HITB-Invoice-Logo

thank you for joining us!

Can a Fuzzer Match a Human

Date

August 26, 2022

Time

16:30

Track

CommSec Track

Compilers are programs that translate programs written in a high level programming language into machine code. The Solidity compiler accepts smart contracts written in the Solidity programming language and generates optimized Ethereum virtual machine (EVM) bytecode.

There are multiple components of the compiler that can introduce security issues: the optimiser and the code generator being the most security sensitive because they influence the binary code. Testing the codegen and the optimiser within the compiler requires a structured approach. Arbitrary character sequences as input-what a COTS fuzzer can easily provide-will simply be rejected by the compiler as invalid programs.

Second, finding bugs in the optimiser requires program interpretation and differential testing: side effects of the unoptimized and optimized programs need to be identical, otherwise the optimized program contains a bug. Testing the code generator is aided by the fact that the Solidity compiler has two implementations of the code generator, the legacy code generator and the new Yul intermediate representation (IR) based code generator. We employ a similar technique to find security relevant bugs in either codegens.

Speakers

Security Engineer

Ethereum Foundation

Bhargava Shastry is a security engineer at the Ethereum foundation. He spends most of his work time finding interesting ways to fuzz test the Solidity compiler-optimizer. He holds a Ph.D. from TU Berlin where he spent 5 wonderful years researching new ways to probe for security vulnerabilities in open source software.

Other Talks in This Track

LOCATION

CommSec Track

DATE

August 26

TIME

10:30

LOCATION

CommSec Track

DATE

August 26

TIME

11:30

LOCATION

CommSec Track

DATE

August 26

TIME

12:00