Season 2 Episode 4: Blockhain Security Tools

Introduction

Basic blockchain architecture as it pertains to block creation and consensus mechanisms is very sound.  The algorithms used to accomplish the cryptographic functions might be questionable. Hence special consideration should be given to key management, key length, hashing algorithms, and the environment that activity is conducted in.  To date, none of the block chains have been hacked or maliciously modified, hence from that aspect we are safe. If you consider blockchain mechanisms to be the foundation, which is unhackable at this point, the next few layers above is where the problems start. In this show, I talk about various blockchain security tools currently available.

 

Basic Blockchain Ecosystem

The illustration below depicts the different layers that in my opinion comprise a blockchain ecosystem.

Blockchain Security Depicted in Layers

 

Layer 1: Consensus and Cryptographic functions.

Layer 2: Virtual processor executing code that executes smart contracts.  For Ethereum this would be Ethereum Virtual Machine(EVM) executing compiled solidity code. For bitcoin blockchain, this would be Virtual Processor executing script code.

Layer 3: Application Programming Interface(API) this performs multiple functions such as:

  • Converting smart contract code to bytecode
  • Wallet requests for transaction processing
  • Exposing blockchain explorer capability

Layer4: This is where outside world interacts with Layers 3, 2, and 1.

Weakest Link

The weakest link is Layer 4.  This is where all the problems start.

First, the wallets, if the owner does not protect the private key and passphrase or they are exposed, all the crypto held in that wallet can be lost.

Second, the smart contracts, if the smart contract code is not written properly then the inherent compiled bytecode that lives on the blockchain will have vulnerabilities.  If someone is able to exploit this particular vulnerability the impacts can be very damaging.  Just like the DAO hack which leads to over $60m getting stolen.

Some solutions

Since a smart contract is just code, it has to follow secure coding practices.  Although there are a lot of secure coding methodologies, and tools available for conventional programming languages such as C, C++, C#, Java, JavaScript, etc., there was nothing available for newly created smart contract languages such as solidity and script.  With the lack of secure coding practices & tools, coupled with inexperienced programmers in these new languages, it was a disaster waiting to happen.

Tools

Various organizations are now bringing out blockchain security tools to address this void.  Here is the list:

  • A platform should support conventional programming languages to ensure existing secure coding practices can be leveraged.
  • OpenZeppelin has created an open framework of reusable and secure smart contracts in the Solidity language.
  • Trailofbits has created following tools:
    • A repository that contains examples of common Ethereum smart contract vulnerabilities, including real code.
    • “Slither combines a set of proprietary static analyses on Solidity that detect common mistakes such as bugs in reentrancy, constructors, method access, and more. Run Slither as you develop, on every new check-in of code.”
    • Echidna applies next-generation smart fuzzing to EVM bytecode. Write Echidna tests for your code after you complete new features. It provides simple, high coverage unit tests that discover security bugs. Until your app has 80+% coverage with Echidna, don’t consider it complete”.
    • Manticore uses symbolic execution to simulate complex multi-contract and multi-transaction attacks against EVM bytecode. Once your app is functional, write Manticore tests to discover hidden, unexpected, or dangerous states that it can enter. Manticore enumerates the execution states of your contract and verifies critical functionality”.
    • They have also created some reversing tools just like Porosity below which converts bytecode to solidity code.
  • NCC Group had compiled a DASP (Decentralized Application Security Project) Top10 list
  • Porosity, a decompiler and smart contract auditing tool for Ethereum smart-contracts.

Other approaches

These are some of the attempts to address security in blockchains.

  • Ivy is a declarative language to provide Bitcoin Script developers “a high-level language that adds instructions to support additional functionality, including loops, state transitions (through transaction introspection), and program evaluation”.
  • Simplicity has been released by Blockstream. It is a “typed, combinator-based, functional language without loops and recursion, designed to be used for crypto-currencies and blockchain applications. It aims to improve upon existing crypto-currency languages, such as Bitcoin Script and Ethereum’s EVM, while avoiding some of the problems they face. Simplicity comes with formal denotational semantics defined in Coq, a popular, general purpose software proof assistant. Simplicity also includes operational semantics that are defined with an abstract machine that we call the Bit Machine. The Bit Machine is used as a tool for measuring the computational space and time resources needed to evaluate Simplicity programs. Owing to its Turing incompleteness, Simplicity is amenable to static analysis that can be used to derive upper bounds on the computational resources needed, prior to execution. While Turing incomplete, Simplicity can express any finitary function, which we believe is enough to build useful “smart contracts” for blockchain applications.”
  • DAML(Digital Asset Modeling Language) by Elevence, is a financial service industry focused smart contract language.
  • Microsoft Coco is a framework which allows “arbitrary blockchain networks to be integrated with it to achieve its benefits”.