Thomas Roth - Solana JIT: Lessons from fuzzing a smart-contract compiler
    Thomas Roth, Hacker, He/Him

    Presentation Title: Solana JIT: Lessons from fuzzing a smart-contract compiler
    Length of presentation: 45 minutes
    Tool

    Solana is a blockchain with a $37 billion market cap, with the security of that chain relying on the security of the smart contracts on the chain - and we found very little research on the actual execution environment of those contracts. In contrast to Ethereum, where contracts are mostly written in Solidity and then compiled to the Ethereum Virtual Machine, Solana uses a different approach: Solana contracts can be written in C, Rust, and C++, and are compiled to eBPF. Under the hood, Solana uses rBPF: a Rust BPF implementation with a just-in-time compiler. Given the security history of eBPF in the Linux kernel, and the lack of previous public, low-level Solana research, we decided to dig deeper: we built Solana reverse-engineering tooling and fuzzing harnesses as we slowly dug our way into the JIT - eventually discovering multiple out-of-bounds vulnerabilities.

    SPEAKER BIO(S)
    Thomas Roth is a security researcher from Germany. In the past he has published research on topics like TrustZone, fault injection, payment terminals, cryptocurrency wallets and embedded security.


    REFERENCES:
    Qmonnet's rBPF: https://github.com/qmonnet/rbpf
    eBPF-for-Ghidra (base for the Ghidra loader): https://github.com/Nalen98/eBPF-for-Ghidra
    Solana's rBPF fork: https://github.com/solana-labs/rbpf
    AFL++: https://github.com/AFLplusplus/AFLplusplus
    eBPF: https://ebpf.io/
    Last edited by number6; July 2, 2022, 01:06.
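Added illustration (not part of the talk, and not code from rBPF or AFL++): fuzzing a BPF JIT only pays off if the inputs survive the loader's static checks, because a program that is rejected up front never reaches the compiler. The block below encodes and decodes the 8-byte eBPF instruction format, generates random programs that keep the invariants a verifier enforces (trailing exit, in-range jump targets, no writes to the r10 frame pointer, well-formed two-slot lddw), and mutates immediates and offsets without breaking instruction boundaries. Those invariants are the ones I know from the kernel and rBPF verifiers, stated here as an assumption; the opcode values are the public eBPF ISA encodings. Everything else (function names, the sample programs) is constructed for this example.

```python
"""Structure-aware seed generation for fuzzing an eBPF JIT (added example)."""
import random
import struct
from dataclasses import dataclass

INSN_SIZE = 8  # every eBPF slot is 8 bytes; lddw occupies two slots

# Opcode values from the eBPF ISA (shared by the Linux kernel and rBPF).
OP_MOV64_IMM = 0xB7  # r[dst] = imm              (ALU64 | MOV | K)
OP_ADD64_REG = 0x0F  # r[dst] += r[src]          (ALU64 | ADD | X)
OP_LDDW = 0x18       # r[dst] = imm64, two slots (LD | IMM | DW)
OP_LDXDW = 0x79      # r[dst] = *(u64 *)(r[src] + off)
OP_STXDW = 0x7B      # *(u64 *)(r[dst] + off) = r[src]
OP_JA = 0x05         # pc += off + 1
OP_CALL, OP_EXIT = 0x85, 0x95
CLASS_ST, CLASS_STX, CLASS_JMP, CLASS_JMP32 = 0x02, 0x03, 0x05, 0x06
R_FP = 10            # r10 is the read-only frame pointer


@dataclass
class Insn:
    pc: int  # slot index; jump offsets are measured in slots
    opcode: int
    dst: int
    src: int
    off: int
    imm: int


def encode(opcode, dst, src, off, imm):
    """Pack one slot: opcode, src:4|dst:4, little-endian s16 off, s32 imm."""
    if not (0 <= dst < 16 and 0 <= src < 16):
        raise ValueError("register number out of range")
    return struct.pack("<BBhi", opcode, (src << 4) | dst, off, imm)


def encode_lddw(dst, imm64):
    """lddw: low 32 bits in slot one, high 32 bits in a second slot with opcode 0."""
    lo = struct.unpack("<i", struct.pack("<I", imm64 & 0xFFFFFFFF))[0]
    hi = struct.unpack("<i", struct.pack("<I", (imm64 >> 32) & 0xFFFFFFFF))[0]
    return encode(OP_LDDW, dst, 0, 0, lo) + encode(0, 0, 0, 0, hi)


def decode(program):
    """Decode a program into Insn objects, folding each lddw pair into one."""
    if not program or len(program) % INSN_SIZE:
        raise ValueError("program must be a non-empty multiple of 8 bytes")
    slots, insns, pc = len(program) // INSN_SIZE, [], 0
    while pc < slots:
        opcode, regs, off, imm = struct.unpack_from("<BBhi", program, pc * INSN_SIZE)
        dst, src = regs & 0xF, regs >> 4
        if opcode == OP_LDDW:
            if pc + 1 >= slots:
                raise ValueError(f"slot {pc}: lddw has no second slot")
            op2, _, _, hi = struct.unpack_from("<BBhi", program, (pc + 1) * INSN_SIZE)
            if op2 != 0:
                raise ValueError(f"slot {pc}: lddw second slot must have opcode 0")
            imm = (imm & 0xFFFFFFFF) | (hi << 32)  # reassemble the 64-bit immediate
            insns.append(Insn(pc, opcode, dst, src, off, imm))
            pc += 2
        else:
            insns.append(Insn(pc, opcode, dst, src, off, imm))
            pc += 1
    return insns


def check_shape(program):
    """List the structural problems a static verifier would reject on (assumed rules)."""
    try:
        insns = decode(program)
    except ValueError as e:
        return [str(e)]
    slots, problems = len(program) // INSN_SIZE, []
    if insns[-1].opcode != OP_EXIT:
        problems.append("program does not end with exit")
    for i in insns:
        cls = i.opcode & 0x07
        # Stores and jumps use dst as an address/condition operand, not a write target.
        if i.dst == R_FP and cls not in (CLASS_ST, CLASS_STX, CLASS_JMP, CLASS_JMP32):
            problems.append(f"slot {i.pc}: write to read-only r10")
        if cls in (CLASS_JMP, CLASS_JMP32) and i.opcode not in (OP_CALL, OP_EXIT):
            target = i.pc + i.off + 1
            if not 0 <= target < slots:
                problems.append(f"slot {i.pc}: jump target {target} out of range")
    return problems


def generate_seed(rng, body_len=8):
    """Build a random program that satisfies check_shape, so it reaches the JIT."""
    body = []
    for _ in range(body_len):
        dst, kind = rng.randrange(0, R_FP), rng.randrange(5)  # r0..r9 are writable
        if kind == 0:
            body.append(encode(OP_MOV64_IMM, dst, 0, 0, rng.randrange(-2**31, 2**31)))
        elif kind == 1:
            body.append(encode(OP_ADD64_REG, dst, rng.randrange(0, R_FP + 1), 0, 0))
        elif kind == 2:
            body.append(encode_lddw(dst, rng.getrandbits(64)))
        elif kind == 3:  # spill to the stack: *(r10 + off) = r[dst]
            body.append(encode(OP_STXDW, R_FP, dst, -8 * rng.randrange(1, 17), 0))
        else:            # reload from the stack
            body.append(encode(OP_LDXDW, dst, R_FP, -8 * rng.randrange(1, 17), 0))
    # One forward jump whose target is exactly the trailing exit (offset in slots).
    i = rng.randrange(len(body))
    skipped = sum(len(b) // INSN_SIZE for b in body[i:])
    body.insert(i, encode(OP_JA, 0, 0, skipped, 0))
    return b"".join(body) + encode(OP_EXIT, 0, 0, 0, 0)


def mutate(program, rng):
    """Perturb one imm or off field; opcodes and lddw pairing stay intact."""
    insn, buf = rng.choice(decode(program)), bytearray(program)
    if rng.random() < 0.5:  # only the low half of an lddw immediate lives in slot one
        val = rng.choice((0, -1, 0x7FFFFFFF, -0x80000000, rng.randrange(-2**31, 2**31)))
        struct.pack_into("<i", buf, insn.pc * INSN_SIZE + 4, val)
    else:
        val = rng.choice((0, -8, 0x7FFF, -0x8000, rng.randrange(-2**15, 2**15)))
        struct.pack_into("<h", buf, insn.pc * INSN_SIZE + 2, val)
    return bytes(buf)
```

Seeds from generate_seed() pass check_shape(), so they exercise the compiler rather than the verifier; mutate() can turn a jump offset out of range, and running check_shape() over mutants before handing them to the harness keeps the fuzzer's time on the JIT paths. The same decode() is what a Ghidra-style loader needs first: slot boundaries and lddw pairing must be right before any instruction can be disassembled.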