Rewrite intro + methodology, more detailed sections, improve template

report/bibliography/urls.tex

@@ -0,0 +1,19 @@
+% CONTRACTS
+\newcommand{\urlcontractfakeweth}{https://polygonscan.com/address/0x15391A813d255e76de9b6b6d60df75c73f91121a}
+% CODE
+\newcommand{\urlcodesmartbugs}{https://github.com/smartbugs/smartbugs}
+\newcommand{\urlcodehoneybadger}{https://github.com/christoftorres/HoneyBadger}
+% IMAGES
+\newcommand{\urldiagrambytecode}{https://gists.rawgit.com/ajsantander/23c032ec7a722890feed94d93dff574a/raw/a453b28077e9669d5b51f2dc6d93b539a76834b8/BasicToken.svg}
+% VIDEOS
+\newcommand{\urlvideohackertraps}{https://www.youtube.com/watch?v=4bSQWoy5a_k}
+\newcommand{\urlvideomasqueradingcode}{https://www.youtube.com/watch?v=l1wjRy2BYPg}
+% CHANGELOGS
+\newcommand{\urlchangelogsoliditybugs}{https://github.com/ethereum/solidity/blob/develop/docs/bugs.json}
+% STANDARDS
+\newcommand{\urlstandardeipproxy}{https://eips.ethereum.org/EIPS/eip-1967}
+% ARTICLES
+\newcommand{\urlarticleredpill}{https://zengo.com/zengo-uncovers-security-vulnerabilities-in-popular-web3-transaction-simulation-solutions-the-red-pill-attack/}
+\newcommand{\urlarticledeconstructingcontract}{https://blog.openzeppelin.com/deconstructing-a-solidity-contract-part-i-introduction-832efd2d7737}
+% PAPERS
+\newcommand{\urlpaperartofthescam}{https://arxiv.org/pdf/1902.06976.pdf}

report/context.tex

@@ -2,10 +2,10 @@
 %								VARIABLES
 % =============================================================================
 
-\newcommand{\AUTHOR}{Apehex}
+\newcommand{\AUTHOR}{Forta Community}
 \newcommand{\CLIENT}{Forta}
 \newcommand{\DATE}{11/08/2023}
 \newcommand{\VERSION}{0.2.1}
 \newcommand{\TITLE}{Evasion Techniques}
-\newcommand{\SUBTITLE}{State Of The Art}
+\newcommand{\SUBTITLE}{Report On The Continuous Monitoring}
 \newcommand{\SUBJECT}{Web3}

report/main.tex

@@ -9,7 +9,7 @@
 \input{context} % Global settings
 
 % =======================================================================================
-\addbibresource{bibliography/references.bib} % bibliography file
+\input{bibliography/urls}
 
 % =======================================================================================
 
@@ -42,12 +42,13 @@ \part{Overview}
 % \chapter{Introduction} \label{ch:introduction}
 \input{sections/preamble/introduction}
 \input{sections/preamble/methodology}
-\input{sections/preamble/related}
+% \input{sections/preamble/related}
 
 % =======================================================================================
-%                                   PART 1: KNOWN
+%                                   PART 2: KNOWN
 % =======================================================================================
-\part{Known Techniques}
+\input{sections/evasion/known/description}
+\part{Known Evasion Techniques}
 %----------------------------------------------------------------------------------------
 \chapter{Spoofing} \label{ch:known-spoofing}
 \input{sections/evasion/known/spoofing/description}
@@ -76,29 +77,43 @@ \chapter{Redirection} \label{ch:known-redirection}
 \newpage\input{sections/evasion/known/redirection/selector-collisions}
 
 % =======================================================================================
-%                                   PART 2: FORESEEN
+%                                   PART 3: FORESEEN
 % =======================================================================================
-\part{Foreseen Techniques}
+% \addtocontents{toc}{\protect\newpage}
+\input{sections/evasion/foreseen/description}
+\part{Foreseen Evasion Techniques}
 %----------------------------------------------------------------------------------------
 \chapter{Spoofing} \label{ch:foreseen-spoofing}
 \input{sections/evasion/foreseen/spoofing/description}
-\input{sections/evasion/foreseen/spoofing/fake-users}
+\input{sections/evasion/foreseen/spoofing/sybils}
 \chapter{Obfuscation} \label{ch:foreseen-obfuscation}
 \input{sections/evasion/foreseen/obfuscation/description}
 \input{sections/evasion/foreseen/obfuscation/packing}
+\chapter{Poisoning} \label{ch:foreseen-poisoning}
+\input{sections/evasion/foreseen/poisoning/description}
+\input{sections/evasion/foreseen/poisoning/living-off-the-land}
 
