Software Integrity

 

Tineola: Taking a bite out of enterprise blockchain

Parsia Hakimian and Stark Riedesel presented Tineola at DEF CON 26

Parsia Hakimian and Stark Riedesel presented Tineola at DEF CON 26

Enterprise blockchain platforms are one of the big questions faced by many corporations, including some of our customers. And when our customers come to us with complex problems, we take their unique situations into consideration and come up with tailored solutions. So when our customers started asking us about blockchain, we responded by creating our open source tool Tineola.

Tineola is the first publicly available tool for attacking Hyperledger Fabric (hereafter Fabric). Fabric is the most popular enterprise blockchain platform and counts for around half of all deployments in this space. We recently demonstrated Tineola during our talk at DEF CON 26 in Las Vegas. In this article we introduce our tool and focus on the high-level concepts and issues in enterprise blockchain platforms. For technical details, please refer to the Tineola repository and our white paper.

What are enterprise blockchains?

The word blockchain reminds us of Bitcoin and Ethereum. This is not surprising; cryptocurrencies get a lot of media attention. It’s very convenient to hook the reader by attaching a price tag in the millions of dollars to an article about virtual currency theft. Enterprise blockchain platforms, by contrast, have mostly stayed out of the news. Nonetheless, corporations have invested a lot of resources into developing these platforms, mostly for solving noncryptocurrency challenges at scale. IDC estimates that investment in enterprise blockchain platforms in 2018 will be over $2 billion.

There are many different public blockchains, such as cryptocurrencies. Every day a new initial coin offering (ICO) captures the market with a seemingly novel idea. But the enterprise blockchain scene is dominated by only three major platforms: Hyperledger, Quorum, and R3. Companies from a wide array of disciplines are building on these platforms. Technology companies are usually at the forefront, but other industries, such as finance, auto, accounting, healthcare, and logistics, are active participants in these ecosystems. The senior leadership of these companies has decided enterprise blockchain is a useful technology that helps them streamline their information processing and data-sharing operations.

A Gartner article published in March 2018 reports a total of 396 enterprise blockchain engagements in 2018, compared to 115 for 2017. Out of these 400 programs, 14 were in production with limited functionality, and 17 were in the implementation phase. In a few years, this technology will be part of the critical infrastructure of our society.

In our paper, we analyze the promises of blockchain platforms, including immutability (once data is written to the blockchain, it can’t be modified) and programmability (rules of the blockchain are codified in smart contracts). But in reality, blockchain faces several challenges, some even stemming from its strengths. Owing to blockchain’s promise of immutability, for instance, fraudulent transactions and sensitive information can’t be removed from the blockchain once written, which leads also to privacy concerns.

Tineola demo

We created Tineola to help us during security assessments performed on Fabric deployments. We’ve used it to deploy back-doored smart contracts with offensive security functionalities such as command execution and reverse shells. Tineola takes advantage of design choices in Fabric that put a substantial amount of trust in peers and smart contracts. In short, here’s what Tineola can do:

  • Enroll in the Fabric network and act as a member.
  • Submit custom transactions.
  • Deploy chaincode, including built-in malicious smart contracts.
  • Use popular web application proxy tools such as Burp for chaincode fuzzing.
  • Read and display the information stored on the blockchain.

We demoed our tool at DEF CON using a narrative on an insurance application based on Fabric. The insurance application is the most complex open source Fabric example and a good use case for enterprise blockchain. We started as Tom, an employee of a repair shop participating in this system. We showed how Tom can use Tineola to take advantage of vulnerabilities in the application to commit insurance fraud.

Tom used Tineola to read the blockchain and discover log-in credentials for Carol, who had previously bought insurance for her bicycle. Tom logged into the portal as Carol and submitted a fraudulent insurance claim. Later Tom directly called the smart contract as an insurance agent and approved the claim. Finally, Tom logged into the repair shop portal as himself and marked the repair as complete.

Secure examples are necessary

During our talk we emphasized the importance of having secure examples in platform documentation. Examples are important because everyone uses them as learning material. They form the building blocks of technical knowledge. Insecure examples lead to vulnerabilities and technical debt down the road. Having secure blueprints, configuration, coding guidelines, and documentation is a must for every platform and doubly for new technologies like enterprise blockchains.

Lessons learned

During our research we noticed anti-patterns. We think they are useful to defenders. Smart contracts are mission-critical programs, and as my co-author Stark Riedesel has said, developers must adopt software security practices when developing blockchain applications. Here are some of the anti-patterns we demoed them at DEF CON:

  • Sensitive information disclosure. Tom used Tineola to read the blockchain and discovered Carol’s log-in credentials for the insurance portal.
  • Missing authorization controls. The insurance application used in our demo did not have any authorization controls. Tom directly called smart contracts and approved insurance claims.
  • Lack of input validation and encoding in chaincode. During our research, we discovered multiple JSON injection vulnerabilities in example code, and we exploited one in our talk using Tineola’s HTTP proxy bridge.
  • Unauthenticated CouchDB. The web interface of CouchDB allows unauthenticated users to interact with the database as administrator. We demonstrated this insecure configuration by connecting to a CouchDB instance and modifying data.
  • Unrestricted chaincode container networks. Fabric’s smart contracts run in a Docker container not segmented from the rest of the network. We deployed Tineola’s built-in malicious smart contract, installed nmap and mapped the network, used SSH to forward a port to our machine, connected directly to the internal state database of a peer, and modified an insurance contract. The modified insurance contract was stored on the blockchain and propagated through the network discreetly.

Take a bite out of enterprise blockchain before it takes a bite out of you.

Get the white paper now.