November 5, 2018 10:30 am - 12:00 pm EST
Title: Decompiling Ethereum Bytecode and Detecting Gas-Focused Vulnerabilities
Location: 142 ISEC, 805 Columbus Avenue, Boston MA, 02120
Host: Pete Manolios
The talk will present two related static analysis techniques on EVM bytecode: MadMax, which detects gas-focused vulnerabilities, and Gigahorse, which performs decompilation of EVM bytecode.
MadMax combines contract decompilation with declarative program-structure queries. The analysis captures high-level, domain-specific concepts (such as “dynamic data structure storage” and “safely resumable loops”) and achieves high precision and scalability. MadMax analyzes the entirety of smart contracts on the current Ethereum blockchain in just 10 hours (with decompilation timeouts in 8% of cases) and flags contracts whose current monetary value is in the billions of dollars. Manual inspection of a sample of flagged contracts shows that 81% of the sampled warnings do indeed correspond to vulnerabilities.
Gigahorse is a general-purpose decompiler for EVM bytecode, drastically improving over past approaches (including the decompilation techniques used in MadMax). Gigahorse turns EVM bytecode into a high-level 3-address code representation. The new intermediate representation of smart contracts makes implicit data- and control-flow dependencies of the EVM bytecode explicit. Gigahorse can decompile over 99.98% of deployed contracts and offers a full-featured toolchain for further analyses.
Key to both MadMax and Gigahorse is the use of a declarative, logic-based specification for the analysis.
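As an added illustration of the machinery the three paragraphs above describe (this is not code from Gigahorse or MadMax): the script below lifts one straight-line EVM basic block into 3-address code by running it over a symbolic stack, so the operands the stack machine leaves implicit become named variables and DUP/SWAP shuffling disappears; it then computes a transitive data-dependency relation the way a Datalog rule would and asks one MadMax-flavoured structural question, whether a conditional jump's condition depends on a storage load, which is the shape of a loop bounded by a storage array's length. The opcode subset, the `v<pc>` / `in<n>` naming, the query and the sample bytecode are constructed for this example; the real Gigahorse resolves jump targets and reconstructs the whole control-flow graph, and MadMax's rules are far more elaborate than this single query.

```python
"""Lift a straight-line EVM basic block to 3-address code and run a
Datalog-style data-flow query over it.  Added example, not Gigahorse/MadMax
code: opcode subset, naming scheme, query and sample bytecode are constructed."""

# opcode -> (mnemonic, stack inputs, stack outputs); PUSH/DUP/SWAP handled by range
OPCODES = {
    0x00: ("STOP", 0, 0), 0x01: ("ADD", 2, 1), 0x02: ("MUL", 2, 1), 0x03: ("SUB", 2, 1),
    0x10: ("LT", 2, 1), 0x11: ("GT", 2, 1), 0x14: ("EQ", 2, 1), 0x15: ("ISZERO", 1, 1),
    0x16: ("AND", 2, 1), 0x20: ("SHA3", 2, 1), 0x34: ("CALLVALUE", 0, 1),
    0x35: ("CALLDATALOAD", 1, 1), 0x51: ("MLOAD", 1, 1), 0x52: ("MSTORE", 2, 0),
    0x54: ("SLOAD", 1, 1), 0x55: ("SSTORE", 2, 0), 0x56: ("JUMP", 1, 0),
    0x57: ("JUMPI", 2, 0), 0x5b: ("JUMPDEST", 0, 0), 0xf3: ("RETURN", 2, 0),
    0xfd: ("REVERT", 2, 0),
}
BY_NAME = {name: (n_in, n_out) for name, n_in, n_out in OPCODES.values()}


def disassemble(code):
    """Yield (pc, mnemonic, immediate) for the supported opcode subset."""
    pc, out = 0, []
    while pc < len(code):
        op = code[pc]
        if 0x60 <= op <= 0x7f:                      # PUSH1..PUSH32
            n = op - 0x5f
            imm = int.from_bytes(code[pc + 1:pc + 1 + n].ljust(n, b"\0"), "big")
            out.append((pc, f"PUSH{n}", imm))
            pc += 1 + n
        elif 0x80 <= op <= 0x8f:                    # DUP1..DUP16
            out.append((pc, f"DUP{op - 0x7f}", None)); pc += 1
        elif 0x90 <= op <= 0x9f:                    # SWAP1..SWAP16
            out.append((pc, f"SWAP{op - 0x8f}", None)); pc += 1
        elif op in OPCODES:
            out.append((pc, OPCODES[op][0], None)); pc += 1
        else:
            raise ValueError(f"unsupported opcode {op:#04x} at pc {pc:#x}")
    return out


def lift(code):
    """Run the block once over a *symbolic* stack; each value is named after the
    pc that produced it.  Returns (tac, leftover_stack) where tac entries are
    (dest, op, args) with args[0] the former top of stack and dest None for
    statements that produce no value.  Values the block expects on entry from
    a predecessor block are named in0, in1, ..."""
    stack, tac, entry = [], [], []

    def pop():
        if stack:
            return stack.pop()
        name = f"in{len(entry)}"
        entry.append(name)
        return name

    for pc, name, imm in disassemble(code):
        if name.startswith("PUSH"):
            stack.append(f"{imm:#x}")
        elif name.startswith("DUP"):                # pure stack shuffling: no statement
            stack.append(stack[-int(name[3:])])
        elif name.startswith("SWAP"):
            n = int(name[4:])
            stack[-1], stack[-1 - n] = stack[-1 - n], stack[-1]
        else:
            n_in, n_out = BY_NAME[name]
            args = [pop() for _ in range(n_in)]
            dest = f"v{pc}" if n_out else None
            if dest:
                stack.append(dest)
            tac.append((dest, name, args))
    return tac, stack


def depends_on(tac):
    """Transitive data-flow relation as a fixpoint of two Datalog-style rules:
       dep(x, y) :- use(x, y).      dep(x, z) :- use(x, y), dep(y, z)."""
    dep = {(dest, a) for dest, _, args in tac if dest for a in args}
    while True:
        new = {(x, z) for (x, y) in dep for (y2, z) in dep if y == y2} - dep
        if not new:
            return dep
        dep |= new


def storage_dependent_jumps(tac):
    """Conditions of JUMPI statements that (transitively) depend on an SLOAD."""
    loads = {dest for dest, op, _ in tac if op == "SLOAD"}
    dep = depends_on(tac)
    return [args[1] for dest, op, args in tac if op == "JUMPI"
            and (args[1] in loads or any((args[1], l) in dep for l in loads))]


def format_tac(tac):
    return "\n".join(f"{d} = {op}({', '.join(a)})" if d else f"{op}({', '.join(a)})"
                     for d, op, a in tac)


# Constructed sample: head and body of a "for (i = 0; i < arr.length; i++)" loop
# with i kept in memory at 0x40 and the array length in storage slot 0.
LOOP = bytes.fromhex(
    "5b"      # 00 JUMPDEST
    "6040"    # 01 PUSH1 0x40
    "51"      # 03 MLOAD            i
    "80"      # 04 DUP1             i i
    "6000"    # 05 PUSH1 0x00
    "54"      # 07 SLOAD            len i i
    "90"      # 08 SWAP1            i len i
    "10"      # 09 LT               i<len i
    "15"      # 0a ISZERO           i>=len i
    "6030"    # 0b PUSH1 0x30
    "57"      # 0d JUMPI            i          exit when i >= len
    "6001"    # 0e PUSH1 0x01
    "01"      # 10 ADD              i+1
    "6040"    # 11 PUSH1 0x40
    "52"      # 13 MSTORE                      mem[0x40] = i+1
    "6000"    # 14 PUSH1 0x00
    "56"      # 16 JUMP                        back to the loop head
)

if __name__ == "__main__":
    tac, leftover = lift(LOOP)
    print(format_tac(tac))
    print("leftover stack:", leftover)
    print("storage-dependent JUMPI conditions:", storage_dependent_jumps(tac))
```

Running it prints the lifted block, in which `LT(v3, v7)` names both the loop counter and the storage-loaded bound that the bytecode only related through stack positions, and the query reports the `ISZERO` result feeding the `JUMPI` as storage dependent. The fixpoint in `depends_on` is the whole trick behind writing such analyses declaratively: the rule states the relation and the engine computes it, which is what lets the same style scale to every deployed contract.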
About the Speaker
Yannis Smaragdakis is a Professor at the University of Athens. Prior to that he had a 10+ year faculty career in the US, most recently as an Associate Professor at the University of Massachusetts, Amherst. His interests include program analysis and testing (especially pointer analysis, static-dynamic analysis combinations, and invariant inference); declarative and extensible languages (especially program generators, generics/templates, and logic-based languages); and languages and tools for systems (especially multi-threading, parallel and distributed computing, and program locality). Large parts of his FC++ project have been integrated into the Boost C++ libraries, and he continues to maintain strong ties to industrial development and open-source projects. His latest work includes the Doop framework for the analysis of Java bytecode, as well as other related projects for program analysis algorithms expressed declaratively, in the Datalog language. Smaragdakis has served on the SIGPLAN Executive Committee and was the Program Chair of OOPSLA’16. He is a recipient of an NSF Career award, ERC Consolidator and Proof-of-Concept grants, and best/distinguished paper or artifact awards at OOPSLA’18, ECOOP’18, OOPSLA’15, ISSTA’12, ASE’07, ISSTA’06, GPCE’04, USENIX’99.