Add additional analysis modules (#1836)

* Update z3 * Add analysis modules * Modify test
9 months ago · 13969337fd
parent 57dbd0cfd6
commit 13969337fd
12 changed files with 486 additions and 6 deletions
--- a/mythril/analysis/module/loader.py
+++ b/mythril/analysis/module/loader.py
@ -14,12 +14,17 @@ from mythril.analysis.module.modules.exceptions import Exceptions
 from mythril.analysis.module.modules.external_calls import ExternalCalls
 from mythril.analysis.module.modules.integer import IntegerArithmetics
 from mythril.analysis.module.modules.multiple_sends import MultipleSends
+from mythril.analysis.module.modules.requirements_violation import RequirementsViolation
 from mythril.analysis.module.modules.state_change_external_calls import (
    StateChangeAfterCall,
 )
 from mythril.analysis.module.modules.suicide import AccidentallyKillable
+from mythril.analysis.module.modules.transaction_order_dependence import (
+    TransactionOrderDependence,
+)
 from mythril.analysis.module.modules.unchecked_retval import UncheckedRetval
 from mythril.analysis.module.modules.user_assertions import UserAssertions
+from mythril.analysis.module.modules.unexpected_ether import UnexpectedEther

 from mythril.analysis.module.base import EntryPoint

@ -90,19 +95,22 @@ class ModuleLoader(object, metaclass=Singleton):
    def _register_mythril_modules(self):
        self._modules.extend(
            [
+                AccidentallyKillable(),
                ArbitraryJump(),
                ArbitraryStorage(),
                ArbitraryDelegateCall(),
-                PredictableVariables(),
-                TxOrigin(),
                EtherThief(),
                Exceptions(),
                ExternalCalls(),
                IntegerArithmetics(),
                MultipleSends(),
+                PredictableVariables(),
+                RequirementsViolation(),
                StateChangeAfterCall(),
-                AccidentallyKillable(),
+                TransactionOrderDependence(),
+                TxOrigin(),
                UncheckedRetval(),
+                UnexpectedEther(),
                UserAssertions(),
            ]
        )
--- a/mythril/analysis/module/modules/requirements_violation.py
+++ b/mythril/analysis/module/modules/requirements_violation.py
@ -0,0 +1,85 @@
+"""This module contains the detection code for requirement violations in a call"""
+import logging
+
+from mythril.analysis import solver
+from mythril.analysis.module.base import DetectionModule
+from mythril.analysis.report import Issue
+from mythril.analysis.issue_annotation import IssueAnnotation
+from mythril.laser.smt import And
+from mythril.analysis.swc_data import REQUIREMENT_VIOLATION
+from mythril.exceptions import UnsatError
+from mythril.laser.ethereum.state.global_state import GlobalState
+
+from typing import List
+
+log = logging.getLogger(__name__)
+
+
+class RequirementsViolation(DetectionModule):
+    """This module detects transaction order dependence"""
+
+    name = "Requirement Violation"
+    swc_id = REQUIREMENT_VIOLATION
+    description = "Checks whether any requirements violate in a call."
+    entrypoint = "callback"
+    pre_hooks = ["REVERT"]
+    plugin_default_enabled = True
+
+    def _execute(self, state: GlobalState) -> List[Issue]:
+        """
+
+        :param state:
+        :return:
+        """
+        issues = self._analyze_state(state)
+        for issue in issues:
+            self.cache.add((issue.source_location, issue.bytecode_hash))
+        return issues
+
+    def _analyze_state(self, state) -> List[Issue]:
+        """
+
+        :param state:
+        :return:
+        """
+
+        if len(state.transaction_stack) < 2:
+            return []
+
+        try:
+            address = state.get_current_instruction()["address"]
+            description_head = "A requirement was violated in a nested call and the call was reverted as a result."
+            description_tail = "Make sure valid inputs are provided to the nested call (for instance, via passed arguments)."
+            transaction_sequence = solver.get_transaction_sequence(
+                state, state.world_state.constraints
+            )
+            issue = Issue(
+                contract=state.environment.active_account.contract_name,
+                function_name=state.environment.active_function_name,
+                address=address,
+                swc_id=REQUIREMENT_VIOLATION,
+                title="requirement violation",
+                severity="Medium",
+                description_head=description_head,
+                description_tail=description_tail,
+                bytecode=state.environment.code.bytecode,
+                transaction_sequence=transaction_sequence,
+                gas_used=(state.mstate.min_gas_used, state.mstate.max_gas_used),
+            )
+            state.annotate(
+                IssueAnnotation(
+                    conditions=[And(*state.world_state.constraints)],
+                    issue=issue,
+                    detector=self,
+                )
+            )
+
+            return [issue]
+
+        except UnsatError:
+            log.debug("no model found")
+
+        return []
+
+
+detector = RequirementsViolation()
--- a/mythril/analysis/module/modules/transaction_order_dependence.py
+++ b/mythril/analysis/module/modules/transaction_order_dependence.py
@ -0,0 +1,138 @@
+"""This module contains the detection code for transaction order dependence."""
