|
| 1 | +# DOS Detection in Neo VM Fuzzer |
| 2 | + |
| 3 | +## Overview |
| 4 | + |
| 5 | +This document describes the Denial of Service (DOS) detection capabilities implemented in the Neo VM Fuzzer. The fuzzer is designed to identify potential DOS vectors in Neo VM scripts that could be exploited to cause resource exhaustion or performance degradation in the Neo blockchain. |
| 6 | + |
| 7 | +DOS attacks in a virtual machine context typically exploit inefficient execution paths that consume excessive resources. In the Neo VM, these can manifest as: |
| 8 | + |
| 9 | +1. **Computational DOS**: Scripts that execute an excessive number of operations |
| 10 | +2. **Memory DOS**: Scripts that consume excessive memory through stack manipulation |
| 11 | +3. **Infinite Loops**: Scripts that create execution paths that never terminate |
| 12 | +4. **Exponential Complexity**: Scripts that trigger exponential growth in resource usage |
| 13 | + |
| 14 | +## Detection Mechanisms |
| 15 | + |
| 16 | +The DOS detection system analyzes script execution metrics to identify potential DOS vectors based on the following criteria: |
| 17 | + |
| 18 | +1. **High Instruction Count**: Scripts that execute an excessive number of instructions may indicate a DOS vector. The current threshold is set to 100 instructions. |
| 19 | + |
| 20 | +2. **Excessive Stack Depth**: Scripts that create deep stacks may cause memory exhaustion. The current threshold is set to 5 stack items. |
| 21 | + |
| 22 | +3. **Slow Opcodes**: Scripts that repeatedly execute opcodes with high average execution times may indicate a DOS vector. The current thresholds are: |
| 23 | + - Average execution time > 0.05ms |
| 24 | + - Executed more than 2 times |
| 25 | + |
| 26 | +4. **Long Execution Time**: Scripts that take a long time to execute may indicate a DOS vector. The current threshold is set to 10ms. |
| 27 | + |
| 28 | +5. **Potential Infinite Loops**: Scripts that contain patterns indicative of infinite loops are flagged as potential DOS vectors. |
| 29 | + |
| 30 | +## Detection Strategy |
| 31 | + |
| 32 | +The enhanced fuzzer: |
| 33 | + |
| 34 | +1. Tracks detailed execution metrics: |
| 35 | + - Instruction count per opcode |
| 36 | + - Stack depth throughout execution |
| 37 | + - Memory allocations |
| 38 | + - Execution time per opcode |
| 39 | + - Branch decision patterns |
| 40 | + |
| 41 | +2. Identifies suspicious patterns: |
| 42 | + - Operations with execution time significantly above average |
| 43 | + - Scripts with high instruction-to-progress ratios |
| 44 | + - Repeated state patterns indicating potential infinite loops |
| 45 | + - Exponential growth in resource consumption |
| 46 | + |
| 47 | +3. Scores and ranks scripts by their "DOS potential" |
| 48 | + |
| 49 | +## Implementation |
| 50 | + |
| 51 | +The DOS detection system is implemented in the following components: |
| 52 | + |
| 53 | +1. **DOSDetector**: The main class responsible for analyzing execution metrics and detecting potential DOS vectors. |
| 54 | + - Located in `Utils/DOSDetector.cs` |
| 55 | + - Configurable thresholds for different detection mechanisms |
| 56 | + - Calculates a DOS score based on multiple factors |
| 57 | + - Tracks execution time per opcode |
| 58 | + - Monitors stack depth and memory usage |
| 59 | + - Identifies potential infinite loops by tracking instruction pointer frequencies |
| 60 | + - Provides detailed analysis results with recommendations |
| 61 | + |
| 62 | + Key methods: |
| 63 | + - `OnStep`: Handles step events from the execution engine to track metrics |
| 64 | + - `AnalyzeExecution`: Analyzes collected metrics to calculate a DOS score |
| 65 | + - `GenerateReport`: Creates a detailed report of the analysis results |
| 66 | + |
| 67 | +2. **VMRunner**: Integrates with the DOSDetector to analyze script execution. |
| 68 | + - Located in `Runners/VMRunner.cs` |
| 69 | + - Performs DOS analysis for both successful and crashed script executions |
| 70 | + - Collects execution metrics such as instruction count, stack depth, and execution time |
| 71 | + - Saves potential DOS vectors to the corpus |
| 72 | + |
| 73 | + Key methods: |
| 74 | + - `Execute`: Executes a script and performs DOS analysis |
| 75 | + - `SaveDOSVector`: Saves a potential DOS vector to the corpus |
| 76 | + |
| 77 | +3. **InstrumentedExecutionEngine**: Tracks detailed execution metrics used for DOS detection. |
| 78 | + - Located in `Runners/InstrumentedExecutionEngine.cs` |
| 79 | + - Monitors instruction execution, stack operations, and execution time |
| 80 | + - Provides hooks for the DOSDetector to monitor execution |
| 81 | + - Records opcode execution times and frequencies |
| 82 | + |
| 83 | + Key methods: |
| 84 | + - `Execute`: Executes a script with detailed instrumentation |
| 85 | + - `OnStep`: Fires when an instruction is executed, providing metrics to subscribers |
| 86 | + |
| 87 | +## DOS Score Calculation |
| 88 | + |
| 89 | +The DOS score is calculated based on multiple factors, with each factor contributing a portion to the overall score: |
