Security with Block Chain Technology:Part 1

-

Penetration Testing and Security Audit of Block Chain Technology:

By- Samrat Das

     Block chain overview:
Block chain in the simplest of terms can be defined as a chain of the block that contains information. The basic fundamental relies on timestamping digital documents to prevent backdating them or tampering them.
Why is block chain used?
Block chain is used for the secure transfer of a variety of things including money, property, contracts, etc. but the facility of no third-party intermediary needed like bank or government.
The downside or rather advantage being once a data is recorded inside a block chain, it becomes very difficult to change.
Protocol Concepts:
Block chain is a software protocol which needs the Internet as a medium to run as a meta-technology. It is made up of: database, software and connected computers.
Features of block chain:
·         Resilience: Replicated architecture, the advantage of block chain is even in cases of DOS attacks the chain is still operational by most nodes.
·         Quicker Time Processing: Allows quicker settlement of trades eliminating the need of verification, settlement, and clearance because a single version of agreed-upon data of the shared ledger is available between all holders.
·         Reliability: Block chain certifies and verifies the identities of the interested parties. The factors of double records, reducing rates are removed and transactions are way quicker.
·         Unchangeable transactions: Block chain certifies the un-alterability of all operations. Post addition of new block to the chain of ledgers, it cannot be removed or modified.
·         Fraud prevention: Being a model on shared information and consensus, possible losses are prevented due to fraud or embezzlement.
What is a Block?
A Block chain is made up of a chain of blocks which contains data which is stored inside a block. The type of data depends on the type of block chain which generally involves Sender, Receiver, and number of bitcoins to be transferred.

The first block in the chain is called the Genesis block. Each new block in the chain is linked to the previous block.
    Basic security protocols in Block Chain:
a.      Proof of Work
In order to retain integrity in files, hashing is a mechanism which prevents tampering. In terms of feasibility though, modern computers can calculate hundreds of thousands of hashes per second leading which an attacker can tamper with a block and recalculate all the hashes of other blocks to make the block chain valid.
In order to circumvent the issue, blockchains uses “Proof-of-Work” concept. It is a mechanism which slows down the creation of the new blocks.
Proof-of-work is a basically a computational problem that takes efforts to solve. The fact is based on the time to verify the results of the computational problem which is trivial compared to the effort it takes to solve the computational problem itself.
How does it secure bit coins?
In case of Bitcoins, it takes almost 10 minutes to calculate the required proof-of-work to add a new block to the chain.
If a hacker would change data in Block 2, he would need to perform proof of work (which would take 10 minutes) and only then make changes in Block 3 and all the succeeding blocks, which would slow down his pace of attack and reduce the feasibility of attack.



b.      Distributed P2P Network
Another security method is distributing block chain. Rather than using a central entity to manage the chain, Block chains use a distributed peer-peer network, and everyone is allowed to join. When someone enters this network, he will get the full copy of the block chain.
In this structure, each computer is called a node.

When any user creates a new block, this new block is sent to all the users on the network. Each node needs to verify the block to make sure that it hasn't been altered. After complete checking, each node adds this block to their block chain.
Here comes another term to learn about, and it is consensus. This concept states, what blocks are valid and which are not. Nodes in the network will reject blocks that are tampered with.

Considering the hypothetical situation, tampering with a block chain now needs the below possibility:
·         Tamper with all blocks on the chain
·         Redo the proof-of-work for each block
·         Take control of greater than 50% of the peer-to-peer network.
Post the completion of above tasks, the tampered block becomes accepted by everyone else. This is highly unlikely thus proving as the baseline of security level for block chains.

How Block Chain Transactions Work?
Since now we have the fundamentals of block chain clear, let’s take a look at how the transactions model of block chain works at a high level.
1) Person A requests a transaction, which can be cryptocurrency, contracts, records or other information.
2) The requested transaction is broadcasted to a P2P network with the help of nodes.
3) The network of nodes validates the transaction and the user's status with the help of known algorithms.
4) Once the transaction is complete the new block is then added to the existing block chain as permanent and unalterable.
Versions of Block chain:
 
