Refactored VulnerableLOGsComputer to utilize event signatures and improved logging for local dependency analysis

merendamattia · merendamattia · commit 449e7157cf90 · 2025-10-14T17:34:07.000+02:00
diff --git a/src/main/java/it/unipr/crosschain/checker/VulnerableLOGsComputer.java b/src/main/java/it/unipr/crosschain/checker/VulnerableLOGsComputer.java
@@ -1,5 +1,6 @@
 package it.unipr.crosschain.checker;
 
+import it.unipr.analysis.contract.Signature;
 import it.unipr.analysis.taint.TaintAbstractDomain;
 import it.unipr.analysis.taint.TaintElement;
 import it.unipr.cfg.*;
@@ -15,22 +16,30 @@
 import it.unive.lisa.checks.semantic.SemanticCheck;
 import it.unive.lisa.program.cfg.CFG;
 import it.unive.lisa.program.cfg.statement.Statement;
+import java.util.HashSet;
+import java.util.Set;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 
 public class VulnerableLOGsComputer implements
 		SemanticCheck<SimpleAbstractState<MonolithicHeap, TaintAbstractDomain, TypeEnvironment<InferredTypes>>> {
 
 	private static final Logger log = LogManager.getLogger(VulnerableLOGsComputer.class);
+	private Set<Statement> eventsExitpoints;
+
+	public VulnerableLOGsComputer(Set<Signature> events) {
+		this.eventsExitpoints = new HashSet<>();
+		for (Signature event : events)
+			eventsExitpoints.addAll(event.getExitPoints());
+	}
 
 	@Override
 	public boolean visit(
 			CheckToolWithAnalysisResults<
 					SimpleAbstractState<MonolithicHeap, TaintAbstractDomain, TypeEnvironment<InferredTypes>>> tool,
 			CFG graph, Statement node) {
 
-		if (node instanceof Log) {
-
+		if (eventsExitpoints.contains(node)) {
 			EVMCFG cfg = ((EVMCFG) graph);
 
 			for (AnalyzedCFG<SimpleAbstractState<MonolithicHeap, TaintAbstractDomain,
@@ -47,43 +56,45 @@ public boolean visit(
 				// Retrieve the symbolic stack from the analysis result
 				TaintAbstractDomain taintedStack = analysisResult.getState().getValueState();
 
-				if (taintedStack.isBottom())
+				if (taintedStack.isBottom() || taintedStack.isTop())
 					// Nothing to do
 					continue;
-				else {
-					if (node instanceof Log1)
-						if (TaintElement.isAtLeastOneTainted(taintedStack.getElementAtPosition(1),
-								taintedStack.getElementAtPosition(2),
-								taintedStack.getElementAtPosition(3)))
-							addVulnerableLOG(node);
-					if (node instanceof Log2)
-						if (TaintElement.isAtLeastOneTainted(taintedStack.getElementAtPosition(1),
-								taintedStack.getElementAtPosition(2),
-								taintedStack.getElementAtPosition(3),
-								taintedStack.getElementAtPosition(4)))
-							addVulnerableLOG(node);
-					if (node instanceof Log3)
-						if (TaintElement.isAtLeastOneTainted(taintedStack.getElementAtPosition(1),
-								taintedStack.getElementAtPosition(2),
-								taintedStack.getElementAtPosition(3),
-								taintedStack.getElementAtPosition(4),
-								taintedStack.getElementAtPosition(5)))
-							addVulnerableLOG(node);
-					if (node instanceof Log4)
-						if (TaintElement.isAtLeastOneTainted(taintedStack.getElementAtPosition(1),
-								taintedStack.getElementAtPosition(2),
-								taintedStack.getElementAtPosition(3),
-								taintedStack.getElementAtPosition(4),
-								taintedStack.getElementAtPosition(5),
-								taintedStack.getElementAtPosition(6)))
-							addVulnerableLOG(node);
-				}
+
+				int numArgs = getNumberOfArgs(node);
+				boolean isAtLeastOneTainted = false;
+
+				for (int argIndex = 1; argIndex <= numArgs; argIndex++)
+					isAtLeastOneTainted |= TaintElement.isAtLeastOneTainted(
+							taintedStack.getElementAtPosition(argIndex));
+
+				if (isAtLeastOneTainted)
+					addVulnerableLOG(node);
 			}
 		}
 
