Thomas Roth - Solana JIT: Lessons from fuzzing a smart-contract compiler



Thomas Roth, Hacker, He/Him

Presentation Title: Solana JIT: Lessons from fuzzing a smart-contract compiler
Length of presentation: 45 minutes
Tool

Solana is a blockchain with a $37 billion dollar market cap with the security of that chain relying on the security of the smart contracts on the chain - and we found very little research on the actual execution environment of those contracts. In contrast to Ethereum, where contracts are mostly written in Solidity and then compiled to the Ethereum Virtual Machine, Solana uses a different approach: Solana contracts can be written in C, Rust, and C++, and are compiled to eBPF. Underneath the hood, Solana uses rBPF: A Rust BPF implementation with a just-in-time compiler. Given the security history of eBPF in the Linux kernel, and the lack of previous public, low-level Solana research, we decided to dig deeper: We built Solana reverse-engineering tooling and fuzzing harnesses as we slowly dug our way into the JIT - eventually discovering multiple out-of-bounds vulnerabilities.

SPEAKER BIO(S)
Thomas Roth is a security researcher from Germany. In the past he has published research on topics like TrustZone, fault injection, payment terminals, cryptocurrency-wallets and embedded security.


REFERENCES:
Qmonnet’s rBPF: https://github.com/qmonnet/rbpf
eBPF-for-Ghidra (Base for the Ghidra loader):
https://github.com/Nalen98/eBPF-for-Ghidra
Solana’s rBPF fork: https://github.com/solana-labs/rbpf
AFL++: https://github.com/AFLplusplus/AFLplusplus
eBPF: https://ebpf.io/