def test_concrete_call_symbolic_to(): # arrange address = "0x10" active_account = Account(address) active_account.code = Disassembly("00") environment = Environment(active_account, None, None, None, None, None) state = GlobalState(None, environment, None) state.mstate.memory = ["placeholder", "calldata_bling_0"] node = Node("example") node.contract_name = "the contract name" node.function_name = "the function name" to = Variable("calldata_3", VarType.SYMBOLIC) meminstart = Variable(1, VarType.CONCRETE) call = Call(node, state, None, None, to, None) # act issues = _concrete_call(call, state, address, meminstart) # assert issue = issues[0] assert issue.address == address assert issue.contract == node.contract_name assert issue.function == node.function_name assert issue.title == "Call data forwarded with delegatecall()" assert issue.type == "Informational" assert ( issue.description == "This contract forwards its call data via DELEGATECALL in its fallback function." " This means that any function in the called contract can be executed." " Note that the callee contract will have access to the storage of the " "calling contract.\n DELEGATECALL target: calldata_3" )
def test_intercontract_call(): # Arrange cfg.gbl_next_uid = 0 caller_code = Disassembly("6080604052348015600f57600080fd5b5073deadbeefdeadbeefdeadbeefdeadbeefdeadbeef73ffffffffffffffffffffffffffffffffffffffff166389627e13336040518263ffffffff167c0100000000000000000000000000000000000000000000000000000000028152600401808273ffffffffffffffffffffffffffffffffffffffff1673ffffffffffffffffffffffffffffffffffffffff168152602001915050602060405180830381600087803b15801560be57600080fd5b505af115801560d1573d6000803e3d6000fd5b505050506040513d602081101560e657600080fd5b8101908080519060200190929190505050500000a165627a7a72305820fdb1e90f0d9775c94820e516970e0d41380a94624fa963c556145e8fb645d4c90029") caller_address = "0xaffeaffeaffeaffeaffeaffeaffeaffeaffeaffe" callee_code = Disassembly("608060405260043610603f576000357c0100000000000000000000000000000000000000000000000000000000900463ffffffff16806389627e13146044575b600080fd5b348015604f57600080fd5b506082600480360381019080803573ffffffffffffffffffffffffffffffffffffffff1690602001909291905050506084565b005b8073ffffffffffffffffffffffffffffffffffffffff166108fc3073ffffffffffffffffffffffffffffffffffffffff16319081150290604051600060405180830381858888f1935050505015801560e0573d6000803e3d6000fd5b50505600a165627a7a72305820a6b1335d6f994632bc9a7092d0eaa425de3dea05e015af8a94ad70b3969e117a0029") callee_address = "0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef" caller_account = Account(caller_address, caller_code, contract_name="Caller") callee_account = Account(callee_address, callee_code, contract_name="Callee") accounts = { caller_address: caller_account, callee_address: callee_account } laser = svm.LaserEVM(accounts) # Act laser.sym_exec(caller_address) # Assert # Initial node starts in contract caller assert len(laser.nodes.keys()) > 0 assert laser.nodes[0].contract_name == 'Caller' # At one point we call into contract callee for node in laser.nodes.values(): if node.contract_name == 'Callee': assert len(node.states[0].transaction_stack) > 1 return assert False
def test_delegate_call(sym_mock, concrete_mock, curr_instruction): # arrange # sym_mock = mocker.patch.object(delegatecall, "_symbolic_call") # concrete_mock = mocker.patch.object(delegatecall, "_concrete_call") sym_mock.return_value = [] concrete_mock.return_value = [] curr_instruction.return_value = {"address": "0x10"} active_account = Account("0x10") active_account.code = Disassembly("00") environment = Environment(active_account, None, None, None, None, None) state = GlobalState(None, environment, Node) state.mstate.memory = ["placeholder", "calldata_bling_0"] state.mstate.stack = [1, 2, 3] assert state.get_current_instruction() == {"address": "0x10"} node = Node("example") node.contract_name = "the contract name" node.function_name = "fallback" to = Variable("storage_1", VarType.SYMBOLIC) call = Call(node, state, None, "DELEGATECALL", to, None) statespace = MagicMock() statespace.calls = [call] # act execute(statespace) # assert assert concrete_mock.call_count == 1 assert sym_mock.call_count == 1
