def test_concrete_call_symbolic_to():
# arrange
address = "0x10"
active_account = Account(address)
active_account.code = Disassembly("00")
environment = Environment(active_account, None, None, None, None, None)
state = GlobalState(None, environment, None)
state.mstate.memory = ["placeholder", "calldata_bling_0"]
node = Node("example")
node.contract_name = "the contract name"
node.function_name = "the function name"
to = Variable("calldata_3", VarType.SYMBOLIC)
meminstart = Variable(1, VarType.CONCRETE)
call = Call(node, state, None, None, to, None)
# act
issues = _concrete_call(call, state, address, meminstart)
# assert
issue = issues[0]
assert issue.address == address
assert issue.contract == node.contract_name
assert issue.function == node.function_name
assert issue.title == "Call data forwarded with delegatecall()"
assert issue.type == "Informational"
assert (
issue.description
== "This contract forwards its call data via DELEGATECALL in its fallback function."
" This means that any function in the called contract can be executed."
" Note that the callee contract will have access to the storage of the "
"calling contract.\n DELEGATECALL target: calldata_3"
)
def test_intercontract_call():
# Arrange
cfg.gbl_next_uid = 0
caller_code = Disassembly("6080604052348015600f57600080fd5b5073deadbeefdeadbeefdeadbeefdeadbeefdeadbeef73ffffffffffffffffffffffffffffffffffffffff166389627e13336040518263ffffffff167c0100000000000000000000000000000000000000000000000000000000028152600401808273ffffffffffffffffffffffffffffffffffffffff1673ffffffffffffffffffffffffffffffffffffffff168152602001915050602060405180830381600087803b15801560be57600080fd5b505af115801560d1573d6000803e3d6000fd5b505050506040513d602081101560e657600080fd5b8101908080519060200190929190505050500000a165627a7a72305820fdb1e90f0d9775c94820e516970e0d41380a94624fa963c556145e8fb645d4c90029")
caller_address = "0xaffeaffeaffeaffeaffeaffeaffeaffeaffeaffe"
callee_code = Disassembly("608060405260043610603f576000357c0100000000000000000000000000000000000000000000000000000000900463ffffffff16806389627e13146044575b600080fd5b348015604f57600080fd5b506082600480360381019080803573ffffffffffffffffffffffffffffffffffffffff1690602001909291905050506084565b005b8073ffffffffffffffffffffffffffffffffffffffff166108fc3073ffffffffffffffffffffffffffffffffffffffff16319081150290604051600060405180830381858888f1935050505015801560e0573d6000803e3d6000fd5b50505600a165627a7a72305820a6b1335d6f994632bc9a7092d0eaa425de3dea05e015af8a94ad70b3969e117a0029")
callee_address = "0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef"
caller_account = Account(caller_address, caller_code, contract_name="Caller")
callee_account = Account(callee_address, callee_code, contract_name="Callee")
accounts = {
caller_address: caller_account,
callee_address: callee_account
}
laser = svm.LaserEVM(accounts)
# Act
laser.sym_exec(caller_address)
# Assert
# Initial node starts in contract caller
assert len(laser.nodes.keys()) > 0
assert laser.nodes[0].contract_name == 'Caller'
# At one point we call into contract callee
for node in laser.nodes.values():
if node.contract_name == 'Callee':
assert len(node.states[0].transaction_stack) > 1
return
assert False
def test_delegate_call(sym_mock, concrete_mock, curr_instruction):
# arrange
# sym_mock = mocker.patch.object(delegatecall, "_symbolic_call")
# concrete_mock = mocker.patch.object(delegatecall, "_concrete_call")
sym_mock.return_value = []
concrete_mock.return_value = []
curr_instruction.return_value = {"address": "0x10"}
active_account = Account("0x10")
active_account.code = Disassembly("00")
environment = Environment(active_account, None, None, None, None, None)
state = GlobalState(None, environment, Node)
state.mstate.memory = ["placeholder", "calldata_bling_0"]
state.mstate.stack = [1, 2, 3]
assert state.get_current_instruction() == {"address": "0x10"}
node = Node("example")
node.contract_name = "the contract name"
node.function_name = "fallback"
to = Variable("storage_1", VarType.SYMBOLIC)
call = Call(node, state, None, "DELEGATECALL", to, None)
