D: Centralization, 51% Attacks, Developer centralization, Transformation (PowerPoint PPT Presentation)


  1. D: Centralization, 51% Attacks

  2. Developer centralization

  3. Transformation
     - Code you write
     - Code you use
     - Library code you depend on is growing at a staggering rate

  4. Question
     - Who controls the code you depend on?
     - How many developers are there checking for its security?
     - Would you bet your life savings on them?
     - Case study: OpenSSL
     - Secures connections on a vast majority of sites
     - Circa 2014, how many developers were maintaining this code?
     - John Walsh: "OpenSSL for example is largely staffed by one fulltime developer and a number of part-time volunteer developers … to write, maintain, test, and review 500,000 lines of business critical code. Half of these developers have other things to do."

     Portland State University CS 410/510 Blockchain Development & Security

  5. It's all good, until it isn't
     - Heartbleed OpenSSL bug (2014)

  6. Securing the supply chain
     - How many developers work on Solidity?
     - https://blog.lamden.io/turing-incompleteness-and-the-sad-state-of-solidity-d5278ba4eda0

  7. Centralized trust added to contracts
     - Backdoors abound
     - From yesterday: https://www.trustnodes.com/2019/11/12/hackers-build-ethereum-google-sheets-sidechain-to-send-eth-by-email

  8. Governance centralization

  9. Governance in blockchains
     - On-chain governance done via consensus protocol
     - How is off-chain governance done?
     - "The very idea of blockchain governance can seem like a paradox wrapped in a dilemma. The paradox: 'How do you change something which is "immutable"?'"
     - https://www.coindesk.com/the-blockchain-paradox

  10. But first, a story

  11. The DAO
     - Decentralized Autonomous Organization
     - Crowd-sourced venture-capital fund for funding future Ethereum projects
     - Completely virtual
     - Smart contracts written and deployed to run the organization
     - Written by some of the top Ethereum developers
     - Initial funding period where people send ETH to get tokens representing voting stake (crowdsale or initial coin offering, ICO)
     - Proposals to obtain funds for projects considered by the DAO
     - Members with tokens vote to approve these proposals

  12. DAO contract management
     - splitDAO() function to create a "Child DAO"
     - Individuals or groups can join together to fund projects separately (i.e. create their own VC fund)
     - Child DAO can start raising funds and accepting proposals separately from others
     - Supports an "exit door"
     - Individuals or groups not happy with the DAO create their own Child DAO to exit the contract and exchange their DAO tokens to get their ETH back
     - ETH sent to a specified address after a period of 28 days (similar to the DAO funding mechanism)
     - Exploit
     - Attacking contract leverages a vulnerability in the split function to exchange a single token for its equivalent in ETH tens of thousands of times
     - Flaw is with the logic of the DAO smart contract itself (not the EVM)
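The split flaw described on this slide, as an added example that is not from the lecture: a small Python model (class names, the receive() hook standing in for the EVM fallback, and the 1 token = 1 ETH rate are all constructed) of why paying out before zeroing the caller's balance lets one token be cashed out repeatedly, and how checks-effects-interactions ordering stops it.

```python
# Model of the DAO split flaw: an external call made before the caller's token
# balance is zeroed lets that caller re-enter and be paid again. Constructed
# example for this lecture, not the DAO's Solidity code; 1 token = 1 ETH.

class VulnerableDAO:
    def __init__(self, eth_balance):
        self.eth = eth_balance      # ETH held by the contract
        self.tokens = {}            # caller -> token balance

    def deposit(self, who, amount):
        self.eth += amount
        self.tokens[who] = self.tokens.get(who, 0) + amount

    def split(self, who):
        owed = self.tokens.get(who, 0)
        if owed == 0 or owed > self.eth:
            return
        self.eth -= owed
        who.receive(self, owed)     # BUG: external call before the state update
        self.tokens[who] = 0        # too late, receive() already re-entered split()

class HardenedDAO(VulnerableDAO):
    def split(self, who):           # checks-effects-interactions ordering
        owed = self.tokens.get(who, 0)
        if owed == 0 or owed > self.eth:
            return
        self.tokens[who] = 0        # effect first
        self.eth -= owed
        who.receive(self, owed)     # interaction last; a re-entrant call sees 0

class ReentrantCaller:
    """Contract whose receive hook (the EVM fallback) calls split() again."""
    def __init__(self, max_depth=300):
        self.received = 0
        self.max_depth = max_depth  # stands in for the EVM call-depth/gas limit

    def receive(self, dao, amount):
        self.received += amount
        self.max_depth -= 1
        if self.max_depth > 0:
            dao.split(self)         # re-enter while the old balance is recorded

def drain(dao_cls, honest_eth=100, caller_eth=1):
    """ETH a one-token caller extracts from a DAO that also holds honest_eth."""
    dao = dao_cls(honest_eth)
    caller = ReentrantCaller()
    dao.deposit(caller, caller_eth)
    dao.split(caller)
    return caller.received
```

With the vulnerable ordering the single deposited token empties the whole contract; with the hardened ordering the caller gets back exactly what it put in.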

  13. Timeline
     - 4/30/2016: Launched with a 28-day funding window by German startup Slock.it
     - Several Ethereum Foundation members involved
     - 5/2016: Raised $150 million from 11,000 people (including a number of Ethereum Foundation members)
     - Ethereum valuation at the time was $1 billion (> 10% of ETH in the DAO)
     - Early 6/2016: 50 project proposals received for funding, but the DAO decides to hold off due to security issues in the code
     - 6/12/2016: Severe recursive call bug described by contract creator

  14. Timeline (continued)
     - 6/17/2016: Attacker takes out > 3.6 million ETH over several hours
     - ~15% of all ether in existence
     - Valued at > $60M
     - Price of ETH plummets from $20 to $13
     - Attacker's contract: https://www.etherchain.org/account/0x304a554a310c7e546dfe434669c62820b7d83490#transactions

  15. Timeline (continued)
     - 6/17/2016: Software fork immediately proposed by Buterin
     - https://blog.ethereum.org/2016/06/17/critical-update-re-dao-vulnerability/
     - Changing the code for running the full node to disallow future transactions on both contracts: "A software fork has been proposed, (with NO ROLLBACK; no transactions or blocks will be 'reversed') which will make any transactions that make any calls/callcodes/delegatecalls that reduce the balance of an account with code hash 0x7278d050619a624f84f51987149ddb439cdaadfba5966f7cfaea7ad44340a4ba (ie. the DAO and children) lead to the transaction (not just the call, the transaction) being invalid …"
     - Attacker stops withdrawing once the soft fork is proposed

  16. Timeline (continued)
     - 6/2016: Attacker posts a rant threatening to sue (e.g. code is law)
     - https://pastebin.com/CcGUBgDG
     - Eventually offers ETH to all miners and full nodes who do not accept the software fork
     - Software fork approved, but the update was pulled a few hours before deployment due to a denial-of-service vulnerability
     - Attacker can flood miners with transactions that will eventually be discarded without collecting any fees (bypasses the gas mechanism)!
     - http://hackingdistributed.com/2016/06/28/ethereum-soft-fork-dos-vector/

           for (uint32 i = 0; i < 1000000; i++) {
               sha3('some data');       // costly computation
           }
           DarkDAO.splitDAO(...);       // render the transaction invalid

     - Hard fork proposed
     - Undo the transactions altogether and end the DAO (returning all money back to token holders)
     - But, effectively a bailout for DAO token holders

  17. Historical reference (2008 crash)
     - Lehman took risks to make huge returns
     - When risks went south, asked for a government bailout
     - Didn't get one and failed
     - But… eventually everyone else did
     - The exact thing that cryptocurrencies want to end!

  18. 2016 DAO
     - The DAO and its investors took risks to make huge returns
     - When risks went south, asked for an Ethereum Foundation bailout even though Ethereum worked exactly as intended
     - Ethical discussion
     - Are DAO token holders like the banks?
     - Is the Ethereum Foundation like the government?
     - Was the DAO like the banks and considered "too big to fail"?
     - Is this doing what cryptocurrencies were intended to prevent?
     - What are the pros and cons of undoing the DAO transactions?

  19. Cons
     - "Code is law": the original statement of the DAO terms and conditions should stand under any circumstances
     - Blockchain should be immutable regardless of outcome
     - Slippery slope: once you modify/censor for one reason there is not a lot to keep you from doing it for other contracts
     - "Without an immutable censorship resistant ledger, a blockchain has very little value to offer."
     - Ethereum Foundation developers were investors in the DAO
     - They propose bailing themselves out, which is anathema to the ideas behind blockchains
     - https://cryptohustle.com/5-reasons-why-the-dao-bailout-was-bad-for-ethereum/

  20. Pros
     - "Code is law" is too drastic and humans should have the final say through social consensus
     - Hacker should not be allowed to profit from the exploit
     - Slippery slope argument not valid as the community is not beholden to past decisions; people can act rationally and fairly in each situation
     - Not a bailout as money isn't being taken from the community, it is just a return of funds to the original investors
     - If the community acts now it will make people that are unethical think twice before using Ethereum as their platform of choice (remember this for later)
     - https://www.cryptocompare.com/coins/guides/the-dao-the-hack-the-soft-fork-and-the-hard-fork/

  21. Aside: Formalism vs. Realism in legal governance
     - Formalism
     - Law derived logically by examining the relevant facts, case law, and nothing else
     - Law stands separate from social and political institutions
     - Law should derive from absolute principles
     - Much like advocates who insist on immutability at all costs
     - Realism
     - Law is based on the decisions of the courts, including any historical and social phenomena that influence those decisions
     - Anything that influences a judge is law
     - Law is a moving target, not inflexible dogma
     - Much like advocates who insist on community-driven interpretation of the law
