Blockchain adaptation has reached a fever pitch, andthe community is late to the game of securing these platforms against attack. With the open source community enamored with the success of Ethereum, the enterprise community has been quietly building the next generation of distributed trustless applications on permissioned blockchain technologies. As of early 2018, an estimated half of these blockchain projects relied on the Hyperledger Fabric platform.
In this talk we will discuss tools and techniques attackers can use to target Fabric. To this end we are demoing and releasing a new attack suite, Tineola, capable of performing network reconnaissance of a Hyperledger deployment, adding evil network peers to this deployment, using existing trusted peers for lateral network movement with reverse shells, and fuzzing application code deployed on Fabric.
As George Orwell said: "Who controls the past controls the future. Who controls the present controls the past." This talk will demonstrate how a sufficiently armed red team can modify the blockchain past to control our digital future.
Speakers:
- Stark Riedesel, Synopsys, Senior Consultant
- Parsia Hakimian, Synopsys, Senior Consultant
Stark Riedesel
Stark Riedesel is a senior consultant at Synopsys with six years of security industry experience. He has filled a variety of roles, including penetration tester, researcher, lecturer, and security architect. Stark’s active areas of research are public and private blockchain platforms, NoSQL-based exploitation techniques, and container orchestration. Outside work,Stark speaks and hosts CTF events at the Dallas, Texas, OWASP chapter and local universities.
Parsia Hakimian
Parsia Hakimian is a senior consultant at Synopsys with seven years of security industry experience. He has worked on enterprise blockchains, online multiplayer games, stock exchange platforms, mobile device management suites, and IoT devices. On a different continent, he was a C developer, university instructor, and single-player game cheater. Parsia is currently evangelizing Golang to the security community and practicing in-memory fuzzing.
Detailed Presentation:
Comments