Added Access Control Incompleteness Checker and related abstract domain for taint analysis

Author: merendamattia

src/main/java/it/unipr/cfg/EVMCFG.java

@@ -50,6 +50,12 @@ public class EVMCFG extends CFG {
 	public Set<Statement> externalData;
 	public Set<Statement> jumpI;
 	public Set<Statement> successfullyTerminationStatements;
+	private Set<Statement> calldataloads;
+	private Set<Statement> calldatacopies;
+	private Set<Statement> calldatasizes;
+	private Set<Statement> callers;
+	private Set<Statement> origins;
+	private Set<Statement> callvalues;
 
 	/**
 	 * Builds a EVMCFG starting from its description.
@@ -72,6 +78,11 @@ public void computeHotspotNodes() {
 		this.jumpNodes = new HashSet<Statement>();
 		this.pushedJumps = new HashSet<Statement>();
 		this.sstores = new HashSet<Statement>();
+		this.calldataloads = new HashSet<Statement>();
+		this.calldatacopies = new HashSet<Statement>();
+		this.calldatasizes = new HashSet<Statement>();
+		this.callers = new HashSet<Statement>();
+		this.origins = new HashSet<Statement>();
 
 		NodeList<CFG, Statement, Edge> cfgNodeList = this.getNodeList();
 
@@ -158,6 +169,126 @@ public Set<Statement> getAllSstore() {
 		return this.sstores;
 	}
 
+	/**
+	 * Returns all CALLDATALOAD statements contained in the control-flow graph.
+	 *
+	 * @return a set with every CALLDATALOAD statement in this CFG
+	 */
+	public Set<Statement> getAllCalldataload() {
+		if (this.calldataloads == null) {
+			NodeList<CFG, Statement, Edge> cfgNodeList = this.getNodeList();
+			Set<Statement> calldataloads = new HashSet<>();
+
+			for (Statement statement : cfgNodeList.getNodes())
+				if (statement instanceof Calldataload)
+					calldataloads.add(statement);
+
+			return this.calldataloads = calldataloads;
+		}
+
+		return this.calldataloads;
+	}
+
+	/**
+	 * Returns all CALLDATACOPY statements contained in the control-flow graph.
+	 *
+	 * @return a set with every CALLDATACOPY statement in this CFG
+	 */
+	public Set<Statement> getAllCalldatacopy() {
+		if (this.calldatacopies == null) {
+			NodeList<CFG, Statement, Edge> cfgNodeList = this.getNodeList();
+			Set<Statement> calldatacopies = new HashSet<>();
+
+			for (Statement statement : cfgNodeList.getNodes())
+				if (statement instanceof Calldatacopy)
+					calldatacopies.add(statement);
+
+			return this.calldatacopies = calldatacopies;
+		}
+
+		return this.calldatacopies;
+	}
+
+	/**
+	 * Returns all CALLDATASIZE statements contained in the control-flow graph.
+	 *
+	 * @return a set with every CALLDATASIZE statement in this CFG
+	 */
+	public Set<Statement> getAllCalldatasize() {
+		if (this.calldatasizes == null) {
+			NodeList<CFG, Statement, Edge> cfgNodeList = this.getNodeList();
+			Set<Statement> calldatasizes = new HashSet<>();
+
+			for (Statement statement : cfgNodeList.getNodes())
+				if (statement instanceof Calldatasize)
+					calldatasizes.add(statement);
+
+			return this.calldatasizes = calldatasizes;
+		}
+
+		return this.calldatasizes;
+	}
+
+	/**
+	 * Returns all CALLER statements contained in the control-flow graph.
+	 *
+	 * @return a set with every CALLER statement in this CFG
+	 */
+	public Set<Statement> getAllCaller() {
+		if (this.callers == null) {
+			NodeList<CFG, Statement, Edge> cfgNodeList = this.getNodeList();
+			Set<Statement> callers = new HashSet<>();
+
+			for (Statement statement : cfgNodeList.getNodes())
+				if (statement instanceof Caller)
+					callers.add(statement);
+
+			return this.callers = callers;
+		}
+
+		return this.callers;
+	}
+
+	/**
+	 * Returns all ORIGIN statements contained in the control-flow graph.
+	 *
+	 * @return a set with every ORIGIN statement in this CFG
+	 */
+	public Set<Statement> getAllOrigin() {
+		if (this.origins == null) {
+			NodeList<CFG, Statement, Edge> cfgNodeList = this.getNodeList();
+			Set<Statement> origins = new HashSet<>();
+
+			for (Statement statement : cfgNodeList.getNodes())
+				if (statement instanceof Origin)
+					origins.add(statement);
+
+			return this.origins = origins;
+		}
+
+		return this.origins;
+	}
+
+	/**
+	 * Returns all CALLVALUE statements contained in the control-flow graph.
+	 *
+	 * @return a set with every CALLVALUE statement in this CFG
+	 */
+	public Set<Statement> getAllCallvalue() {
+		if (this.callvalues == null) {
+			NodeList<CFG, Statement, Edge> cfgNodeList = this.getNodeList();
+			Set<Statement> callvalues = new HashSet<>();
+
+			for (Statement statement : cfgNodeList.getNodes())
+				if (statement instanceof Callvalue)
+					callvalues.add(statement);
+
+			return this.callvalues = callvalues;
+		}
+
+		return this.callvalues;
+	}
+
 	/**
 	 * Returns a set of all the STOP and RETURN statements in the CFG.
 	 *