+
+from mythril.analysis import solver
+from mythril.analysis.potential_issues import (
+    PotentialIssue,
+    get_potential_issues_annotation,
+)
+from mythril.analysis.swc_data import TX_ORDER_DEPENDENCE
+from mythril.laser.ethereum.transaction.symbolic import ACTORS
+from mythril.analysis.module.base import DetectionModule
+from mythril.laser.smt import Or, Bool
+from mythril.laser.ethereum.state.global_state import GlobalState
+from mythril.exceptions import UnsatError
+import logging
+
+log = logging.getLogger(__name__)
+
+DESCRIPTION = """
+
+Search for calls whose value depends on balance or storage.
+
+"""
+
+
+class BalanceAnnotation:
+    def __init__(self, caller):
+        self.caller = caller
+
+
+class StorageAnnotation:
+    def __init__(self, caller):
+        self.caller = caller
+
+
+class TransactionOrderDependence(DetectionModule):
+    """This module detects transaction order dependence."""
+
+    name = "Transaction Order Dependence"
+    swc_id = TX_ORDER_DEPENDENCE
+    description = DESCRIPTION
+    entrypoint = "callback"
+    pre_hooks = ["CALL"]
+    post_hooks = ["BALANCE", "SLOAD"]
+    plugin_default_enabled = True
+
+    def _execute(self, state: GlobalState) -> None:
+        """
+
+        :param state:
+        :return:
+        """
+        potential_issues = self._analyze_state(state)
+
+        annotation = get_potential_issues_annotation(state)
+        annotation.potential_issues.extend(potential_issues)
+
+    @staticmethod
+    def annotate_balance_storage_vals(state, opcode):
+        val = state.mstate.stack[-1]
+        if opcode == "BALANCE":
+            annotation = BalanceAnnotation
+        else:
+            annotation = StorageAnnotation
+        if len(val.get_annotations(annotation)) == 0:
+            state.mstate.stack[-1].annotate(annotation(state.environment.sender))
+        return []
+
+    def _analyze_state(self, state: GlobalState):
+        """
+
+        :param state:
+        :return:
+        """
+        opcode = state.get_current_instruction()["opcode"]
+        if opcode != "CALL":
+            opcode = state.environment.code.instruction_list[state.mstate.pc - 1][
+                "opcode"
+            ]
+        if opcode in ("BALANCE", "SLOAD"):
+            self.annotate_balance_storage_vals(state, opcode)
+            return []
+
+        value = state.mstate.stack[-3]
+        if (
+            len(value.get_annotations(StorageAnnotation))
+            + len(value.get_annotations(BalanceAnnotation))
+            == 0
+        ):
+            return []
+        callers = []
+
+        storage_annotations = value.get_annotations(StorageAnnotation)
+        if len(storage_annotations) == 1:
+            callers.append(storage_annotations[0].caller)
+        balance_annotations = value.get_annotations(BalanceAnnotation)
+        if len(balance_annotations) == 1:
+            callers.append(balance_annotations[0].caller)
+
+        address = state.get_current_instruction()["address"]
+        call_constraint = Bool(False)
+        for caller in callers:
+            call_constraint = Or(call_constraint, ACTORS.attacker == caller)
+
+        try:
+            constraints = state.world_state.constraints + [call_constraint]
+
+            solver.get_transaction_sequence(state, constraints)
+
+            description_head = (
+                "The value of the call is dependent on balance or storage write"
+            )
+            description_tail = (
+                "This can lead to race conditions. An attacker may be able to run a transaction after our transaction "
+                "which can change the value of the call"
+            )
+
+            issue = PotentialIssue(
+                contract=state.environment.active_account.contract_name,
+                function_name=state.environment.active_function_name,
+                address=address,
+                swc_id=TX_ORDER_DEPENDENCE,
+                title="Transaction Order Dependence",
+                bytecode=state.environment.code.bytecode,
+                severity="Medium",
+                description_head=description_head,
+                description_tail=description_tail,
+                constraints=constraints,
+                detector=self,
+            )
+
+        except UnsatError:
+            log.debug("[Transaction Order Dependence] No model found.")
+            return []
+
+        return [issue]
+
+
+detector = TransactionOrderDependence()
--- a/mythril/analysis/module/modules/unexpected_ether.py
+++ b/mythril/analysis/module/modules/unexpected_ether.py
@ -0,0 +1,142 @@
+"""This module contains the detection code for unexpected ether balance."""
