Static Application Security Testing (SAST) Tools for Smart Contracts: How Far Are We?
In recent years, the importance of smart contract security has been heightened by the increasing number of attacks against them. To address this issue, a multitude of static application security testing (SAST) tools have been proposed for detecting vulnerabilities in smart contracts. However, objectively comparing these tools to determine their effectiveness remains challenging. Existing studies often fall short due to the taxonomies and benchmarks only covering a coarse and potentially outdated set of vulnerability types, which leads to evaluations that are not entirely comprehensive and may display bias.
In this paper, we fill this gap by proposing an up-to-date and fine-grained taxonomy that includes 45 unique vulnerability types for smart contracts. Taking it as a baseline, we develop an extensive benchmark that covers 40 distinct types and includes a diverse range of code characteristics, vulnerability patterns, and application scenarios. Based on them, we evaluated 8 SAST tools using this benchmark, which comprises 788 smart contract files and 10,394 vulnerabilities. Our results reveal that the existing SAST tools fail to detect around 50% of vulnerabilities in our benchmark and suffer from high false positives, with precision not surpassing 10%. We also discover that by combining the results of multiple tools, the false negative rate can be reduced effectively, at the expense of flagging 36.77 percentage points more functions. Nevertheless, many vulnerabilities, especially those beyond Access Control and Reentrancy vulnerabilities, remain undetected. We finally highlight the valuable insights from our study, hoping to provide guidance on tool development, enhancement, evaluation, and selection for developers, researchers, and practitioners.
Fri 19 JulDisplayed time zone: Brasilia, Distrito Federal, Brazil change
15:30 - 16:00 | |||
15:30 30mPoster | Predicting Failures of Autoscaling Distributed Applications Posters Giovanni Denaro University of Milano - Bicocca, Noura El Moussa USI Università della Svizzera Italiana & SIT Schaffhausen Institute of Technology, Rahim Heydarov USI Università della Svizzera Italiana, Francesco Lomio SIT Schaffhausen Institute of Technology, Mauro Pezze USI Università della Svizzera Italiana & SIT Schaffhausen Institute of Technology, Ketai Qiu USI Università della Svizzera Italiana | ||
15:30 30mPoster | On the Contents and Utility of IoT Cybersecurity Guidelines Posters Jesse Chen University of Arizona, Dharun Anandayuvaraj Purdue University, James C. Davis Purdue University, Sazzadur Rahaman University of Arizona | ||
15:30 30mPoster | Demystifying Invariant Effectiveness for Securing Smart Contracts Posters Zhiyang Chen University of Toronto, Ye Liu Nanyang Technological University, Sidi Mohamed Beillahi University of Toronto, Yi Li Nanyang Technological University, Fan Long University of Toronto | ||
15:30 30mPoster | Improving the Learning of Code Review Successive Tasks with Cross-Task Knowledge Distillation Posters | ||
15:30 30mPoster | Static Application Security Testing (SAST) Tools for Smart Contracts: How Far Are We? Posters Kaixuan Li East China Normal University, Yue Xue Metatrust Labs, Sen Chen Tianjin University, Han Liu East China Normal University, Kairan Sun Nanyang Technological University, Ming Hu Singapore Management University, Haijun Wang Xi'an Jiaotong University, Yang Liu Nanyang Technological University, Yixiang Chen East China Normal University | ||
15:30 30mPoster | Predicting Code Comprehension: A Novel Approach to Align Human Gaze with Code Using Deep Neural Networks Posters Tarek Alakmeh University of Zurich, David Reich University of Potsdam, Lena Jäger University of Zurich, Thomas Fritz University of Zurich | ||
15:30 30mPoster | Decomposing Software Verification Using Distributed Summary Synthesis Posters DOI Pre-print | ||
15:30 30mPoster | EyeTrans: Merging Human and Machine Attention for Neural Code Summarization Posters Yifan Zhang Vanderbilt University, Jiliang Li Vanderbilt University, Zachary Karas Vanderbilt University, Aakash Bansal University of Notre Dame, Toby Jia-Jun Li University of Notre Dame, Collin McMillan University of Notre Dame, Kevin Leach Vanderbilt University, Yu Huang Vanderbilt University | ||
15:30 30mPoster | Mining Action Rules for Defect Reduction Planning Posters Khouloud Oueslati Polytechnique Montréal, Canada, Gabriel Laberge Polytechnique Montréal, Canada, Maxime Lamothe Polytechnique Montreal, Foutse Khomh Polytechnique Montréal | ||
15:30 30mPoster | How does Simulation-based Testing for Self-driving Cars match Human Perception? Posters Christian Birchler Zurich University of Applied Sciences & University of Bern, Tanzil Kombarabettu Mohammed University of Zurich, Pooja Rani University of Zurich, Teodora Nechita Zurich University of Applied Sciences, Timo Kehrer University of Bern, Sebastiano Panichella Zurich University of Applied Sciences | ||
15:30 30mPoster | Beyond Code Generation: An Observational Study of ChatGPT Usage in Software Engineering Practice Posters Ranim Khojah Chalmers | University of Gothenburg, Mazen Mohamad Chalmers | RISE - Research Institutes of Sweden, Philipp Leitner Chalmers | University of Gothenburg, Francisco Gomes de Oliveira Neto Chalmers | University of Gothenburg | ||
This room is conjoined with the Foyer to provide additional space for the coffee break, and hold poster presentations throughout the event.