| 90 | + |
| 91 | +- **Instruction Count**: Up to 0.5 points based on the number of instructions executed |
| 92 | +- **Stack Depth**: Up to 0.3 points based on the maximum stack depth |
| 93 | +- **Slow Opcodes**: Up to 0.3 points based on the presence of slow opcodes |
| 94 | +- **Execution Time**: Up to 0.5 points based on the total execution time |
| 95 | +- **Potential Infinite Loops**: Up to 0.5 points based on loop detection |
| 96 | + |
| 97 | +A script is considered a potential DOS vector if its DOS score exceeds the configured threshold (default: 0.1). |
| 98 | + |
| 99 | +## Workflow Integration |
| 100 | + |
| 101 | +The DOS detection is integrated into the fuzzing workflow: |
| 102 | + |
| 103 | +1. The fuzzer executes a script with the instrumented execution engine |
| 104 | +2. The DOSDetector analyzes the execution metrics |
| 105 | +3. If the DOS score exceeds the threshold, the script is flagged as a potential DOS vector |
| 106 | +4. The fuzzer saves the potential DOS vector to the corpus |
| 107 | +5. The fuzzer includes the DOS vector in the fuzzing results |
| 108 | + |
| 109 | +### DOS Vector Analysis File Format |
| 110 | + |
| 111 | +Each DOS vector analysis file contains: |
| 112 | + |
| 113 | +``` |
| 114 | +DOS Vector Analysis: dos-20250326-055929-0_80-High_instruction_count__3411;_Excessive_stack_depth__2048-7b56e5b8 |
| 115 | +Timestamp: 3/26/2025 5:59:29AM |
| 116 | +DOS Score: 0.80 |
| 117 | +Detection Reason: High instruction count: 3411; Excessive stack depth: 2048 |
| 118 | +
|
| 119 | +Metrics: |
| 120 | + TotalInstructions: 3411 |
| 121 | + MaxStackDepth: 2048 |
| 122 | + UniqueOpcodes: 0 |
| 123 | + TotalExecutionTimeMs: 3.7773 |
| 124 | + InstructionScore: 0.5 |
| 125 | + LoopScore: 0 |
| 126 | + StackScore: 0.3 |
| 127 | +
|
| 128 | +Recommendations: |
| 129 | + - Consider adding instruction count limits to prevent excessive execution |
| 130 | + - Consider adding stack depth limits to prevent stack overflow attacks |
| 131 | +``` |
| 132 | + |
| 133 | +## Test Scripts |
| 134 | + |
| 135 | +The following test scripts are provided to verify the DOS detection functionality: |
| 136 | + |
| 137 | +1. **minimal_dos_vector.neo**: A simple script that triggers DOS detection based on execution time |
| 138 | +2. **stack_depth_dos.neo**: A script that focuses on excessive stack depth |
| 139 | +3. **comprehensive_dos_vector.neo**: A script that combines multiple DOS vectors |
| 140 | +4. **final_dos_test.neo**: A comprehensive test script that triggers multiple DOS detection mechanisms |
| 141 | + |
| 142 | +## Recent Enhancements |
| 143 | + |
| 144 | +1. **DOS Detection for Crashed Scripts**: Modified the VMRunner to perform DOS analysis even when scripts crash with exceptions, ensuring we can detect potential DOS vectors in all scripts. |
| 145 | + |
| 146 | +2. **Adjusted Detection Thresholds**: Lowered the thresholds to make the detection more sensitive: |
| 147 | + - Reduced instruction count threshold from 5000 to 100 |
| 148 | + - Reduced stack depth threshold from 50 to 5 |
| 149 | + - Reduced slow opcode threshold from 0.2ms to 0.05ms |
| 150 | + - Reduced execution time threshold from 500ms to 10ms |
| 151 | + |
| 152 | +3. **Enhanced Logging**: Added detailed logging about the DOS detection process to help debug and understand why scripts are or aren't being detected as DOS vectors. |
| 153 | + |
| 154 | +## Future Improvements |
| 155 | + |
| 156 | +1. **Improved Loop Detection**: Enhance the detection of potential infinite loops by analyzing execution patterns. |
| 157 | +2. **Dynamic Thresholds**: Implement dynamic thresholds based on the average execution metrics of the corpus. |
| 158 | +3. **Opcode-Specific Analysis**: Implement more detailed analysis of specific opcodes known to be resource-intensive. |
| 159 | +4. **Memory Usage Analysis**: Add detection for scripts that consume excessive memory. |
| 160 | +5. **Machine Learning-Based Detection**: Implement anomaly detection for more precise identification of DOS vectors. |
| 161 | +6. **Automatic Test Case Generation**: Generate test cases that specifically target DOS vulnerabilities. |
| 162 | +7. **Formal Verification Integration**: Integrate with formal verification tools to prove absence of certain DOS vectors. |
| 163 | +8. **Automatic Mitigation Recommendations**: Generate mitigation recommendations based on detected patterns. |
| 164 | + |
| 165 | +## Usage |
| 166 | + |
| 167 | +To enable DOS detection when running the fuzzer, use the following command-line options: |
| 168 | + |
| 169 | +```bash |
| 170 | +dotnet run -- --detect-dos --dos-threshold 0.1 --track-opcodes --track-memory |
| 171 | +``` |
| 172 | + |
| 173 | +- `--detect-dos`: Enables DOS detection |
| 174 | +- `--dos-threshold`: Sets the threshold for DOS detection (default: 0.1) |
| 175 | +- `--track-opcodes`: Enables tracking of opcode execution times (required for DOS detection) |
| 176 | +- `--track-memory`: Enables tracking of memory usage (recommended for DOS detection) |
0 commit comments