def test_vmtest( test_name: str, pre_condition: dict, action: dict, post_condition: dict ) -> None: # Arrange accounts = {} for address, details in pre_condition.items(): account = Account(address) account.code = Disassembly(details["code"][2:]) account.balance = int(details["balance"], 16) account.nonce = int(details["nonce"], 16) accounts[address] = account laser_evm = LaserEVM(accounts) # Act laser_evm.time = datetime.now() # TODO: move this line below and check for VmExceptions when gas has been implemented if post_condition == {}: return execute_message_call( laser_evm, callee_address=action["address"], caller_address=action["caller"], origin_address=action["origin"], code=action["code"][2:], gas=action["gas"], data=binascii.a2b_hex(action["data"][2:]), gas_price=int(action["gasPrice"], 16), value=int(action["value"], 16), ) # Assert assert len(laser_evm.open_states) == 1 world_state = laser_evm.open_states[0] model = get_model(next(iter(laser_evm.nodes.values())).states[0].mstate.constraints) for address, details in post_condition.items(): account = world_state[address] assert account.nonce == int(details["nonce"], 16) assert account.code.bytecode == details["code"][2:] for index, value in details["storage"].items(): expected = int(value, 16) if type(account.storage[int(index, 16)]) != int: actual = model.eval(account.storage[int(index, 16)]) actual = 1 if actual == True else 0 if actual == False else actual else: actual = account.storage[int(index, 16)] assert actual == expected
def test_vmtest(test_name: str, pre_condition: dict, action: dict, post_condition: dict) -> None: # Arrange accounts = {} for address, details in pre_condition.items(): account = Account(address) account.code = Disassembly(details['code'][2:]) account.balance = int(details['balance'], 16) account.nonce = int(details['nonce'], 16) accounts[address] = account laser_evm = LaserEVM(accounts) # Act laser_evm.time = datetime.now() try: execute_message_call( laser_evm, callee_address=action['address'], caller_address=action['caller'], origin_address=action['origin'], code=action['code'][2:], gas=action['gas'], data=binascii.a2b_hex(action['data'][2:]), gas_price=int(action['gasPrice'], 16), value=int(action['value'], 16) ) except VmException as e: if post_condition == {}: return else: raise e # Assert if 'Suicide' not in test_name: assert len(laser_evm.open_states) == 1 else: assert len(laser_evm.open_states) == 0 return world_state = laser_evm.open_states[0] for address, details in post_condition.items(): account = world_state[address] assert account.nonce == int(details['nonce'], 16) assert account.code.bytecode == details['code'][2:] for index, value in details['storage'].items(): expected = int(value, 16) actual = get_concrete_int(account.storage[int(index, 16)]) assert actual == expected
def test_laser_result(self): for input_file in TESTDATA_INPUTS_CONTRACTS.iterdir(): if input_file.name == "weak_random.sol": continue output_expected = TESTDATA_OUTPUTS_EXPECTED_LASER_RESULT / ( input_file.name + ".json") output_current = TESTDATA_OUTPUTS_CURRENT_LASER_RESULT / ( input_file.name + ".json") disassembly = SolidityContract(str(input_file)).disassembly account = Account("0x0000000000000000000000000000000000000000", disassembly) accounts = {account.address: account} laser = svm.LaserEVM(accounts, max_depth=22) laser.sym_exec(account.address) laser_info = _all_info(laser) output_current.write_text( json.dumps(laser_info, cls=LaserEncoder, indent=4)) if not (output_expected.read_text() == output_expected.read_text()): self.found_changed_files(input_file, output_expected, output_current) self.assert_and_show_changed_files()
def get_constr_glbstate(contract, address): mstate = MachineState(gas=10000000) minimal_const_byte_len = get_minimal_constructor_param_encoding_len(abi_json_to_abi(contract.abi)) # better would be to append symbolic params to the bytecode such that the codecopy instruction that copies the # params into memory takes care of placing them onto the memory with the respective size. for i in range(int(minimal_const_byte_len / 32)): mstate.mem_extend(128 + 32 * i, 32) mstate.memory.insert(128 + 32 * i, BitVec('calldata_' + contract.name + '[' + str(i * 32)+ "]", 256)) # Todo Replace pure placement of enough symbolic 32 Byte-words with placement of symbolic variables that contain # the name of the solidity variables accounts = {address: Account(address, contract.disassembly, contract_name=contract.name)} environment = Environment( accounts[address], BitVec("caller", 256), [], BitVec("gasprice", 256), BitVec("callvalue", 256), BitVec("origin", 256), calldata_type=CalldataType.SYMBOLIC, ) # Todo find source for account info, maybe the std statespace? return GlobalState(accounts, environment, None, mstate)