 % =======================================================================================
-%                                   PART 3: TOOLING
+%                                   PART 1: DETECTION
 % =======================================================================================
-\addtocontents{toc}{\protect\newpage}
-\part{Detection Tools}
-%----------------------------------------------------------------------------------------
-\chapter{Malware Detection In Web3} \label{ch:transposing-to-web3}
 \input{sections/detection/description}
-\input{sections/detection/data}
-\input{sections/detection/technologies}
-\chapter{Designing The Forta Agent} \label{ch:forta-agent}
-\section{Taking Advantage Of The Network} \label{sec:}
+\part{Detection In Web3}
+%----------------------------------------------------------------------------------------
+\chapter{Static Analysis} \label{ch:static-analysis}
+\input{sections/detection/static/description}
+\input{sections/detection/static/metadata}
+\input{sections/detection/static/code}
+\chapter{Dynamic Analysis} \label{ch:dynamic-analysis}
+\input{sections/detection/dynamic/description}
+\input{sections/detection/dynamic/metadata}
+\input{sections/detection/dynamic/traces}
+\chapter{Hybrid Analysis} \label{ch:hybrid-analysis}
+\input{sections/detection/hybrid/description}
+\input{sections/detection/hybrid/statistics}
+\input{sections/detection/hybrid/graph}
+\chapter{Taxonomy} \label{ch:taxonomy}
+\input{sections/detection/taxonomy/description}
+\input{sections/detection/taxonomy/diagram}
 
 % =======================================================================================
 %                                   PART 4: APPENDICES
@@ -115,6 +130,6 @@ \part{Appendices}
 \chapter{Samples}
 \input{appendices/samples}
 %----------------------------------------------------------------------------------------
-\newpage\printbibliography[title = {Resources}]
+% \newpage\printbibliography[title = {Resources}]
 
 \end{document}

report/sections/detection/description.tex

@@ -1,2 +1,2 @@
-In this section, we'll consider each the parts and processes of the detection tools.
-This serves both the purpose of imagining how they can fail as well as designing the next tools.
+\setpartintro{We'll transpose the traditional malware analysis to the smart contracts.\\
+This serves both the purpose of designing detection tools as anticipating their failure, e.g. the avenues for evasion.}

report/sections/detection/dynamic/description.tex

@@ -0,0 +1,2 @@
+When a transaction is committed to the blockchain, the targeted smart contract is executed.
+This process generates trace data.

report/sections/detection/dynamic/metadata.tex

@@ -0,0 +1,9 @@
+\section{Metadata} \label{sec:static-metadata}
+
+\subsection{Transaction Sender}
+
+the global variables \lstinline[language=Solidity]{block}, \lstinline[language=Solidity]{tx} and \lstinline[language=Solidity]{msg} hold valuable informations
+
+\subsection{Transaction Metadata}
+
+\subsection{Events (Topics)}

report/sections/detection/dynamic/traces.tex

@@ -0,0 +1,17 @@
+\section{Execution Traces} \label{sec:dynamic-traces}
+
+Execution traces can be obtained either by replaying locally a transaction or by querying a RPC node with tracing enabled.
+
+\subsection{State Changes}
+
+storage slots
+
+balance may change
+
+\subsection{External Function Calls}
+
+identify if the contract interacts with other contracts or addresses
+
+\subsection{Internal Function Calls}
+
+this can be insightful in determining the contract's behavior

report/sections/detection/hybrid/description.tex

@@ -0,0 +1,2 @@
+Zooming out from the perspective of a single smart contract, the blockchain can be considered as a whole.
+This is a mix of the static data over all addresses and the dynamic data generated over time and addresses.

report/sections/detection/hybrid/graph.tex

@@ -0,0 +1,4 @@
+\section{Graph Theory} \label{sec:hybrid-graph}
+
+The blockchain archive can be seen as a temporal graph.
+While the exact structure can vary depending on the application, generally the nodes are the addresses and the vertices are transactions.

