trusted bulletin-board emulation - korea...
TRANSCRIPT
![Page 1: Trusted bulletin-board emulation - Korea Universityprl.korea.ac.kr/~pronto/home/courses/aaa528/2018/misc/... · 2020-01-30 · Ethereum (7/2015 —6/2017) Blockchain Contracts Executions](https://reader034.vdocument.in/reader034/viewer/2022050607/5fadfdd180e064053e3cfcbe/html5/thumbnails/1.jpg)
Trusted bulletin-board emulation
Main difficulty: Some parties can cheat.
Classical result: simulation is possible if the “majority is honest”.
For example for 5 players we can tolerate at most 2 “cheaters”.
the “ideal” world a protocol that emulates the ideal world
Stefan
Dziembowski
![Page 2: Trusted bulletin-board emulation - Korea Universityprl.korea.ac.kr/~pronto/home/courses/aaa528/2018/misc/... · 2020-01-30 · Ethereum (7/2015 —6/2017) Blockchain Contracts Executions](https://reader034.vdocument.in/reader034/viewer/2022050607/5fadfdd180e064053e3cfcbe/html5/thumbnails/2.jpg)
Formally Verifying Smart Contracts
Mooly Sagiv
Tel Aviv University
![Page 3: Trusted bulletin-board emulation - Korea Universityprl.korea.ac.kr/~pronto/home/courses/aaa528/2018/misc/... · 2020-01-30 · Ethereum (7/2015 —6/2017) Blockchain Contracts Executions](https://reader034.vdocument.in/reader034/viewer/2022050607/5fadfdd180e064053e3cfcbe/html5/thumbnails/3.jpg)
And also…
Shelly GrossmanIttai Abraham
Guy Golan-GuetaNoam Rinetzky
David Dill
Yoni Zohar
Shachar Itzhaky Yan Michalevsky
![Page 4: Trusted bulletin-board emulation - Korea Universityprl.korea.ac.kr/~pronto/home/courses/aaa528/2018/misc/... · 2020-01-30 · Ethereum (7/2015 —6/2017) Blockchain Contracts Executions](https://reader034.vdocument.in/reader034/viewer/2022050607/5fadfdd180e064053e3cfcbe/html5/thumbnails/4.jpg)
Smart Contracts
•Transactions in bitcoin are limited– Transfer ‘X’ bitcoins from ‘Y’ to ‘Z’
•More powerful transactions–Exchange–Auction–Games–Bets–Legal agreements
•Solution–Store smart contracts on the blockchain–Computer programs implement transactions–Immutability guarantees persistence
![Page 5: Trusted bulletin-board emulation - Korea Universityprl.korea.ac.kr/~pronto/home/courses/aaa528/2018/misc/... · 2020-01-30 · Ethereum (7/2015 —6/2017) Blockchain Contracts Executions](https://reader034.vdocument.in/reader034/viewer/2022050607/5fadfdd180e064053e3cfcbe/html5/thumbnails/5.jpg)
Massive Losses due to Bugs
THE PROBLEM
![Page 6: Trusted bulletin-board emulation - Korea Universityprl.korea.ac.kr/~pronto/home/courses/aaa528/2018/misc/... · 2020-01-30 · Ethereum (7/2015 —6/2017) Blockchain Contracts Executions](https://reader034.vdocument.in/reader034/viewer/2022050607/5fadfdd180e064053e3cfcbe/html5/thumbnails/6.jpg)
CURRENT SOLUTIONS
Testing
AuditingManual
Costly
Incomplete
![Page 7: Trusted bulletin-board emulation - Korea Universityprl.korea.ac.kr/~pronto/home/courses/aaa528/2018/misc/... · 2020-01-30 · Ethereum (7/2015 —6/2017) Blockchain Contracts Executions](https://reader034.vdocument.in/reader034/viewer/2022050607/5fadfdd180e064053e3cfcbe/html5/thumbnails/7.jpg)
AUDITING IS INSUFFICIENT
From “A Postmortem on the Parity Multi-Sig
Library Self-Destruct”:
… multi-sig wallet code was created and audited by the
Ethereum Foundation’s DEV team, Parity technology and
others in the community
![Page 8: Trusted bulletin-board emulation - Korea Universityprl.korea.ac.kr/~pronto/home/courses/aaa528/2018/misc/... · 2020-01-30 · Ethereum (7/2015 —6/2017) Blockchain Contracts Executions](https://reader034.vdocument.in/reader034/viewer/2022050607/5fadfdd180e064053e3cfcbe/html5/thumbnails/8.jpg)
Automatic software verification
Desired Property
Solver
Is there a behavior
of P that violates ?
