christoftorres/ConFuzzius

GitHub: christoftorres/ConFuzzius

A data dependency-aware hybrid fuzzer for Ethereum smart contracts that combines symbolic execution with constraint solving to find contract security vulnerabilities efficiently.

Stars: 102 | Forks: 30

# ConFuzzius

A data dependency-aware hybrid fuzzer for Ethereum smart contracts. Our paper can be found [here](https://arxiv.org/pdf/2005.12156.pdf).

## Quick Start

A container with all the dependencies configured can be found [here](https://hub.docker.com/r/christoftorres/confuzzius/).

To open the container, install docker and run:

```
docker pull christoftorres/confuzzius && docker run -i -t christoftorres/confuzzius
```

To evaluate a simple contract inside the container, run:

```
python3 fuzzer/main.py -s examples/TokenSale/contracts/TokenSale.sol -c TokenSale --solc v0.4.26 --evm byzantium -t 10
```

That's it!

## Custom Docker image build

```
docker build -t confuzzius .
docker run -it confuzzius:latest
```

## Installation Instructions

### 1. Install Dependencies

#### 1.1 Solidity Compiler

```
sudo add-apt-repository ppa:ethereum/ethereum
sudo apt-get update
sudo apt-get install solc
```

#### 1.2 Z3 Prover

Download the [source code of version z3-4.8.5](https://github.com/Z3Prover/z3/releases/tag/Z3-4.8.5).

Install z3 with the Python bindings:

```
python scripts/mk_make.py --python
cd build
make
sudo make install
```

### 2. Install Fuzzer

```
cd fuzzer
pip install -r requirements.txt
```

## Running Instructions

```
     ______            ______                  _
    / ____/___  ____  / ____/_  __________ (_)_  _______
   / /   / __ \/ __ \/ /_  / / / /_  /_  / / / / / / ___/
  / /___/ /_/ / / / / __/ / /_/ / / /_/ /_/ / /_/ (__  )
  \____/\____/_/ /_/_/    \__,_/ /___/___/_/\__,_/____/

usage: main.py [-h] (-s SOURCE | -a ABI) [-c CONTRACT] [-b BLOCKCHAIN_STATE]
               [--solc SOLC_VERSION] [--evm EVM_VERSION]
               [-g GENERATIONS | -t GLOBAL_TIMEOUT] [-n POPULATION_SIZE]
               [-pc PROBABILITY_CROSSOVER] [-pm PROBABILITY_MUTATION]
               [-r RESULTS] [--seed SEED] [--cfg] [--rpc-host RPC_HOST]
               [--rpc-port RPC_PORT] [--data-dependency DATA_DEPENDENCY]
               [--constraint-solving CONSTRAINT_SOLVING]
               [--environmental-instrumentation ENVIRONMENTAL_INSTRUMENTATION]
               [--max-individual-length MAX_INDIVIDUAL_LENGTH]
               [--max-symbolic-execution MAX_SYMBOLIC_EXECUTION] [-v]

optional arguments:
  -h, --help            show this help message and exit
  -s SOURCE, --source SOURCE
                        Solidity smart contract source code file (.sol).
  -a ABI, --abi ABI     Smart contract ABI file (.json).
  -c CONTRACT, --contract CONTRACT
                        Contract name to be fuzzed (if Solidity source code
                        file provided) or blockchain contract address (if ABI
                        file provided).
  -b BLOCKCHAIN_STATE, --blockchain-state BLOCKCHAIN_STATE
                        Initialize fuzzer with a blockchain state by providing
                        a JSON file (if Solidity source code file provided) or
                        a block number (if ABI file provided).
  --solc SOLC_VERSION   Solidity compiler version (default '0.6.12').
                        Installed compiler versions: [Version('0.6.12'),
                        Version('0.4.26'), Version('0.4.25')].
  --evm EVM_VERSION     Ethereum VM (default 'petersburg'). Available VM's:
                        'homestead', 'byzantium' or 'petersburg'.
  -g GENERATIONS, --generations GENERATIONS
                        Number of generations (default 10).
  -t GLOBAL_TIMEOUT, --timeout GLOBAL_TIMEOUT
                        Number of seconds for fuzzer to stop.
  -n POPULATION_SIZE, --population-size POPULATION_SIZE
                        Size of the population.
  -pc PROBABILITY_CROSSOVER, --probability-crossover PROBABILITY_CROSSOVER
                        Size of the population.
  -pm PROBABILITY_MUTATION, --probability-mutation PROBABILITY_MUTATION
                        Size of the population.
  -r RESULTS, --results RESULTS
                        Folder or JSON file where results should be stored.
  --seed SEED           Initialize the random number generator with a given
                        seed.
  --cfg                 Build control-flow graph and highlight code coverage.
  --rpc-host RPC_HOST   Ethereum client RPC hostname.
  --rpc-port RPC_PORT   Ethereum client RPC port.
  --data-dependency DATA_DEPENDENCY
                        Disable/Enable data dependency analysis: 0 - Disable,
                        1 - Enable (default: 1)
  --constraint-solving CONSTRAINT_SOLVING
                        Disable/Enable constraint solving: 0 - Disable, 1 -
                        Enable (default: 1)
  --environmental-instrumentation ENVIRONMENTAL_INSTRUMENTATION
                        Disable/Enable environmental instrumentation: 0 -
                        Disable, 1 - Enable (default: 1)
  --max-individual-length MAX_INDIVIDUAL_LENGTH
                        Maximal length of an individual (default: 5)
  --max-symbolic-execution MAX_SYMBOLIC_EXECUTION
                        Maximum number of symbolic execution calls before
                        restting population (default: 10)
  -v, --version         show program's version number and exit
```

#### Local Fuzzing (off-chain)

```
python3 fuzzer/main.py -s examples/RemiCoin/contracts/RemiCoin.sol -c RemiCoin --solc v0.4.26 --evm byzantium -g 20
```

#### Remote Fuzzing (on-chain)

```
python3 fuzzer/main.py -a examples/RemiCoin/abi.json -c 0x7dc4f41294697a7903c4027f6ac528c5d14cd7eb -b 5752250 --evm byzantium -g 20 --rpc-host --rpc-port
```
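The data-dependency analysis that the project description and the `--data-dependency` option refer to amounts, in outline, to learning which storage locations each contract function reads and writes, and using those read-after-write relations to order the transactions in a generated sequence. The Python model below is an added example written for this page, not code from ConFuzzius or its paper: it runs a constructed toy contract (the `Storage` class, the three functions, the `REACHED_SINK` marker and the slot names are all assumptions of the example) and compares purely random sequences against dependency-ordered ones. It deliberately leaves out the symbolic execution and Z3 constraint solving that make the real tool hybrid.

```python
"""Illustrative model of data-dependency-aware transaction sequence
generation (added example; not ConFuzzius's own code).

A toy in-memory "contract" reads and writes named storage slots through an
instrumented Storage object, so the fuzzer can learn which function writes
what another function reads and prepend the writers before the reader.
Every slot name, function and the sink marker below is constructed.
"""
import random
from collections import defaultdict


class Storage:
    """Contract storage with SLOAD/SSTORE-style read/write instrumentation."""

    def __init__(self):
        self.slots = defaultdict(int)  # unset slots read as 0, like the EVM
        self.reads = set()
        self.writes = set()

    def load(self, slot):
        self.reads.add(slot)
        return self.slots[slot]

    def store(self, slot, value):
        self.writes.add(slot)
        self.slots[slot] = value


# Constructed toy contract: every function takes (storage, sender, uint arg).
def set_owner(st, sender, arg):
    st.store("owner", sender)


def deposit(st, sender, arg):
    bal = st.load(("balance", sender))
    st.store(("balance", sender), bal + arg)


def withdraw_all(st, sender, arg):
    # Both loads happen unconditionally so profiling records every read slot.
    owner = st.load("owner")
    bal = st.load(("balance", sender))
    if owner == sender and bal > 0:
        st.store(("balance", sender), 0)
        return "REACHED_SINK"  # the guarded state the fuzzer wants to reach
    return None


FUNCTIONS = {"set_owner": set_owner, "deposit": deposit, "withdraw_all": withdraw_all}


def profile_dependencies(functions, sender="A"):
    """Execute each function once on fresh storage to record its read and
    write sets, then return reader -> {writers} read-after-write edges."""
    reads, writes = {}, {}
    for name, fn in functions.items():
        st = Storage()
        fn(st, sender, 1)
        reads[name], writes[name] = st.reads, st.writes
    deps = defaultdict(set)
    for writer, wslots in writes.items():
        for reader, rslots in reads.items():
            if writer != reader and wslots & rslots:
                deps[reader].add(writer)
    return dict(deps)


def generate_sequence(target, deps, max_len=5):
    """Prepend, transitively, the functions whose writes `target` reads, so the
    state `target` depends on is established before it executes."""
    seq, frontier = [target], [target]
    while frontier and len(seq) < max_len:
        fn = frontier.pop()
        for writer in sorted(deps.get(fn, ())):
            if writer not in seq and len(seq) < max_len:
                seq.insert(0, writer)
                frontier.append(writer)
    return seq


def run_sequence(seq, functions, sender="A", arg=1):
    """Replay a transaction sequence on fresh storage; True if the sink fires."""
    st = Storage()
    return any(functions[name](st, sender, arg) == "REACHED_SINK" for name in seq)


def fuzz(functions, deps, trials, seed, use_deps):
    """Count how many of `trials` generated sequences reach the sink."""
    rng = random.Random(seed)
    names = sorted(functions)
    hits = 0
    for _ in range(trials):
        if use_deps:
            seq = generate_sequence(rng.choice(names), deps)
        else:
            seq = [rng.choice(names) for _ in range(rng.randint(1, 5))]
        hits += run_sequence(seq, functions)
    return hits


if __name__ == "__main__":
    deps = profile_dependencies(FUNCTIONS)
    print("read-after-write dependencies:", deps)
    print("sequence derived for withdraw_all:", generate_sequence("withdraw_all", deps))
    for mode in (False, True):
        print("data-dependency" if mode else "random", "hits out of 300:",
              fuzz(FUNCTIONS, deps, trials=300, seed=1, use_deps=mode))
```

Running the block prints the learned edges (`withdraw_all` depends on both `set_owner` and `deposit`), the ordered sequence derived for `withdraw_all`, and how many of 300 generated sequences reach the guarded state with and without the dependency information. The gap between the two counts is the reason a data-dependency-aware generator is the default (`--data-dependency 1`): the sink in `withdraw_all` is only reachable when the owner slot and the balance slot have been written earlier in the same sequence, which a random generator has to stumble onto.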
Tags: ASN parsing, EuroS&P, EVM, pocsuite3, Solidity, Z3 solver, cloud security monitoring, code security, Ethereum, blockchain security, decentralized application security, data dependency, smart contracts, hybrid fuzzing, vulnerability enumeration, symbolic execution, request interception, software testing, reverse engineering tools, static analysis