report/sections/detection/hybrid/statistics.tex

@@ -0,0 +1,3 @@
+\section{Statistics} \label{sec:hybrid-stats}
+
+the activity of a single address over time can be broken-down with statistics

report/sections/detection/static/code.tex

@@ -0,0 +1,17 @@
+\section{Code} \label{sec:static-code}
+
+\subsection{Bytecode}
+
+Similarly to the traditional binaries, smart contracts are compiled into bytecode which can be parsed: headers
+
+\subsection{Opcode Sequence}
+
+Bytecode can be interpreted as a language, giving a level of abstraction to the analysis.
+
+\subsection{Function Signatures}
+
+More specifically, functions can be extracted and compared to the reference implementations of the standards for example
+
+\subsection{Source code}
+
+When available, this layer can hold deceptive measures for the human reader; hence, it is very informative + creation code (not in bytecode)

report/sections/detection/static/description.tex

@@ -0,0 +1,5 @@
+The data available for analysis depends on the execution stage.
+For smart contracts, there are three main contexts.
+
+Outside of execution, the blockchain acts as a cold storage.
+In this first context, the detection methods are called "static analysis".

report/sections/detection/static/metadata.tex

@@ -0,0 +1,7 @@
+\section{Metadata} \label{sec:static-metadata}
+
+\subsection{Contract's creator}
+
+\subsection{Transaction Metadata}
+
+Details like the contract's creator, the balance, the creation timestamp and associated Ether provide a context to the whole analysis

report/sections/detection/taxonomy/description.tex

@@ -0,0 +1,2 @@
+Having looked over all the sources of data available, many techniques for detection and evasion emerged.
+By analogy with the malware space, these techniques can be sorted as follows.

report/sections/evasion/foreseen/description.tex

@@ -0,0 +1 @@
+\setpartintro{}

report/sections/evasion/foreseen/obfuscation/packing.tex

@@ -1,12 +1,14 @@
 \section{Payload Packing}
 
-\subsection{Evades}
+\subsection{Overview}
 
-Pattern matching on the bytecode.
+Encryption / encoding / compression can be leveraged to make malicious code unreadable.
 
-\subsection{How}
+\subsection{Evasion Targets}
 
-Encryption / encoding / compression can be leveraged to make malicious code unreadable.
+Pattern matching on the bytecode.
+
+\subsection{Samples}
 
 \subsection{Detection \& Countermeasures}
 

report/sections/evasion/foreseen/poisoning/description.tex

@@ -0,0 +1 @@
+Poisoning techniques hijack legitimate contracts to take advantage of their authority and appear trustworthy.

report/sections/evasion/foreseen/poisoning/living-off-the-land.tex

@@ -0,0 +1,19 @@
+\section{Living Off The Land}
+
+\subsection{Overview}
+
+Living off the land means surviving on what you can forage, hunt, or grow in nature.
+For malware, it means using 
+
+- callbacks (flashloans)
+- special contract
+
+\subsection{Evasion Targets}
+
+Pattern matching on the bytecode.
+
+\subsection{Samples}
+
+\subsubsection{Executing Raw Bytecode}
+
+\subsection{Detection \& Countermeasures}

report/sections/evasion/foreseen/spoofing/sybils.tex

@@ -0,0 +1,16 @@
+\section{Sybils} \label{sec:sybils}
+
+\subsection{Overview}
+
+Much like social networks, the blockchain is made of interconnected users.
+Their activity in and out of the blockchain gives weight to a project.
+
+So scammers could:
+- creates bots and enroll people to build a legitimate history on their contracts.
+- create a legitimitae service to hijack it later
+
+\subsection{Evasion Targets}
+
+\subsection{Samples}
+
+\subsection{Detection \& Countermeasures}

report/sections/evasion/known/description.tex

@@ -0,0 +1 @@
+\setpartintro{}

report/sections/evasion/known/spoofing/fake-standards-implementation.tex

@@ -14,7 +14,7 @@ \subsection{Overview}
 \subsection{Evasion Targets}
 
 \begin{description}
-\item[Etherscan]{the interpretation of proxy is fixed, it can easily be fooled}
+\item[block explorers]{the interpretation of proxies is fixed, it can easily be fooled}
 \item[users]{few users actually check the code, having a valid front is enough}
 \end{description}
 

report/sections/evasion/known/spoofing/overriding-standards-implementation.tex

@@ -20,9 +20,9 @@ \subsection{Evasion Targets}
 This technique is a refinment of the previous one: it will work on more targets.
 