src/main/java/it/unipr/crosschain/checker/AccessControlIncompletenessChecker.java

@@ -0,0 +1,201 @@
+package it.unipr.crosschain.checker;
+
+import it.unipr.analysis.contract.SmartContract;
+import it.unipr.analysis.taint.TaintAbstractDomain;
+import it.unipr.analysis.taint.TaintElement;
+import it.unipr.cfg.*;
+import it.unipr.utils.MyCache;
+import it.unive.lisa.analysis.AnalysisState;
+import it.unive.lisa.analysis.AnalyzedCFG;
+import it.unive.lisa.analysis.SemanticException;
+import it.unive.lisa.analysis.SimpleAbstractState;
+import it.unive.lisa.analysis.heap.MonolithicHeap;
+import it.unive.lisa.analysis.nonrelational.value.TypeEnvironment;
+import it.unive.lisa.analysis.types.InferredTypes;
+import it.unive.lisa.checks.semantic.CheckToolWithAnalysisResults;
+import it.unive.lisa.checks.semantic.SemanticCheck;
+import it.unive.lisa.program.cfg.CFG;
+import it.unive.lisa.program.cfg.statement.Statement;
+import java.util.HashSet;
+import java.util.Set;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+
+/**
+ * Semantic checker that detects missing access control guards by combining a
+ * taint analysis with control-flow reachability information. The checker looks
+ * for sensitive sink instructions that can be reached from untrusted sources
+ * without passing through any guarded conditional jumps.
+ */
+public class AccessControlIncompletenessChecker implements
+		SemanticCheck<SimpleAbstractState<MonolithicHeap, TaintAbstractDomain, TypeEnvironment<InferredTypes>>> {
+
+	private static final Logger log = LogManager.getLogger(AccessControlIncompletenessChecker.class);
+
+	private Set<Statement> taintedJumpi = new HashSet<>();
+	private SmartContract contract;
+
+	/**
+	 * Builds the checker for the given contract.
+	 *
+	 * @param contract the contract under analysis
+	 */
+	public AccessControlIncompletenessChecker(SmartContract contract) {
+		this.contract = contract;
+	}
+
+	@Override
+	public boolean visit(
+			CheckToolWithAnalysisResults<
+					SimpleAbstractState<MonolithicHeap, TaintAbstractDomain, TypeEnvironment<InferredTypes>>> tool,
+			CFG graph) {
+
+		EVMCFG cfg = ((EVMCFG) graph);
+
+		for (Statement node : cfg.getNodes())
+			if (node instanceof Jumpi)
+				for (AnalyzedCFG<SimpleAbstractState<MonolithicHeap, TaintAbstractDomain,
+						TypeEnvironment<InferredTypes>>> result : tool.getResultOf(cfg)) {
+
+					AnalysisState<SimpleAbstractState<MonolithicHeap, TaintAbstractDomain,
+							TypeEnvironment<InferredTypes>>> analysisResult = null;
+
+					try {
+						analysisResult = result.getAnalysisStateBefore(node);
+					} catch (SemanticException e1) {
+						log.error("(AccessControlIncompletenessChecker): {}", e1.getMessage());
+					}
+
+					TaintAbstractDomain taintedStack = analysisResult.getState().getValueState();
+
+					if (taintedStack.isBottom() || taintedStack.isTop())
+						continue;
+
+					if (TaintElement.isAtLeastOneTainted(
+							taintedStack.getElementAtPosition(1),
+							taintedStack.getElementAtPosition(2)))
+						taintedJumpi.add(node);
+				}
+		return true;
+	}
+
+	@Override
+	public boolean visit(
+			CheckToolWithAnalysisResults<
+					SimpleAbstractState<MonolithicHeap, TaintAbstractDomain, TypeEnvironment<InferredTypes>>> tool,
+			CFG graph, Statement node) {
+
+		if (node instanceof Call
+				|| node instanceof Callcode
+				|| node instanceof Staticcall
+				|| node instanceof Delegatecall
+				|| node instanceof Sstore
+				|| node instanceof Balance
+				|| node instanceof Address) {
+			EVMCFG cfg = ((EVMCFG) graph);
+
+			for (AnalyzedCFG<SimpleAbstractState<MonolithicHeap, TaintAbstractDomain,
+					TypeEnvironment<InferredTypes>>> result : tool.getResultOf(cfg)) {
+				AnalysisState<SimpleAbstractState<MonolithicHeap, TaintAbstractDomain,
