Skip to content

Latest commit

 

History

History
executable file
·
128 lines (99 loc) · 5.21 KB

README.md

File metadata and controls

executable file
·
128 lines (99 loc) · 5.21 KB

ConFuzzius

A data dependency-aware hybrid fuzzer for Ethereum smart contracts. Our paper can be found here.

Quick Start

A container with the dependencies set up can be found here.

To open the container, install docker and run:

docker pull christoftorres/confuzzius && docker run -i -t christoftorres/confuzzius

To evaluate a simple contract inside the container, run:

python3 fuzzer/main.py -s examples/TokenSale/contracts/TokenSale.sol -c TokenSale --solc v0.4.26 --evm byzantium -t 10

and you are done!

Custom Docker image build

docker build -t confuzzius .
docker run -it confuzzius:latest

Installation Instructions

1. Install Requirements

1.1 Solidity Compiler

sudo add-apt-repository ppa:ethereum/ethereum
sudo apt-get update
sudo apt-get install solc

1.2 Z3 Prover

Download the source code of version z3-4.8.5

Install z3 using Python bindings

python scripts/mk_make.py --python
cd build
make
sudo make install

2. Install Fuzzer

cd fuzzer
pip install -r requirements.txt

Running Instructions

     ______            ______                _           
    / ____/___  ____  / ____/_  __________  (_)_  _______
   / /   / __ \/ __ \/ /_  / / / /_  /_  / / / / / / ___/
  / /___/ /_/ / / / / __/ / /_/ / / /_/ /_/ / /_/ (__  ) 
  \____/\____/_/ /_/_/    \__,_/ /___/___/_/\__,_/____/  

usage: main.py [-h] (-s SOURCE | -a ABI) [-c CONTRACT] [-b BLOCKCHAIN_STATE] [--solc SOLC_VERSION] [--evm EVM_VERSION] [-g GENERATIONS | -t GLOBAL_TIMEOUT] [-n POPULATION_SIZE] [-pc PROBABILITY_CROSSOVER] [-pm PROBABILITY_MUTATION]
               [-r RESULTS] [--seed SEED] [--cfg] [--rpc-host RPC_HOST] [--rpc-port RPC_PORT] [--data-dependency DATA_DEPENDENCY] [--constraint-solving CONSTRAINT_SOLVING] [--environmental-instrumentation ENVIRONMENTAL_INSTRUMENTATION]
               [--max-individual-length MAX_INDIVIDUAL_LENGTH] [--max-symbolic-execution MAX_SYMBOLIC_EXECUTION] [-v]

optional arguments:
  -h, --help            show this help message and exit
  -s SOURCE, --source SOURCE
                        Solidity smart contract source code file (.sol).
  -a ABI, --abi ABI     Smart contract ABI file (.json).
  -c CONTRACT, --contract CONTRACT
                        Contract name to be fuzzed (if Solidity source code file provided) or blockchain contract address (if ABI file provided).
  -b BLOCKCHAIN_STATE, --blockchain-state BLOCKCHAIN_STATE
                        Initialize fuzzer with a blockchain state by providing a JSON file (if Solidity source code file provided) or a block number (if ABI file provided).
  --solc SOLC_VERSION   Solidity compiler version (default '0.6.12'). Installed compiler versions: [Version('0.6.12'), Version('0.4.26'), Version('0.4.25')].
  --evm EVM_VERSION     Ethereum VM (default 'petersburg'). Available VM's: 'homestead', 'byzantium' or 'petersburg'.
  -g GENERATIONS, --generations GENERATIONS
                        Number of generations (default 10).
  -t GLOBAL_TIMEOUT, --timeout GLOBAL_TIMEOUT
                        Number of seconds for fuzzer to stop.
  -n POPULATION_SIZE, --population-size POPULATION_SIZE
                        Size of the population.
  -pc PROBABILITY_CROSSOVER, --probability-crossover PROBABILITY_CROSSOVER
                        Size of the population.
  -pm PROBABILITY_MUTATION, --probability-mutation PROBABILITY_MUTATION
                        Size of the population.
  -r RESULTS, --results RESULTS
                        Folder or JSON file where results should be stored.
  --seed SEED           Initialize the random number generator with a given seed.
  --cfg                 Build control-flow graph and highlight code coverage.
  --rpc-host RPC_HOST   Ethereum client RPC hostname.
  --rpc-port RPC_PORT   Ethereum client RPC port.
  --data-dependency DATA_DEPENDENCY
                        Disable/Enable data dependency analysis: 0 - Disable, 1 - Enable (default: 1)
  --constraint-solving CONSTRAINT_SOLVING
                        Disable/Enable constraint solving: 0 - Disable, 1 - Enable (default: 1)
  --environmental-instrumentation ENVIRONMENTAL_INSTRUMENTATION
                        Disable/Enable environmental instrumentation: 0 - Disable, 1 - Enable (default: 1)
  --max-individual-length MAX_INDIVIDUAL_LENGTH
                        Maximal length of an individual (default: 5)
  --max-symbolic-execution MAX_SYMBOLIC_EXECUTION
                        Maximum number of symbolic execution calls before restting population (default: 10)
  -v, --version         show program's version number and exit

Local Fuzzing (Off-Chain)

python3 fuzzer/main.py -s examples/RemiCoin/contracts/RemiCoin.sol -c RemiCoin --solc v0.4.26 --evm byzantium -g 20

Remote Fuzzing (On-Chain)

python3 fuzzer/main.py -a examples/RemiCoin/abi.json -c 0x7dc4f41294697a7903c4027f6ac528c5d14cd7eb -b 5752250 --evm byzantium -g 20 --rpc-host <RPC-HOST> --rpc-port <RPC-PORT>