Counterexample Proof
Program P
Y N
![Page 9: Trusted bulletin-board emulation - Korea Universityprl.korea.ac.kr/~pronto/home/courses/aaa528/2018/misc/... · 2020-01-30 · Ethereum (7/2015 —6/2017) Blockchain Contracts Executions](https://reader034.vdocument.in/reader034/viewer/2022050607/5fadfdd180e064053e3cfcbe/html5/thumbnails/9.jpg)
SafetyProperty
VerificationIs there a behavior
of P that violates ?
Counterexample Proof
Program P
Disillusionment in program verification 80’s
[POPL’78, CACM’79] R.A. DeMillo, R.J. Lipton, A. J. Perlis:Social Processes and Proofs of Theorems and Programs
Rice’s Theorem
I can’t decide!
Unknown
![Page 10: Trusted bulletin-board emulation - Korea Universityprl.korea.ac.kr/~pronto/home/courses/aaa528/2018/misc/... · 2020-01-30 · Ethereum (7/2015 —6/2017) Blockchain Contracts Executions](https://reader034.vdocument.in/reader034/viewer/2022050607/5fadfdd180e064053e3cfcbe/html5/thumbnails/10.jpg)
Challenges in program verification
• Specifying program behavior
• Complexity of program verification
–The halting problem
–Rice theorem
–The ability of simple programs to represent complex behaviors
• Complexity of realistic systems
–Huge code
–Heterogeneous code
–Missing code
![Page 11: Trusted bulletin-board emulation - Korea Universityprl.korea.ac.kr/~pronto/home/courses/aaa528/2018/misc/... · 2020-01-30 · Ethereum (7/2015 —6/2017) Blockchain Contracts Executions](https://reader034.vdocument.in/reader034/viewer/2022050607/5fadfdd180e064053e3cfcbe/html5/thumbnails/11.jpg)
The SAT Problem
• Given a propositional formula (Boolean function)
– = (a b) ( a b c)
• Determine if is satisfiable
–Find a satisfying assignment or report that such does not exist
• For n variables, there are 2n possible truth assignments to be checked• Tools exist: Z3, Yices, CVC, …
a
b b
c c c c
0
0 0
00 001
1 1
1 1 1
1
![Page 12: Trusted bulletin-board emulation - Korea Universityprl.korea.ac.kr/~pronto/home/courses/aaa528/2018/misc/... · 2020-01-30 · Ethereum (7/2015 —6/2017) Blockchain Contracts Executions](https://reader034.vdocument.in/reader034/viewer/2022050607/5fadfdd180e064053e3cfcbe/html5/thumbnails/12.jpg)
Verification by reductions to SAT
Desired Property
Counterexample Proof
Program P
Front-End
Formula
P
SAT Solver
![Page 13: Trusted bulletin-board emulation - Korea Universityprl.korea.ac.kr/~pronto/home/courses/aaa528/2018/misc/... · 2020-01-30 · Ethereum (7/2015 —6/2017) Blockchain Contracts Executions](https://reader034.vdocument.in/reader034/viewer/2022050607/5fadfdd180e064053e3cfcbe/html5/thumbnails/13.jpg)
Verification by reduction to SAT
a
x:=1x:=0
b
y:=1y:=0
0 1
1
assert x==y
SAT Query:((a x)(a x))
((b y)(b y))
((x y) (x y)?
SAT Answer:Satisfiable by a=0, b = 1
0
![Page 14: Trusted bulletin-board emulation - Korea Universityprl.korea.ac.kr/~pronto/home/courses/aaa528/2018/misc/... · 2020-01-30 · Ethereum (7/2015 —6/2017) Blockchain Contracts Executions](https://reader034.vdocument.in/reader034/viewer/2022050607/5fadfdd180e064053e3cfcbe/html5/thumbnails/14.jpg)
Verification by reduction to SAT
a
x:=1;b:=1x:=0;b:=0
b
y:=1y:=0
0 1
1
assert x==y
0
SAT Query:((a x b)(a x b))
((b y)(b y))
((x y) (x y)?