statespace = MagicMock()
statespace.calls = [call]
# act
execute(statespace)
# assert
assert concrete_mock.call_count == 1
assert sym_mock.call_count == 1
def test_vmtest(
test_name: str, pre_condition: dict, action: dict, post_condition: dict
) -> None:
# Arrange
accounts = {}
for address, details in pre_condition.items():
account = Account(address)
account.code = Disassembly(details["code"][2:])
account.balance = int(details["balance"], 16)
account.nonce = int(details["nonce"], 16)
accounts[address] = account
laser_evm = LaserEVM(accounts)
# Act
laser_evm.time = datetime.now()
# TODO: move this line below and check for VmExceptions when gas has been implemented
if post_condition == {}:
return
execute_message_call(
laser_evm,
callee_address=action["address"],
caller_address=action["caller"],
origin_address=action["origin"],
code=action["code"][2:],
gas=action["gas"],
data=binascii.a2b_hex(action["data"][2:]),
gas_price=int(action["gasPrice"], 16),
value=int(action["value"], 16),
)
# Assert
assert len(laser_evm.open_states) == 1
world_state = laser_evm.open_states[0]
model = get_model(next(iter(laser_evm.nodes.values())).states[0].mstate.constraints)
for address, details in post_condition.items():
account = world_state[address]
assert account.nonce == int(details["nonce"], 16)
assert account.code.bytecode == details["code"][2:]
for index, value in details["storage"].items():
expected = int(value, 16)
if type(account.storage[int(index, 16)]) != int:
actual = model.eval(account.storage[int(index, 16)])
actual = 1 if actual == True else 0 if actual == False else actual
else:
actual = account.storage[int(index, 16)]
assert actual == expected
def test_vmtest(test_name: str, pre_condition: dict, action: dict, post_condition: dict) -> None:
# Arrange
accounts = {}
for address, details in pre_condition.items():
account = Account(address)
account.code = Disassembly(details['code'][2:])
account.balance = int(details['balance'], 16)
account.nonce = int(details['nonce'], 16)
accounts[address] = account
laser_evm = LaserEVM(accounts)
# Act
laser_evm.time = datetime.now()
try:
execute_message_call(
laser_evm,
callee_address=action['address'],
caller_address=action['caller'],
origin_address=action['origin'],
code=action['code'][2:],
gas=action['gas'],
data=binascii.a2b_hex(action['data'][2:]),
gas_price=int(action['gasPrice'], 16),
value=int(action['value'], 16)
)
except VmException as e:
if post_condition == {}:
return
else:
raise e
# Assert
if 'Suicide' not in test_name:
assert len(laser_evm.open_states) == 1
else:
assert len(laser_evm.open_states) == 0
return
world_state = laser_evm.open_states[0]
for address, details in post_condition.items():
account = world_state[address]
assert account.nonce == int(details['nonce'], 16)
assert account.code.bytecode == details['code'][2:]
for index, value in details['storage'].items():
expected = int(value, 16)
actual = get_concrete_int(account.storage[int(index, 16)])
assert actual == expected
def test_laser_result(self):
for input_file in TESTDATA_INPUTS_CONTRACTS.iterdir():
if input_file.name == "weak_random.sol":
continue
output_expected = TESTDATA_OUTPUTS_EXPECTED_LASER_RESULT / (
input_file.name + ".json")
output_current = TESTDATA_OUTPUTS_CURRENT_LASER_RESULT / (
input_file.name + ".json")
disassembly = SolidityContract(str(input_file)).disassembly
account = Account("0x0000000000000000000000000000000000000000",
disassembly)
accounts = {account.address: account}
laser = svm.LaserEVM(accounts, max_depth=22)
laser.sym_exec(account.address)
laser_info = _all_info(laser)
output_current.write_text(
json.dumps(laser_info, cls=LaserEncoder, indent=4))
if not (output_expected.read_text()
== output_expected.read_text()):
self.found_changed_files(input_file, output_expected,
output_current)
self.assert_and_show_changed_files()
def get_constr_glbstate(contract, address):
mstate = MachineState(gas=10000000)
minimal_const_byte_len = get_minimal_constructor_param_encoding_len(abi_json_to_abi(contract.abi))
