
[SOOHO] Hi-Con 2018

SOOHO
November 10, 2018


Programmers often copy and paste software code from various sources such as GitHub. This reuse is especially common in Ethereum, since its community is open-source oriented and smart contracts are published to the public through the chain.

Although code reuse is an efficient development strategy, contract software often suffers from propagated security threats because buggy code may be cloned along with everything else. Vulnerable code clones, similar code fragments that contain a security bug, are even permanent because of the immutability of Ethereum.

If a hacker succeeds in exploiting one of the clones, our contracts may be exploited in the same way. Users, funds, and services are exposed to the threat, and there is no remedy other than contract migration. Therefore, to ensure safety, contract developers should pay attention to recently hacked clones.

In this session, we introduce real-world cases of vulnerability propagation in Ethereum smart contracts, and we propose our vulnerability DB and analyzer to the Ethereum community as a way to stay protected from known vulnerabilities.


Transcript

  1. Continuous Security in Smart Contract Development. Jisu Park, jisupark@sooho.io
  2. SPEAKER & TOPIC. @jisupark: 2015 Full Stack Engineer; 2017 SW Security @ Korea Univ.; 2018 Automated Vulnerability Detector
  3. SPEAKER & TOPIC (agenda). 1. Backgrounds: Vulnerability and Exploit; Common Vulnerabilities and Exposures (CVE)? 2. Security threat trend 3. Code reuse 4. Code reuse in Smart Contract 5. Continuous Security in Sooho 6. Outro
  4. (1) VULNERABILITY & EXPLOIT. Vulnerability: SW weaknesses that allow arbitrary attackers to perform unauthorized functions. Exploit: an attack that performs an unauthorized function through the vulnerability.
  5. (1) CVE. • To standardize the way each known vulnerability or exposure is identified. • To catalog vulnerabilities in software into a free "dictionary" for organizations to improve their security. Format: CVE-YYYY-NNNN (CVE-YEAR-NUMBER).
  6. (1) CVE. Example: the BatchOverflow vulnerability.
  7. (1) CVE. Entry fields: Identifier, Content, Severity (example entry: batchOverflow).
  8. (2) SECURITY THREAT TREND. Ethereum Bounty Program.
  9. (2) SECURITY THREAT TREND. Ethereum P2P network of nodes; contract deploy via Remix IDE, Mist Browser and MyEtherWallet (shown as a step-by-step build on slides 9 to 14).
  15. (2) SECURITY THREAT TREND. Proportion of the vulnerable contracts in Ethereum: 5% vulnerable contracts, 95% benign contracts (ref. ZEUS, NDSS'18).
  16. (2) TIMELINE OF EXPLOITS (Jun 2017 to Oct 2018). Vulnerabilities are exploited in the real world: Augur REP Token 07/13/'17; Parity Multi-sig 07/19/'17; SmartBillions 10/05/'17; Parity Multi-sig 2 11/06/'17; Batch/Proxy Overflow 04/22/'18; FoMo3D Airdrop 07/24/'18; SpankChain 10/06/'18.
  17. WHY?
  18. (3) CODE REUSE. One of the main reasons for vulnerability propagation. 1. Complete code reuse: • reuse at development stage • reuse at compile stage. 2. Partial code reuse: • project fork • copy & paste. Ex) Code reuse in traditional software.
  19. (3)(1) Complete Reuse. Package dependency; external contract reference.
  20. (3)(1) Complete Reuse. Package dependency; external contract reference. What if it were vulnerable?
  21. (3)(2) Partial Reuse. • Project fork: develop a new project by taking a copy of the source code from a specific version of the project; the child project inherits a large amount of source from the parent project. Ex) Fork in traditional software (48% forks from). What if it were vulnerable?
  22. (3)(2) Partial Reuse. • Copy & paste: reuse part of external source code from GitHub or StackOverflow (search, then copy & paste). What if it were vulnerable?
  23. (3) CODE REUSE. Not always harmful: 1. Development strategy 2. Maintenance strategy. We love StackOverflow.
  24. (3) CODE REUSE. Case of DIRTY COW (CVE-2016-5195): the "vulnerable code clone" remains even if the original code is patched.
  25. IN SMART CONTRACT?
  26. (4) IN CONTRACT. Characteristics of smart contracts: 1. (Generally) patch is impossible 2. Same execution environment 3. Traceable transactions 4. Hold assets.
  27. (4) IN CONTRACT. Characteristics of smart contracts: 1. (Generally) patch is impossible 2. Same execution environment 3. Traceable transactions 4. Hold assets. Favorable conditions for a hacker: 1. Vulnerability remains 2. High accessibility 3. Replay attack 4. Great motivation.
  28. (4) IN CONTRACT. Analysis target: 1. Verified contracts in Etherscan (retrieved 18.08.21) 2. Defined functions from all contracts. Analysis: 1. Code reuse of contract itself 2. Code reuse of function 3. Vulnerability propagation.
  29. (4) IN CONTRACT. 1) Code reuse of contract itself: exactly the same contracts exist in Ethereum.
  30. (4) IN CONTRACT. 1) Code reuse of contract itself: contract generator services create similar contracts.
  31. (4) IN CONTRACT. 2) Code reuse of function: which function is used the most?
  32. (4) IN CONTRACT. 2) Code reuse of function: SafeMath is commonly used.
  33. (4) IN CONTRACT. 3) Vulnerability propagation.
  34. (4) IN CONTRACT. (figure only)
  35. (4) IN CONTRACT. Sooho-CLI clone detection pipeline (ref. S&P '17): Patch File → Vulnerable Code → Vulnerable DB; Target File → Candidate Code → Search against the DB; processing steps: Extract, Abstract, Normalize.
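A minimal version of the clone-detection pipeline on this slide, and of the Dirty COW point on slide 24 (a vulnerable clone stays detectable after the original is patched because the DB is built from the pre-patch side), as an added Python example; it is not Sooho-CLI or any code from the talk. The Solidity snippets, the keyword list and the regex-based extraction are constructed for illustration, and the abstraction follows the general extract, abstract, normalize, hash scheme of the S&P '17 clone detector rather than its exact rules.

```python
import hashlib
import re

# Constructed sample patch (not data from the talk): the pre-fix function multiplies
# without an overflow check; the post-fix version routes the product through SafeMath.
VULN_BEFORE = """function batchTransfer(address[] _receivers, uint256 _value) public returns (bool) {
    uint cnt = _receivers.length;
    uint256 amount = uint256(cnt) * _value;  // product may wrap around
    require(cnt > 0 && cnt <= 20);
    require(_value > 0 && balances[msg.sender] >= amount);
    return true;
}"""
VULN_AFTER = VULN_BEFORE.replace("uint256(cnt) * _value", "uint256(cnt).mul(_value)")
# Constructed target: a pasted clone with renamed identifiers and other formatting,
# plus an unrelated function that must not match.
TARGET = """function bulkSend(address[] dests, uint256 qty) public returns (bool) {
  uint n = dests.length; uint256 total = uint256(n) * qty;
  require(n > 0 && n <= 20); require(qty > 0 && balances[msg.sender] >= total);
  return true; }
function owner() public view returns (address) { return creator; }"""
# Solidity keywords, types and globals survive abstraction; every other name becomes ID.
KEEP = set("""function public private internal external view pure payable returns return
require assert if else for while uint uint8 uint256 int address bool bytes bytes32 string
mapping memory storage msg sender value true false length""".split())

def extract_functions(src):
    """Extract step: (name, source text) for each function, found by brace matching."""
    out = []
    for m in re.finditer(r"function\s+(\w+)", src):
        depth = 0
        for i in range(src.index("{", m.end()), len(src)):
            depth += (src[i] == "{") - (src[i] == "}")
            if depth == 0:
                out.append((m.group(1), src[m.start():i + 1]))
                break
    return out

def fingerprint(code):
    """Normalize (drop comments and whitespace), abstract names and literals, then hash."""
    code = re.sub(r"/\*.*?\*/|//[^\n]*", " ", code, flags=re.S)
    code = re.sub(r"\b[A-Za-z_]\w*\b", lambda m: m.group(0) if m.group(0) in KEEP else "ID", code)
    code = re.sub(r"\b\d+\b", "NUM", code)
    return hashlib.sha256(re.sub(r"\s+", "", code).encode()).hexdigest()

def build_vuln_db(before, after):
    """Vulnerable DB: fingerprints of pre-patch functions that the patch changed."""
    fixed = {fingerprint(t) for _, t in extract_functions(after)}
    return {fingerprint(t) for _, t in extract_functions(before)} - fixed

def scan(target, db):
    """Search step: names of candidate functions whose fingerprint is in the DB."""
    return [name for name, text in extract_functions(target) if fingerprint(text) in db]
```

Running `scan(TARGET, build_vuln_db(VULN_BEFORE, VULN_AFTER))` flags `bulkSend` and ignores `owner`, while the patched function itself no longer matches.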
  36. (5) CONTINUOUS DELIVERY. Design → Code/Test → Commit → Setup → Deploy, with Audit, Code Review and QA/Integration along the way.
  37. (5) CONTINUOUS SECURITY. Earlier detection, better cost (ref. nowsecure).
  38. (5) CONTINUOUS SECURITY. The same pipeline (Design → Code/Test → Commit → Setup → Deploy; Audit; Code Review; QA/Integration) plus: + Security Focused Review + Automated Security Testing + Threat Modeling + Secure OSS.
  39. (6) OUTRO. Verification-as-a-Service: Automated Security Assessment Service; Advanced Security Assessment Service. https://sooho.io. Team: Jisu Park (SW Security), Prof. Heejo Lee (SW Security), Prof. Hakjoo Oh (SW Analysis).
  40. (6) OUTRO. CASE#1: Automated Security Assessment in GitFlow (Write Code → Pull Request → Review → Merge). 1. Automated Code Review 2. Auto-generated Report.
  41. (6) OUTRO. CASE#2: Automated Security Assessment in Luniverse (Write Code → Review). 1. Various Inputs 2. Auto-generated Report.
  42. (6) OUTRO. AEGIS: Automated Security Assessment. Components: Input/Output, Verifier & Reporter, External Service. Flow: .SOL → REQ. → ANALYZE → RES. → REPORT. Verifiers include the Vul Clone Detector, the Arithmetic Verifier, and others.
  43. (6) OUTRO. Comparison of Solidified, OpenZeppelin, SmartDec, Certik and Sooho on Manual Audit, Auto. Audit, Patch File and Integration. Values as shown on the slide, row by row: Manual Audit: O O O O O; Auto. Audit: O X X O Semi-Auto; Patch File: O X X X X; Integration: O X X X X.
  44. (6) OUTRO. Security Audit: Global Capture The Flag; Penetration Testing; Manual Security Assessment and Consulting by Security Experts.
  45. WE HIRE <3. General: contact@sooho.io. Personal: jisupark@sooho.io