TY - JOUR
T1 - SigRec: Automatic Recovery of Function Signatures in Smart Contracts
AU - Chen, Ting
AU - Li, Zihao
AU - Luo, Xiapu
AU - Wang, Xiaofeng
AU - Wang, Ting
AU - He, Zheyuan
AU - Fang, Kezhao
AU - Zhang, Yufei
AU - Zhu, Hang
AU - Li, Hongwei
AU - Cheng, Yan
AU - Zhang, Xiao song
N1 - Publisher Copyright:
IEEE
PY - 2022/8/1
Y1 - 2022/8/1
N2 - Millions of smart contracts have been deployed onto Ethereum for providing various services, which can be invoked through their functions. For this purpose, the caller needs to know the function signature of a callee, which includes its function id and parameter types. Such signatures are critical to many applications focusing on smart contracts, e.g., reverse engineering, fuzzing, attack detection, and profiling. Unfortunately, it is challenging to recover the function signatures from contract bytecode, since neither debug information nor type information is present in the bytecode. To address this issue, prior approaches rely on source code, or a collection of known signatures from incomplete databases or incomplete heuristic rules, which, however, are far from adequate and cannot cope with the rapid growth of new contracts. In this paper, we propose a novel solution that leverages how functions are handled by the Ethereum virtual machine (EVM) to automatically recover function signatures. In particular, we exploit how smart contracts determine the functions to be invoked to locate and extract function ids, and propose a new approach named type-aware symbolic execution (TASE) that utilizes the semantics of EVM operations on parameters to identify the number and the types of parameters. Moreover, we develop SigRec, a new tool for recovering function signatures from contract bytecode without the need of source code and function signature databases. The extensive experimental results show that SigRec outperforms all existing tools, achieving an unprecedented 98.9% accuracy within 0.07 seconds. We further demonstrate that the recovered function signatures are useful in attack detection, fuzzing and reverse engineering of EVM bytecode.
AB - Millions of smart contracts have been deployed onto Ethereum for providing various services, which can be invoked through their functions. For this purpose, the caller needs to know the function signature of a callee, which includes its function id and parameter types. Such signatures are critical to many applications focusing on smart contracts, e.g., reverse engineering, fuzzing, attack detection, and profiling. Unfortunately, it is challenging to recover the function signatures from contract bytecode, since neither debug information nor type information is present in the bytecode. To address this issue, prior approaches rely on source code, or a collection of known signatures from incomplete databases or incomplete heuristic rules, which, however, are far from adequate and cannot cope with the rapid growth of new contracts. In this paper, we propose a novel solution that leverages how functions are handled by the Ethereum virtual machine (EVM) to automatically recover function signatures. In particular, we exploit how smart contracts determine the functions to be invoked to locate and extract function ids, and propose a new approach named type-aware symbolic execution (TASE) that utilizes the semantics of EVM operations on parameters to identify the number and the types of parameters. Moreover, we develop SigRec, a new tool for recovering function signatures from contract bytecode without the need of source code and function signature databases. The extensive experimental results show that SigRec outperforms all existing tools, achieving an unprecedented 98.9% accuracy within 0.07 seconds. We further demonstrate that the recovered function signatures are useful in attack detection, fuzzing and reverse engineering of EVM bytecode.
KW - automatic recovery
KW - Databases
KW - Ethereum
KW - function signature
KW - Layout
KW - Lenses
KW - Reverse engineering
KW - Semantics
KW - smart contract
KW - Smart contracts
KW - Tools
KW - type-aware symbolic execution
UR - http://www.scopus.com/inward/record.url?scp=85105854735&partnerID=8YFLogxK
U2 - 10.1109/TSE.2021.3078342
DO - 10.1109/TSE.2021.3078342
M3 - Journal article
AN - SCOPUS:85105854735
SN - 0098-5589
VL - 48
SP - 3066
EP - 3086
JO - IEEE Transactions on Software Engineering
JF - IEEE Transactions on Software Engineering
IS - 8
ER -