The Hacker Mind Podcast: Fuzzing Crypto
For some people, crypto means cryptography. For others, it means cryptocurrency. Fortunately, in this episode, we’re discussing vulnerabilities in both.
Guido Vranken returns to The Hacker Mind to discuss his CryptoFuzz tool on GitHub, as well as his experience fuzzing and finding vulnerabilities in cryptographic libraries and also within cryptocurrencies such as Ethereum.
Cryptocurrency is a digital currency designed to work as a medium of monetary exchange through transactions on a computer network and is not reliant on any central authority, such as a government or bank, to uphold or maintain it. That means it falls to you to protect your cryptocurrency. And that sometimes means you keep it a wallet-- either a digital one or a hardware one. So what if you accidentally forget the password?
This really happened to Dan Reich and a friend. Back in 2018, they bought $50,000 in cryptocurrency and then locked it safely within their Trezor One wallet. That’s what you do, you put cryptocurrency in either a digital or a hardware wallet, the latter of which is basically a dongle. When they first bought the currency and put it into the wallet, it was at a low value but years later it’s value was somewhere over $2 million dollars. So Reich decided he wanted to cash out, but his friend had lost the paper where he’d written the PIN and couldn’t remember the digits.
We’ve all been there-- locked out of some account because we can’t remember the clever password we used. Well, they tried guessing what they thought was a four-digit PIN. It was actually five digits, so right there they were wrong. And after each failed attempt, the wallet doubled the wait time before they could guess again. But here’s the thing, after 16 guesses the data on the wallet would automatically erase. You know, a safety feature. So when they reached about a dozen tries, they stopped, afraid to go further.
I suppose this is like when years ago one would get a paper stock certificate stating the number of shares owned -- and if you misplaced or lost that paper certificate, you might be out say $2 million dollars. Yeah, like that. Fortunately, this is digital hardware device--the password is on a chip somewhere -- so Dan and his friend turned to a world-renowned embedded security expert, Joe Grand, who looked at the Trezor wallet. Using his amazing hacking skills and unique tools he’d built over the years, Joe was able to extract the password from the chip, and Dan was able to retrieve his cryptocurrency.
All of which speaks to the power of hacking. And in a moment I’ll introduce you to someone who hacks both the cryptographic libraries that are so important to cryptocurrencies but also the software the runs on top of these.
Welcome to The Hacker Mind, an original podcast from ForAllSecure. It's about challenging our expectations about the people who hack for a living. I'm Robert Vamosi and in this episode, I'm not going to be advising you about strategies for investing in cryptocurrency, or whether cryptocurrencies are even good. Or just a Ponzi Scheme. Nor am I going to wade into the debate about the ecological consequences of mining cryptocurrencies. Rather, in this episode I’m sticking to good old vulnerability research. They say the devil is in the details and with cryptocurrency that often means the cryptographic library isn’t implemented right, or sometimes maybe the software on top of it is just full of bugs. In a moment we’ll meet someone who is actively researching those flaws.
Vamosi: For this episode I also want to weigh in on a very controversial topic within infosec today. I’m talking about the correct use of the word crypto. Crypto is derived from the original Greek word kryptos, which simply means hidden. Now, if you’ve been around infosec for any length of time, you are probably thinking about Diffie-Hellman, RSA, Elliptical Curve, even SHA. And you’re right. Cryptography has long been shortened to crypto. But if you’re new to infosec, then you ‘re probably seeing the word crypto and you’re saying “cool, this is an episode about cryptocurrencies.” And you’d also be right. Crypto has taken on a new meaning in the mainstream as a shortened form of cryptocurrencies. And yes, it is easier to say Crypto than repeat cryptocurrency twenty times. Trust me, I know. There’s even a cryptocurrency company with that shorter name as well. for the sake of this podcast, I’m going to be clear about which we’re referring to. I say that because my guest, well, he’s one of the few people in the world who knows how to fuzz test both cryptographic libraries and cryptocurrencies. He even built his own CryptoFuzz project on gitHub.