+from mythril.analysis.report import Issue
+from mythril.analysis.issue_annotation import IssueAnnotation
+from mythril.analysis.swc_data import UNEXPECTED_ETHER_BALANCE
+from mythril.analysis.module.base import DetectionModule
+from mythril.analysis.module.module_helpers import is_prehook
+from mythril.laser.smt import BitVec, And
+from mythril.analysis.solver import UnsatError, get_transaction_sequence
+from mythril.laser.ethereum.state.annotation import StateAnnotation
+from mythril.laser.ethereum.state.global_state import GlobalState
+
+import logging
+
+log = logging.getLogger(__name__)
+
+DESCRIPTION = """
+Check for strict equality checks with contract balance
+"""
+
+
+class EtherBalanceCheckAnnotation(StateAnnotation):
+    """State Annotation used if an overflow is both possible and used in the annotated path"""
+
+    def __init__(self, balance: BitVec) -> None:
+        self.balance = balance
+
+
+class BalanceConditionAnnotation:
+    """"""
+
+    def __init__(self, address=None) -> None:
+        self.address = address
+
+
+class UnexpectedEther(DetectionModule):
+    """This module checks for strict equality checks with contract balance."""
+
+    author = "MythX Team"
+    plugin_license = "All rights reserved - ConsenSys"
+    plugin_type = "Detection Module"
+    plugin_description = DESCRIPTION
+    plugin_default_enabled = True
+
+    name = "Unexpected Ether Balance"
+    swc_id = "132"
+    description = DESCRIPTION
+    pre_hooks = ["INVALID", "EQ", "RETURN", "STOP"]
+    post_hooks = ["BALANCE"]
+
+    def _execute(self, state: GlobalState) -> None:
+        """
+
+        :param state:
+        :return:
+        """
+
+        return self._analyze_state(state)
+
+    def _analyze_state(self, state):
+        """
+
+        :param state:
+        :return:
+        """
+        node = state.node
+        instruction = state.get_current_instruction()
+        if is_prehook() is False:
+            balance = state.mstate.stack[-1]
+            annotations = state.get_annotations(EtherBalanceCheckAnnotation)
+            for annotation in annotations:
+                if annotation.balance == balance:
+                    return []
+
+            state.annotate(EtherBalanceCheckAnnotation(balance))
+            return []
+
+        if instruction["opcode"] == "EQ":
+            op1, op2 = state.mstate.stack[-2:]
+            annotations = list(state.get_annotations(EtherBalanceCheckAnnotation))
+            op = None
+            for annotation in annotations:
+                if hash(annotation.balance) != hash(op1) and hash(
+                    annotation.balance
+                ) != hash(op2):
+                    continue
+                if hash(annotation.balance) == hash(op1):
+                    op = op1
+                else:
+                    op = op2
+                break
+            if op is None:
+                return []
+            op.annotate(
+                BalanceConditionAnnotation(
+                    address=state.get_current_instruction()["address"]
+                )
+            )
+            log.debug(
+                "Equality check for contract balance in function " + node.function_name
+            )
+            return []
+
+        for constraint in state.world_state.constraints:
+            for annotation in constraint.get_annotations(BalanceConditionAnnotation):
+                if annotation.address in self.cache:
+                    continue
+                try:
+                    transaction_sequence = get_transaction_sequence(
+                        state, state.world_state.constraints
+                    )
+                except UnsatError:
+                    continue
+                log.debug("Detected a strict equality check")
+                title = "Strict Ether balance check"
+                description_head = "Use of strict ether balance checking"
+                description_tail = "Ether can be forcefully sent to this contract, This may make the contract unusable."
