This year marks 5 year since I gave my first blockchain/web3 related presentation at DEFCON 25 when I presented Porosity which was an experimental decompiler and static analysis tool for Ethereum Virtual Machine bytecode, but also mentioned on why we should keep an eye on WebAssembly Virtual Machines back when eWASM was being drafted and an option for Ethereum as a replacement for EVM itself.
Since then, new layer 1 blockchains have emerged such as Solana (eBPF-variant), and NEAR & Polkadot (WebAssembly) as part of a new wave of architectures relying on the LLVM compiler and ELF file formats, instead of reinventing the wheel like the Ethereum Virtual Machine and Solidity programming language.
This also means that the foundation of existing tools can be leveraged and re-used for fuzzing such as AFL++ as both Patrick Ventuzelo (@Pat_Ventuzelo) and Thomas Roth (@ghidraninja) demonstrated.
Patrick Ventuzelo (@Pat_Ventuzelo) explained how he fuzzed standalone VMs and parsing libraries for WASM (Binaryen, WABT, WAMR, Radare2, wasmer (used by NEAR :)), wasmtime, etc.) in his A Journey into Fuzzing WebAssembly Virtual Machines presentation, while Thomas Roth (@ghidraninja) focused on fuzzing the Solana’s eBPF Virtual Machine (based on Quentin Monnet’s interpreter & just-in-time compiler: rbpf) in his Solana JIT: Lessons from fuzzing a smart-contract compiler presentation. Funny enough, Thomas ended up with a bug collision with a bug also discovered by addison from secret club.
Both talks are focusing on fuzzing layer-1 blockchains at the virtual machines level, which I find very interesting as it was my first immediate reaction when I first heard that smart-contracts in the web3 World were basically running on virtual machines which I find as interesting as the work on layer-2 from other groups such as neodyme.
Interestingly enough, none of the layer-1 I mentioned in my 2017 blogpost about “smart-contract languages to follow” has been covered this year or is nearly relevant enough to be covered. The only points that I made which happened to be correct were that:
- Ethereum Virtual Machine ended up very primitive, not designed to scale and will very likely end up in a lot of wasted resources (which we witnessed in 2021 during the NFT boom)
- Smart-contract needs to be formally verifiable
Polkadot/Subtrate (led by Gavin Wood) were not announced yet at the time but this 2018 blogpost on wasm on the blockchain gives a pretty good introduction on blockchain VMs and the requirements they were working on.
I do find interesting that as we move forward with traditional and web3 application security, the importance of both memory-safe and formally veriable languages such as rust cannot be ignored - while we see vendors announcing new features for memory-unsafe applications just like AWS Graviton3 processors with PAC-support and ARM shipping its first CHERI-enabled prototype processors as explained in this beautiful blogpost by the legendary Saar Amar (@AmarSaar). You can learn more about CHERI in this video by Richard Grisenthwaite.
In the short and medium term, Nathan Hamiel (@nathanhamiel) reminded us in his Web3’s Security Journey presentation of the current problems we have seen in web3 including cross-blockchain bridges which remain highly & super vulnerable, user-fronting threats (wallets etc.) and why security professionals should pay more attention due to the several bug bounty programs but also the fact most of the heists involve nation-state attackers such as North Korea. As Justine Bone (@justinmbone) and I also mentioned during our closing BlackHat keynote-roundtable Conclusions and Key Takeaways from Black Hat USA 2022 - crypto is here to stay, and regardless of if infosec people like it or not, we never saw heist of that magnitude (e.g. Ronin Network $600M+ heist) ever before and the tech stacks are growing more and more complex by the day.
Good times.