Vranken: My name is Guido Vranken, and I work for various companies as a consultant, mostly employing fuzzing to find some security vulnerabilities. And while that's basically what I do on a day to day basis
Vamosi: You might recall the name. Guido was my guest on Episode 11, when we talked the vulnerabilities he found by fuzzing the OpenWRT protocol. And that time, more than a year ago, he told me he had been fuzz testing cryptographic libraries and was starting to look at cryptocurrency. Given the attention to cryptocurrencies in the mainstream now, It seemed like a good time to follow up with him. So, to get started, let’s define cryptocurrency. What does it mean
Vranken: Cryptocurrencies are software which allows people to transact money without a centralized source. So usually when you have when you transact money, you have banks. And things like PayPal and other companies but protected currencies, it's entirely peer to peer that there is no central point which dictates which transactions are allowed and which not. So that's basically the special thing about cryptocurrencies is that they are completely independent of any central source.
Vamosi: So cryptocurrencies are peer-to-peer currencies whose value rises and falls with demand. For instance, if you have too many virtual coins, the value drops, but if you have a scarcity, the value rises because it’s unable to meet the demand. So how do you make these virtual coins?
Vranken: Well, mining means cracking a puzzle, which has a certain amount of time and that takes like 10 seconds or something. You crack a hash and it has to have a certain amount of zeros and once that's done, you will have mined a Bitcoin or Ethereum or something like that. So it takes a lot of computing power to do this. And that's also what makes it lucrative. So there are companies which only mine cryptocurrencies and they make money by this. So, once your mine accepts the currency, the currency goes to you, and then you you're you have made money by that. So this is also a security mechanism of the network which supersets the essentially the safety of the network essentials.
Vamosi: So the different currencies -- Bitcoin, Ethereum -- are different softwares built on top of a concept known as a blockchain. Block chain has existed long before these cryptocurrencies, and it’s actually quite secure. Everytime you complete a transaction, a message digest or hash of that action is stored on the chain. Each transaction piggybacks on the previous transaction. That means you can’t go back and change something that happened in the past. To do so would change its hash and since every new hash builds on the previous hashes, that would break the blockchain. Get it? So the idea here is that every transaction is immutable -- unchangeable. And when you are talking about money, that’s a good thing, right?
Vranken: Well, the blockchain aspect makes everything immutable. So if you have like one transaction, and then you have a second then the second transaction is stored in such a way that essentially includes the first transaction in the block. So there you will essentially have a number of blocks and each block contains a hash, which is based on the previous block. So that makes it impossible to essentially change some transaction that happened two years ago because otherwise the whole block chain would be incorrect.
Vamosi: Blockchains are immutable, in that the transactions are transparent to everyone. There are still ways to hide a transaction. That’s where you’d want a tumbler. What’s that? Technically it’s known as cryptocurrency mixing. A tumbler gathers a number of funds, lumps them together and then distributes them back out again at random times, so it is very difficult to trace exact coins. It takes say $100 of bitcoin and mixes it with others, so that you still have $100 at the end, but now your $100 contains records of all these other $100 transactions. Since the blockchain is immutable, what you’re doing is obfuscating the specific transaction in question by creating even more, random transactions.
In the real world this would be similar to money laundering. Which is perhaps why in cryptocurrency we call this tumbling, or blending. The point is, after doing this the cryptocurrency can’t be directly traced back to you. Rather, it can, but it’s going to take someone a longer time to get there. This is perhaps why criminals really like using cryptocurrencies.
Okay, so a tumbler is designed to obfuscate the transactions, to hide where the money came from. There are also legitimate exchanges. Say I have Ethereum and I want to convert it to Bitcoin. Or even old school currencies.
Vranken: Yeah, I think I mean, there are exchanges like Coinbase and Kraken and some others, that also, this more complex implements. exchanges in which you can exchange for example, Bitcoin against Aetherium and a completely decentralized way. So you don't need a centralized exchange, like Coinbase.
Vamosi: What’s interesting is that there are a lot of cryptocurrencies. As much as some people talk about breaking free from the tyranny of dollars, renimbi, and rubles, we have just as many if not more cryptocurrencies. And some of these are just variations of others. So maybe you’re familiar with Bitcoin or Ethereum. But then there's a bunch of others. And it sounds like they're kind of derivative of each other’s software.
Vranken: Yes, some of them are tagged as evidence of Bitcoin databases, basically clones, but also, audits implement an entirely new system. For example, Ethereum, from the ground up, has its own logic and its own concepts. It also uses the basic concepts like peer-to-peer money and smart contracts, but it implements in an entirely different space. So some of the coins are derivatives and some are almost all from scratch.
Vamosi: I mentioned that Guido started fuzzing cryptography, which is the art of encryption, and it is a well established science. It’s the study of secure communications techniques that allow only the sender and intended recipient of a message to view its contents. And one thing that always amazes me about cryptography is that you can publicly share the algorithm for any encryption schema. It’s not a secret. In fact, is it best practice to do so? Why? That’s so others can look at it and find any faults. That’s also why you occasionally hear about depricated encryption schemes. Remember WEP? Remember DES? Yeah, someone either defeated these or came close, so their use was deprecated by the United States NSA and others. Usually the fiz was to increase the key length. So these algorithms and encryption schemas continually develop, and continually grow more complex. And the problems now aren’t necessarily with the algorithm themselves-- they’re fairly robust -- but in the implementation of these complex algorithms. And that’s why Guido started fuzzing cryptographic libraries, to see if he could find any faults. And he could
Vranken: While it basically just started as a Sunday afternoon project, I thought it would be fun to fuzz cryptographic libraries, but I kept building on it and I kept finding more bugs I find several hundreds of books by now and basically people started paying me for highlighting for extending it so that that's basically our dance. I didn't really have any plans to monetize it, but it just happened. And I keep adding code to cut too fast to find more bugs and that's basically what I wanted to keep doing.
Vamosi: So Guido built something he called Cryptofuzz. We have this concept of fuzz testing, which is to input invalid statements and then monitor the result. Wherever there’s a crash, there’s a vulnerability. Early fuzzers were random which meant they are considered kind of dumb because all they did was throw garbage at a target. Then came guided fuzzers which are considered smart because they monitor the results and then iterate variations of input based on previous good examples. What was different about creating crypto fuzz? How does it compare or is it different?
Vranken: Well, it's actually what is called a differential fossa. So it basically takes two or more cryptographic libraries. For example, openSSL and it is boringSSL by Google and then it has the same operation and both of these libraries at the same time, sequentially and then compares if the if the results are the same. And if you're not, then it makes sense that one of them has a bug. So if you have a hash function that's implemented in open SSL, and the same hash function is implemented in boring as hell, then the hash function in boards and I checked the result, if the result doesn't match, then one of them must be home. So the one nice thing about cryptography is that it's very, very strictly delineated. It very neatly describes how a certain catalog cryptographic primitives will behave. So it just makes it very, very, very nice for differential fuzzing. Because I can just come up with operations and some libraries and then compare the results.
Vamosi: So other than CryptoFuzz is there any other fuzzer that works with cryptographic libraries?
Vranken: Um, I don't, I don't think so. To be honest, there are fairly and fairly extensive fuzzing projects but I think nothing specifically geared towards fuzzing cryptography, right.
Vamosi: Given the uniqueness of his talent, Guido got asked to look at the security of a cryptographic library for a cryptocurrency.
Vranken: Yeah, so a few years ago, I didn't really know anything about cryptocurrencies, I think that was 2017. And I was contacted by someone from Ethereum. And they asked if I wanted to do some fun for them and basically at that point, I started feeling about cryptocurrencies, and kind of went from there. So but before I'm not an early adopter of anything, it's not like I've had Bitcoin since 2008 or something. It's basically 2017. And that's also when cryptocurrency started to take off, becoming quite mainstream and popular and stuff, very large market gaps, and basically been in that space since then. But I don't exclusively focus on cryptocurrencies also focus on things like openers and stuff, which are not related to cryptocurrencies, but it just happens that there's a lot of demand from the kept cryptocurrency space to audit these cryptographic implementations and related software. So that's basically what why I keep keep working in that space.
Vamosi: So when he’s looking at a cryptocurrency, does Guido use CryptoFuzz, then, exclusively for his cryptocurrency research?
Vranken: Kind of depends on what I'm, what I want, and which component I want to find bugs for. If it's like the web assembly engine and I have to find a force for that, if it's cryptography that I used to have to force but already existed before I started using cryptocurrency, so it kind of depends on which component I'm auditing.
Vamosi: So, given this background, one of the areas of vulnerabilities that Guido has researched with his tools is the cryptographic part of it. This is where Cryptofuzz makes the most sense. Cryptocurrencies are built on cryptographic libraries.
Vranken: cryptocurrencies employ a number of cryptographic primitives. One is hash functions. I'm sure some of your listeners are familiar with that.
Vamosi: A one-way hash function, also known as a message digest, is a mathematical function that takes a variable-length input string and converts it into a fixed-length binary sequence. The important point is that it is a one-way algorithm. That means it is very difficult to discover the original string from a hash alone. There are many different kinds of hash functions. What does he see most often?
Vranken: Mostly SHA256, but also other ones. When I work with cryptocurrency companies, I test these functions and check if they contain any box. So SHA256 is pretty easy to implement. So, most of the time, these don't contain any box but occasionally they do. Yeah, so like I said, the hash functions are usually fairly easy to implement. So there aren't that many bugs in that. Cryptocurrency makes heavy use of cryptography, especially elliptic curve cryptography. The elliptic curve stuff is very delicate.
Vamosi: Elliptical Curve Cryptography is public-key cryptography based on the mathematical structure of elliptic curves over finite fields. An elliptic curve is the set of points that satisfy a specific mathematical equation. If you think of an X and Y axis creating four quadrants, then the elliptical curve could be represented as a line curving through all four quadrants. A couple of interesting properties here. There is horizontal symmetry. That means any point on the curve can be reflected or mirrored over the x axis and remain the same curve. Another interesting property is that any non-vertical line will intersect the curve in at most three places.
Vranken: Elliptic curve cryptography, which is a public key cryptosystem whereby you have a public component and a private component, private component as your secret key and this costs access to all your funds. And the public component consists of public keys and signatures, which are open to anyone to see. And these electrical systems are very, very delicate, very complex, that can be small errors, which can have large consequences. And I use my software cryptofuzz , which is a fuzzer specifically for testing cryptography to test these implementations.
Vamosi: Again, encryption works by taking a message and applying some mathematical operation to it to get a random-looking number. Decryption then takes the random looking number and applies a different mathematical operation to get back to the original number.
Vranken: Elliptic curve cryptography relies on mathematics and there are a number of mathematical primitives which are implemented and if they are wrong, even slightly wrong, that can make the whole elliptical system invalid, if you will. So it's, there's a lot of moving parts, a lot of rules where you have to abide by if you are implementing something like that. So that's something that comes up often and I'm biting my nails is when I start fuzzing, a new library that I haven't tested before. It implements elliptic curve cryptography. It's almost certain that I will find something even before testing it because I'm so used to finding the elliptic curve box that I'm pretty confident that at this point, if every library hasn't at first before, then they're probably going to be bugs.
Vamosi: There’s this saying in infosec about never rolling your own encryption. That often you just don’t have enough entropy, enough randomness, so someone can come along and simply guess your keys because they’re too short, too predictable. But then there’s the implementation. When you first use cryptography, even well established cryptography, there’s a good chance that you may have done something wrong.
Vranken: And I've found a lot of bugs in the past and various cryptocurrencies like I don't know Ethereum and other ones as well, like I said, it's very delicate stuff. So it's, even for professional programmers, it's easy to get something wrong and these implementations and might software test test, and that checks after any box so and in some cases, even these implementations have Assembly optimized code, which makes it even more delicate because assembly language is very hard to get hired
Vamosi: Assembly language is any low-level programming language in which there is a very strong correspondence between the instructions in the language and the architecture's machine code instructions.
Vranken: Elliptical curve cryptography also is important to Secure Socket Layers. OpenSSL has had a number of bugs and assembly language optimizations. For example, if you have to compute the model x exponent, then open SSL implements is an assembly language and has been a number of books in this and that in turn can affect cryptography with bits, which can make us vulnerable to certain attacks.
Vamosi: You may remember Heartbleed. I covered that in Episode 10. Basically fuzzing was used to find a data leakage that was the result of a poor implementation of the Heartbeat protocol in OpenSSL. Given his work fuzzing cryptographic libraries is there anything that Guido finds more often than not in cryptocurrencies?
Vranken: Yes, one mathematical primitive is called the inverse model. It's a certain mathematical operation and this appears to be very hard to get guys and like I said, sometimes there's also implemented in assembly language because things have to be as fast as possible and assembly languages sometimes a little faster than C or C++. So that's often a source of bugs.
