Blockchain Security Tools
Introduction

Basic blockchain architecture, as it pertains to block creation and consensus mechanisms, is very sound. The algorithms used to accomplish the cryptographic functions might be questionable. Hence special consideration should be given to key management, key length, hashing algorithms, and the environment in which that activity is conducted. To date none of the blockchains have been hacked or maliciously modified, hence from that aspect we are safe. If you consider blockchain mechanisms to be the foundation, which is unhackable at this point, the next few layers above are where the problems start. In this show, I talk about various blockchain security tools currently available.

Basic Blockchain Ecosystem

The illustration below depicts the different layers that in my opinion comprise a blockchain ecosystem.

Layer 1: Consensus and cryptographic functions.
Layer 2: Virtual processor executing code that executes smart contracts. For Ethereum this would be the Ethereum Virtual Machine (EVM) executing compiled Solidity code. For the Bitcoin blockchain this would be the virtual processor executing Script code.
Layer 3: Application Programming Interface (API). This performs multiple functions such as:
• Converting smart contract code to bytecode
• Wallet requests for transaction processing
• Exposing blockchain explorer capability
Layer 4: This is where the outside world interacts with Layers 3, 2, and 1.

Weakest Link

The weakest link is Layer 4. This is where all the problems start. First, the wallets: if the owner does not protect the private key and passphrase, or they are exposed, all the crypto held in that wallet can be lost. Second, the smart contracts: if the smart contract code is not written properly, then the compiled bytecode that lives on the blockchain will have vulnerabilities. If someone is able to exploit such a vulnerability, the impact can be very damaging, just like the DAO hack, which led to over $60m getting stolen.

Some solutions

Since a smart contract is just code, it has to follow secure coding practices. Although there are a lot of secure coding methodologies and tools available for conventional programming languages such as C, C++, C#, Java, JavaScript, etc., there was nothing available for newly created smart contract languages such as Solidity and Script. With the lack of secure coding practices and tools, coupled with programmers inexperienced in these new languages, it was a disaster waiting to happen.

Tools

Various organizations are now bringing out blockchain security tools to address this void. Here is the list:
• A platform should support conventional programming languages to ensure existing secure coding practices can be leveraged.
• OpenZeppelin has created an open framework of reusable and secure smart contracts in the Solidity language.
• Trail of Bits has created the following tools:
○ A repository that contains examples of common Ethereum smart contract vulnerabilities, including real code.
○ "Slither combines a set of proprietary static analyses on Solidity that detect common mistakes such as bugs in reentrancy, constructors, method access, and more. Run Slither as you develop, on every new checkin of code."
○ "Echidna applies next-generation smart fuzzing to EVM bytecode. Write Echidna tests for your code after you complete new features. It provides simple, high coverage unit tests that discover security bugs. Until your app has 80+% coverage with Echidna, don’t consider it complete".
○ "Manticore uses symbolic execution to simulate complex multi-contract and multi-transaction attacks against EVM bytecode. Once your app is functional, write Manticore tests to discover hidden, unexpected, or dangerous states that it can enter. Manticore enumerates the execution states of your contract and verifies critical functionality".
○ They have also created some reversing tools, just like Porosity below, which convert bytecode to Solidity code.
• NCC Group had compiled a DASP (Decentralized Application Security Project) Top 10 list.
• Porosity, a decompiler and smart contract auditing tool for Ethereum smart contracts.