 \begin{description}
-\item[Etherscan]{blockchain explorers lack  even more flexibility to detect these exploits}
-\item[Users]{the source code is even closer to a legitimate contract}
-\item[Reviewers]{the interpretation of the source code is subtle, and reviewing the bytecode is very time consuming}
+\item[block explorers]{blockchain explorers lack even more flexibility to detect these exploits}
+\item[users]{the source code is even closer to a legitimate contract}
+\item[reviewers]{the interpretation of the source code is subtle, and reviewing the bytecode is very time consuming}
 \end{description}
 
 \subsection{Samples}

report/sections/preamble/introduction.tex

@@ -4,7 +4,9 @@ \section{Introduction} \label{chap:introduction}
 In turn, they have become attractive tools for scammers and protocol attackers to steal digital assets.
 
 As there is growing scrutiny by both users and security tools, malicious actors are answering with deception.
-This cat-and-mouse game between malware detection mechanisms and evasive tatics has been relentless in the binary and web spaces.
+To achieve their end goals, they first have to appear legitimate and circumvent the security tools.
+This involves specific tricks, which we refer to as "evasion" and are the focus of this document.
 
+Exploit detection mechanisms and evasive tactics have played a relentless cat-and-mouse game in the binary and web spaces.
 Now, this history can be analyzed to improve the current detection tools and anticipate future threats in the web3 ecosystem.
 We will delve into the code of each evasion technique, highlight their distinctive features and propose countermeasures.

report/sections/preamble/methodology.tex

@@ -1,6 +1,6 @@
 \section{Methodology} \label{sec:methodology}
 
-This state-of-the-art is grounded in both past and present research.
+This report is grounded in both past and present research.
 
 A literature review on traditional malware evasion forms the basis for the study's taxonomy and framework.
 Studying these historical evasion techniques gives insights into potential trends for the blockchain ecosystem.
@@ -10,4 +10,11 @@ \section{Methodology} \label{sec:methodology}
 
 The report's practical aspect is backed by an analysis of selected smart contract samples.
 These samples were chosen for two reasons: their association with recent hacks and their ability to slip past detection mechanisms, especially those of the \href{https://explorer.forta.network/}{Forta network}.
-Contracts from other platforms such as \href{https://www.chainabuse.com/reports}{chainabuse}, \href{https://www.web3rekt.com/}{web3rekt}, and \href{https://www.rekt.news/}{rekt.news} provided the necessary data for this analysis.
+% Contracts from other platforms such as \href{https://www.chainabuse.com/reports}{chainabuse}, \href{https://www.web3rekt.com/}{web3rekt}, and \href{https://www.rekt.news/}{rekt.news} provided the necessary data for this analysis.
+
+Forta being a network of independent scanning agents, each of them is free to implement a different approach.
+Since it is not bound by a systemic choice of detection, the countermeasures are centered on each evasion technique.
+Static, dynamic, hybrid, graph analysis are all mentioned when it is relevant to a given target.
+
+The analysis is meant as a reference guide for the development of future bots on the Forta network.
+It will be a continuous feeedback loop: the report will be updated regularly as progress is made.

report/template/book/background.tex

@@ -13,7 +13,7 @@
         \fill[orange] (0,\paperheight) rectangle (8mm,-\paperheight); % bar width 6mm
       \fi
       \ifbackgroundtitlevisible
-        \node[rotate=90, white, font=\huge\bfseries\sffamily, anchor=south] at (8mm, 0mm) {\currentparttitle};
+        \node[rotate=90, white, font=\huge\bfseries\sffamily, anchor=west] at (4mm, 0mm) {\currentparttitle};
       \fi
     }
   }

report/template/book/cover.tex

@@ -57,7 +57,7 @@
 
     %%%%%%%%%%%%%%%%%%%% Author Name %%%%%%%%%%%%%%%%%%%%
     \begin{pgfonlayer}{fg}
-    \drawtext{\Large\textsc{#3}\\\Large\textsc{#4}}{$(current page.east)+(-0.5,-5)$}{2cm}{0}{text=white,anchor=east,align=right};
+    \drawtext{\Large\textsc{#3}\\\Large\textsc{#4}}{$(current page.east)+(-0.5,-5.2)$}{2cm}{0}{text=white,anchor=east,align=right};
     \end{pgfonlayer}
 
     %%%%%%%%%%%%%%%%%%%% Year %%%%%%%%%%%%%%%%%%%%