Slide 1

Slide 1 text

Continuous Security in Smart Contract Development. Jisu Park, jisupark@sooho.io

Slide 2

Slide 2 text

SPEAKER & TOPIC [section 0]
@jisupark
2015 - Full Stack Engineer
2017 - SW Security @ Korea Univ.
2018 - Automated Vulnerability Detector

Slide 3

Slide 3 text

SPEAKER & TOPIC [section 0] - Agenda
1. Backgrounds
   - Vulnerability and Exploit
   - Common Vulnerabilities and Exposures (CVE)?
2. Security threat trend
3. Code reuse
4. Code reuse in Smart Contract
5. Continuous Security in Sooho
6. Outro

Slide 4

Slide 4 text

VULNERABILITY & EXPLOIT [section 1]
VULNERABILITY: a software weakness that allows an arbitrary attacker to perform unauthorized functions.
vs.
EXPLOIT: an attack that performs an unauthorized function through the vulnerability.

Slide 5

Slide 5 text

CVE [section 1]
• To standardize the way each known vulnerability or exposure is identified
• To catalog vulnerabilities in software into a free "dictionary" that organizations can use to improve their security
Format: CVE-YYYY-NNNN (CVE-YEAR-NUMBER)

Slide 6

Slide 6 text

CVE [section 1] - Batch Overflow vulnerability

Slide 7

Slide 7 text

CVE [section 1] - CVE entry fields: Identifier, Content, Severity (example entry: batchOverflow)

Slide 8

Slide 8 text

SECURITY THREAT TREND [section 2] - Ethereum Bounty Program

Slide 9

Slide 9 text

SECURITY THREAT TREND [section 2] - Diagram: the Ethereum P2P network (NODE x5) with the tools that deploy contracts to it and interact with them: REMIX IDE (CONTRACT DEPLOY), MIST BROWSER, MYETHERWALLET

Slide 15

Slide 15 text

SECURITY THREAT TREND [section 2] - Proportion of the vulnerable contracts in Ethereum: 5% Vulnerable Contract, 95% Benign Contract (ref. ZEUS, NDSS'18)

Slide 16

Slide 16 text

TIMELINE OF EXPLOITS [section 2] - Vulnerabilities are exploited in the real world (Jun 2017 to Oct 2018)
- 07/13/'17 Augur Rep Token
- 07/19/'17 Parity Multi-sig
- 10/05/'17 SmartBillions
- 11/06/'17 Parity Multi-sig 2
- 04/22/'18 Batch/Proxy Overflow
- 07/24/'18 FoMo3D Airdrop
- 10/06/'18 SpankChain

Slide 17

Slide 17 text

WHY?

Slide 18

Slide 18 text

CODE REUSE [section 3] - One of the main reasons for vulnerability propagation
1. Complete Code Reuse
   • Reuse at development stage
   • Reuse at compile stage
2. Partial Code Reuse
   • Project Fork
   • Copy & Paste
Ex) Code reuse in traditional software

Slide 19

Slide 19 text

(1) Complete Reuse [section 3] - Package Dependency; External Contract Reference

Slide 20

Slide 20 text

(1) Complete Reuse [section 3] - Package Dependency; External Contract Reference. What if it were vulnerable?

Slide 21

Slide 21 text

(2) Partial Reuse [section 3]
• Project Fork
  • Develop a new project by taking a copy of the source code from a specific version of the project
  • The child project inherits a large amount of source from the parent project
  Ex) Fork in traditional software: 48% forks from
What if it were vulnerable?

Slide 22

Slide 22 text

(2) Partial Reuse [section 3]
• Copy & Paste
  • Reuse part of external source code from GitHub or StackOverflow (Search, then Copy & Paste)
What if it were vulnerable?

Slide 23

Slide 23 text

CODE REUSE [section 3] - NOT ALWAYS HARMFUL
1. Development strategy
2. Maintenance strategy
We love StackOverflow

Slide 24

Slide 24 text

CODE REUSE [section 3] - Case of DIRTY COW (CVE-2016-5195): the "vulnerable code clone" remains even after the original code is patched

Slide 25

Slide 25 text

IN SMART CONTRACT?

Slide 26

Slide 26 text

IN CONTRACT [section 4] - Characteristics of Smart Contract
1. (Generally) patching is impossible
2. Same execution environment
3. Traceable transactions
4. Hold assets

Slide 27

Slide 27 text

IN CONTRACT [section 4] - Characteristics of Smart Contract
1. (Generally) patching is impossible
2. Same execution environment
3. Traceable transactions
4. Hold assets
Favorable conditions for the attacker
1. Vulnerability remains
2. High accessibility
3. Replay attack
4. Great motivation

Slide 28

Slide 28 text

IN CONTRACT [section 4]
Analysis Target
1. Verified contracts on Etherscan (retrieved 18.08.21)
2. Functions defined in all of those contracts
Analysis
1. Code reuse of the contract itself
2. Code reuse of functions
3. Vulnerability propagation

Slide 29

Slide 29 text

IN CONTRACT [section 4] - 1) Code reuse of the contract itself: exactly the same contracts exist in Ethereum

Slide 30

Slide 30 text

IN CONTRACT [section 4] - 1) Code reuse of the contract itself: contract generator services create similar contracts.

Slide 31

Slide 31 text

IN CONTRACT [section 4] - 2) Code reuse of functions: WHICH FUNCTION IS USED THE MOST?

Slide 32

Slide 32 text

IN CONTRACT [section 4] - 2) Code reuse of functions: SafeMath is commonly used

Slide 33

Slide 33 text

IN CONTRACT [section 4] - 3) Vulnerability propagation

Slide 34

Slide 34 text

IN CONTRACT [section 4]

Slide 35

Slide 35 text

IN CONTRACT [section 4] - Vulnerable code clone detection in Sooho-CLI (approach from S&P '17)
Patch File -> Vulnerable Code -> Vulnerable DB
Target File -> Candidate Code -> Search (against the Vulnerable DB)
Steps applied to the code on both paths: Extract, Abstract, Normalize
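The Extract -> Abstract -> Normalize -> Search pipeline sketched on this slide, written out as an added example. It is not Sooho-CLI code, and not the code of the S&P '17 tool the slide cites (which, to my knowledge, is VUDDY's vulnerable-code-clone discovery; the abstraction and normalization below imitate its idea, not its implementation). Assumptions: a hand-written brace-matching extractor stands in for a real Solidity parser; the contracts, the patch, and the names Token, Drop, bulkSend, airdrop and safeDrop are constructed for illustration and are not any deployed contract. The example shows why the abstraction step matters: a renamed, reformatted copy of an unchecked multiplication of the batchOverflow kind still hashes to the vulnerable entry built from the patch, while the SafeMath-guarded form from the "after" side of the patch does not.

```python
import hashlib
import re

# Toy pipeline: Extract -> Abstract -> Normalize -> fingerprint, a Vulnerable DB built
# from a patch, and a Search over a target file. Not Sooho-CLI; all samples are constructed.
SOL_TYPES = r"(?:uint256|uint8|uint|int256|int|address|bool|bytes32|bytes|string)"

def extract_functions(src):
    """Extract: name -> (parameter names, body) via a brace-matching scan (not a parser)."""
    funcs = {}
    for m in re.finditer(r"function\s+(\w+)\s*\(([^)]*)\)", src):
        start = src.find("{", m.end())
        if start == -1:
            continue
        depth, i = 0, start
        while i < len(src):
            depth += {"{": 1, "}": -1}.get(src[i], 0)
            if depth == 0:
                break
            i += 1
        param_names = [p.split()[-1] for p in m.group(2).split(",") if p.strip()]
        funcs[m.group(1)] = (param_names, src[start + 1:i])
    return funcs

def abstract(param_names, body):
    """Abstract: parameters -> PARAM, locals -> LVAR, types -> DTYPE, so renamed clones match."""
    local_names = re.findall(r"\b" + SOL_TYPES + r"(?:\[\])?\s+(\w+)\s*=", body)
    for name, token in [(p, "PARAM") for p in param_names] + [(v, "LVAR") for v in local_names]:
        body = re.sub(r"\b" + re.escape(name) + r"\b", token, body)
    return re.sub(r"\b" + SOL_TYPES + r"\b", "DTYPE", body)

def normalize(code):
    """Normalize: drop comments, whitespace and case so formatting differences vanish."""
    code = re.sub(r"//[^\n]*|/\*.*?\*/", "", code, flags=re.S)
    return re.sub(r"\s+", "", code).lower()

def fingerprint(param_names, body):
    """(length, sha256) of the abstracted, normalized body: the unit stored and searched."""
    norm = normalize(abstract(param_names, body))
    return len(norm), hashlib.sha256(norm.encode()).hexdigest()

def build_vulnerable_db(before_src, after_src):
    """Vulnerable DB: fingerprints of every function the patch changed or removed."""
    before, after = extract_functions(before_src), extract_functions(after_src)
    db = {}
    for name, (params, body) in before.items():
        fp = fingerprint(params, body)
        if name not in after or fingerprint(*after[name]) != fp:
            db[fp] = name
    return db

def search(target_src, db):
    """Search: (target function, matched vulnerable function) for every hit."""
    hits = []
    for name, (params, body) in extract_functions(target_src).items():
        fp = fingerprint(params, body)
        if fp in db:
            hits.append((name, db[fp]))
    return hits

# Constructed "before" side of a patch: an unchecked multiplication of the kind the
# slides call batchOverflow. Illustrative code only, not any deployed contract.
VULNERABLE_SRC = """contract Token {
    mapping(address => uint256) balances;
    function bulkSend(address[] _to, uint256 _amount) public returns (bool) {
        uint cnt = _to.length;
        uint256 total = uint256(cnt) * _amount; // wraps on overflow
        require(cnt > 0 && balances[msg.sender] >= total);
        balances[msg.sender] -= total;
        for (uint i = 0; i < cnt; i++) { balances[_to[i]] += _amount; }
        return true;
    }
    function balanceOf(address _owner) public view returns (uint256) { return balances[_owner]; }
}"""
# Constructed "after" side: the same function guarded by SafeMath's checked multiplication.
PATCHED_SRC = VULNERABLE_SRC.replace(
    "uint256(cnt) * _amount; // wraps on overflow", "uint256(cnt).mul(_amount); // reverts on overflow")
# Constructed target: a renamed, reformatted clone of the vulnerable function, plus a safe one.
TARGET_SRC = """contract Drop {
    mapping(address => uint256) balances;
    function airdrop(address[] recipients, uint256 value) public returns(bool){
        uint n = recipients.length; uint256 sum = uint256(n)*value;
        require(n>0 && balances[msg.sender]>=sum); balances[msg.sender] -= sum;
        for(uint k=0;k<n;k++){ balances[recipients[k]] += value; } return true;
    }
    function safeDrop(address[] recipients, uint256 value) public returns(bool){
        uint n = recipients.length; uint256 sum = uint256(n).mul(value);
        require(n>0 && balances[msg.sender]>=sum); balances[msg.sender] -= sum;
        for(uint k=0;k<n;k++){ balances[recipients[k]] += value; } return true;
    }
}"""

def scan_target():
    """Run the pipeline end to end on the constructed samples."""
    return search(TARGET_SRC, build_vulnerable_db(VULNERABLE_SRC, PATCHED_SRC))

if __name__ == "__main__":
    print(scan_target())  # [('airdrop', 'bulkSend')]
```

Only functions whose fingerprint changed between the two sides of the patch enter the Vulnerable DB, so the untouched balanceOf never produces false hits, and safeDrop, which already carries the checked multiplication, is not reported. The fingerprint keys on length plus hash of the abstracted body, which is why a real tool of this kind scales: looking a target function up is a dictionary hit, not a pairwise comparison.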

Slide 36

Slide 36 text

CONTINUOUS SECURITY [section 5] - CONTINUOUS DELIVERY pipeline: Design -> Code/Test -> Commit -> Setup -> Deploy, with Code Review, QA/Integration and AUDIT as the security touchpoints

Slide 37

Slide 37 text

CONTINUOUS SECURITY [section 5] - Earlier detection, lower cost (ref. nowsecure)

Slide 38

Slide 38 text

CONTINUOUS SECURITY [section 5] - CONTINUOUS SECURITY pipeline: the same stages (Design -> Code/Test -> Commit -> Setup -> Deploy; Code Review, QA/Integration, AUDIT), plus:
+ Security Focused Review
+ Automated Security Testing
+ Threat Modeling
+ Secure OSS

Slide 39

Slide 39 text

OUTRO [section 6] - Verification-as-a-Service
- Automated Security Assessment Service
- Advanced Security Assessment Service
- https://sooho.io
Team: Jisu Park (SW Security), Prof. Heejo Lee (SW Security), Prof. Hakjoo Oh (SW Analysis)

Slide 40

Slide 40 text

OUTRO [section 6] - CASE#1 Automated Security Assessment in GitFlow: Write Code -> Pull Request -> Review -> Merge
1. Automated Code Review
2. Auto-generated Report

Slide 41

Slide 41 text

OUTRO [section 6] - CASE#2 Automated Security Assessment in Luniverse: Write Code -> Review
1. Various Inputs
2. Auto-generated Report

Slide 42

Slide 42 text

OUTRO [section 6] - AEGIS, Automated Security Assessment architecture
INPUT/OUTPUT: .SOL request -> ANALYZE -> response -> REPORT
VERIFIER & REPORTER: VUL CLONE DETECTOR, ARITHMETIC VERIFIER, ...
EXTERNAL SERVICE: ...

Slide 43

Slide 43 text

OUTRO [section 6] - Audit service comparison. Vendors (as extracted): Solidified, OpenZeppelin, SmartDec, Certik, Sooho. Cell values in extracted order:
Manual Audit:  O | O | O | O | O
Auto. Audit:   O | X | X | O | Semi-Auto
Patch File:    O | X | X | X | X
Integration:   O | X | X | X | X

Slide 44

Slide 44 text

OUTRO [section 6] - Security Audit: manual security assessment and consulting by security experts (Global Capture The Flag, Penetration Testing)

Slide 45

Slide 45 text

WE HIRE <3
General: [email protected]
Personal: [email protected]