Blockchain Basics and Security for Penetration Testers

hello everyone the purpose of this talk is to provide people especially penetration testers an overview of what a blockchain is how we can look at it from a security perspective what kind of tools are available to conduct engagements and overall get a general understanding of this new technology that no doubt will be a major uh player in our field over the coming years first off let's begin by discussing what a blockchain is in terms of definition a blockchain is quite simply a database and you can think of it much like how you thought of it in your previous engagement in your web engagement especially when you were faced with a web application that had a

back end of mysql or ms sql or oracle a lot of applications that are built on top of the blockchains are much like that they're usually a web interface with a backend database that's built on top of the blockchain so the blockchain itself is simply a database but it's format the way it operates it's slightly different in terms of features databases have features that are different from what traditional databases offer which i will describe in detail so with traditional databases like the mssql mysql oracle everything was it was and still is centralized meaning that there is a server somewhere and that server is hosted by the company that needs the database to operate for them or that server is

somewhere on a remote data center somewhere but it's still owned and operated by the company that owns it with a blockchain based database uh the the game is shifted what we see is a a database that is hosted by multiple parties which are usually untrusted so they don't really know each other they have no particular relationship with each other they they just want to operate the blockchain they just want to operate the database so what happens is each one of those parties will grab a copy of the database and help each other maintain the latest state of that database and in the process they get rewarded now with traditional databases we have a permissioned way of approaching

objects meaning that uh if you were to read or want to read something from the database you need to have some sort of permission you have to have maybe read permission write permission in order to do anything on the on the databases that are traditional however with blockchain-based databases everything is permissionless what does that mean means that anyone at any moment in time with public blockchains can go and read everything on the database every single piece of information on the blockchain especially public blockchains are public i say public blockchains because some blockchains are private you know you can you can have a group of people that would operate a private blockchain and they can try to keep this information

private but but most of the industry right now is is full of public blockchains so just keep in mind that with blockchains people can read all the information there's no need for you to have any permission at all you can just go to to blockchain reader services and just read any particular transaction or information and finally with traditional databases administrators can modify records let's say you accidentally put some incorrect record on the database you can contact the administrator of your organization and ask them to remove their code or change it or modify it with a blockchain database that is simply cannot be done you you really cannot change anything whatsoever once you do it once you write something to

the blockchain it's there forever and that's basically the difference between traditional databases and blockchain-based databases traditional databases have their use and they will not go away but blockchain databases uh add a new use case allow for a new form of application slash uh protocol to be built on the internet that previously wasn't possible so that brings us quite nicely to bitcoin and and what is bitcoin and and how can we use it for our own uh benefits and an understanding of what blockchain is so bitcoin is basically a peer-to-peer cash uh a currency that is uh that has been built on top of the blockchain uh it's basically uh an app think of it like an app that's

been built on top of the blockchain and you are able to as an individual to transact this currency between yourself and a bunch of other people there's no bank that's operating yet a group of untrusted individual and people that don't know each other are operating the bitcoin network and uh using the blockchain technology they keep it up to date and and they do the transactions but in the process every time the people who are operating the network make a transaction happen and they earn a small amount of fee and that's how the network keeps running that's how we can continue using bitcoin without the need of any central government slash company in terms of features as i mentioned it's

decentralized there is no organization that that operates bitcoin it's a group of people that don't know each other but they have found a cryptographic way to confirm transactions are happening without being forged so so so they can trust each other and and transact in that way everything on the bitcoin uh blockchain is public meaning that everyone can read every single transaction and everything is immutable meaning that if i had one bitcoin i cannot send it to two people and this is only possible because of the blockchain technology with blockchain technology um you cannot duplicate your bitcoin and send it to people at the same time it's cryptographically impossible so so so that's basically uh bitcoin is