SAT Answer:Unsatisfiable
![Page 15: Trusted bulletin-board emulation - Korea Universityprl.korea.ac.kr/~pronto/home/courses/aaa528/2018/misc/... · 2020-01-30 · Ethereum (7/2015 —6/2017) Blockchain Contracts Executions](https://reader034.vdocument.in/reader034/viewer/2022050607/5fadfdd180e064053e3cfcbe/html5/thumbnails/15.jpg)
The SMT(Sat Modulo Theory) Problem
• Given a ground first order formula over theories(Boolean function) • = x, y: 2x + y 5 y < 3
• Determine if is satisfiable• Find a satisfying assignment or report that such does not exist
• Satisfiability becomes harder
• But tools exist: Yices, Z3, CVC, …
![Page 16: Trusted bulletin-board emulation - Korea Universityprl.korea.ac.kr/~pronto/home/courses/aaa528/2018/misc/... · 2020-01-30 · Ethereum (7/2015 —6/2017) Blockchain Contracts Executions](https://reader034.vdocument.in/reader034/viewer/2022050607/5fadfdd180e064053e3cfcbe/html5/thumbnails/16.jpg)
Verification by reductions to SMT
Desired Property
Counterexample Proof
Program P
Front-End
Formula
P
SMT Solver
![Page 17: Trusted bulletin-board emulation - Korea Universityprl.korea.ac.kr/~pronto/home/courses/aaa528/2018/misc/... · 2020-01-30 · Ethereum (7/2015 —6/2017) Blockchain Contracts Executions](https://reader034.vdocument.in/reader034/viewer/2022050607/5fadfdd180e064053e3cfcbe/html5/thumbnails/17.jpg)
Simple Example Token (buggy)
balance[to]=balance[to]-fee
balance[to]>=amount?
balance[to]=balance[to]-amount
balance[from]=balance[from]+amount
x. (xto x from) b’[x]=b[x] b[to] amount+fee (b’[to]=b[to]-amount-fee b’[from]=b[from]+amount)
b[to]<amount+fee (b’[to]=b[to] b’[from]=b[from])
SMT Answer:Satisfiable by balance[to]=10,fee=5,amount=6balance[from]=100
assert
T
F
![Page 18: Trusted bulletin-board emulation - Korea Universityprl.korea.ac.kr/~pronto/home/courses/aaa528/2018/misc/... · 2020-01-30 · Ethereum (7/2015 —6/2017) Blockchain Contracts Executions](https://reader034.vdocument.in/reader034/viewer/2022050607/5fadfdd180e064053e3cfcbe/html5/thumbnails/18.jpg)
Simple Example Token (corrected)
18
balance[to]amount+fee?
balance[to]=balance[to]-amount-fee
balance[from]=balance[from]+amount
SAT Answer:Unsatisfiable
assert x. (xto x from) b’[x]=b[x] b[to] amount+fee (b’[to]=b[to]-amount-fee b’[from]=b[from]+amount)
b[to]<amount+fee (b’[to]=b[to] b’[from]=b[from])
assert
T
F
![Page 19: Trusted bulletin-board emulation - Korea Universityprl.korea.ac.kr/~pronto/home/courses/aaa528/2018/misc/... · 2020-01-30 · Ethereum (7/2015 —6/2017) Blockchain Contracts Executions](https://reader034.vdocument.in/reader034/viewer/2022050607/5fadfdd180e064053e3cfcbe/html5/thumbnails/19.jpg)
More interesting contracts
• Unbounded participants
• Complicated specifications• Higher order reasoning
• Need to handle loops
19
![Page 20: Trusted bulletin-board emulation - Korea Universityprl.korea.ac.kr/~pronto/home/courses/aaa528/2018/misc/... · 2020-01-30 · Ethereum (7/2015 —6/2017) Blockchain Contracts Executions](https://reader034.vdocument.in/reader034/viewer/2022050607/5fadfdd180e064053e3cfcbe/html5/thumbnails/20.jpg)
Minting Tokens - buggy
20
totalSupply=totalSupply+amount
SAT Answer:Satisfiable bybalance=10,totalSupply=10,amount=5
assertbalance’=totalSupply’ totalSupply’=totalSupply+amount
assert
balance=totalSupply?F
T
![Page 21: Trusted bulletin-board emulation - Korea Universityprl.korea.ac.kr/~pronto/home/courses/aaa528/2018/misc/... · 2020-01-30 · Ethereum (7/2015 —6/2017) Blockchain Contracts Executions](https://reader034.vdocument.in/reader034/viewer/2022050607/5fadfdd180e064053e3cfcbe/html5/thumbnails/21.jpg)
Minting Tokens - corrected
21
totalSupply=totalSupply+amount
SAT Answer:Unsatisfiable
assertbalance’=totalSupply’ totalSupply’=totalSupply+amount
assert
balance=totalSupply?
