = 3;
        assert(b <= 5);
    }
}
```

Constraints collected, in order:

a0 ≥ 0, a0 < 2^256, b0 ≥ 0, b0 < 2^256,
a0 = 0 -> b0 ≤ 1,
b1 = 2,
b2 = 3,
b3 = ite(a = 1, b1, b2),
b4 = ite(a = 0, b0, b3),
¬ b4 ≤ 5
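Added example, not part of the talk or of the Solidity compiler: a small Python encoder that reproduces the constraint generation sketched above for f (SSA versions per assignment, a branch-condition stack kept out of the solver, require(r) as branch -> r, ite at control-flow joins, and the negated assert as the query). The tuple AST format and the infix constraint strings are this example's own conventions; it writes a0 where the slide writes a inside ite, and it emits text for an SMT solver rather than calling one.

```python
import re
from typing import Dict, List

class SSAEncoder:
    """Sketch of the encoding from the talk: one SSA variable per assignment,
    a branch-condition stack that never reaches the solver, require(r) as
    'branch -> r', joins as ite(), and assert(r) as the query 'branch and not r'."""

    def __init__(self, params: List[str]):
        self.version: Dict[str, int] = {p: 0 for p in params}  # current SSA index
        self.next: Dict[str, int] = {p: 1 for p in params}     # next unused index
        self.branch: List[str] = []               # auxiliary stack of branch conditions
        self.constraints: List[str] = []
        self.queries: List[str] = []              # one per verification target
        for p in params:                          # parameters take the full type range
            self.constraints += [f"{p}0 >= 0", f"{p}0 < 2^256"]

    def cur(self, v: str) -> str:
        return f"{v}{self.version[v]}"

    def fresh(self, v: str) -> str:
        self.version[v], self.next[v] = self.next[v], self.next[v] + 1
        return self.cur(v)

    def subst(self, expr: str) -> str:
        """Rename program variables in expr to their current SSA names."""
        return re.sub(r"\b[A-Za-z_]\w*\b",
                      lambda m: self.cur(m[0]) if m[0] in self.version else m[0], expr)

    def guarded(self, r: str, op: str) -> str:
        return f"{' and '.join(self.branch)} {op} {r}" if self.branch else r

    def run(self, stmts) -> None:
        for s in stmts:
            if s[0] == "assign":                  # new SSA variable per assignment
                rhs = self.subst(s[2])            # rhs sees the old version
                self.constraints.append(f"{self.fresh(s[1])} = {rhs}")
            elif s[0] == "require":               # b -> r, b = conjunction of branch conds
                self.constraints.append(self.guarded(self.subst(s[1]), "->"))
            elif s[0] == "assert":                # target: is 'b and not r' satisfiable?
                self.queries.append(self.guarded(f"not ({self.subst(s[1])})", "and"))
            elif s[0] == "if":
                self.encode_if(self.subst(s[1]), s[2], s[3])

    def encode_if(self, cond: str, then, els) -> None:
        before = dict(self.version)
        self.branch.append(cond); self.run(then); self.branch.pop()
        after_then, self.version = dict(self.version), dict(before)
        self.branch.append(f"not ({cond})"); self.run(els); self.branch.pop()
        for v in before:                          # join differing SSA values with ite
            if after_then[v] != self.version[v]:
                t, e = f"{v}{after_then[v]}", self.cur(v)
                self.constraints.append(f"{self.fresh(v)} = ite({cond}, {t}, {e})")

def encode_slide_example() -> SSAEncoder:
    """The talk's f(uint256 a, uint256 b) as a constructed AST (conditions in constraint syntax)."""
    body = [("if", "a = 0", [("require", "b <= 1")],
             [("if", "a = 1", [("assign", "b", "2")], [("assign", "b", "3")])]),
            ("assert", "b <= 5")]
    enc = SSAEncoder(["a", "b"])
    enc.run(body)
    return enc
```

Printing `encode_slide_example().constraints` and `.queries` gives the nine constraints and the single query shown on the slides; a join where only one branch assigns (for example `if (x == 0) x = x + 1;`) yields `x2 = ite(x0 = 0, x1, x0)`.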
Future Plans

- automatic detection of loop bounds
- multi-transaction invariants
- auto-inferred post-constructor invariants
Auto-inferred post-constructor invariants

State variable a is initialized with a value of at most 100 and never re-assigned.

```solidity
contract C {
    uint256 a;

    constructor(uint256 x) public {
        require(x <= 100);
        a = x;
    }

    function f(uint256 y) public view returns (uint) {
        require(y <= 100);
        return a + y;
    }
}
```
Future Plans (2)

- modifiers as pre- and post-conditions plus function abstraction
- explicit contract-level invariant annotations
Future Plans (3)

- effective callback freeness (Grossman et al.)
- range restrictions for "real-life" values like number of transactions, amount of ether, gas, block.timestamp, ...
An advanced version might prove that there is no overflow in the following:

```solidity
contract Coin {
    mapping(address => uint) balances;

    function mint(address r, uint amount) public {
        require(amount < 2**100);
        balances[r] += amount;
    }

    function transfer(address to, uint amount) public {
        require(balances[msg.sender] >= amount);
        balances[msg.sender] -= amount;
        balances[to] += amount;
    }
}
```
Join the discussion!
[email protected], [email protected]
We are hiring and giving out research grants!
https://gitter.im/ethereum/solidity-dev