Take on public transportation today (11th May 2017), the headline news display on advertisement screen guide me start the discussion on block chain technology again. It looks a realistic situation intend to boots up block chain technology growth. Let’s take a quick seen!
As of 6 February 2016, there are 15.2 million bitcoins circulation of a capped total of 21 million.
- Total volume: 1800 Billion of dollars
- 4 days exchange volume equal to 30 Billion of dollars
Block chain space Radical changes on 2017
In 2017 Microsoft announced their participation in the newly formed Enterprise Ethereum Alliance. Joining them are also companies such as Intel, J.P. Morgan, BNY Mellon, BP, ING, Thomson Reuters and blockchain startups. In general, my idea on key word “Ethereum” only focus on security incident. Sounds like that I am not suggest anyone to create Ethereum to let hackers get away your money.
Quote: “In general, the Ethereum community is on board with the notion that we do not have to do things exactly the way that things are done in other crypto communities,” -shortcut from Bloomberg Business week.
As a matter of fact, new technology has technical limitation not the 1st day we heard, but it has the mature model finally, right? So I am not keen to my stubborn to say not suggest to use. Perhaps a positive discussion might provide more positive idea in this regard.
High Level understand of Ethereum
Ethereum is an open-source, public, blockchain-based distributed computing platform featuring smart contract (scripting) functionality.
Platform: x86, ARM
Written in: C++, Go, Rust
Technical weakness on security viewpoint
Programming language: C++
Security problems with C and C++ programs is hard to avoid the following issue:
- buffer overflow attack
- Integer problems in C/C++
- File I/O risks
- Temporary files / a C++ TOCTOU vulnerability
- Unicode bug
Programming language: Go
How are blockchain application developed by “GO”. What is “Go”? “Go” is a free and open source created at Google in 2007 by Robert Griesemer, Rob Pike, and Ken Thompson . Like other programming language, this programming language contain their design limitation. The vulnerability found this year was shown that the “Go” SSH library (x/crypto/ssh) by default does not verify host keys, facilitating man-in-the-middle attacks. Default behavior changed in commit e4e2799 to require explicitly registering a hostkey verification mechanism.
Programming language: Rust
Rust is a general purpose programming language sponsored by Mozilla Research. It is designed to be a “safe, concurrent, practical language”, supporting functional and imperative-procedural paradigms. Rust is syntactically similar to C++, but is designed for better memory safety while maintaining performance. Rust only panics from integer overflow when in debug mode. So it looks that this programming languages suitable for developers build block chain system application.
Remark: Developer Analyst firm Redmonk charted Rust’s move on the Github rankings from 46 to 18.
Modern cyber technology crisis
Ransomware attack is the 1st priority of concern:
Ransomware (Wannacry) attack hits 99 countries with UK hospitals among targets yesterday. As we know the specifics attack are leveraging a Windows exploit harvested from the NSA called EternalBlue (MS17-010 – the vulnerabilities could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server). As a result it trigger the one to many attacks within the internal network. Since it relies on SMB so it spread out in extremely fast way. We are not going to discuss this incident today.
The reflections of this incident let us know the design weakness can kill the system within 1 minutes and broadcast the attack to neighbor. Be reminded that even though block chain or Ethereum technology network are built by group. It is a star topology network. A benefits for system and network resilience. However it increase the inherent risk.
Peer-to-peer communications between nodes running Ethereum clients run using the underlying ÐΞVp2p Wire Protocol. It is very secure. However if a trust client being compromised. From techincal point of view, hacker will more easy to infiltrate into it. Besides, the objective of ransomware target for ransom (money). If the victim workstation (Ethereum client) or mobile phone (Ethereum client) was compromised by ransom (whole hard drive encrypted). A high possibility to pay for the ransom otherwise he will lost more money.
As said, Ethereum deploy a high standard of secure protocol ( ÐΞVp2p Wire Protocol). However you can drill down in different area see whether can find out the design limitation. For instance a well known vulnerability. A Java Debug Wire Protocol remote code execution. The problem was that JDWP ( Java Debug Wire Protocol) is one layer within the Java Platform Debugger Architecture (JPDA). JDWP does not use any authentication and could be abused by an attacker to execute arbitrary code on the affected server. Any impact here!
But my concern is on fast synchronization process. In the mean time I am still analysis what is the possibility to fool the remote peer on GetNodeData step. For more detail, please refer below specification.
Fast synchronization (PV63) specification:
GetNodeData [+0x0d, hash_0: B_32, hash_1: B_32, …] Require peer to return a NodeData message. Hint that useful values in it are those which correspond to given hashes.
NodeData [+0x0e, value_0: B, value_1: B, …] Provide a set of values which correspond to previously asked node data hashes from GetNodeData. Does not need to contain all; best effort is fine. If it contains none, then has no information for previous GetNodeData hashes.
GetReceipts [+0x0f, hash_0: B_32, hash_1: B_32, …] Require peer to return a Receipts message. Hint that useful values in it are those which correspond to blocks of the given hashes.
Receipts [+0x10, [receipt_0, receipt_1], …] Provide a set of receipts which correspond to previously asked in GetReceipts.
Our discussion stop here today. I will provide more update in this regard. Thank you.
Part 2:Blockchain technology situation – Malware join to bitcoin mining
Part 1:Blockchain technology situation – A Tales of Two Cities