a product of the blockchain you just keep that in mind it wasn't possible in the old traditional databases but it is possible and this is one of the many things that could be built on top of the blockchain now bitcoin has limitations think speed think scripting capability what does that mean so um once you uh uh use bitcoin you'll notice that it is slow meaning that if i was to send you a bitcoin right now it will take you probably 30 minutes sometimes it's early sometimes it's slightly later but on average 30 minutes before you you you get a confirmation that yes it has been received in your wallet and you have received the bitcoin

that's a problem because if you want to build something on top of the bitcoin blockchain um it will it will take quite a while for it to actually propagate and finish so uh so that's quite limiting and there's also a problem with scripting capability meaning that if you wanted to utilize the existing network of bitcoin operators the existing bitcoin blockchain and build on top of that instead of rolling your own blockchain and then finding people to operate it and slowly grow just build on top of bitcoin instead if you want to do that the scripting capabilities of bitcoin are very limited so your your hands are quite tight over there so um what was the solution to this problem

the solution was something called ethereum ethereum um was proposed by a gentleman by the name of uh by sally butter and back in 2014 his his proposal was uh this uh cryptocurrency is incredible the the uh bitcoin cryptocurrency and and you know what we can do we can use it expand it and and and make it even better uh so how about we we increase its speed how about we make a lot of modifications to it and and he he wrote an extensive proposition and presented it to bitcoin developers and at the time bitcoin developers passed saying that these are what vitalik was proposing were major changes to what the bitcoin ideals were so they passed on those uh

proposals and that's how ethereum was born as i mentioned ethereum is an open source blockchain everyone and anyone can build on top of the ethereum blockchain and um in order for you to build on top of the ethereum blockchain uh what you need is is something called ether if there is the cryptocurrency use to perform any actions on top of the ethereum blockchain much like the bitcoin uh sort of system and blockchain it's decentralized it's public and it's immutable so um a large number of people across the globe are operating this blockchain network everybody can read every transaction and nothing can be changed or forged on the ethereum blockchain now in terms of limitations there are two problems with the ethereum

blockchain one is gas fees and the other is speed now you might be asking what is a gas fee if i wanted to perform a transaction on the ethereum blockchain uh let's say i wanted to send some ethereum from point a to point b there there are some fees and those fees are called gas fees and and those fees will will incur uh regardless of what the price of ethereum is if they are mandatory for every transaction and if you were to think of them they are denominated in in ethereum so if the price of ethereum goes to 10k or 20k that fee is fixed so you will still be uh in terms of ether you will be paying

the same amount but in dollar value your the fee could be much higher or much lower depending on the price of ethereum that day and that presents some problems because if you were to build on top of the ethereum blockchain then and and your application would need to perform some transactions maybe move ethereum from point a to point b for whatever reason uh the fee that you or your users should pay increases drastically depending or the accuracy decreases drastically depending on what the what the price of e3 is that day now um another famous uh keyword you hear in this industry is dapps what are gaps and and i think this diagram really explains it quite simply

dapps are decentralized applications any application that has been built on top of a blockchain based database is called adap and and that's all that it is you hear it being thrown around all the time and uh really the easiest way to think about it is this an application on top of the blockchain now as penetration testers uh what we will be faced with when we are hopefully in the future or in the near future will be doing uh blockchain based security orders is that people will provide us a web interface a web page and with that on that web page there will be a login mechanism you would go and test a blog in mechanism and you would log in

and then what you presented was quite simply a web application initially that that could suffer from all the typical issues that a normal application suffers from so um if you are going to conduct that engagement for the first part of it you would have to just use the normal os methodology on the web interface to see what you could find and then report on those however with blockchain security audits there is a second part to this puzzle and that's actually doing the code review every single logic that has been written is written or in in a language called solidity on ethereum now with solidity the language is much similar to javascript if you have done javascript before in

the past it would be easier for you to pick up solidity and you can use solidity to create the logic necessary to do all the operations needed on a blockchain database which in this case with solidity it's ethereum so with every engagements you get two parts one is doing the web interface with the west methodology and the other is learning solidity and then trying to pick up common code patterns that are bad and and point them to the developers uh with the white box engagements and and to learn what are common bad practices uh people in the ethereum community have put in a fantastic registry of classifications in place on a website that you see on the screen swc registry

