Upgrade to Pro — share decks privately, control downloads, hide ads and more …

[SOOHO] Hi-Con 2018

SOOHO
November 10, 2018
Technology
0
240

[SOOHO] Hi-Con 2018

Programmers often copy and paste the software code from various sources like GitHub. This reuse is excessively found in Ethereum as its community is open source-oriented and smart contracts are open to the public through the chain.

Although the code reuse is an efficient development strategy, contract software often suffers from the propagated security threats due to the possibility of cloning buggy code. Vulnerable code clones - similar code fragments containing security bug - are even permanent because of the immutability of Ethereum.

If a hacker succeeds to exploit one of the clones, our contracts may also be exploited. Users, funds, and services are exposed to threats, and there is no other way than the contract migration. Therefore, to ensure the safety, the contract developer should pay attention to recently hacked clones.

In this session, we introduce real-world vulnerability propagation cases in Ethereum smart contract. And we propose our vulnerability DB and analyzer to Ethereum community to be secured from the known vulnerabilities.

SOOHO

November 10, 2018
Tweet

More Decks by SOOHO

See All by SOOHO
[SOOHO] 2nd Luniverse Partners Day
sooho
0
290
[SOOHO] Luniverse Partners Day
sooho
0
190

Other Decks in Technology

See All in Technology
開発生産性向上サービスを作るFindyが自分たちで開発生産性を爆上げした組織づくりの歩み / Findy's path to boosting its own development productivity 2024-04-17
ma3tk
3
470
Databricks における 『MLOps』
databricksjapan
2
160
日本におけるデータエンジニアリングのこれまでとこれから
foursue
16
4k
サーバー間 GraphQL と webmock-graphql の話 / server-to-server graphql and webmock-graphql
qsona
2
170
Kernel MemoryでAzure OpenAI Serviceとお手軽データソース連携
mitsuzono
1
160
JAWS-UG Bedrock Claude Night
yamahiro
3
440
Janus
bkuhlmann
1
490
ユーザーストーリーのレビューを自動化したみたの
bun913
1
380
EMとして2023年度に頑張ったこと / What we did well in FY2023 as a EM
pauli
1
140
NgRx Signal Store
rainerhahnekamp
0
140
Azure Container Apps + Bicep 〜 こんな感じで運用しています
kaz29
2
380
Terraformあれやこれ/terraform-this-and-that
emiki
8
1.3k

Featured

See All Featured
Intergalactic Javascript Robots from Outer Space
tanoku
266
26k
Imperfection Machines: The Place of Print at Facebook
scottboms
259
12k
YesSQL, Process and Tooling at Scale
rocio
163
13k
Unsuck your backbone
ammeep
662
57k
Happy Clients
brianwarren
91
6.4k
RailsConf 2023
tenderlove
2
530
The World Runs on Bad Software
bkeepers
PRO
61
6.7k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
16
1.4k
The Brand Is Dead. Long Live the Brand.
mthomps
48
28k
Typedesign – Prime Four
hannesfritz
36
2.1k
It's Worth the Effort
3n
180
27k
Pencils Down: Stop Designing & Start Developing
hursman
117
11k

Transcript

  1. $POUJOVPVT4FDVSJUZ JO4NBSU$POUSBDU%FWFMPQNFOU +JTV1BSL KJTVQBSL!TPPIPJP 1

  2. SPEAKER & TOPIC 0 2018 - Automated Vulnerability Detector @jisupark

    !2 2015 - Full Stack Engineer 2017 - SW Security@Korea Univ.

  3. 0 1. Backgrounds - Vulnerability and Exploit - Common Vulnerabilities

    and Exposures (CVE)? 2. Security threat trend 3. Code reuse 4. Code reuse in Smart Contract 5. Continuous Security in Sooho 6. Outro SPEAKER & TOPIC !3

  4. VULNERABILITY & EXPLOIT 1 VULNERABILITY SW weaknesses that allow arbitrary

    attackers
 to perform unauthorized functions EXPLOIT Attack that performs an unauthorized function
 through the vulnerability. VS !4

  5. CVE 1 •To standardize the way each known vulnerability or

    exposure is identified •To catalog vulnerabilities in software into a free “dictionary” for organizations to improve their security CVE-YYYY-NNNN (CVE-YEAR-NUMBER) !5