Vamosi: If the first area for finding vulnerabilities in cryptocurrency is cryptography, then the second area where Guido finds success is in small programs known as Smart Contracts.
Vranken: Smart contracts allows any person who is participating in an athletic event to run arbitrary code on the on the blockchain, in which you can implement it or with a logic for distributing money so you can implement a smart contract which if someone sends a certain code to it, then it sends money to another person. So, especially unlike banks, which have basically simple transactions from one building to another, you can use smart contracts to implement arbitrary logic on how this money should be distributed.
Vamosi: First of all, Smart Contracts aren’t legal contracts, so you don’t need a notary or a lawyer. Rather, they are little programs that execute on top of the cryptocurrency, that execute say a desire to sell. But, since they are little programs, they can do other things as well.
Vranken: Yeah. So as my contacts I said a little about it, of any smart contracts allow arbitrary code to be hung inside the virtual machine and this subtle machine is implemented in the cryptocurrency and basically each participant in the network like constants, smart contracts, if someone pushes it onto the network, so and it's very important, of course, that this first one machine doesn't have any box, which could allow a malicious smart contract to escape the virtual machine and result in something like arbitrary code execution.
Vamosi: Cryptocurrencies use virtual machines. What’s that? A virtual machine is a software emulation of a computer system so software is used to create computer architectures and provide functionality of a physical computer. It’s not that usual. Java uses a virtual machine to run and sandbox all its applications. The cryptocurrency Ethereum, too, has its own. It’s called EVM.
Vranken: So it's very important that these virtual machines are very safe. There are a number of different virtual machines. Ethereum implemented its own virtual machine as basically a virtual CPU has an from scratch. It's called EVM. It's implemented by Ethereum but also some cryptocurrencies use WebAssembly. So, you can compile any arbitrary program into web assembly and then call it basically on the cryptocurrencies so for example, EOS and near parity and on a computer.
Vamosi: And Guido doesn’t just use his Cryptofuzz, traditional fuzz testing plays a role here too.
Vranken: They all implement web assembly and web assembly implementations are also fairly complex because they have to run arbitrary code. Sometimes they use optimizations like just in time compilation, and all this stuff makes it very susceptible to box so that does a nice thing to be fuzzing. Oftentimes, you will also also find bugs in this purpose WebAssembly implementation because it's just very complex and very hard to get hired. And one other thing, Solana uses the Berkeley packet filter. There's also a type of programming concept which they are using, so those are three three types of four machines which are used and cryptocurrencies and almighty even more so. And so like I said, if you can have escaped the virtual machine, and from arbitrary code on the user's computer, that would be disastrous, because that's somebody who wants remote code execution. So the first machine has to be very safe. But also things like denial of service attacks. If you can hold a smart contract and then make the whole network hang or cash that, that's also disastrous because you can take the entire network down with something like that. So those are all types of weaknesses that can exist in smart contracts. And the virtual machine in which they run.
Vamosi: So far, to find vulnerabilities in cryptocurrencies, so far we’ve talked about cryptography, and smart contracts. A third area where Guido and others find vulnerabilities are in the network. Remember, cryptocurrencies are based on blockchains that are recording everything. That block chain is distributed, so everyone has a copy of it so you can’t go back and change it, because it’s baked into the block chain and there’s a consensus on what that block chain contains. Then again, there are ways that can be subverted.
Vranken: So there is no not a central server and it keeps the currency. All the participants talk to each other are called nodes. The nodes use the internet to talk to each other and they, therefore, are suspect susceptible to processing unprocessed data. From other nodes. And if the cryptocurrency contains a bug, then this could catch the node so that's also an important aspect that us cryptocurrencies have to do entirely right otherwise, the whole vulnerability space could cast a network.
Vamosi: Perhaps we should get a better understanding of what we mean when we say network.
Vranken: Yeah. So that's basically the same as the cycle of software. Which uses the network like if you have like a video game or something and you're playing with your friends and you could send malicious packets to your friends and caches computers about that that would be a vulnerability. The same is true for cryptocurrencies: the network component has to be very safe. Usually, a certain amount of certain type of information is transacted and transferred between all these nodes. And the passing of this information has to be flawless. It cannot be sold in caches or hangs of excessive memory usage of stuff like that, because if you could do that, then you can cache the whole network. We're basically sounding displeasure spec packets to all the participants on the network. So that's something that's if there's a bug in the network component, that's critical as well.