+
+                issue = Issue(
+                    contract=state.environment.active_account.contract_name,
+                    function_name=state.environment.active_function_name,
+                    address=annotation.address,
+                    title=title,
+                    bytecode=state.environment.code.bytecode,
+                    swc_id=UNEXPECTED_ETHER_BALANCE,
+                    severity="Low",
+                    description_head=description_head,
+                    description_tail=description_tail,
+                    transaction_sequence=transaction_sequence,
+                )
+                state.annotate(
+                    IssueAnnotation(
+                        conditions=[And(*state.world_state.constraints)],
+                        issue=issue,
+                        detector=self,
+                    )
+                )
+
+                return [issue]
+        return []
+
+
+detector = UnexpectedEther()
--- a/mythril/laser/ethereum/call.py
+++ b/mythril/laser/ethereum/call.py
@ -206,16 +206,17 @@ def native_call(

    if isinstance(callee_address, BitVec) or not (
        0 < int(callee_address, 16) <= PRECOMPILE_COUNT
-        or hevm_cheat_code.is_cheat_address(callee_address)
    ):
        return None
+    # Disabled due to issues with how multi contract calls are handled with some older solc versions
+    """
    if hevm_cheat_code.is_cheat_address(callee_address):
        log.info("HEVM cheat code address triggered")
        handle_cheat_codes(
            global_state, callee_address, call_data, memory_out_offset, memory_out_size
        )
        return [global_state]
-
+    """
    log.debug("Native contract called: " + callee_address)
    try:
        mem_out_start = util.get_concrete_int(memory_out_offset)
--- a/tests/integration_tests/analysis_tests.py
+++ b/tests/integration_tests/analysis_tests.py
@ -80,3 +80,20 @@ def test_analysis_pending(file_name, tx_data, calldata):
            0
        ]
        assert test_case["steps"][tx_data["TX_OUTPUT"]]["input"] == calldata
+
+
+test_data_code = [
+    ("114", f"{TESTDATA}/input_contracts/tx.sol", True),
+    ("123", f"{TESTDATA}/input_contracts/requirements_violation_pos.sol", True),
+    ("123", f"{TESTDATA}/input_contracts/requirements_violation_neg.sol", False),
+    ("132", f"{TESTDATA}/input_contracts/unexpected_ether_pos.sol", True),
+    ("132", f"{TESTDATA}/input_contracts/unexpected_ether_neg.sol", False),
+]
+
+
+@pytest.mark.parametrize("swc, file_path, exists", test_data_code)
+def test_analysis_code(swc, file_path, exists):
+    assert (
+        "SWC ID: {}".format(swc)
+        in output_of(f"python3 {MYTH} a {file_path} --solver-timeout 5000")
+    ) == exists
--- a/tests/integration_tests/safe_functions_test.py
+++ b/tests/integration_tests/safe_functions_test.py
@ -14,7 +14,6 @@ test_data = (
        "ether_send.sol",
        [
            "crowdfunding()",
-            "withdrawfunds()",
            "owner()",
            "balances(address)",
            "getBalance()",
--- a/tests/testdata/input_contracts/requirements_violation_neg.sol
+++ b/tests/testdata/input_contracts/requirements_violation_neg.sol
@ -0,0 +1,15 @@
+pragma solidity ^0.4.25;
+
+contract Bar {
+    Foo private f = new Foo();
+    function doubleBaz() public view returns (int256) {
+        return 2 * f.baz(1); //Changes the external contract to not hit the overly strong requirement.
+    }
+}
+
+contract Foo {
+    function baz(int256 x) public pure returns (int256) {
+        require(0 < x); //You can also fix the contract by changing the input to the uint type and removing the require
+        return 42;
+    }
+}
--- a/tests/testdata/input_contracts/requirements_violation_pos.sol
+++ b/tests/testdata/input_contracts/requirements_violation_pos.sol
@ -0,0 +1,15 @@
+pragma solidity ^0.4.25;
+
+contract Bar {
+    Foo private f = new Foo();
+    function doubleBaz() public view returns (int256) {
+        return 2 * f.baz(0);
+    }
+}
+
+contract Foo {
+    function baz(int256 x) public pure returns (int256) {
+        require(0 < x);
+        return 42;
+    }
+}
--- a/tests/testdata/input_contracts/tx.sol
+++ b/tests/testdata/input_contracts/tx.sol
@ -0,0 +1,28 @@
+
+pragma solidity ^0.4.16;
+
+contract EthTxOrderDependenceMinimal {
+    address public owner;
+    bool public claimed;
+    uint public reward;
+
+    function EthTxOrderDependenceMinimal() public {
+        owner = msg.sender;
+    }
+
+    function setReward() public payable {
+        require (!claimed);
+
+        require(msg.sender == owner);
+        owner.transfer(reward);
+        reward = msg.value;
+    }
+
+    function claimReward(uint256 submission) {
+        require (!claimed);
+        require(submission < 10);
+
+        msg.sender.transfer(reward);
+        claimed = true;
+    }
+}
--- a/tests/testdata/input_contracts/unexpected_ether_neg.sol
+++ b/tests/testdata/input_contracts/unexpected_ether_neg.sol
@ -0,0 +1,16 @@
+pragma solidity ^0.5.0;
+
+contract Lockdrop {
+
+    function lock()
+        external
+        payable
+    {
+        uint256 eth = msg.value;
+        address owner = msg.sender;
+        assert(address(0x0).balance > msg.value);
+    }
+
+
+
+}
--- a/tests/testdata/input_contracts/unexpected_ether_pos.sol
+++ b/tests/testdata/input_contracts/unexpected_ether_pos.sol
@ -0,0 +1,16 @@
+pragma solidity ^0.5.0;
+
+contract Lockdrop {
+
+    function lock()
+        external
+        payable
+    {
+        uint256 eth = msg.value;
+        address owner = msg.sender;
+        assert(address(0x0).balance == msg.value);
+    }
+
+
+
+}