SMT abstraction

[JoranHonig]

Description

Currently we are directly using z3 objects in laser, and are often directly using the z3 api. This has a few downsides.

• Firstly this makes most of the code dependent on z3, which makes it difficult to plug in another SMT solver which might work better on the specific queries we have in mythril.
• Secondly, at some point we want to start tracking taint in "run time" this would be easy to do if we can add a record to a BitVec object, which is impossible using z3 objects directly. How this could look:

  > x = BitVector("x")
  > x.has_taint()
  false
  > x.taint()
  > x.has_taint()
  true

Details

Abstraction layer

To solve this problem we should build abstraction around SMT solving logic, which would provide an interface along the lines of https://github.com/angr/claripy.

Taint analysis

For the dynamic taint analysis we'd need to be able to taint a bitvector multiple times, and to distinguish the different taints. This is required because different analysis modules will run at the same time, and the integer overflow detection should not look for tainted variables from another module.

[ghost]

For the abstraction layer, how is about pysmt (https://github.com/pysmt/pysmt)? It uses SMT-Lib format to interact with SMT/SAT solvers and has supported many popular solvers, including Z3 and CVC4.

[norhh]

@hzzhang , Thats quite interesting, will look into that

[JoranHonig]

@hzzhang That still leaves taint analysis unimplemented

[norhh]

we can implement an interface between pysmt and mythril where we can implement stuff like taint .

[ghost]

@JoranHonig @norhh Agree, another interface would be needed.

[ghost]

@JoranHonig If no one has already been working on this, I'd like to take it.

[JoranHonig]

@hzzhang Go ahead and pick this up :+1:

[ghost]

Add SMT abstract layer for Mythril OSS

[JoranHonig]

I'm going to take this over because @hzzang doesn't have time to work on this right now.

[JoranHonig]

I've looked into the following three options:

1. Roll our own abstraction layer Possible, and it would allow us to build a solution that exactly fits our needs. But would take more time than the other two options

2. Extend pySMT This is the approach that hzzang took. In the pr we see that a symbol manager can be used to store properties for each symbol. However, this doesn't allow us to taint or annotate expressions, therefore it doesn't fully fit our needs yet.

3. Use claripy

   • Has nice annotation system that already works.
   • However, it doesn't support arrays. Some of mythril's current logic is based on z3 arrays so we will need to refactor this.