def test_calldata_constraints_in_transaction(): # Arrange laser_evm = LaserEVM({}) world_state = WorldState() correct_constraints = [MagicMock(), MagicMock(), MagicMock()] transaction = MessageCallTransaction(world_state, Account("ca11ee"), Account("ca114")) transaction.call_data = MagicMock() transaction.call_data.constraints = correct_constraints # Act _setup_global_state_for_execution(laser_evm, transaction) # Assert state = laser_evm.work_list[0] for constraint in correct_constraints: assert constraint in state.environment.calldata.constraints
def test_symbolic_call_storage_to(mocker): # arrange address = "0x10" active_account = Account(address) active_account.code = Disassembly("00") environment = Environment(active_account, None, None, None, None, None) state = GlobalState(None, environment, None) state.mstate.memory = ["placeholder", "calldata_bling_0"] node = Node("example") node.contract_name = "the contract name" node.function_name = "the function name" to = Variable("storage_1", VarType.SYMBOLIC) call = Call(node, state, None, "Type: ", to, None) mocker.patch.object(SymExecWrapper, "__init__", lambda x, y: None) statespace = SymExecWrapper(1) mocker.patch.object(statespace, "find_storage_write") statespace.find_storage_write.return_value = "Function name" # act issues = _symbolic_call(call, state, address, statespace) # assert issue = issues[0] assert issue.address == address assert issue.contract == node.contract_name assert issue.function == node.function_name assert issue.title == "Type: to a user-supplied address" assert issue.type == "Informational" assert ( issue.description == "This contract delegates execution to a contract address in storage slot 1." " This storage slot can be written to by calling the function `Function name`. " "Be aware that the called contract gets unrestricted access to this contract's state." )
def runTest(): disassembly = SolidityContract("./tests/native_tests.sol").disassembly account = Account("0x0000000000000000000000000000000000000000", disassembly) accounts = {account.address: account} laser = svm.LaserEVM(accounts, max_depth=100) laser.sym_exec(account.address) laser_info = str(_all_info(laser)) print("\n") _test_natives(laser_info, SHA256_TEST, "SHA256") _test_natives(laser_info, RIPEMD160_TEST, "RIPEMD160") _test_natives(laser_info, ECRECOVER_TEST, "ECRECOVER") _test_natives(laser_info, IDENTITY_TEST, "IDENTITY")
def runTest(self): disassembly = SolidityContract('./tests/native_tests.sol').disassembly account = Account("0x0000000000000000000000000000000000000000", disassembly) accounts = {account.address: account} laser = svm.LaserEVM(accounts, max_depth=100) laser.sym_exec(account.address) laser_info = str(_all_info(laser)) print('\n') _test_natives(laser_info, SHA256_TEST, 'SHA256') _test_natives(laser_info, RIPEMD160_TEST, 'RIPEMD160') _test_natives(laser_info, ECRECOVER_TEST, 'ECRECOVER') _test_natives(laser_info, IDENTITY_TEST, 'IDENTITY')
def test_codecopy_concrete(): # Arrange active_account = Account("0x0", code=Disassembly("60606040")) environment = Environment(active_account, None, None, None, None, None) og_state = GlobalState(None, environment, None, MachineState(gas=10000000)) og_state.mstate.stack = [2, 2, 2] instruction = Instruction("codecopy", dynamic_loader=None) # Act new_state = instruction.evaluate(og_state)[0] # Assert assert new_state.mstate.memory[2] == 96 assert new_state.mstate.memory[3] == 64
def get_callee_account(global_state, callee_address, dynamic_loader): """ Gets the callees account from the global_state :param global_state: state to look in :param callee_address: address of the callee :param dynamic_loader: dynamic loader to use :return: Account belonging to callee """ environment = global_state.environment accounts = global_state.accounts try: return global_state.accounts[callee_address] except KeyError: # We have a valid call address, but contract is not in the modules list logging.info("Module with address " + callee_address + " not loaded.") if dynamic_loader is None: raise ValueError() logging.info("Attempting to load dependency") try: code = dynamic_loader.dynld(environment.active_account.address, callee_address) except Exception as e: logging.info("Unable to execute dynamic loader.") raise ValueError() if code is None: logging.info("No code returned, not a contract account?") raise ValueError() logging.info("Dependency loaded: " + callee_address) callee_account = Account(callee_address, code, callee_address, dynamic_loader=dynamic_loader) accounts[callee_address] = callee_account return callee_account
