[SOOHO] Hi-Con 2018

SOOHO
November 10, 2018


Programmers often copy and paste code from sources such as GitHub. This kind of reuse is especially widespread in Ethereum, whose community is open-source oriented and whose smart contracts are published on the chain where anyone can read them.

Although code reuse is an efficient development strategy, contract software often inherits security threats propagated by cloning buggy code. Vulnerable code clones (similar code fragments that contain the same security bug) are even permanent, because a deployed Ethereum contract is immutable.

If an attacker succeeds in exploiting one of the clones, our contracts can be exploited in the same way. Users, funds, and services are exposed, and the only remedy is contract migration. To stay safe, contract developers should therefore pay attention to recently hacked clones of their code.

In this session, we introduce real-world cases of vulnerability propagation in Ethereum smart contracts, and we propose our vulnerability DB and analyzer to the Ethereum community as a way to stay protected from known vulnerabilities.


Transcript

  Slide 2: 0 SPEAKER & TOPIC
    @jisupark
    2015 - Full Stack Engineer
    2017 - SW Security @ Korea Univ.
    2018 - Automated Vulnerability Detector

  Slide 3: 0 SPEAKER & TOPIC
    Agenda:
    1. Backgrounds - Vulnerability and Exploit - Common Vulnerabilities and Exposures (CVE)?
    2. Security threat trend
    3. Code reuse
    4. Code reuse in Smart Contract
    5. Continuous Security in Sooho
    6. Outro

  Slide 4: 1 VULNERABILITY & EXPLOIT
    VULNERABILITY vs EXPLOIT
    VULNERABILITY: SW weaknesses that allow arbitrary attackers to perform unauthorized functions.
    EXPLOIT: an attack that performs an unauthorized function through the vulnerability.

  Slide 5: 1 CVE
    • To standardize the way each known vulnerability or exposure is identified
    • To catalog vulnerabilities in software into a free "dictionary" for organizations to improve their security
    • Identifier format: CVE-YYYY-NNNN (CVE-YEAR-NUMBER)

  Slide 9: 2 SECURITY THREAT TREND
    [Diagram, built up step by step on slides 9 to 14: the Ethereum P2P network of nodes; a contract is deployed from the Remix IDE and reached through the Mist browser and MyEtherWallet.]

  Slide 16: 2 TIMELINE OF EXPLOITS (Jun 2017 to Oct 2018)
    Vulnerabilities are exploited in the real world:
    07/13/'17  Augur Rep Token
    07/19/'17  Parity Multi-sig
    10/05/'17  SmartBillions
    11/06/'17  Parity Multi-sig 2
    04/22/'18  Batch/Proxy Overflow
    07/24/'18  FoMo3D Airdrop
    10/06/'18  SpankChain

  Slide 18: 3 CODE REUSE
    One of the main reasons for vulnerability propagation
    1. Complete Code Reuse
       • Reuse at development stage
       • Reuse at compile stage
    2. Partial Code Reuse
       • Project Fork
       • Copy & Paste
    Ex) Code reuse in traditional software

  Slide 21: 3 (2) Partial Reuse
    • Project Fork
      • Develop a new project by taking a copy of the source code from a specific version of the project
      • The child project inherits a large amount of source from the parent project
    Ex) Fork in traditional software [figure: "48% forks from"]
    What if it were vulnerable?

  Slide 22: 3 (2) Partial Reuse
    • Copy & Paste
      • Reuse part of external source code from GitHub, StackOverflow
    [figure: Search, then Copy & Paste]
    What if it were vulnerable?

  Slide 23: 3 CODE REUSE
    NOT ALWAYS HARMFUL
    1. Development strategy
    2. Maintenance strategy
    We love StackOverflow

  Slide 26: 4 IN CONTRACT
    Characteristics of Smart Contract
    1. (Generally) Patch is impossible
    2. Same execution environment
    3. Traceable transactions
    4. Hold assets

  Slide 27: 4 IN CONTRACT
    Characteristics of Smart Contract, and the favorable condition each one creates for a hacker:
    1. (Generally) Patch is impossible  ->  Vulnerability remains
    2. Same execution environment       ->  High accessibility
    3. Traceable transactions           ->  Replay attack
    4. Hold assets                      ->  Great motivation

  Slide 28: 4 IN CONTRACT
    Analysis Target
    1. Verified Contracts in Etherscan (retrieved 18.08.21)
    2. Defined functions from all contracts
    Analysis
    1. Code reuse of contract itself
    2. Code reuse of function
    3. Vulnerability propagation

  Slide 30: 4 IN CONTRACT
    1) Code reuse of contract itself
    Contract generator services create similar contracts.

  Slide 35: 4 IN CONTRACT
    [Pipeline diagram of Sooho-CLI, method after S&P '17:]
    Patch File -> Vulnerable Code -> Extract -> Abstract -> Normalize -> Vulnerable DB
    Target File -> Candidate Code -> Extract -> Abstract -> Normalize -> Search against the Vulnerable DB

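    The pipeline on this slide, as an added example that is not code from the talk or from Sooho-CLI: a minimal Python version of function-level vulnerable-clone detection in the style of the S&P '17 method the slide cites. Each function is extracted, its names and elementary types are abstracted away, its formatting is normalized, and the result is hashed; the vulnerable DB is built from the diff between a vulnerable file and its patch, and a target file is searched by looking up the hashes of its own functions. The Solidity contracts, the identifier EX-BATCH-OVERFLOW and the patch hint are constructed for this example, and the parser is deliberately simplified (no nested parentheses in parameter lists, only elementary types abstracted).

```python
import hashlib
import re
from collections import namedtuple

# Constructed sample (not the source of any deployed contract): a batch transfer whose total
# is computed with an unchecked multiplication, the "Batch Overflow" pattern of the timeline.
VULNERABLE_SRC = """
contract Token {
    mapping(address => uint256) balances;
    function batchTransfer(address[] _receivers, uint256 _value) public returns (bool) {
        uint cnt = _receivers.length;
        uint256 amount = uint256(cnt) * _value;   // can wrap around to a tiny value
        require(cnt > 0 && cnt <= 20);
        require(_value > 0 && balances[msg.sender] >= amount);
        balances[msg.sender] = balances[msg.sender].sub(amount);
        for (uint i = 0; i < cnt; i++) {
            balances[_receivers[i]] = balances[_receivers[i]].add(_value);
        }
        return true;
    }
    function transfer(address _to, uint256 _value) public returns (bool) {
        balances[msg.sender] = balances[msg.sender].sub(_value);
        balances[_to] = balances[_to].add(_value);
        return true;
    }
}
"""
# Constructed patch: only the multiplication changes, so only batchTransfer counts as vulnerable code.
PATCHED_SRC = VULNERABLE_SRC.replace("uint256(cnt) * _value", "cnt.mul(_value)")

# Constructed target: the same logic pasted into another project with every name changed.
TARGET_SRC = """
contract AirdropToken {
    mapping(address => uint256) balances;
    /* pasted from a token found on GitHub and renamed to fit this code base */
    function multiSend(address[] _to, uint256 _amt) public returns (bool) {
        uint n = _to.length;
        uint256 total = uint256(n) * _amt;
        require(n > 0 && n <= 20);
        require(_amt > 0 && balances[msg.sender] >= total);
        balances[msg.sender] = balances[msg.sender].sub(total);
        for (uint j = 0; j < n; j++) {
            balances[_to[j]] = balances[_to[j]].add(_amt);
        }
        return true;
    }
}
"""

TYPE_RE = re.compile(r"\b(?:u?int\d*|address|bool|bytes\d*|string)\b")
FUNC_RE = re.compile(r"\bfunction\s+(\w+)\s*\(([^)]*)\)[^{]*\{")  # simplification: no nested parens in params
LOCAL_RE = re.compile(r"\b(?:u?int\d*|address|bool|bytes\d*|string)(?:\[\])?\s+(?:memory\s+|storage\s+)?(\w+)\s*(?=[=;])")
VulnRecord = namedtuple("VulnRecord", "vuln_id function patch_hint")  # vuln_id is hypothetical, not a CVE

def extract_functions(src):
    """Extract: yield (name, parameter names, full text) of every function, matching braces by hand."""
    src = re.sub(r"//[^\n]*", "", re.sub(r"/\*.*?\*/", "", src, flags=re.S))  # drop comments first
    for m in FUNC_RE.finditer(src):
        depth = 0
        for i in range(m.end() - 1, len(src)):  # m.end() - 1 is the opening brace of the body
            depth += (src[i] == "{") - (src[i] == "}")
            if depth == 0:
                break
        params = [p.split()[-1] for p in m.group(2).split(",") if len(p.split()) >= 2]
        yield m.group(1), params, src[m.start():i + 1]

def abstract(name, params, text):
    """Abstract: function name -> FUNC, parameters -> FPARAM, locals -> LVAR, elementary types -> DTYPE."""
    for v in set(LOCAL_RE.findall(text[text.index("{"):])):
        text = re.sub(rf"\b{re.escape(v)}\b", "LVAR", text)
    for p in params:
        text = re.sub(rf"\b{re.escape(p)}\b", "FPARAM", text)
    text = re.sub(rf"\bfunction\s+{re.escape(name)}\b", "function FUNC", text)
    return TYPE_RE.sub("DTYPE", text)

def fingerprint(name, params, text):
    """Normalize (drop whitespace and case) and hash; the length is the cheap first-stage filter."""
    norm = re.sub(r"\s+", "", abstract(name, params, text)).lower()
    return len(norm), hashlib.sha256(norm.encode()).hexdigest()

def build_vuln_db(vuln_id, vulnerable_src, patched_src, patch_hint, db=None):
    """Patch File -> Vulnerable Code -> Vulnerable DB: store only the functions the patch changed."""
    db = {} if db is None else db
    patched = {fingerprint(*f) for f in extract_functions(patched_src)}
    for name, params, text in extract_functions(vulnerable_src):
        fp = fingerprint(name, params, text)
        if fp not in patched:
            db[fp] = VulnRecord(vuln_id, name, patch_hint)
    return db

def scan(target_src, db):
    """Target File -> Candidate Code -> Search: return (target function, matching DB record) pairs."""
    return [(n, db[fp]) for n, p, t in extract_functions(target_src) if (fp := fingerprint(n, p, t)) in db]

if __name__ == "__main__":
    db = build_vuln_db("EX-BATCH-OVERFLOW", VULNERABLE_SRC, PATCHED_SRC, "compute the total with SafeMath mul()")
    for fn, rec in scan(TARGET_SRC, db):
        print(f"{fn}: clone of {rec.function} ({rec.vuln_id}); fix: {rec.patch_hint}")
```

    Running it reports multiSend as a clone of batchTransfer even though every identifier was renamed, while the patched contract and the untouched transfer function produce no hit. Because the DB is keyed by the patch diff rather than by the whole vulnerable file, unchanged functions that were also copied do not raise false alarms. A deployed contract cannot be patched, so the useful moment to run a check like this is before deployment, in the review step of the pipeline the later slides describe.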
  Slide 38: 5 CONTINUOUS SECURITY
    Pipeline: Design -> Code/Test -> Commit -> Setup -> Deploy, with AUDIT, Code Review and QA/Integration
    CONTINUOUS SECURITY adds:
    + Security Focused Review
    + Automated Security Testing
    + Threat Modeling
    + Secure OSS

  Slide 39: 6 OUTRO
    Verification-as-a-Service
    - Automated Security Assessment Service
    - Advanced Security Assessment Service
    https://sooho.io
    Jisu Park (SW Security), Prof. Heejo Lee (SW Security), Prof. Hakjoo Oh (SW Analysis)

  Slide 40: 6 OUTRO
    CASE#1 Automated Security Assessment in GitFlow (Write Code -> Pull Request -> Review -> Merge)
    1. Automated Code Review
    2. Auto-generated Report

  Slide 41: 6 OUTRO
    CASE#2 Automated Security Assessment in Luniverse (Write Code -> Review)
    1. Various Inputs
    2. Auto-generated Report

  Slide 42: 6 OUTRO
    AEGIS: Automated Security Assessment
    INPUT/OUTPUT: .SOL in, REPORT out
    VERIFIER & REPORTER: REQ. -> ANALYZE -> RES.; components include VUL CLONE DETECTOR, ARITHMETIC VERIFIER, ...
    EXTERNAL SERVICE

  Slide 43: 6 OUTRO
    Comparison of services (O = offered, X = not offered); vendors compared: Solidified, OpenZeppelin, SmartDec, Certik, Sooho
    Manual Audit          O O O O O
    Auto. Audit           O X X O
    Semi-Auto Patch File  O X X X X
    Integration           O X X X X

  Slide 44: 6 OUTRO
    Security Audit: Global Capture The Flag, Penetration Testing, Manual Security Assessment and Consulting by Security Experts