 		return true;
 	}
 
+	/**
+	 * Computes the number of arguments consumed from the stack by the provided
+	 * EVM instruction.
+	 *
+	 * @param node the statement to inspect
+	 *
+	 * @return the amount of stack elements consumed by {@code node}
+	 */
+	private int getNumberOfArgs(Statement node) {
+		if (node instanceof Log1)
+			return 3;
+		if (node instanceof Log2)
+			return 4;
+		if (node instanceof Log3)
+			return 5;
+		if (node instanceof Log4)
+			return 6;
+		return 0;
+	}
+
 	/**
 	 * Adds a vulnerable log statement to the time synchronization checker and
 	 * logs a warning message indicating the potential vulnerability.
@@ -95,7 +106,7 @@ private void addVulnerableLOG(Statement node) {
 		MyCache.getInstance().addVulnerableLogStatementForLocalDependencyChecker(node);
 
 		ProgramCounterLocation nodeLocation = (ProgramCounterLocation) node.getLocation();
-		log.warn("(Time Synchronization vulnerability) LOG possibly vulnerable at pc {} (line {}) (cfg={}).",
+		log.warn("(Local Dependency Checker) Event possibly vulnerable at pc {} (line {}) (cfg={}).",
 				nodeLocation.getPc(),
 				nodeLocation.getSourceCodeLine(),
 				node.getCFG().hashCode());
diff --git a/src/main/java/it/unipr/crosschain/xEVMLiSA.java b/src/main/java/it/unipr/crosschain/xEVMLiSA.java
@@ -287,10 +287,10 @@ public static void runCrossChainCheckers(Bridge bridge) {
 	/**
 	 * Executes the Local Dependency analysis for all contracts in the given
 	 * bridge. This method performs three phases in parallel across all
-	 * contracts: (i) Identify vulnerable LOG statements for the Local
-	 * Dependency Checker. (ii) Mark any CALLDATALOAD sites reachable from those
-	 * LOGs as tainted. (iii) Run the core Local Dependency Checker logic on
-	 * each contract.
+	 * contracts: (i) Identify vulnerable Event statements for the Local
+	 * Dependency Checker. (ii) Mark any CALLDATALOAD or CALLDATACOPY sites
+	 * reachable from those LOGs as tainted. (iii) Run the core Local Dependency
+	 * Checker logic on each contract.
 	 *
 	 * @param bridge the Bridge instance whose contracts will be analyzed
 	 */
@@ -569,7 +569,7 @@ public static void computeVulnerablesLOGsForLocalDependencyChecker(SmartContract
 		LiSAConfiguration conf = LiSAConfigurationManager.createConfiguration(contract);
 		LiSA lisa = new LiSA(conf);
 
-		VulnerableLOGsComputer checker = new VulnerableLOGsComputer();
+		VulnerableLOGsComputer checker = new VulnerableLOGsComputer(contract.getEventsSignature());
 		conf.semanticChecks.add(checker);
 		conf.abstractState = new SimpleAbstractState<>(new MonolithicHeap(),
 				new VulnerableLOGsAbstractDomain(),
@@ -597,12 +597,17 @@ public static void computeTaintedCallDataForLocalDependencyChecker(SmartContract
 			for (Signature event : contract.getEventsSignature()) {
 				for (Statement emit : event.getExitPoints()) {
 					if (logsVulnerable.contains(emit)) {
+
 						/* Functions linked to this event */
 						Set<Signature> functionsLinked = MyCache.getInstance().getMapEventsFunctions(event);
-						log.warn("No linked function found for event {} in contract {}.", event.getFullSignature(),
-								contract.getName());
-						for (Signature functionLinked : functionsLinked) {
 
+						if (functionsLinked.isEmpty()) {
+							log.warn("No linked function found for event {} in contract {}.", event.getFullSignature(),
+									contract.getName());
+							continue;
+						}
+
+						for (Signature functionLinked : functionsLinked) {
 							for (Statement entrypoint : functionLinked.getEntryPoints()) {
 								for (Statement exitpoint : functionLinked.getExitPoints()) {
 									/*
