TY - GEN
T1 - VFIX
T2 - 40th IEEE International Conference on Software Maintenance and Evolution, ICSME 2024
AU - Fang, Pengcheng
AU - Gao, Peng
AU - Peng, Yun
AU - Zhang, Qingzhao
AU - Xie, Tao
AU - Song, Dawn
AU - Mittal, Prateek
AU - Kulkarni, Sanjeev
AU - Liu, Zhuotao
AU - Xiao, Xusheng
N1 - Publisher Copyright: © 2024 IEEE.
PY - 2024
Y1 - 2024
N2 - The increased adoption of smart contracts in many industries has made them an attractive target for cybercriminals, leading to millions of dollars in losses. Thus, continuously fixing newly found vulnerabilities of smart contracts becomes a routine software maintenance task for running smart contracts. However, fixing the vulnerabilities that are specific to the smart contract domain requires security knowledge that many developers lack. Without effective tool support, this task can be very costly in terms of manual labor. To fill this critical need, in this paper, we propose VFIX, which automatically generates security patches for vulnerable smart contracts. In particular, VFIX provides a novel program analysis framework that can incorporate different fix patterns for fixing various types of vulnerabilities. To address the unique challenges in accurately fixing smart contract vulnerabilities, VFIX innovatively combines template-based repair with a set of static program analysis techniques specially designed for smart contracts. Specifically, given an input smart contract, VFIX conducts ensemble identification based on multiple static verification tools to identify vulnerabilities for an automatic fix. Then, VFIX generates patches using template-based fix patterns, and conducts static program analysis (e.g., program dependency computation, pointer analysis) for smart contracts to accurately infer and populate the parameter values for the fix templates. Finally, VFIX performs static verification to ensure that the patched contract is free of vulnerabilities. Our evaluations on 144 real smart contracts containing different types of vulnerabilities show that VFIX can successfully fix 94% of the vulnerabilities and preserve the expected normal behaviors of the smart contracts.
KW - Program Analysis
KW - Smart Contract Security
KW - Static Verification
KW - Vulnerability Patch
UR - http://www.scopus.com/inward/record.url?scp=85215532187&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85215532187&partnerID=8YFLogxK
U2 - 10.1109/ICSME58944.2024.00013
DO - 10.1109/ICSME58944.2024.00013
M3 - Conference contribution
AN - SCOPUS:85215532187
T3 - Proceedings - 2024 IEEE International Conference on Software Maintenance and Evolution, ICSME 2024
SP - 13
EP - 24
BT - Proceedings - 2024 IEEE International Conference on Software Maintenance and Evolution, ICSME 2024
PB - Institute of Electrical and Electronics Engineers Inc.
Y2 - 6 October 2024 through 11 October 2024
ER -