def test_execute(mocker): active_account = Account('0x00') environment = Environment(active_account, None, None, None, None, None) state_1 = GlobalState(None, environment, None, MachineState(gas=10000000)) state_1.mstate.stack = [1, 2] mocker.patch.object(state_1, 'get_current_instruction') state_1.get_current_instruction.return_value = {"opcode": "PUSH"} state_2 = GlobalState(None, environment, None, MachineState(gas=10000000)) state_2.mstate.stack = [1, 2, 3] mocker.patch.object(state_2, 'get_current_instruction') state_2.get_current_instruction.return_value = {"opcode": "ADD"} node_1 = Node("Test contract") node_1.states = [state_1, state_2] state_3 = GlobalState(None, environment, None, MachineState(gas=10000000)) state_3.mstate.stack = [1, 2] mocker.patch.object(state_3, 'get_current_instruction') state_3.get_current_instruction.return_value = {"opcode": "ADD"} node_2 = Node("Test contract") node_2.states = [state_3] edge = Edge(node_1.uid, node_2.uid) statespace = LaserEVM(None) statespace.edges = [edge] statespace.nodes[node_1.uid] = node_1 statespace.nodes[node_2.uid] = node_2 # Act result = TaintRunner.execute(statespace, node_1, state_1, [True, True]) # Assert print(result) assert len(result.records) == 3 assert result.records[2].states == [] assert state_3 in result.records[1].states
def test_execute_message_call(mocked_setup: MagicMock): # Arrange laser_evm = LaserEVM({}) world_state = WorldState() world_state.accounts["address"] = Account("address") laser_evm.open_states = [world_state] laser_evm.exec = MagicMock() mocked_setup.side_effect = _is_message_call # Act execute_message_call(laser_evm, "address") # Assert # laser_evm.exec.assert_called_once() assert laser_evm.exec.call_count == 1 # mocked_setup.assert_called_once() assert mocked_setup.call_count == 1 assert len(laser_evm.open_states) == 0
def __init__( self, contract, address, strategy, dynloader=None, max_depth=22, execution_timeout=None, create_timeout=None, max_transaction_count=3, ): if strategy == "dfs": s_strategy = DepthFirstSearchStrategy elif strategy == "bfs": s_strategy = BreadthFirstSearchStrategy elif strategy == "naive-random": s_strategy = ReturnRandomNaivelyStrategy elif strategy == "weighted-random": s_strategy = ReturnWeightedRandomStrategy else: raise ValueError("Invalid strategy argument supplied") account = Account( address, contract.disassembly, dynamic_loader=dynloader, contract_name=contract.name, ) self.accounts = {address: account} self.laser = svm.LaserEVM( self.accounts, dynamic_loader=dynloader, max_depth=max_depth, execution_timeout=execution_timeout, strategy=s_strategy, create_timeout=create_timeout, max_transaction_count=max_transaction_count, ) if isinstance(contract, SolidityContract): self.laser.sym_exec(creation_code=contract.creation_code, contract_name=contract.name) else: self.laser.sym_exec(address) self.nodes = self.laser.nodes self.edges = self.laser.edges # Generate lists of interesting operations self.calls = [] self.sstors = {} for key in self.nodes: state_index = 0 for state in self.nodes[key].states: instruction = state.get_current_instruction() op = instruction["opcode"] if op in ("CALL", "CALLCODE", "DELEGATECALL", "STATICCALL"): stack = state.mstate.stack if op in ("CALL", "CALLCODE"): gas, to, value, meminstart, meminsz, memoutstart, memoutsz = ( get_variable(stack[-1]), get_variable(stack[-2]), get_variable(stack[-3]), get_variable(stack[-4]), get_variable(stack[-5]), get_variable(stack[-6]), get_variable(stack[-7]), ) if to.type == VarType.CONCRETE and to.val < 5: # ignore prebuilts continue if (meminstart.type == VarType.CONCRETE and meminsz.type == VarType.CONCRETE): self.calls.append( Call( self.nodes[key], state, state_index, op, to, gas, value, state.mstate.memory[meminstart. val:meminsz.val * 4], )) else: self.calls.append( Call( self.nodes[key], state, state_index, op, to, gas, value, )) else: gas, to, meminstart, meminsz, memoutstart, memoutsz = ( get_variable(stack[-1]), get_variable(stack[-2]), get_variable(stack[-3]), get_variable(stack[-4]), get_variable(stack[-5]), get_variable(stack[-6]), ) self.calls.append( Call(self.nodes[key], state, state_index, op, to, gas)) elif op == "SSTORE": stack = copy.deepcopy(state.mstate.stack) address = state.environment.active_account.address index, value = stack.pop(), stack.pop() try: self.sstors[address] except KeyError: self.sstors[address] = {} try: self.sstors[address][str(index)].append( SStore(self.nodes[key], state, state_index, value)) except KeyError: self.sstors[address][str(index)] = [ SStore(self.nodes[key], state, state_index, value) ] state_index += 1