dot io on this swc registry dot io you will see a page that presents 36 different classifications of different types of bugs and and how you can look for them how you can fix them what is the implications of each one so hopefully once you learn solidity your next step should be to browse this page and pick up what are the important skills necessary in order to understand what code could be vulnerable and then report it accordingly now i wanted to walk you through how the code looks like and then give you a couple of examples and show you how simple it is really to understand the language and then what kind of bugs could be

found and how bad or good uh well how bad they can be really so um what you see in this page is uh the most basic solidity code you would see out there and the first line is just a compiler version uh you're basically telling the compiler which version to use to compile your code and then every single uh application that's been built on uh ethereum at least it starts with the line contract what you see here is the name of the contract afterwards so it's contract hello world that's on line three that's just the contract name and then on line four we just define a string variable and we give it a value of hello world

that's that's all that it is and once you compile it and then call the greets variable you will see the hello world being printed that's all that it is really now i want to give you a sample vulnerable code if you have done any sort of white box testing of code before i'm sure you're very familiar with overflows and underflows meaning that if a value goes over a certain threshold it it goes back to its original value instead so in order to give you an example what you see on this on this page is this is a contract called withdrawal if you look at line number two contract withdrawal that's just a contract name on line number three

we have an unsigned integer that is for the balance variable so the balance variable uh has been or has a type of unsigned integer eight meaning that the maximum value it could have is 255 so um the problem here is that if someone was able to increase their their balance to more than 255 suddenly their their balance changes to one because it rolls over the variable unsigned integer it rolls over once it hits its maximum value back to one and another way to exploit this issue is if someone was able to withdraw a sum more than their balance make sure the variable goes back to its max value then they can abuse it that way as well

and this is the issue that you see on the screen so on line 4 function withdraw unsigned integer 8 sum so what you see here is there's a function that is uh for withdrawing and the the sum variable is of the type inside integer eight the sum is controlled by uh any user so uh what they can do is they can provide a number for example uh two here or three and uh in the next line on line five the balance the sum is subtracted from the balance so number three is subtracted from one which is the balance and uh because the variable has a maximum value of 255 so it's one to 255 and when you do the

subtraction it goes back all the way up to the maximum value and you artificially increase the value of your balance because of this underflow issue another issue and other vulnerability within solidity is what you see on the screen um the answer is really inside the note that i provided at the top so in solidity you can create functions and you can set functions to be public or private and if you forget to properly secure them anyone can call them later what you see now is the code itself so you see uh progmo solidity 0.4.24 that's the compiler version the next line is contract identity crisis that's a contract name the next line afterwards is address

public owner it's just a variable of the type address that holds the address of the owner and then we have a function called set wallet owner and it takes any address that the user provides and is set to public uh and and this is exactly where the problem is if you create a function and you set it to public and you forget to secure it with other means that solidity provides people can later call it again make themselves the owner and then take over the contract and and become the owner and then probably withdraw its balance if it has any balance this exact issue was the source of multiple exploits as a recent where people

created some sort of function that would do something incredibly sensitive but they forget to set it or protect it properly and that caused all sorts of issues and that's really how to how to look at solidity as as you can see it's a very in my opinion if you know javascript it's a very simple language to read you just have to have the patience to go over it once you do the web interface checks you just get access to the code go over the code but you have to also understand what to look for so the swc registry is the best way to approach this now in terms of tools there are two excellent tools out

there one is slither is the one i use all the time and slither is a free tool and what you do is you just point it to some some piece of code that that you have received from the client and you let it run it gives you an incredible number of uh results however a lot of them can be false positive so it's up to you as the reviewer to go through the results use slither as as a starting point to to understand okay there might be an issue on point a or point b maybe i should start looking there and then and then sort of start filtering down what is valid and what is invalid and

then take it from there mythics is also another good service it's it's paid however but it's also another good service that does reviewing of uh solidity code as well and with that thank you very much