·         Block Chain 1.0: Currency
DLT (distributed ledger technology) led to its first and obvious application: Cryptocurrencies. This allows financial transactions based on block chain technology used in currency and payments. Example: Bitcoin.
·         Block Chain 2.0: Smart Contracts
Smart Contracts came in 2.0 version, which are small computer programs that reside in the block chain as free computer programs that execute automatically, and check conditions defined earlier like facilitation, verification or enforcement.
·         Block Chain 3.0: DApps:
DApps better known as decentralized application has their backend code running on a decentralized peer-to-peer network. A DApp can have also have frontend code and user interfaces written in any language that can make a call to its backend, like a traditional Apps
Block Chain Variants
·         Public:  Ledgers are visible to everyone on the internet allowing anyone to verify and add a block of transactions to the block chain. Anyone can use a public block chain network.
·         Private: The private block chain is within a single organization allowing only specific people of the organization to verify and add transaction blocks. At times, a read only access is provided for everyone on the internet.
·         Consortium:  A group of organizations can verify and add transactions for this model, depending on need, the view is open or restricted to select groups as cross-organizations access controlled by pre-authorized nodes.
Block Chain limitations:
Higher costs: Nodes seek higher rewards for completing Transactions in a business which work on the principle of Supply and Demand
Slower transactions: Nodes prioritize transactions with higher rewards, backlogs of transactions build up
Smaller ledger: It not possible to a full copy of the Block Chain, potentially which can affect immutability, consensus, etc.
Transaction costs, network speed: The transactions cost of Bitcoin is quite high after being touted as 'nearly free' for the first few years.
Risk of error: There is always a risk of error, as long as the human factor is involved. In case a block chain serves as a database, all the incoming data has to be of high quality
Wasteful: Every node that runs the block chain has to maintain consensus across the blockchain. This offers very low downtime and makes data stored on the block chain forever unchangeable.
Here is a useful diagram which shows how block chain works:

Image Source:   https://media.g2crowd.com/wp-content/uploads/2018/01/23135723/blocks-2.jpg         
Take away concepts:
·         A Block chain is a chain of blocks that contain information
·         Block Chain vs Bitcoin: Block chain is the technology, Bitcoin is the implementation
·         Three versions of Block Chain are Block Chain 1.0: Currency, Block Chain 2.0: Smart Contracts and Block Chain 3.0: DApps
·         The Block Chain database is disturbed and not centralized.
·         Block Chain require Proof of Work before a new block is added
·         Block chain technology features are: Resilience, Decentralized, Time reducing, reliable haing unalterable transitions
·         Block Chain variants 1) Public 2) Private 3) Consortium
·         Higher cost, slower transactions, small ledger, the risk of error are some disadvantage of using this technology.

That's for now..  the second part of the series will focus on methodology and performing block chain security testing including penetration testing.

Comments

Post a Comment

Popular posts from this blog

Arbitrary file upload and RCE in Wonder CMS - CVE-2017-14521

-
Image
By- Samrat Das Hi Readers Recently in one of my pentest research, I found a CMS " WonderCMS" hosted in github. Curious to explore its functionalities, I downloaded and set it up in my local system. After fiddling with the source code, I found that it did not have any kind of file upload security mechanism and allowed the user to upload any file type! After reporting it to them, I did not receive any security relevant response, hence decided to publish a blog on this. Title of the Vulnerability:   Arbitrary File Upload Vulnerability Class: Security Misconfiguration Technical Details & Description: The application source code is coded in a way which allows arbitrary file extensions to be uploaded. This leads to uploading of remote shells/ malicious Trojans which can lead to complete system compromise and server takeover. CVE ID allocated :  CVE-2017-14521 Product & Service Introduction: Wonder CMS 2.3.1 WonderCMS is an open source CMS (Content Ma
Read more

Cross Site Request Forgery- Intex Router N-150 | CVE-2018-12529

-
Image
By- Navina Asrani Hi Readers, Recently while tinkering with my wifi router, I was curious to find if it has possible loopholes and vulnerabilities. Curious to explore its functionalities, I started probing with the options. Title of the Vulnerability:   Cross Site Request Forgery Vulnerability Class: Code Execution/ Privilege Escalation Technical Details & Description: The firmware allows malicious request to be executed without verifying source of request. This leads to arbitrary execution with malicious request which will lead to the creation of a privileged user. CVE ID allocated: -  CVE-2018-12529 Product & Service Introduction: Intex Router Steps to Re-Produce – 1.        Visit the application 2.         Go to any router setting modification page and change the values, create a request and observe the lack of CSRF tokens. 3.        Craft an html page with all the details for the built-in admin user creation and host it on a server
Read more

Stored XSS in Wonder CMS- CVE-2017-14522

-
Image
By- Samrat Das Hi Readers Recently in one of my pentest research, I found a CMS " WonderCMS" hosted in github. Curious to explore its functionalities, I downloaded and set it up in my local system. After fiddling with the source code, I found that it did not have any kind of security mechanism to filter any user input and accepted and stored in blindly without any sort of input validation Title of the Vulnerability:   Stored XSS Common Vulnerability Scoring System:  7.0 Vulnerability Class:  Injection Technical Details & Description:  The application source code is coded in a way which allows user input values to be stored and processed by the application. CVE ID allocated :  CVE-2017-14522 Product & Service Introduction:  Wonder CMS 2.3.1 WonderCMS is an open source CMS (Content Management System) built with PHP, jQuery, HTML and CSS (Bootstrap responsive). WonderCMS doesn't require any configuration and can be simply unzipped a
Read more