  6. CVE 1 #BUDI0WFSGMPXWVMOFSBCJMJUZ !6

  7. CVE 1  *EFOUJGJFS  $POUFOU  4FWFSJUZ CBUDI0WFSGMPXஂড੼ 

      !7

  8. SECURITY THREAT TREND 2 &UIFSFVN#PVOUZ1SPHSBN !8

  9. SECURITY THREAT TREND 2 ETHEREUM P2P NETWORK NODE NODE NODE

    NODE NODE REMIX IDE CONTRACT DEPLOY MIST BROWSER MYETHERWALLET !9

  10. SECURITY THREAT TREND 2 ETHEREUM P2P NETWORK NODE NODE NODE

    NODE NODE REMIX IDE CONTRACT DEPLOY MIST BROWSER MYETHERWALLET !10

  11. SECURITY THREAT TREND 2 ETHEREUM P2P NETWORK NODE NODE NODE

    NODE NODE REMIX IDE CONTRACT DEPLOY MIST BROWSER MYETHERWALLET !11

  12. SECURITY THREAT TREND 2 ETHEREUM P2P NETWORK NODE NODE NODE

    NODE NODE REMIX IDE CONTRACT DEPLOY MIST BROWSER MYETHERWALLET !12

  13. SECURITY THREAT TREND 2 ETHEREUM P2P NETWORK NODE NODE NODE

    NODE NODE REMIX IDE CONTRACT DEPLOY MIST BROWSER MYETHERWALLET !13

  14. SECURITY THREAT TREND 2 ETHEREUM P2P NETWORK NODE NODE NODE

    NODE NODE REMIX IDE CONTRACT DEPLOY MIST BROWSER MYETHERWALLET !14

  15. SECURITY THREAT TREND 2 1SPQPSUJPOPGUIFWVMOFSBCMF DPOUSBDUTJO&UIFSFVN 5% 95% Vulnerable Contract

    Benign Contract ref. ZEUS(NDSS’18) !15

  16. 2TIMELINE OF EXPLOITS 2017 2018 Jun Jul Aug Sep Oct

    Nov Dec Jan Feb Mar Apr May Jun Jul Aug Sep Oct Batch/Proxy Overflow Parity Multi-sig 2 11/06/‘17 04/22/‘18 SmartBillions 10/05/‘17 07/13/‘17 Augur Rep Token Vulnerabilities are exploited in the real world Parity Multi-sig 07/19/‘17 FoMo3D Airdrop 07/24/‘18 !16 SpankChain 10/06/‘18

  17. WHY? !17

  18. 3CODE REUSE !18 One of the main reasons of vulnerability

    propagation 1. Complete Code Reuse • Reuse at development stage • Reuse at compile stage 2. Partial Code Reuse • Project Fork • Copy & Paste         Ex) Code reuse in traditional software

  19. 3(1) Complete Reuse !19 Package Dependency External Contract Reference

  20. 3(1) Complete Reuse !20 Package Dependency External Contract Reference What

    if it were vulnerable?

  21. 3(2) Partial Reuse !21 • Project Fork • Develop new

    project by taking a copy of source code from the specific version of the project • Child project inherits a large amount of source from the parent project 48% forks from Ex) Fork in traditional software What if it were vulnerable?

  22. 3(2) Partial Reuse !22 •Copy & Paste •Reuse part of

    external source code from GitHub, StackOverflow Search Copy & Paste What if it were vulnerable?

  23. 3CODE REUSE !23 NOT ALWAYS HARMFUL 1. Development strategy 2.

    Maintenance strategy We love StackOverflow

  24. 3CODE REUSE !24 CVE-2016-5195 Case of DIRTY COW(CVE-2016-5195) “Vulnerable code

    clone” remains even if original code patched

  25. IN SMART CONTRACT? !25

  26. 4IN CONTRACT !26 Characteristics of Smart Contract 1. (Generally) Patch

    is impossible 2. Same execution environment 3. Traceable transactions 4. Hold assets

  27. 4IN CONTRACT !27 Characteristics of Smart Contract 1. (Generally) Patch

    is impossible 2. Same execution environment 3. Traceable transactions 4. Hold assets Favorable condition for hacker 1. Vulnerability remains 2. High accessibility 3. Replay attack 4. Great motivation

  28. 4 !28 Analysis Target 1. Verified Contract in Etherscan (retrieved

    18.08.21) 2. Defined functions from all contract Analysis 1. Code reuse of contract itself 2. Code reuse of function 3. Vulnerability propagation IN CONTRACT

  29. 4IN CONTRACT !29 1) Code reuse of contract itself Exactly

    same contracts exist in Ethereum

  30. 4 !30 1) Code reuse of contract itself IN CONTRACT

    Contract generator service creates similar contracts.

  31. 4IN CONTRACT !31 2) Code reuse of function WHICH FUNCTION

    IS USED THE MOST?

  32. 4IN CONTRACT !32 2) Code reuse of function SafeMath is

    commonly used

  33. 4IN CONTRACT !33 3) Vulnerability propagation

  34. 4IN CONTRACT !34

  35. 4IN CONTRACT !35 Patch File Vulnerable Code Vulnerable DB Target

    File Candidate Code Search Extract Abstract Normalize Extract (S&P ’17) Sooho-CLI

  36. 5CONTINUOUS SECURITY Design Code/Test Commit Setup Deploy AUDIT Code Review

    QA/Integration CONTINOUS DELIVERY !36

  37. 5CONTINUOUS SECURITY ref. nowsecure Earlier detection, better cost !37

  38. 5CONTINUOUS SECURITY Design Code/Test Commit Setup Deploy AUDIT Code Review

    QA/Integration CONTINOUS SECURITY +Security Focused Review + Automated Security Testing + Threat Modeling + Secure OSS !38

  39. OUTRO 6 Verification-as-a-Service - Automated Security Assessment Service - Advanced

    Security Assessment Service - https://sooho.io !39 Jisu Park (SW Security) Prof. Heejo Lee (SW Security) Prof. Hakjoo Oh (SW Analysis)

  40. OUTRO 6 Write Code Pull Request Review Merge CASE#1 Automated

    Security Assessment in GitFlow 1. Automated Code Review 2. Auto-generated Report !40

  41. OUTRO 6 !41 1. Various Inputs 2. Auto-generated Report CASE#2.

    Automated Security Assessment in Luniverse Write Code Review

  42. OUTRO 6 !42 AEGIS INPUT/OUTPUT VERIFIER & REPORTER EXTERNAL
 SERVICE

    Automated Security Assessment .SOL REQ. ANALYZE RES. REPORT . . . VUL CLONE DETECTOR ARITHMETIC VERIFIER . . .

  43. OUTRO 6 !43 Manual Audit O O O O O

    Auto. Audit O X X O Semi-Auto Patch File O X X X X Integration O X X X X Solidified OpenZeppelin SmartDec Certik Sooho

  44. OUTRO 6 Global Capture The Flag Penetration Testing Manual Security

    Assessment and Consulting By Security Experts Security Audit !44

  45. WE HIRE <3 !45 General: [email protected] Personal: [email protected]