# better would be to append symbolic params to the bytecode such that the codecopy instruction that copies the
# params into memory takes care of placing them onto the memory with the respective size.
for i in range(int(minimal_const_byte_len / 32)):
mstate.mem_extend(128 + 32 * i, 32)
mstate.memory.insert(128 + 32 * i, BitVec('calldata_' + contract.name + '[' + str(i * 32)+ "]", 256))
# Todo Replace pure placement of enough symbolic 32 Byte-words with placement of symbolic variables that contain
# the name of the solidity variables
accounts = {address: Account(address, contract.disassembly, contract_name=contract.name)}
environment = Environment(
accounts[address],
BitVec("caller", 256),
[],
BitVec("gasprice", 256),
BitVec("callvalue", 256),
BitVec("origin", 256),
calldata_type=CalldataType.SYMBOLIC,
)
# Todo find source for account info, maybe the std statespace?
return GlobalState(accounts, environment, None, mstate)
def test_calldata_constraints_in_transaction():
# Arrange
laser_evm = LaserEVM({})
world_state = WorldState()
correct_constraints = [MagicMock(), MagicMock(), MagicMock()]
transaction = MessageCallTransaction(world_state, Account("ca11ee"),
Account("ca114"))
transaction.call_data = MagicMock()
transaction.call_data.constraints = correct_constraints
# Act
_setup_global_state_for_execution(laser_evm, transaction)
# Assert
state = laser_evm.work_list[0]
for constraint in correct_constraints:
assert constraint in state.environment.calldata.constraints
def test_symbolic_call_storage_to(mocker):
# arrange
address = "0x10"
active_account = Account(address)
active_account.code = Disassembly("00")
environment = Environment(active_account, None, None, None, None, None)
state = GlobalState(None, environment, None)
state.mstate.memory = ["placeholder", "calldata_bling_0"]
node = Node("example")
node.contract_name = "the contract name"
node.function_name = "the function name"
to = Variable("storage_1", VarType.SYMBOLIC)
call = Call(node, state, None, "Type: ", to, None)
mocker.patch.object(SymExecWrapper, "__init__", lambda x, y: None)
statespace = SymExecWrapper(1)
mocker.patch.object(statespace, "find_storage_write")
statespace.find_storage_write.return_value = "Function name"
# act
issues = _symbolic_call(call, state, address, statespace)
# assert
issue = issues[0]
assert issue.address == address
assert issue.contract == node.contract_name
assert issue.function == node.function_name
assert issue.title == "Type: to a user-supplied address"
assert issue.type == "Informational"
assert (
issue.description
== "This contract delegates execution to a contract address in storage slot 1."
" This storage slot can be written to by calling the function `Function name`. "
"Be aware that the called contract gets unrestricted access to this contract's state."