balance[bank]=balance[bank]+amount
T
F
![Page 22: Trusted bulletin-board emulation - Korea Universityprl.korea.ac.kr/~pronto/home/courses/aaa528/2018/misc/... · 2020-01-30 · Ethereum (7/2015 —6/2017) Blockchain Contracts Executions](https://reader034.vdocument.in/reader034/viewer/2022050607/5fadfdd180e064053e3cfcbe/html5/thumbnails/22.jpg)
Challenge: Handling Loops
• Bounded loop instantiation• CBMC
• Scaling
• User specified loop invariants• Powerful
• But requires careful insights
• Automatic loop invariants inference• Ultimately limited
• Even when checking is possible
• Limited loops
28
![Page 23: Trusted bulletin-board emulation - Korea Universityprl.korea.ac.kr/~pronto/home/courses/aaa528/2018/misc/... · 2020-01-30 · Ethereum (7/2015 —6/2017) Blockchain Contracts Executions](https://reader034.vdocument.in/reader034/viewer/2022050607/5fadfdd180e064053e3cfcbe/html5/thumbnails/23.jpg)
Summary thus far
• Program verification is powerful
• But hard to apply to complicated systems
• Modularity helps
29
![Page 24: Trusted bulletin-board emulation - Korea Universityprl.korea.ac.kr/~pronto/home/courses/aaa528/2018/misc/... · 2020-01-30 · Ethereum (7/2015 —6/2017) Blockchain Contracts Executions](https://reader034.vdocument.in/reader034/viewer/2022050607/5fadfdd180e064053e3cfcbe/html5/thumbnails/24.jpg)
Runtime Monitoring
• Enforce correctness at runtime
• Especially useful with generic required properties
• Java properties• No out of bound array accesses
• No null dereferences
• ….
• Can we do the same for contracts?
30
![Page 25: Trusted bulletin-board emulation - Korea Universityprl.korea.ac.kr/~pronto/home/courses/aaa528/2018/misc/... · 2020-01-30 · Ethereum (7/2015 —6/2017) Blockchain Contracts Executions](https://reader034.vdocument.in/reader034/viewer/2022050607/5fadfdd180e064053e3cfcbe/html5/thumbnails/25.jpg)
MOTIVATION: EXISTING VM
Ledger:
Beneficiary Money
Alice 2100
Bob 400
…
Blockchain
DAO State:
Balance=2600
Beneficiary Money
Alice 2000
Bob 500
Thief 100
DAO
Withdraw(100$)VM
DAO State:
Balance=0
Beneficiary Money
Alice 2000
Bob 500
Thief 0
![Page 26: Trusted bulletin-board emulation - Korea Universityprl.korea.ac.kr/~pronto/home/courses/aaa528/2018/misc/... · 2020-01-30 · Ethereum (7/2015 —6/2017) Blockchain Contracts Executions](https://reader034.vdocument.in/reader034/viewer/2022050607/5fadfdd180e064053e3cfcbe/html5/thumbnails/26.jpg)
Quality VM
Ledger:
Beneficiary Money
Alice 2100
Bob 400
…
DAO State:
Balance=2600
Beneficiary Money
Alice 2000
Bob 500
Thief 100
DAO
Withdraw(100$)QVM
Rule violation
Rules
Blockchain
![Page 27: Trusted bulletin-board emulation - Korea Universityprl.korea.ac.kr/~pronto/home/courses/aaa528/2018/misc/... · 2020-01-30 · Ethereum (7/2015 —6/2017) Blockchain Contracts Executions](https://reader034.vdocument.in/reader034/viewer/2022050607/5fadfdd180e064053e3cfcbe/html5/thumbnails/27.jpg)
Some Generic Correctness Rules
• Effectively Callback Free (ECF) transactions– Eliminate the DAO bug
• Immutable Ownership–Parity #1
• Prevent Bad upgrades –Monitor code changes and signed whitelists
–Parity #2
• A flexible framework for arbitrary rules
![Page 28: Trusted bulletin-board emulation - Korea Universityprl.korea.ac.kr/~pronto/home/courses/aaa528/2018/misc/... · 2020-01-30 · Ethereum (7/2015 —6/2017) Blockchain Contracts Executions](https://reader034.vdocument.in/reader034/viewer/2022050607/5fadfdd180e064053e3cfcbe/html5/thumbnails/28.jpg)
Effective Callback Freedom – the DAO bug
