Tineola: Taking a Bite Out of Enterprise Blockchain

Presented at DEF CON 26 (2018), Aug. 11, 2018, noon (45 minutes)

Blockchain adaptation has reached a fever pitch, andthe community is late to the game of securing these platforms against attack. With the open source community enamored with the success of Ethereum, the enterprise community has been quietly building the next generation of distributed trustless applications on permissioned blockchain technologies. As of early 2018, an estimated half of these blockchain projects relied on the Hyperledger Fabric platform. In this talk we will discuss tools and techniques attackers can use to target Fabric. To this end we are demoing and releasing a new attack suite, Tineola, capable of performing network reconnaissance of a Hyperledger deployment, adding evil network peers to this deployment, using existing trusted peers for lateral network movement with reverse shells, and fuzzing application code deployed on Fabric. As George Orwell said: "Who controls the past controls the future. Who controls the present controls the past." This talk will demonstrate how a sufficiently armed red team can modify the blockchain past to control our digital future.

Presenters:

• Parsia Hakimian - Synopsys, Senior Consultant
  Parsia Hakimian is a senior consultant at Synopsys with seven years of security industry experience. He has worked on enterprise blockchains, online multiplayer games, stock exchange platforms, mobile device management suites, and IoT devices. On a different continent, he was a C developer, university instructor, and single-player game cheater. Parsia is currently evangelizing Golang to the security community and practicing in-memory fuzzing.
• Stark Riedesel - Synopsys, Senior Consultant
  Stark Riedesel is a senior consultant at Synopsys with six years of security industry experience. He has filled a variety of roles, including penetration tester, researcher, lecturer, and security architect. Stark's active areas of research are public and private blockchain platforms, NoSQL-based exploitation techniques, and container orchestration. Outside work,Stark speaks and hosts CTF events at the Dallas, Texas, OWASP chapter and local universities.

Links:

• https://defcon.org/html/defcon-26/dc-26-speakers.html#Riedesel
• https://infocon.org/cons/DEF CON/DEF CON 26/DEF CON 26 video and slides/DEF CON 26 - Riedesel and Hakimian - Tineola Taking a Bite Out of Enterprise Blockchain.mp4
• https://infocon.org/cons/DEF CON/DEF CON 26/DEF CON 26 video and slides/DEF CON 26 - Riedesel and Hakimian - Tineola Taking a Bite Out of Enterprise Blockchain.srt (subtitles)
• https://www.youtube.com/watch?v=xKYIde5jh_8

Similar Presentations:

• Black Hat Asia 2015 / Decentralized Malware on the Blockchain
• Black Hat USA 2021 / How I Used a JSON Deserialization 0day to Steal Your Money on the Blockchain
• DEF CON 30 (2022) / FROM ZERO TO HERO IN A BLOCKCHAIN SECURITY Workshop