)
def runTest():
disassembly = SolidityContract("./tests/native_tests.sol").disassembly
account = Account("0x0000000000000000000000000000000000000000", disassembly)
accounts = {account.address: account}
laser = svm.LaserEVM(accounts, max_depth=100)
laser.sym_exec(account.address)
laser_info = str(_all_info(laser))
print("\n")
_test_natives(laser_info, SHA256_TEST, "SHA256")
_test_natives(laser_info, RIPEMD160_TEST, "RIPEMD160")
_test_natives(laser_info, ECRECOVER_TEST, "ECRECOVER")
_test_natives(laser_info, IDENTITY_TEST, "IDENTITY")
def runTest(self):
disassembly = SolidityContract('./tests/native_tests.sol').disassembly
account = Account("0x0000000000000000000000000000000000000000",
disassembly)
accounts = {account.address: account}
laser = svm.LaserEVM(accounts, max_depth=100)
laser.sym_exec(account.address)
laser_info = str(_all_info(laser))
print('\n')
_test_natives(laser_info, SHA256_TEST, 'SHA256')
_test_natives(laser_info, RIPEMD160_TEST, 'RIPEMD160')
_test_natives(laser_info, ECRECOVER_TEST, 'ECRECOVER')
_test_natives(laser_info, IDENTITY_TEST, 'IDENTITY')
def test_codecopy_concrete():
# Arrange
active_account = Account("0x0", code=Disassembly("60606040"))
environment = Environment(active_account, None, None, None, None, None)
og_state = GlobalState(None, environment, None, MachineState(gas=10000000))
og_state.mstate.stack = [2, 2, 2]
instruction = Instruction("codecopy", dynamic_loader=None)
# Act
new_state = instruction.evaluate(og_state)[0]
# Assert
assert new_state.mstate.memory[2] == 96
assert new_state.mstate.memory[3] == 64
def get_callee_account(global_state, callee_address, dynamic_loader):
"""
Gets the callees account from the global_state
:param global_state: state to look in
:param callee_address: address of the callee
:param dynamic_loader: dynamic loader to use
:return: Account belonging to callee
"""
environment = global_state.environment
accounts = global_state.accounts
try:
return global_state.accounts[callee_address]
except KeyError:
# We have a valid call address, but contract is not in the modules list
logging.info("Module with address " + callee_address + " not loaded.")
if dynamic_loader is None:
raise ValueError()
logging.info("Attempting to load dependency")
try:
code = dynamic_loader.dynld(environment.active_account.address,
callee_address)
except Exception as e:
logging.info("Unable to execute dynamic loader.")
raise ValueError()
if code is None:
logging.info("No code returned, not a contract account?")
raise ValueError()
logging.info("Dependency loaded: " + callee_address)
callee_account = Account(callee_address,
code,
callee_address,
dynamic_loader=dynamic_loader)
accounts[callee_address] = callee_account
return callee_account
def test_execute(mocker):
active_account = Account('0x00')
environment = Environment(active_account, None, None, None, None, None)
state_1 = GlobalState(None, environment, None, MachineState(gas=10000000))
state_1.mstate.stack = [1, 2]
mocker.patch.object(state_1, 'get_current_instruction')
state_1.get_current_instruction.return_value = {"opcode": "PUSH"}
state_2 = GlobalState(None, environment, None, MachineState(gas=10000000))
state_2.mstate.stack = [1, 2, 3]
mocker.patch.object(state_2, 'get_current_instruction')
state_2.get_current_instruction.return_value = {"opcode": "ADD"}
node_1 = Node("Test contract")
node_1.states = [state_1, state_2]
state_3 = GlobalState(None, environment, None, MachineState(gas=10000000))
state_3.mstate.stack = [1, 2]
mocker.patch.object(state_3, 'get_current_instruction')
state_3.get_current_instruction.return_value = {"opcode": "ADD"}
node_2 = Node("Test contract")
node_2.states = [state_3]
edge = Edge(node_1.uid, node_2.uid)
