Vulnerability research | Fuzzing | Reversing | WebAssembly | Ethereum
2020/02/18 @ wasmer medium
In the last months I’ve been working developing fuzzing targets to find bugs and create patches for the Wasmer WebAssembly runtime.
In this post we will learn what is fuzzing, why it is important for WebAssembly runtimes and what kind of bugs fuzzing helped to detect.
2019/07/16 @ webassembly-security.com
Is WebAssembly already used in the wild?
The answer is of course YES and some WebAssembly modules are potentially running right now in your browser if you are using Google web services. Recently, Google was using WebAssembly for the beta version of Google Earth but also in production for services like Google Keep.
2019/05/21 @ Northsec 2019
In this workshop, I will first introduce WebAssembly concepts and why it’s consider as a “game changer for the web”. Secondly, I will expose different techniques (Static/Dynamic analysis) and tools (Octopus, Wasabi, …) to perform a WebAssembly module analysis. Finally, we will hands-on with basic examples (crackmes) and go throws some real-life cryptominer and web-browsers plugins using WebAssembly module.
Along the talk, I will only used open source tools.
link / slides (not yet) / repository
2019/01/21 @ Geneva Annual Blockchain Congress 2019
Ethereum is one of the top5 cryptocurrency on the market cap and the major public smart contract platform. This position is due partially to the possibility to create decentralized applications (Dapps) by writing smart contracts. The Solidity source code can contains flaws (reentrancy, integer overflow/underflow, bad randomness, backdoor, …) and it’s important to keep security in mind when developing smart contracts.
After this workshop delivered by Quoscient, attendees will be able to create simple Ethereum smart contract, upload and interact with them on the blockchain.
We will also discuss about major security flaws/vulnerabilities that have occurred on the Ethereum main-net and how to prevent them from a developer point of view.
The following points will be covered in the workshop:
slides
2018/11/08 @ BlackAlps 2018
Ethereum is the reference of smart contract platform due to the possibility to create decentralized applications (Dapps) by writing smart contracts. The Solidity source code of those smart contracts are not always available and can contains flaws (reentrancy, integer overflow/underflow, bad randomness, backdoor, ….). Some smart contract handle thousand of ETH and can’t be modified once pushed into the blockchain. More than 90% of them doesn’t provide the associated Solidity source code and that’s also why be able to reverse and analyze Ethereum smart contract (only with the EVM bytecode) make even more sense.
This workshop is intended to bring attendees the basic skills (theoretical and practical) to analyze Ethereum smart contracts. After the workshop, they will be able to reverse, debug and find basic vulnerabilities into real-life smart contracts without having the Solidity source code.
The following points will be covered in the workshop:
2018/11/01 @ Devcon iv.
Reverse engineering is a common technique used by security researcher to understand and analyze the behavior of closed-source binaries.
If you apply this to Ethereum smart contract (and more specifically on the EVM bytecode), thats allow you to analyze and verify the result of your Solidity source code compilation.
From a developer point of view, it can save you a lot of time and money if you succeed to detect flaws and missing bytecode optimization.
Also, providing the Solidity source code it’s not mandatory during the smart contract creation, that’s why being able to directly reverse the EVM bytecode make even more sense if you want to understand the behavior of external smart contracts.
2018/09/15 @ ToorCon XX – 2018
WebAssembly (WASM) is a new binary format currently developed and supported by all major browsers including Firefox, Chrome, WebKit /Safari and Microsoft Edge through the W3C. This new format have been designed to be “Efficient and fast“, “Debuggable“ and “Safe” that why it is often called as the “game changer for the web“. More than one year after the “official” release, it is not only used “for the web” by web browsers but also in some (huge) other projects like Blockchain Smart Contract platforms (EOS and Ethereum).
I will first introduce WebAssembly concepts and who currently used it in the wild. Secondly, I will show different WebAssembly VM available and explain the security measures implemented into it. Finally, I will show you, throw real life WASM modules, how to do static analysis, using techniques such as reversing, control flow and calls flow analysis, to understand deeper its behaviors. Along the talk, I will used multiple open source tools but mainly the one that I have developed and that is already available on Github (Octopus).