Tineola is a tool for attacking Hyperledger Fabric. Here we focus on some high-level concepts and security issues in enterprise blockchain platforms.
Parsia Hakimian and Stark Riedesel presented Tineola at DEF CON 26
Enterprise blockchain platforms are one of the big questions faced by many corporations, including some of our customers. And when our customers come to us with complex problems, we take their unique situations into consideration and come up with tailored solutions. So when our customers started asking us about blockchain, we responded by creating our open source tool Tineola.
Tineola is the first publicly available tool for attacking Hyperledger Fabric (hereafter Fabric). Fabric is the most popular enterprise blockchain platform and accounts for around half of all deployments in this space. We recently demonstrated Tineola during our talk at DEF CON 26 in Las Vegas. In this article we introduce our tool and focus on the high-level concepts and issues in enterprise blockchain platforms. For technical details, please refer to the Tineola repository and our white paper.
The word blockchain reminds us of Bitcoin and Ethereum. This is not surprising; cryptocurrencies get a lot of media attention. It’s very convenient to hook the reader by attaching a price tag in the millions of dollars to an article about virtual currency theft. Enterprise blockchain platforms, by contrast, have mostly stayed out of the news. Nonetheless, corporations have invested a lot of resources into developing these platforms, mostly for solving non-cryptocurrency challenges at scale. IDC estimates that investment in enterprise blockchain platforms in 2019 will be nearly $3 billion.
There are many public blockchains, most of them cryptocurrencies. Every day a new initial coin offering (ICO) captures the market with a seemingly novel idea. But the enterprise blockchain scene is dominated by only three major platforms: Hyperledger, Quorum, and R3’s Corda. Companies from a wide array of disciplines are building on these platforms. Technology companies are usually at the forefront, but other industries, such as finance, auto, accounting, healthcare, and logistics, are active participants in these ecosystems. The senior leadership of these companies has decided enterprise blockchain is a useful technology that helps them streamline their information processing and data-sharing operations.
A Gartner article published in March 2018 reports a total of 396 enterprise blockchain engagements in 2018, compared to 115 for 2017. Of these roughly 400 programs, 14 were in production with limited functionality, and 17 were in the implementation phase. In a few years, this technology will be part of the critical infrastructure of our society.
In our paper, we analyze the promises of blockchain platforms, including immutability (once data is written to the blockchain, it can’t be modified) and programmability (the rules of the blockchain are codified in smart contracts). But in reality, blockchain faces several challenges, some stemming from its strengths. Owing to blockchain’s promise of immutability, for instance, fraudulent transactions and sensitive information can’t be removed from the blockchain once written, which also raises privacy concerns.
We created Tineola to help us during security assessments performed on Fabric deployments. We’ve used it to deploy back-doored smart contracts with offensive security functionalities such as command execution and reverse shells. Tineola takes advantage of design choices in Fabric that put a substantial amount of trust in peers and smart contracts. In short, here’s what Tineola can do:
We demoed our tool at DEF CON using a narrative around an insurance application built on Fabric. The insurance application is the most complex open source Fabric example and a good use case for enterprise blockchain. We started as Tom, an employee of a repair shop participating in this system. We showed how Tom can use Tineola to take advantage of vulnerabilities in the application to commit insurance fraud.
Tom used Tineola to read the blockchain and discover the login credentials of Carol, who had previously bought insurance for her bicycle. Tom logged into the portal as Carol and submitted a fraudulent insurance claim. Later Tom directly called the smart contract as an insurance agent and approved the claim. Finally, Tom logged into the repair shop portal as himself and marked the repair as complete.
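The two weaknesses the demo narrative relies on, credentials readable by anyone who can query the ledger and a claim approval that Tom could obtain by calling the chaincode directly, are shown below in Go, the language Fabric chaincode is usually written in. This is an added illustration, not Tineola code or the insurance sample’s chaincode: the `Ledger` type is a hypothetical in-memory stand-in for the Fabric world state (`GetState`/`PutState`), `Invocation.MSPID` stands in for the identity the peer attaches to a proposal, and the exact mechanism of the vulnerable approval (a role string taken from the client-supplied arguments) is an assumption used to model the pattern rather than the real application’s logic. All user and claim data is constructed.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Ledger is a hypothetical stand-in for Fabric's key/value world state
// (GetState/PutState on shim.ChaincodeStubInterface). Every peer on the
// channel keeps a full copy, so anything written here is readable by every
// organisation that can query the ledger. This is a mock, not the Fabric shim.
type Ledger struct {
	kv map[string][]byte
}

func NewLedger() *Ledger { return &Ledger{kv: map[string][]byte{}} }

func (l *Ledger) PutState(k string, v []byte) { l.kv[k] = v }
func (l *Ledger) GetState(k string) []byte   { return l.kv[k] }

// Dump walks the whole key range, which is what an attacker with ledger read
// access does: the "read the blockchain" step in the demo narrative.
func (l *Ledger) Dump() string {
	keys := make([]string, 0, len(l.kv))
	for k := range l.kv {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	var b strings.Builder
	for _, k := range keys {
		fmt.Fprintf(&b, "%s=%s\n", k, l.kv[k])
	}
	return b.String()
}

// Invocation models what chaincode sees: the MSP ID the peer derived from the
// signing certificate (not chosen by the client) and the client-supplied args.
type Invocation struct {
	MSPID string   // e.g. "InsurerMSP"; set by the peer from the proposal signature
	Args  []string // fully attacker-controlled
}

// ---------- Anti-patterns (hypothetical, modelled on the demo narrative) ----------

type userRecord struct {
	Username string `json:"username"`
	Password string `json:"password"` // plaintext portal credential, replicated to every peer
}

// RegisterUserVulnerable writes a portal password into world state.
func RegisterUserVulnerable(l *Ledger, user, password string) {
	rec, _ := json.Marshal(userRecord{Username: user, Password: password})
	l.PutState("user:"+user, rec)
}

// ApproveClaimVulnerable trusts a role string supplied in the arguments.
// Args: [claimID, role]. Anyone who can invoke the chaincode can pass "insurer".
func ApproveClaimVulnerable(l *Ledger, inv Invocation) error {
	if len(inv.Args) != 2 || inv.Args[1] != "insurer" {
		return errors.New("not an insurer")
	}
	l.PutState("claim:"+inv.Args[0], []byte("APPROVED"))
	return nil
}

// ---------- Hardened versions ----------

type ownerRecord struct {
	Username string `json:"username"`
	Owner    string `json:"owner"` // blockchain identity, no secret material
}

// RegisterUserHardened keeps the credential off the ledger entirely: the portal
// authenticates users itself; the chaincode only records which MSP identity
// owns the record.
func RegisterUserHardened(l *Ledger, inv Invocation, user string) {
	rec, _ := json.Marshal(ownerRecord{Username: user, Owner: inv.MSPID})
	l.PutState("user:"+user, rec)
}

// ApproveClaimHardened derives the role from the invoking identity, which the
// peer verified against the channel MSP, and ignores any client-supplied role.
func ApproveClaimHardened(l *Ledger, inv Invocation, insurerMSP string) error {
	if inv.MSPID != insurerMSP {
		return fmt.Errorf("caller %q is not %s", inv.MSPID, insurerMSP)
	}
	if len(inv.Args) != 1 {
		return errors.New("expected [claimID]")
	}
	l.PutState("claim:"+inv.Args[0], []byte("APPROVED"))
	return nil
}

// ClaimStatus returns the stored status of a claim, or "" if none was written.
func ClaimStatus(l *Ledger, claimID string) string { return string(l.GetState("claim:" + claimID)) }

func main() {
	// Constructed demo data; no real users or claims.
	vuln := NewLedger()
	RegisterUserVulnerable(vuln, "carol", "bike123")
	tom := Invocation{MSPID: "RepairShopMSP", Args: []string{"claim-1", "insurer"}}
	fmt.Print("vulnerable ledger dump:\n" + vuln.Dump())
	fmt.Println("tom approves by claiming 'insurer':", ApproveClaimVulnerable(vuln, tom), ClaimStatus(vuln, "claim-1"))

	hard := NewLedger()
	RegisterUserHardened(hard, Invocation{MSPID: "CustomerMSP"}, "carol")
	fmt.Print("hardened ledger dump:\n" + hard.Dump())
	fmt.Println("tom approves:", ApproveClaimHardened(hard, Invocation{MSPID: "RepairShopMSP", Args: []string{"claim-1"}}, "InsurerMSP"))
}
```

The point of the hardened pair is that neither fix lives in the portal: the ledger is shared with every organisation on the channel, so a secret written to world state is disclosed the moment any participant runs a range query, and any authorization the chaincode does not enforce itself can be bypassed by calling the chaincode directly with a client such as Tineola.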
During our talk we emphasized the importance of having secure examples in platform documentation. Examples are important because everyone uses them as learning material. They form the building blocks of technical knowledge. Insecure examples lead to vulnerabilities and technical debt down the road. Having secure blueprints, configuration, coding guidelines, and documentation is a must for every platform and doubly for new technologies like enterprise blockchains.
During our research we noticed several anti-patterns. We think they are useful to defenders. Smart contracts are mission-critical programs, and as my co-author Stark Riedesel has said, developers must adopt software security practices when developing blockchain applications. Here are some of the anti-patterns we demoed at DEF CON:
Parsia Hakimian is a senior security consultant in Synopsys Software Integrity Group. Over the past few years, he has tested enterprise blockchains, online multiplayer games, stock exchange platforms, mobile device management suites, and IoT devices. Two continents ago, he was a C developer, university instructor, and single-player game cheater. Parsia is currently learning blockchain security, promoting Golang in the security community, and practicing in-memory fuzzing.