Vulnerability research | Fuzzing | Reversing | WebAssembly | Ethereum
2020/03/03 @ EthCC 2020
In this talk, I briefly introduce WebAssembly concepts , Ewasm specificity and opcodes/instructions. Secondly, I show how to create Ewasm smart contract and expose different techniques/tools to perform WebAssembly module closed-source analysis. Finally, we go through some basic examples to apply reversing (reverse engineering) on those Ewasm contracts and understand the logic inside.
2019/10/22 @ Hack.lu 2019
In this workshop, I will first introduce WebAssembly concepts and why it’s consider as a “game changer for the web”. Secondly, I will expose how to analyze a WebAssembly module using different techniques (static & dynamic) as well as some open-source tools that make you the life easier (Octopus, Wasabi, …). Finally, we will hands-on with simple examples/crackmes and finally go throws the analysis of cryptominers.
The following point will be discussed in this workshop.
link / slides / repository
2019/07/16 @ webassembly-security.com
Is WebAssembly already used in the wild?
The answer is of course YES and some WebAssembly modules are potentially running right now in your browser if you are using Google web services. Recently, Google was using WebAssembly for the beta version of Google Earth but also in production for services like Google Keep.
2019/06/17 @ FIRST conference 2019
More than one year after the “official” release, it’s heavily used in the wild to perform Cryptojacking (illegitimate in-browser mining) using online services, like Coinhive, that provides simple Javascript API and uses WebAssembly module to make mining even more efficient and profitable than using pure JavaScript.
First, I will introduce WebAssembly concepts and how it is currently used. Secondly, I will analyze some Cryptominer module using static and dynamic analysis (reversing, decompilation, DBI, …) applied on WebAssembly. Finally, I will expose some techniques to detect and mitigate them.
2019/05/21 @ Northsec 2019
In this workshop, I will first introduce WebAssembly concepts and why it’s consider as a “game changer for the web”. Secondly, I will expose different techniques (Static/Dynamic analysis) and tools (Octopus, Wasabi, …) to perform a WebAssembly module analysis. Finally, we will hands-on with basic examples (crackmes) and go throws some real-life cryptominer and web-browsers plugins using WebAssembly module.
Along the talk, I will only used open source tools.
link / slides (not yet) / repository
2019/02/18 @ EthCC 2019
At Devcon4, Vitalik annonced that WebAssembly (wasm) will be part of Ethereum 2.0 (Serenity). It’s already possible to compile smart contracts to wasm modules and run them in the Kovan network.
Using WebAssembly smart contract doesn’t mean using secure smart contract.
In this talk, I will explain what’s inside a WebAssembly module and illustrate how to analyze wasm Ethereum smart contracts to find vulnerabilities and unoptimization.
2019/02/18 @ QuoScient Medium
In part two of our mini-series (see part #1) describing how cybercrime actors are using the Ethereum blockchain for fraudulent means, we analyze a clipboard hijacker malware targeting Bitcoin and Ethereum users. This malware, renamed ClipboardWalletHijacker by Qihoo360 Security Center, was first discovered in June 2018, after having infected 300 thousand computers within a week.
2018/11/08 @ BlackAlps 2018
Ethereum is the reference of smart contract platform due to the possibility to create decentralized applications (Dapps) by writing smart contracts. The Solidity source code of those smart contracts are not always available and can contains flaws (reentrancy, integer overflow/underflow, bad randomness, backdoor, ….). Some smart contract handle thousand of ETH and can’t be modified once pushed into the blockchain. More than 90% of them doesn’t provide the associated Solidity source code and that’s also why be able to reverse and analyze Ethereum smart contract (only with the EVM bytecode) make even more sense.
This workshop is intended to bring attendees the basic skills (theoretical and practical) to analyze Ethereum smart contracts. After the workshop, they will be able to reverse, debug and find basic vulnerabilities into real-life smart contracts without having the Solidity source code.
The following points will be covered in the workshop:
2018/11/01 @ Devcon iv.
Reverse engineering is a common technique used by security researcher to understand and analyze the behavior of closed-source binaries.
If you apply this to Ethereum smart contract (and more specifically on the EVM bytecode), thats allow you to analyze and verify the result of your Solidity source code compilation.
From a developer point of view, it can save you a lot of time and money if you succeed to detect flaws and missing bytecode optimization.
Also, providing the Solidity source code it’s not mandatory during the smart contract creation, that’s why being able to directly reverse the EVM bytecode make even more sense if you want to understand the behavior of external smart contracts.
2018/10/18 @ hack.lu 2018
This workshop is intended to bring attendees the basic skills (theoretical and practical) to analyze Ethereum smart contracts. After the workshop, they will be able to reverse, debug and find basic vulnerabilities into real-life smart contracts without having the Solidity source code.
The following points will be covered in the workshop: