http://dx.doi.org/10.13089/JKIISC.2019.29.2.309

Analysis of Blockchain Software Vulnerability against OS Command Injection Attack

Kim, Byoungkuk (Korea University)
Hur, Junbeom (Korea University)
Abstract
Blockchain has been developed as a key technology for many cryptocurrency systems such as Bitcoin. These days, blockchain technology attracts many people to adopt it in various fields beyond cryptocurrency systems for information sharing and processing. However, with the development and increasing adoption of blockchain, security incidents frequently happen in blockchain systems due to their implementation flaws. In order to address this problem, in this paper we analyze the software vulnerabilities of Bitcoin and Ethereum, which are the most widely used blockchain applications in the real world. For that purpose, we conduct an in-depth analysis of their source code to detect software vulnerabilities, and examine an OS command injection attack that exploits the detected vulnerabilities.
Keywords
Blockchain; CryptoCurrency; static analysis; software vulnerability;