DAO::withdraw(to) {if b[to] > 0 {sendMoney(to, b[to]); b[to] = 0; }}
Thief::uponTransfer(a) {DAO::withdraw(Thief)}
b[Thief]=100coins[Thief]=205
![Page 29: Trusted bulletin-board emulation - Korea Universityprl.korea.ac.kr/~pronto/home/courses/aaa528/2018/misc/... · 2020-01-30 · Ethereum (7/2015 —6/2017) Blockchain Contracts Executions](https://reader034.vdocument.in/reader034/viewer/2022050607/5fadfdd180e064053e3cfcbe/html5/thumbnails/29.jpg)
EFFECTIVE CALLBACK FREEDOM (ECF)
Withdraw start
b > 0
Call
sendMoney
Return from
sendMoney
Withdraw end
sendMoney start
Call Withdraw
Return from
Withdraw
sendMoney end
For every path there is a path without callbacks with same effect
b = 0f
t
…
…
$100$0 $5$105
![Page 30: Trusted bulletin-board emulation - Korea Universityprl.korea.ac.kr/~pronto/home/courses/aaa528/2018/misc/... · 2020-01-30 · Ethereum (7/2015 —6/2017) Blockchain Contracts Executions](https://reader034.vdocument.in/reader034/viewer/2022050607/5fadfdd180e064053e3cfcbe/html5/thumbnails/30.jpg)
f
GIST OF DAO ATTACK
Withdraw start
b > 0
Call
sendMoney
Return from
sendMoney
Withdraw end
sendMoney start
Call Withdraw
Return from
Withdraw
sendMoney end
For every path there is a path without callbacks with same effect
t
…
…b = 0
$100 $5$105$205
![Page 31: Trusted bulletin-board emulation - Korea Universityprl.korea.ac.kr/~pronto/home/courses/aaa528/2018/misc/... · 2020-01-30 · Ethereum (7/2015 —6/2017) Blockchain Contracts Executions](https://reader034.vdocument.in/reader034/viewer/2022050607/5fadfdd180e064053e3cfcbe/html5/thumbnails/31.jpg)
Ethereum (7/2015 — 6/2017)
Blockchain Contracts Executions Non-ECF (%)
Ethereum 342K 96M 3,321 (0.003%)
Ethereum Classic 91K 32M 2,288 (0.007%)
Each Non-ECF is an actual attack (0% False positive)
Miniscule performance overhead*
Could have prevented the DAO bug without human intervention!
Empirical Results (POPL’18)
*3.38% in time executing EVM alone – drops further in real settings
![Page 32: Trusted bulletin-board emulation - Korea Universityprl.korea.ac.kr/~pronto/home/courses/aaa528/2018/misc/... · 2020-01-30 · Ethereum (7/2015 —6/2017) Blockchain Contracts Executions](https://reader034.vdocument.in/reader034/viewer/2022050607/5fadfdd180e064053e3cfcbe/html5/thumbnails/32.jpg)
Contract Verification != Software Verification
• Relatively small number of generic required properties are needed
• Not per-contract
• Restricted domain
– Small contracts
– Modularity due to ECF
• Feasibility of defensive checking
THE THREE ENABLERS
![Page 33: Trusted bulletin-board emulation - Korea Universityprl.korea.ac.kr/~pronto/home/courses/aaa528/2018/misc/... · 2020-01-30 · Ethereum (7/2015 —6/2017) Blockchain Contracts Executions](https://reader034.vdocument.in/reader034/viewer/2022050607/5fadfdd180e064053e3cfcbe/html5/thumbnails/33.jpg)
Complementary Approaches
• Concolic execution
• Restricted programs
•
![Page 34: Trusted bulletin-board emulation - Korea Universityprl.korea.ac.kr/~pronto/home/courses/aaa528/2018/misc/... · 2020-01-30 · Ethereum (7/2015 —6/2017) Blockchain Contracts Executions](https://reader034.vdocument.in/reader034/viewer/2022050607/5fadfdd180e064053e3cfcbe/html5/thumbnails/34.jpg)
Summary
• Virtualization is powerful
• Program verification is powerful
• Program verification is expensive
• Few Success stories
–Hardware Verification
–Operating System
–Device drivers
–Packet Filters
–Distributed protocols
• Contract verification
• Higher order programming reduces errors and enables verification