Lessons From Two Years of Crypto Audits

Presented at Black Hat USA 2019, Aug. 7, 2019, 2:40 p.m. (50 minutes).

Over the last two years, we've completed many successful crypto audits. These audits consisted of mostly paid engagements but also unsolicited ones, as well with a mixture of blockchain projects as well as good old cryptography. We've worked for major blockchain organizations and have seen the most complex crypto protocols ever deployed at scale, which is really exciting but at the same time terrifying—what if there's a critical bug that could compromise the entire network? What if we as security auditors miss something? Questions like these loom over anyone performing an audit. There is no shortage of places things can go wrong, bugs in source code, protocol defects, incorrect implementations, and the list goes on.

In this talk we'll first describe some of the most interesting security issues we've found (at least the ones we're authorized to talk about), then we'll focus on the risks associated with one of the most popular memory-safe languages, namely Rust. We'll describe a list of sanity checks and security best practices that we use internally when auditing Rust code, along with examples from real Rust audits. Finally, we'll draw some lessons from our experience, providing advice to fellow security auditors and developers, to get the most out of a security audit.


Presenters:

  • Jean-Philippe Aumasson -  , Kudelski Security
    Jean-Philippe (JP) Aumasson is a world-renowned expert in cryptography, VP Technology at Kudelski Security, co-founder of Teserakt, and head of security of Taurus Group. JP holds a PhD from EPFL (2009) and has worked for 8 years in applied cryptography, security architecture, and cybersecurity within the Kudelski Group. JP wrote the acclaimed books Serious Cryptography (No Starch Press, 2017) and has designed widely used algorithms such as BLAKE2 and SipHash. He has performed numerous security assessments for leading blockchain and cryptocurrency organizations. He has spoken at conferences such Black Hat, DEFCON, RSAC, CCC, and Infiltrate, about applied cryptography, quantum computing, and platform security.

Links:

Similar Presentations: