Solana JIT: Lessons from fuzzing a smart-contract compiler

Presented at DEF CON 30 (2022), Aug. 14, 2022, 2 p.m. (45 minutes)

Solana is a blockchain with a $37 billion dollar market cap with the security of that chain relying on the security of the smart contracts on the chain - and we found very little research on the actual execution environment of those contracts. In contrast to Ethereum, where contracts are mostly written in Solidity and then compiled to the Ethereum Virtual Machine, Solana uses a different approach: Solana contracts can be written in C, Rust, and C++, and are compiled to eBPF. Underneath the hood, Solana uses rBPF: A Rust BPF implementation with a just-in-time compiler. Given the security history of eBPF in the Linux kernel, and the lack of previous public, low-level Solana research, we decided to dig deeper: We built Solana reverse-engineering tooling and fuzzing harnesses as we slowly dug our way into the JIT - eventually discovering multiple out-of-bounds vulnerabilities.

Presenters:

• Thomas Roth / stacksmashing   as Thomas Roth
  Thomas Roth is a security researcher from Germany. In the past he has published research on topics like TrustZone, fault injection, payment terminals, cryptocurrency-wallets and embedded security.

Links:

• https://forum.defcon.org/node/242283
• https://infocon.org/cons/DEF CON/DEF CON 30/DEF CON 30 video and slides/DEF CON 30 - Thomas Roth - Solana JIT - Lessons from fuzzing a smart-contract compiler.mp4
• https://infocon.org/cons/DEF CON/DEF CON 30/DEF CON 30 video and slides/DEF CON 30 - Thomas Roth - Solana JIT - Lessons from fuzzing a smart-contract compiler.srt (subtitles)
• https://www.youtube.com/watch?v=8E7XOHQiRPE

Similar Presentations:

• NolaCon 2018 / Hacking Smart Contracts--A Methodology
• Hackfest 2017 / Hacking Smart Contracts
• DEF CON 25 (2017) / Hacking Smart Contracts