statespace = LaserEVM(None)
statespace.edges = [edge]
statespace.nodes[node_1.uid] = node_1
statespace.nodes[node_2.uid] = node_2
# Act
result = TaintRunner.execute(statespace, node_1, state_1, [True, True])
# Assert
print(result)
assert len(result.records) == 3
assert result.records[2].states == []
assert state_3 in result.records[1].states
def test_execute_message_call(mocked_setup: MagicMock):
# Arrange
laser_evm = LaserEVM({})
world_state = WorldState()
world_state.accounts["address"] = Account("address")
laser_evm.open_states = [world_state]
laser_evm.exec = MagicMock()
mocked_setup.side_effect = _is_message_call
# Act
execute_message_call(laser_evm, "address")
# Assert
# laser_evm.exec.assert_called_once()
assert laser_evm.exec.call_count == 1
# mocked_setup.assert_called_once()
assert mocked_setup.call_count == 1
assert len(laser_evm.open_states) == 0
def __init__(
self,
contract,
address,
strategy,
dynloader=None,
max_depth=22,
execution_timeout=None,
create_timeout=None,
max_transaction_count=3,
):
if strategy == "dfs":
s_strategy = DepthFirstSearchStrategy
elif strategy == "bfs":
s_strategy = BreadthFirstSearchStrategy
elif strategy == "naive-random":
s_strategy = ReturnRandomNaivelyStrategy
elif strategy == "weighted-random":
s_strategy = ReturnWeightedRandomStrategy
else:
raise ValueError("Invalid strategy argument supplied")
account = Account(
address,
contract.disassembly,
dynamic_loader=dynloader,
contract_name=contract.name,
)
self.accounts = {address: account}
self.laser = svm.LaserEVM(
self.accounts,
dynamic_loader=dynloader,
max_depth=max_depth,
execution_timeout=execution_timeout,
strategy=s_strategy,
create_timeout=create_timeout,
max_transaction_count=max_transaction_count,
)
if isinstance(contract, SolidityContract):
self.laser.sym_exec(creation_code=contract.creation_code,
contract_name=contract.name)
else:
self.laser.sym_exec(address)
self.nodes = self.laser.nodes
self.edges = self.laser.edges
# Generate lists of interesting operations
self.calls = []
self.sstors = {}
for key in self.nodes:
state_index = 0
for state in self.nodes[key].states:
instruction = state.get_current_instruction()
op = instruction["opcode"]
if op in ("CALL", "CALLCODE", "DELEGATECALL", "STATICCALL"):
stack = state.mstate.stack
if op in ("CALL", "CALLCODE"):
gas, to, value, meminstart, meminsz, memoutstart, memoutsz = (
get_variable(stack[-1]),
get_variable(stack[-2]),
get_variable(stack[-3]),
get_variable(stack[-4]),
get_variable(stack[-5]),
get_variable(stack[-6]),
get_variable(stack[-7]),
)
if to.type == VarType.CONCRETE and to.val < 5:
# ignore prebuilts
continue
if (meminstart.type == VarType.CONCRETE
and meminsz.type == VarType.CONCRETE):
self.calls.append(
Call(
self.nodes[key],
state,
state_index,
op,
to,
gas,
value,
state.mstate.memory[meminstart.
val:meminsz.val * 4],
))
else:
self.calls.append(
Call(
self.nodes[key],
state,
state_index,
op,
to,
gas,
value,
))
else:
gas, to, meminstart, meminsz, memoutstart, memoutsz = (
get_variable(stack[-1]),
get_variable(stack[-2]),
get_variable(stack[-3]),
get_variable(stack[-4]),
get_variable(stack[-5]),
get_variable(stack[-6]),
)
self.calls.append(
Call(self.nodes[key], state, state_index, op, to,
gas))
elif op == "SSTORE":
stack = copy.deepcopy(state.mstate.stack)
address = state.environment.active_account.address
index, value = stack.pop(), stack.pop()
try:
self.sstors[address]
except KeyError:
self.sstors[address] = {}
try:
self.sstors[address][str(index)].append(
SStore(self.nodes[key], state, state_index, value))
except KeyError:
self.sstors[address][str(index)] = [
SStore(self.nodes[key], state, state_index, value)
]
state_index += 1