+						TypeEnvironment<InferredTypes>>> analysisResult = null;
+
+				try {
+					analysisResult = result.getAnalysisStateBefore(node);
+				} catch (SemanticException e1) {
+					log.error("(AccessControlIncompletenessChecker): {}", e1.getMessage());
+				}
+
+				// Retrieve the symbolic stack from the analysis result
+				TaintAbstractDomain taintedStack = analysisResult.getState().getValueState();
+
+				if (taintedStack.isBottom() || taintedStack.isTop())
+					// Nothing to do
+					continue;
+
+				int numArgs = getNumberOfArgs(node);
+				boolean isAtLeastOneTainted = false;
+
+				for (int argIndex = 1; argIndex <= numArgs; argIndex++)
+					isAtLeastOneTainted |= TaintElement.isAtLeastOneTainted(
+							taintedStack.getElementAtPosition(argIndex));
+
+				if (isAtLeastOneTainted)
+					checkForAccessControlIncompleteness(tool, cfg, node);
+			}
+		}
+		return true;
+	}
+
+	/**
+	 * Computes the number of arguments consumed from the stack by the provided
+	 * EVM instruction.
+	 *
+	 * @param node the statement to inspect
+	 *
+	 * @return the amount of stack elements consumed by {@code node}
+	 */
+	private int getNumberOfArgs(Statement node) {
+		if (node instanceof Call || node instanceof Callcode)
+			return 7;
+		if (node instanceof Staticcall || node instanceof Delegatecall)
+			return 6;
+		if (node instanceof Sstore)
+			return 2;
+		if (node instanceof Balance)
+			return 1;
+		return 0;
+	}
+
+	/**
+	 * Verifies whether a tainted source can reach an unguarded sink without
+	 * being protected by a conditional jump and, if so, records the
+	 * vulnerability.
+	 *
+	 * @param tool the analysis tool to report warnings on
+	 * @param cfg  the CFG under inspection
+	 * @param sink the sink statement that manipulates sensitive state
+	 */
+	private void checkForAccessControlIncompleteness(CheckToolWithAnalysisResults<
+			SimpleAbstractState<MonolithicHeap, TaintAbstractDomain, TypeEnvironment<InferredTypes>>> tool, EVMCFG cfg,
+			Statement sink) {
+
+		Set<Statement> sources = new HashSet<>();
+		sources.addAll(cfg.getAllCalldataload());
+		sources.addAll(cfg.getAllCalldatacopy());
+		sources.addAll(cfg.getAllCalldatacopy());
+		sources.addAll(cfg.getAllCaller());
+		sources.addAll(cfg.getAllOrigin());
+		sources.addAll(cfg.getAllCallvalue());
+
+		for (Statement source : sources) {
+			if (cfg.reachableFromWithoutStatements(source, sink, taintedJumpi)) {
+				String functionSignatureByStatement = contract.getFunctionSignatureByStatement(source);
+
+				// It means that this vulnerability is inside a private function
+				if (functionSignatureByStatement.equals("no-function-found"))
+					continue;
+
+				ProgramCounterLocation sinkLocation = (ProgramCounterLocation) sink.getLocation();
+
+				log.warn(
+						"[DEFINITE] Access Control Incompleteness vulnerability at pc {} (line {}) coming from pc {} (line {}).",
+						sinkLocation.getPc(),
+						sinkLocation.getSourceCodeLine(),
+						((ProgramCounterLocation) sink.getLocation()).getPc(),
+						((ProgramCounterLocation) sink.getLocation()).getSourceCodeLine());
+
+				String warn = "[DEFINITE] Access Control Incompleteness vulnerability at "
+						+ ((ProgramCounterLocation) sink.getLocation()).getSourceCodeLine();
+				tool.warn(warn);
+				MyCache.getInstance().addUncheckedExternalCallWarning(cfg.hashCode(), warn);
+
+				warn = "[DEFINITE] Access Control Incompleteness vulnerability in " + contract.getName() + " at "
+						+ functionSignatureByStatement
+						+ " (pc: " + ((ProgramCounterLocation) sink.getLocation()).getPc() + ", "
+						+ "line: " + ((ProgramCounterLocation) sink.getLocation()).getSourceCodeLine() + ")";
+				MyCache.getInstance().addVulnerabilityPerFunction(cfg.hashCode(), warn);
+			}
+		}
+	}
+
+}