Deja vu Security’s Blockchain Security Offerings
Blockchain technologies underpin businesses and financial systems, and are regarded by some as a revolutionary decentralization of power and by others as overhyped and messianic. Blockchains are all of these things, and technologists, entrepreneurs, and developers are finding new and innovative uses for them almost daily. Justin Drake, researcher at the Ethereum Foundation, told the MIT Technology Review, “The same way the internet revolutionized communication, blockchain is going to revolutionize trust. Now there is an alternative to institutions and governments. We can rethink the whole system.” Sunny Lu of VeChain similarly told Capital Markets CIO Outlook, “Blockchain technology is not limited to the financial industry, but one that is comparable to the internet technology, capable of changing the world once again.”
But how much do the wisest technology experts really trust blockchains? A great deal and very little at the same time. Experts understand how blockchains actually work: that the designs differ in their trade-offs (depending on where you fall on the proof-of-work vs. proof-of-stake spectrum), and that none of them is failsafe. They are hackable just like any other system: “The security of even the best-designed blockchain systems can fail in places where the fancy math and software rules come into contact with humans, who are skilled cheaters, in the real world, where things can get messy” (Mike Orcutt, MIT Technology Review, May/June 2018). Blockchains, via Bitcoin, may have been around since 2008, when Satoshi Nakamoto first announced a “new electronic cash system that’s fully peer-to-peer, with no trusted third party,” but it is still the Wild West out there, and unforeseen promise and dangers abound.
Of course, that should not, and does not, stop entrepreneurs and organizations from using it. Blockchain has already disrupted the financial industry, and organizations from camera companies to governments are exploring its potential to bring greater transparency, accountability, decentralization, and anonymity to their systems. But the best blockchain developers know it is about more than building a framework and releasing it to the public: blockchains are being used to move some of the world’s most sensitive information, including financial data, medical records, government documents, and voting ballots. And since blockchain as a technology is fallible, the information it carries and the people who trust it are at risk. There is precedent for that risk, too; two notable catastrophes from 2017 are the NiceHash breach, which cost about $78 million, and the Parity multisig wallet hack, which cost about $30 million. Neither broke the underlying chain: the first drained a service’s payment wallet after its internal systems were compromised, and the second exploited a bug in the smart contract code of a wallet, which is exactly the point about math and software meeting messy reality.
Unfortunately, being both new and highly complex, blockchains are still not well understood and are difficult to secure. Blockchain technologies rely on distributed networks of nodes, and many rely on “mining.” Mining and nodes create opportunities for nefarious actors to cheat: for example, by amassing a majority of the network’s hash rate (a 51% attack) in order to rewrite recent history and double-spend, or by withholding a solved block so that honest miners keep working on a problem the attacker has already solved (selfish mining). What matters in these attacks is the share of hash rate (or stake), not the number of nodes; simply running many nodes gives an attacker no extra say over which chain is valid. Subtleties like these are one reason there are few places developers can go to get their systems secured. There are few blockchain experts, and even fewer blockchain security experts. Deja vu Security (“Deja”) is one of those select few. With a number of security assessments of some of the most foundational and complicated blockchain systems in the world under our belt, we are one of the best resources developers have to ensure their systems can withstand black-hat attacks. Deja has conducted comprehensive security reviews of two leading cryptocurrencies, a smart contract platform, crypto developer toolsets, blockchain-based identity management ecosystems, blockchain-based financial investment applications, and more.
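To make the majority-hash-rate point concrete, here is an added example (not Deja vu Security’s code, and not part of this page’s original text) implementing the attacker-success calculation from section 11 of the Bitcoin whitepaper: given the share q of total hash rate an attacker controls and the number z of confirmations a victim waits for, it computes the probability that the attacker’s private chain eventually overtakes the honest one. The function names and the 0.1% risk threshold are this example’s own choices.

```python
# Added example (not Deja vu Security's code): the attacker-success model from
# the Bitcoin whitepaper, section 11. Function names are this example's own.
import math


def attacker_success_probability(q: float, z: int) -> float:
    """Probability that an attacker holding fraction q of the hash rate
    eventually overtakes the honest chain after starting z blocks behind.

    While the honest chain advances z blocks the attacker's progress is
    Poisson with mean z*q/p (p = 1-q), and from k blocks of progress the
    chance of ever closing the remaining z-k block gap is (q/p)**(z-k).
    """
    if not 0.0 <= q <= 1.0:
        raise ValueError("q must be a fraction of total hash rate")
    if z < 0:
        raise ValueError("z must be non-negative")
    p = 1.0 - q
    if q >= p:
        # Majority hash rate: the attacker's chain wins with certainty,
        # no matter how many confirmations the victim waits for.
        return 1.0
    lam = z * (q / p)
    prob = 1.0
    poisson = math.exp(-lam)        # Poisson term for k = 0
    for k in range(z + 1):
        if k > 0:
            poisson *= lam / k      # step to the k-th term without overflow
        prob -= poisson * (1.0 - (q / p) ** (z - k))
    return max(prob, 0.0)           # clamp rounding noise for large z


def confirmations_needed(q: float, risk: float, max_z: int = 10_000) -> int:
    """Smallest number of confirmations z at which the attacker's success
    probability drops below `risk`. Raises if the attacker has a majority."""
    if q >= 0.5:
        raise ValueError("attacker has >= 50% of hash rate; no z is safe")
    for z in range(max_z + 1):
        if attacker_success_probability(q, z) < risk:
            return z
    raise ValueError(f"risk {risk} not reachable within {max_z} confirmations")


if __name__ == "__main__":
    for q in (0.1, 0.3, 0.45, 0.51):
        row = "  ".join(f"z={z}: {attacker_success_probability(q, z):.4f}"
                        for z in (0, 1, 5, 10))
        print(f"q={q:.2f}  {row}")
    for q in (0.1, 0.3):
        print(f"q={q:.2f}: wait {confirmations_needed(q, 0.001)} "
              f"confirmations for < 0.1% risk")
```

The numbers it prints match the whitepaper’s tables: at q = 0.1 five confirmations bring the risk under 0.1%, at q = 0.3 it takes 24, and at q ≥ 0.5 the probability is 1 for any z. That last row is the 51% attack: no number of confirmations helps, which is why a review has to ask who can plausibly amass that share of hash rate or stake, not only whether the code is correct.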
There is a reason people keep coming to us for blockchain services: very few security companies have in-house experts who can do both the depth and the breadth of analysis that a full review of a blockchain implementation requires, from start to finish. Our security consultants cover all of it, including assessments of blockchain-based systems and distributed ledgers, virtual machine and transaction verification, smart contract implementation, peer-to-peer network and distributed implementations, miner clients and mining pools, wallet implementations, cryptocurrency exchanges and trading systems, decentralized autonomous organization (DAO) implementations, and domain-specific languages and runtimes for contracts and virtual machines. Even some of the industry’s loudest voices have gaps here: they can dig deep or cover wide ground, but usually not both.
Before our consultants get down to brass tacks, Deja collaborates with clients on a scoping assessment to understand and plan for the complexities, goals, and limits of the project. Questions we ask clients to consider include:
What is the security assessment’s objective?
Which environments do you plan to integrate with or build from (such as Ethereum, Hyperledger, NEO, or others)?
How are authentication and authorization managed?
Are you using any custom network protocols or protocol extensions?
The answers to these questions help determine our fit as business partners, and guide the execution of the engagement from start to finish.
After scoping, based on need, objectives, and stage of development, Deja vu Security provides clients with a custom set of blockchain-focused services, including threat modeling and secure design review, security code review, ledger penetration testing, application fuzz testing, cryptocurrency and transaction verification and testing, and peer-to-peer network testing.
During threat modeling and design review, our consultants look critically at how blockchain and cryptocurrency are used and integrated across the system’s design as a whole, and hunt for logic flaws and systemic risk. This stage is in essence a bird’s-eye view, and gives clients a holistic understanding of their security risk.
Our security code review is a deep analysis of the project’s code to uncover implementation-level security flaws and deviations from the intended business logic. In the final report we deliver to clients, our consultants provide mitigation strategies and detailed fixes for the vulnerabilities they have found.
Deja’s ledger penetration testing is done from an attacker’s perspective and tests the application’s deployment; this type of critical analysis complements other code reviews our consultants perform.
Application fuzz testing uses fuzzing tools including the long-running Peach Fuzzer platform. Fuzzing feeds a system mutated or malformed input and watches for faults; attackers use it to find exploitable bugs, so Deja’s consultants use the same process to find previously unknown vulnerabilities first and report them to our clients.
Clients often ask us to verify that their use of cryptocurrency primitives, transaction verification, transaction implementation, and transaction logic is correct. Our consultants do this by exercising the project’s virtual machine and contract primitives to confirm that they execute as expected; any divergence goes into the report. We call this service cryptocurrency and transaction verification/testing.
The last service detailed here, peer-to-peer network testing, is another that blockchain clients frequently ask for. Our consultants dig into the network implementation and protocol, prodding the system to uncover weaknesses that could lead to denial-of-service attacks or other exploits.
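As an added illustration of the mutate-and-watch-for-faults loop that fuzz testing relies on (not Deja vu Security’s code, and not Peach Fuzzer itself), the following Python fuzzes a constructed toy transaction parser. The wire format, the naive and hardened parsers, the mutation strategies, and the seed transaction are all assumptions of this example; the point is that a parser which trusts its own length-prefix counts surfaces as uncaught exceptions under mutation, while the bounds-checked version only ever rejects input cleanly.

```python
# Added example (not Deja vu Security's code, not Peach Fuzzer): a minimal
# mutation fuzzer against a constructed toy transaction format. Layout assumed
# for this example only:
#   version:u8 | n_in:u8 | n_in x u32be | n_out:u8 | n_out x u32be
import random
import struct
from typing import Callable, Dict, List

# Constructed seed: one 5000-unit input paying a 4000-unit output.
SEED_TX = bytes([1, 1]) + struct.pack(">I", 5000) + bytes([1]) + struct.pack(">I", 4000)


def parse_tx_naive(data: bytes) -> dict:
    """Deliberately naive: trusts the count bytes and never checks how many
    bytes remain, so short input escapes as IndexError or struct.error."""
    off = 0
    version = data[off]
    off += 1
    n_in = data[off]
    off += 1
    inputs = []
    for _ in range(n_in):
        inputs.append(struct.unpack(">I", data[off:off + 4])[0])
        off += 4
    n_out = data[off]
    off += 1
    outputs = []
    for _ in range(n_out):
        outputs.append(struct.unpack(">I", data[off:off + 4])[0])
        off += 4
    if sum(outputs) > sum(inputs):
        raise ValueError("outputs exceed inputs")
    return {"version": version, "inputs": inputs, "outputs": outputs}


def parse_tx_hardened(data: bytes) -> dict:
    """Same format, every read bounds-checked first; malformed input is always
    a ValueError, the one exception a caller is expected to handle."""
    def need(off: int, n: int) -> None:
        if off + n > len(data):
            raise ValueError(f"truncated: need {n} bytes at offset {off}")

    need(0, 2)
    version, n_in = data[0], data[1]
    off = 2
    need(off, 4 * n_in)
    inputs = list(struct.unpack(f">{n_in}I", data[off:off + 4 * n_in]))
    off += 4 * n_in
    need(off, 1)
    n_out = data[off]
    off += 1
    need(off, 4 * n_out)
    outputs = list(struct.unpack(f">{n_out}I", data[off:off + 4 * n_out]))
    off += 4 * n_out
    if off != len(data):
        raise ValueError("trailing bytes after transaction")
    if sum(outputs) > sum(inputs):
        raise ValueError("outputs exceed inputs")
    return {"version": version, "inputs": inputs, "outputs": outputs}


def mutate(rng: random.Random, data: bytes) -> bytes:
    """One random mutation: bit flip, boundary byte, truncation, or insertion."""
    buf = bytearray(data)
    choice = rng.randrange(4)
    if choice == 0 and buf:
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif choice == 1 and buf:
        buf[rng.randrange(len(buf))] = rng.choice((0x00, 0x01, 0x7F, 0x80, 0xFF))
    elif choice == 2:
        buf = buf[:rng.randrange(len(buf) + 1)]
    else:
        i = rng.randrange(len(buf) + 1)
        buf[i:i] = bytes(rng.randrange(256) for _ in range(rng.randrange(1, 9)))
    return bytes(buf)


def fuzz(parser: Callable[[bytes], dict], seeds: List[bytes],
         iterations: int, seed: int = 0) -> Dict[str, bytes]:
    """Feed mutated seeds to `parser`. ValueError is the expected graceful
    rejection; any other exception is a fault, kept once per signature."""
    rng = random.Random(seed)
    crashes: Dict[str, bytes] = {}
    for _ in range(iterations):
        data = rng.choice(seeds)
        for _ in range(rng.randrange(1, 4)):   # stack 1-3 mutations
            data = mutate(rng, data)
        try:
            parser(data)
        except ValueError:
            continue
        except Exception as exc:
            crashes.setdefault(f"{type(exc).__name__}: {exc}", data)
    return crashes


if __name__ == "__main__":
    for name, parser in (("naive", parse_tx_naive), ("hardened", parse_tx_hardened)):
        found = fuzz(parser, [SEED_TX], iterations=2000, seed=1)
        print(f"{name}: {len(found)} distinct fault(s)")
        for sig, data in found.items():
            print(f"  {sig}  <- {data.hex()}")
```

The naive parser yields faults within a few dozen iterations because any truncation leaves it reading past the end of the buffer; the hardened parser produces none over the same inputs. In a real engagement the parser under test is the client’s node, wallet, or VM, the faults are crashes or memory errors rather than Python exceptions, and the mutation engine is far more elaborate, but the loop is the same.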
These are the standard assessments clients tend to ask us for, but each project is highly individualized; because Deja’s blockchain experts are holistic and well-rounded, we can customize each engagement to tackle whatever clients need our help with.
In 2014, Deja was tasked with assessing what has become one of the world’s most foundational blockchain technologies: Ethereum itself. The Ethereum Foundation knew Deja specialized in custom-made assessments of end-to-end security, and had the expertise and enthusiasm needed for such a complex and nascent project. Deja conducted design reviews (quasi-Turing-complete VM, wire protocols, transaction integrity), solution reviews (end-to-end process, smart contracts, hashing), protocol/P2P/network reviews (DoS, compromise and degradation of the network), code reviews (data structures, variables, threading), and fuzz testing (using the standard-setting Peach Fuzzer platform). Ethereum Co-Founder Jeffrey Wilcke honored us with kind words about our work: “It was like staring blindly at a piece of code, then having someone come up and immediately identify the issue. We were able to resolve severe issues only with [Deja’s] help, for which we are incredibly grateful.” On the holistic nature of Deja’s skills, Ethereum’s Manager of Security Audits, Dr. Jutta Steiner, said, “From the very first conversation when we started looking for a company that could add value to Ethereum’s security audit…we were impressed by [Deja’s] width and depth of challenging the theoretical assumptions as well as coming up with suggestions for hardening the code base.”
In 2017, Mona El Isa worked with Reto Trinkler on building an Ethereum-based smart contract system called Melon (run by Melonport AG). To facilitate its necessary security assessments, Mona tried out a variety of security companies, but was unimpressed: “We engaged with auditors who were, frankly, not technical enough in their analysis…It is imperative for auditors to dive deep into the code. We looked for someone who could challenge our developers on this front.” That’s when Deja came into the picture and conducted a full assessment, finding a half-dozen significant issues and eleven minor issues (one might call them “yellow lights”). To do so, our security consultants had to work with Solidity, a “new language, [a] new environment. There aren’t a lot of stable and mature tools” (Dan Wessling, Senior Security Consultant at Deja). Melonport was pleased: “You know it’s good work when you’ve got people challenging you in different areas. It shows they have done a thorough analysis. These require some thought from you. An audit that doesn’t challenge doesn’t provide value.” George Hallam, previously of the Ethereum Foundation and now with Melonport, tweeted, “In the crypto/blockchain world, security should ALWAYS be the primary concern. No. Compromises. Ever. Very glad then that Melonport has been working with some of the best minds in the space to audit, improve and secure [its] code. Brilliant work Deja vu Security!”
Status is essentially a mobile operating system that facilitates decentralized operations for iOS and Android users: cryptocurrency wallets, decentralized apps (DApps), secure browsing, and so on. Status founders Jarrad Hope and Carl Bennetts are a pair of blockchain proponents who are highly optimistic about the technology; Nabil Naghdy, Status COO, said, “We believe in moving decentralization forward, full transparency, and self-sovereignty…Jarrad and Carl encoded a meaning into the name Status: ‘the state of us.’” But like any good blockchain developer, the folks at Status knew that asking outside experts for a security assessment was not optional; it was essential. Status had three main concerns they wanted Deja to work on in 2018: financial transaction integrity, protection against data leakage, and protection against hacking and malicious actors. Deja’s security consultants conducted a multi-faceted assessment, looking at where the user controls the data the application takes in; the configuration of services, frameworks, and libraries; sensitive data storage, management, and clearing; cryptography; backup phrase entropy; and more. We found four highly critical vulnerabilities and a handful of others ranging from medium to critical risk; among them were issues with the API implementation and with potentially malicious DApps taking advantage of the platform. Status was so happy with the quality of our work that they immediately asked to book us for another round of assessments.
Deja’s done all this and more in the blockchain space not because we’re big, but because we’re boutique, and even the cybersecurity industry’s biggest corporations can’t compete. Our skills are extensive and highly technical: We’ve identified potential security gaps deep and buried in major blockchain technologies. But we’re also holistic: We look at technologies as a whole, analyzing them from the very top to the very bottom, from the beginning of the process of using them to the end. The fact that both foundational and nascent blockchain technology creators—from the early days of Ethereum itself to brand-new platforms—keep leaning on Deja’s expertise proves you can place your trust in us.