Write a Blog >>
Tue 10 Nov 2020 08:09 - 08:10 at Virtual room 1 - Fuzzing

We present Harvey, an industrial greybox fuzzer for smart contracts,
which are programs managing accounts on a blockchain.

Greybox fuzzing is a lightweight test-generation approach that
effectively detects bugs and security vulnerabilities. However,
greybox fuzzers randomly mutate program inputs to exercise new paths;
this makes it challenging to cover code that is guarded by narrow
checks. Moreover, most real-world smart contracts transition through
many different states during their lifetime, e.g., for every bid in an
auction. To explore these states and thereby detect deep
vulnerabilities, a greybox fuzzer would need to generate sequences of
contract transactions, e.g., by creating bids from multiple users,
while keeping the search space and test suite tractable.

In this paper, we explain how Harvey alleviates both
challenges with two key techniques. First, Harvey extends standard greybox fuzzing with
a method for predicting new inputs that are more likely to cover new
paths or reveal vulnerabilities in smart contracts. Second, it fuzzes
transaction sequences in a targeted and demand-driven way. We have
evaluated our approach on 27 real-world contracts. Our experiments
show that our techniques significantly increase Harvey's
effectiveness in achieving high coverage and detecting
vulnerabilities, in most cases orders-of-magnitude faster.

Tue 10 Nov
Times are displayed in time zone: (UTC) Coordinated Universal Time change

08:00 - 08:02
Talk
Boosting Fuzzer Efficiency: An Information Theoretic PerspectiveACM SIGSOFT Distinguished Paper Award
Research Papers
Marcel BöhmeMonash University, Australia, Valentin ManèsKAIST, South Korea, Sang Kil ChaKAIST, South Korea
DOI
08:03 - 08:04
Talk
CrFuzz: Fuzzing Multi-purpose Programs through Input Validation
Research Papers
Suhwan SongSeoul National University, South Korea, Chengyu SongUniversity of California at Riverside, USA, Yeongjin JangOregon State University, USA, Byoungyoung LeeSeoul National University, South Korea
DOI
08:05 - 08:06
Talk
Detecting Critical Bugs in SMT Solvers Using Blackbox Mutational Fuzzing
Research Papers
Muhammad Numair MansurMPI-SWS, Germany, Maria ChristakisMPI-SWS, Valentin WüstholzConsenSys, Fuyuan ZhangMPI-SWS, Germany
DOI Pre-print
08:07 - 08:08
Talk
Fuzzing: On the Exponential Cost of Vulnerability Discovery
Research Papers
Marcel BöhmeMonash University, Australia, Brandon FalkGamozo Labs, n.n.
DOI
08:09 - 08:10
Talk
Harvey: A Greybox Fuzzer for Smart Contracts
Industry Papers
DOI Pre-print
08:11 - 08:12
Talk
Intelligent REST API Data Fuzzing
Research Papers
Patrice GodefroidMicrosoft Research, USA, Bo-Yuan HuangPrinceton University, USA, Marina PolishchukMicrosoft Research, USA
DOI
08:13 - 08:14
Talk
MTFuzz: Fuzzing with a Multi-task Neural Network
Research Papers
Dongdong SheColumbia University, USA, Rahul KrishnaColumbia University, USA, Lu YanShanghai Jiao Tong University, China, Suman JanaColumbia University, USA, Baishakhi RayColumbia University, USA
DOI Pre-print
08:15 - 08:30
Talk
Conversations on Fuzzing
Research Papers
Dongdong SheColumbia University, USA, Muhammad Numair MansurMPI-SWS, Germany, Marcel BöhmeMonash University, Australia, Suhwan SongSeoul National University, South Korea, Valentin WüstholzConsenSys, M: Mike PapadakisUniversity of Luxembourg, Luxembourg