Security with block chain technology-part-2 – Samrat Das
Key areas for security testing in block chain:
Nodes:
· Vulnerability Assessment and Build Review
· Redundancy Testing
· Synchronization Testing
· Consensus Algorithm Testing
· Private Keys (The Wallets)
· Password Strength Review
· Key Storage Review
Shared Ledger/ Storage:
· Information Disclosure Checks
· Smart Contracts (The Functionality) -Secure Code Review
Application Security Testing:
· API Testing
· Web Application Security Testing
· Mobile Application
Anatomical Break up of Block Chain Security Testing:
Nodes
The nodes on the block chain provide redundancy, synchronization and communication to the block chain ledger. The greater number of nodes within a network, the more secure and redundant the network becomes.
Vulnerability Assessment and Build Review
All nodes hosting a private block chain application can be assessed to detect and remove exploits.
Proof Of Work Algorithm:
As a GPU mining activity, it is vulnerable attacks where an attacker gains access to 51%+ of the network nodes and attempting to change the block chain via majority consensus.
Proof of Stake Algorithm:
This is mining via stake power. The more crypto coin owned on a network, the more staking power one has. The potential vulnerability here lurks as one user may be able to gain access to a large amount of coin, gain a big staking power and attack the block chain.
Private Keys /Wallets
Inside all nodes there is a program running which has access to each node’s individual wallet using its private key and password.
The wallet can be used to gain a user’s block chain “account” and any potential currency inside the wallet. Depending on the block chains application.
Here is the key is to ensure that the private key is hardened, leading to two below cases:
Password Strength Review
The passwords implemented should be tested across with brute force approach and dictionary attacks upon the private key to try and crack the password.
Key Storage Review
Review needs to be conducted to understand how organizations are storing their wallet private keys and look at the storage implementation..
The Shared Ledger
A ledger is the database which stores the data to be used by an application apart from storing smart contracts which are pieces of code written to perform functionality in use by the application. Ledger testing is done on mainly two initial points:
Information Disclosure
Data blocks being stored on the block chain can have data written into them which is then used by an application to perform functionality. All data written to the ledger can be seen by all parties that use it. It is thus important to check no sensitive information gets disclosed within its blocks.
Smart Contract Code Review
Some blocks hold smart contracts which can be executed for complete functionality to an application. It may thus hold implement logic flaws like any other coding language.
As a result, a secure code review should be conducted to identify its flaws.
Block Chain Hacking
Let’s now wrap up our block chain concepts with some attacks which can be launched to hack into block chain network:
Sybil Attack
An attack where huge number of nodes on a single network are owned by the same party and attempts to disrupt network activity through flooding the network with bad transactions or manipulating the relaying of valid transactions are done.
Most theoretical and not yet exploited in the wild. Bitcoin prevents them through its Proof-of-Work algorithm, requiring nodes to spend resources (in the form of energy) to receive coins, thereby making owning the vast majority of nodes very expensive.
Routing Attack
An attack made by compromising of an Internet Service Provider (ISP). As per ETHZurich, 13 ISPs host 30% of the Bitcoin network, while 3 ISPs route 60% of all transaction traffic for the network. This a major point of failure if an ISP were to be compromised to corrupted.
How does it work?
Routing attack work by intercepting internet traffic being sent between Autonomous Systems, top-level nodes in the architecture of the internet, of which there are few enough to intercept with relative ease. This can certainly be used against Bitcoin or other cryptocurrency traffic.
A cryptocurrency network could be partitioned into two or more separate networks using this technique, exposing either side of the partition to double-spending attacks because they cannot communicate with the entire network to validate transactions. Once coins were spent on one side of the network and goods or services received, the partition could be removed and the side of the network with the shorter chain would be rejected by the network as a whole and those transactions would be wiped out.
This kind of attack has not occurred but does have possibility of being carried out.
Direct Denial of Service
We all know what a DOS attack is. It is an attempt by attackers to cripple a server by flooding it with high volumes of traffic. In the case of a Bitcoin node, this looks like huge volumes of small or invalid transactions being sent in an effort to flood the network and prevent legitimate transactions from being processed.
Major networks like Bitcoin are constantly under attack from DDoS attempts, but design decisions made in the development of the Bitcoin network act to mitigate the risk of DDoS attempts.
51% or Majority Attack
As discussed before the mining concept, security of a block chain is directly linked to the computer power building the chain. Here, the threat of an attacker gaining control over a majority of the hash power on the network is a potential possibility.
The attacker can mine blocks faster than the rest of the network combined, opening the door to ‘double-spending.’
Double-spending is a method of defrauding a cryptocurrency that involves submitting transactions to the chain, receiving the good or service that transaction pays for, and subsequently using the majority hash power to fork the block chain at a point prior to the transaction. This effectively erases that transaction from the chain history, allowing the attacker to transact with those same coins a second time.
51% in the Wild
A group of hackers that called themselves the ’51 Crew.’ in the second half of 2016, began holding small Ethereum clones for ransom, taking advantage on their low hash rates and centralized mining distribution to rent enough hardware to corner the network.
Their demand was Bitcoins in exchange for shutting down their operation and leaving the projects in peace. If not, they would fork the coin’s block chain to a point prior to the large sales the crew had already made on exchanges.
The projects, Krypton (now defunct) and Shift (still traded at small volume), both refused to pay the ransom and subsequently had their block chains forked.
Cryptographic Vulnerabilities
The major funds being siphoned off were often due to crypto bugs in the software of the coin itself which were security holes that can be discovered and exploited by hackers.
Split Return Exploit: Decentralized Autonomous Organization
The DAO (Decentralized Autonomous Organization) was built on top of Ethereum using smart contracts. The idea was to give anyone the ability to invest in the company and vote on projects they wanted to be funded, all managed securely and automatically by the DAO smart contract code.
If you invested in the DAO (by purchasing DAO tokens) and then later decided to pull out, there existed a process by which you could have your Ethereum returned to you in exchange for your DAO tokens. This is the mechanism called the ‘Split Return’ that was exploited by a pioneering DAOist on June 17, 2016.
Split Return is a two-step process:
– Return the right amount of Ethereum to the token holder triggering the return, post that retrieve the tokens and register the transaction on the block chain to update the DAO token balance.
– The hacker stumbled on the fact he could fool the system into repeating the first step without moving onto the second, which enabled them to sweep of $50million worth of Ethereum out of the DAO and into a separate DAO controlled only by the attacker!
Thus this was all about of Block Chain for now. Hope you found the article informative! Next part will be focussed on smart contracts!
Published at Sat, 04 Jan 2020 19:17:50 +0000
{flickr|100|campaign}