Vamosi: Remember the value of cryptocurrencies, like the stock market, fluctuate. So if you’re network goes down, and the value does something and you miss out, we could be talking about a lot of money being lost. That’s pretty significant compared with your video game going down.
Vranken: And one interesting thing to note is that unlike a lot of software, for example, video games or web servers, if you can make the program crash that's at most inconvenient, but it's not going to result in a compromise. For example, if you are running a video game, and I can crash your video game, then you can just restart. That’s inconvenient but it's not that I could have compromised your computer.
Vamosi: Right, so this speaks to the distributed nature of cryptocurrency, in that there isn’t one central bank, but copies of every translation encoded in each blockchain, copies of each blockchain distributed through the peer-to-peer network.
Vranken: But in the case of cryptocurrencies, if you can cancel network, then that could result in a lot of money being lost, because you can essentially take over the network.
Vamosi: So here’s where it gets interesting. What if you not only take down the network, but you also take over the network? Or at least a majority of the nodes on that network?
Vranken: There’s this concept in cryptocurrencies called the 51% attack, which means if you have more than 50% control of the network, then you can rewrite transactions. And you can essentially make money off that because you can undo certain transactions and or do them again. And that's an important aspect of denial of service bugs in crypto currencies that you can essentially take down a network or significant portions of it, and then assume control of the network.
Vamosi: So that got me wondering, given the 51% rules, is it better than to go with a bigger coin like Etherium than some of the smaller ones?
Vranken: Well, I don't know because I think the people who are participants in the network, they might be groups of people altogether. So I don't again, don't think it's necessarily make sense to use use a larger coin but it is true that the more participants in the network, the better the security so, yeah, but on the other hand, if you ever ever coin doesn't have many participants, then that's also an incentive to mined coins from the network. Because an Ethereum already has many miners and smaller coins, not that much. So it's also an incentive to participate in smaller coins.
Vamosi: So I know I don't want to get into the details of some of the vulnerabilities that have been exploited already. I know some of these coins have lost value for various reasons, and it's probably the easiest answer to say that their key was stolen and it was simple as that.
Vranken: Yeah, usually it doesn't the case that the key is stolen, but like I said, Is this more complex, implement arbitrary logic and sometimes it can be very complex whatever you're doing, and like I said, the distribute the money distribute money based on the arbitrary logic, and if you see for the money, and if there is a logic flaw and the complex then that can lead to sending money to the wrong person. So that's basically how these things are done. These are smart contracts, but contract bugs and usually, they're all open source. You can look at them and if you're experienced enough in cleaning the stuff then you can sometimes find bugs and that's also what the 70s These people do steal millions of dollars. Sometimes they lead to smart contracts, they find the block and if they find one, they can find a way to make the complex send money to them instead of whatever they're supposed to do.
Vamosi: After I recorded this interview with Guido, he reported on Twitter how he’d accidentally found a math vulnerability in Etherium. It isn’t likely to be exploited, he said, but it does once again point to the complicated nature of cryptography.
And in early January 2022, a company Crypto.com reported that it was missing $14 million dollars. Missing. At this time there’s no reason to suspect that someone necessarily stole the coins, though that is a possibility. Result of this and other news is that the collective belief in cryptocurrencies in general has been shattered and the value fell as various people cashed their holdings. I say that because as I produce this episode, the value of all the various cryptocurrencies have fallen. The market has lost over $1trillion dollars in the first month of 2022, for example. Why? Remember I said it is a supply and demand issue and that also relies upon one’s belief.
Which is why we need more research on cryptocurrencies. Fortunately, I have you covered. I do have a second guest coming up in the next episode to also talk about hacking cryptocurrencies. Not with fuzz testing but with more traditional static analysis testing. So, of this as a two part discussion of cryptography, with this episode, Episode 39 building the foundations and Episode 40 then expanding on the types of hacks possible. That’s coming in two weeks. I hope to see you then.
Let's keep this conversation going. DM me at Robert Vamosi on Twitter, or join me on subreddit or Discord. You can find the deets at thehackermind.com
The Hacker Mind is brought to you every two weeks commercial free from ForAllSecure.
For The Hacker Mine, I remain, the OG block chain, Robert Vamosi.