ACFIX: Guiding LLMs with Mined Common RBAC Practices for Context-Aware Repair of Access Control Vulnerabilities in Smart Contracts
arXiv (2024)
Abstract
Smart contracts are susceptible to various security issues, among which
access control (AC) vulnerabilities are particularly critical. While existing
research has proposed multiple detection tools, the automatic and appropriate
repair of AC vulnerabilities in smart contracts remains a challenge. Unlike
commonly supported vulnerability types by existing repair tools, such as
reentrancy, which are usually fixed by template-based approaches, the main
obstacle of AC lies in identifying the appropriate roles or permissions amid a
long list of non-AC-related source code to generate proper patch code, a task
that demands human-level intelligence.
Leveraging recent advancements in large language models (LLMs), we employ the
state-of-the-art GPT-4 model and enhance it with a novel approach called ACFIX.
The key insight is that we can mine common AC practices for major categories of
code functionality and use them to guide LLMs in fixing code with similar
functionality. To this end, ACFIX involves both offline and online phases.
First, during the offline phase, ACFIX mines a taxonomy of common Role-based
Access Control (RBAC) practices from 344,251 on-chain contracts, categorizing
49 role-permission pairs from the top 1,000 pairs mined. Second, during the
online phase, ACFIX tracks AC-related elements across the contract and uses
this context information along with a Chain-of-Thought pipeline to guide LLMs
in identifying the most appropriate role-permission pair for the subject
contract and subsequently generating a suitable patch. This patch will then
undergo a validity and effectiveness check. To evaluate ACFIX, we built the
first benchmark dataset of 118 real-world AC vulnerabilities, and our
evaluation revealed that ACFIX successfully repaired 94.92% of them. This
represents a significant improvement compared to the baseline GPT-4, which
achieved only 52.54%.