Blockchain Development and Security

Instructor: Wu-chang Feng and Charles Wright
Contact and discussion: office hours
Course Description

This class provides an overview of blockchain systems, how they are built, and how they can be exploited. Students will get hands-on experience working with public blockchains such as Ethereum as well as build and deploy permissioned blockchains using Hyperledger Sawtooth on Google Cloud Platform. They will then examine security vulnerabilities in blockchain systems and how they may be automatically exploited.

Schedule

Each week lists its topic, slides, assignments, and reading/listening material.

Week 1
  Topic: Course Overview; Overview and Applications; Underpinnings of blockchains; Public-key cryptography, Digital Signatures; Hash functions and properties
  Slides: 00a, 00b, 01a
  Assignments: Cheating agreement; Accounts setup
  Read/Listen: podcast; paper

Week 2
  Topic: Consensus protocols; Crash vs Byzantine fault-tolerance; Voting-based (BFT, Paxos); Lottery-based (Proof-of-work, Proof-of-stake); Blockchain Development; Bitcoin, Hyperledger overviews
  Slides: 02a
  Assignments: Paper selections; Hyperledger Sawtooth Python codelabs
  Read/Listen: Consensus article; Bitcoin overview

Week 3
  Topic: Ethereum & Smart Contracts overview (DApps); Solidity programming (language overview, basic types and constructs)
  Slides: 02b
  Assignments: Solidity Labs #1-2
  Read/Listen: Ethereum beige paper

Week 4
  Topic: Solidity programming (Web3.js, ERC20, ICOs); Ethereum tools (Metamask, EtherScan, MyCrypto, Remix)
  Slides: 02b
  Assignments: Solidity Lab #3; Solidity Lab #4

Week 5
  Topic: Blockchain security overview; DASP Top 10, SICTF intro; Secrets; D6: Bad Randomness; EVM/language issues; D3: Arithmetic issues (Types)
  Slides: 03a, 03b, 03c
  Assignments: D0_Donation; D6_Lockbox, D6_HeadsOrTails; D6_Lottery (also submit in repo as lottery); D3_SITokenSale
  Read/Listen: (Not so) smart contracts

Week 6
  Topic: D2: Access Control; D5: Denial of Service, D4: Unchecked low-level calls
  Slides: 03d, 03e
  Assignments: D2_PiggyBank, D2_SecureBank; D5_RecordLabel

Week 7
  Topic: D1: Re-entrancy, D: Centralization, 51%; Mining issues; D7: Front-running, D8: Time manipulation; Miscellaneous; D9: Off-chain attacks, D10: Unknown unknowns
  Slides: 03f, 03g, 03h, 04a
  Assignments: D1_TrustFund; D10_SlotMachine; D10_D3_RainyDayFund; Manticore/geth setup lab

Week 8
  Topic: Symbolic execution and smart contracts; Intro to symbolic execution; Manticore; Advanced topics
  Slides: 04a
  Assignments: Manticore D0_Donation lab; Manticore D2_PiggyBank lab; Manticore D6_Lockbox lab; Manticore D1_D4_TrustFund lab

Week 9
  Monday: TBD
  Wednesday: Presentations
    • Uses (Nick, Justin)
    • Hyperledger Fabric (Nathaniel, Ian)
    • Block size vs. Block time (Brian, Kallen)
    • Lightning network approaches (Matthew, Danniel S.)
    • Cosmos Internet of Blockchains (Mel, Eduardo)
  Assignments: article+rubric
  Read/Listen: Uses paper; Fabric paper; Block-size/time podcast; Lightning podcast; Cosmos paper

Week 10
  Monday: Presentations
    • Mining centralization and the 51% attack (Kelsey, Cole)
    • Reversing smart-contracts (Amanda, Bailee)
    • Fuzzing smart contracts (Tatiana, Chris)
    • Automatic smart contract exploitation (Yian/Ivan)
  Wednesday: Presentations
    • Lamport, Shostak, Pease, "The Byzantine Generals Problem". (Andre, Phuong)
    • Castro, Liskov, "Practical Byzantine Fault Tolerance", 1999. (Jeff, Daniel C.)
    • CryptoNight/CryptoNote memory-bound proof-of-work algorithm (Seth, Mike M.)
    • Zcash (Jesse, Jordan)
  Read/Listen: 51 paper; Reversing paper; Fuzzing paper; Exploitation paper; Byzantine paper; PBFT paper; CryptoNote paper; Zcash paper

Due dates
  Sun. 6/9 (11:30pm): Lab notebook due in D2L, Code in Bitbucket
  Wed. 6/12 (12:30pm-2:20pm): Final exam (open notes up to 10 pages, closed electronics)
  Fri. 6/14 (11:59pm): Final project due in Bitbucket, Screencast in MediaSpace

Course objectives

  • Examine the underpinnings of blockchain systems and their applications
  • Develop and deploy blockchain applications and smart contracts (DApps)
  • Analyze smart contracts for security vulnerabilities
  • Exploit smart contract vulnerabilities
  • Use symbolic execution to automatically reveal smart contract vulnerabilities
 

Policies

Grading
  • Attendance and participation: 10%
  • Lab notebook: 40%
  • Bitbucket code: 10%
  • Presentation: 10%
  • Final exam (covering readings and presentations): 20%
  • Final Project: 10%

Attendance and participation
To encourage collaboration and to establish a positive learning community, attendance and participation throughout the term will be graded. In addition, mutual respect, tolerance, and encouragement are expected, while comments seeking to demean, embarrass, or otherwise disrupt others' ability to learn are not. Specific examples of participation include asking questions, helping other students out, and identifying mistakes in the course content either in class or on the Slack channel.
Academic misconduct
  • Includes allowing another student to copy your work unless specifically allowed by the instructor.
  • Includes copying blocks of code from external sources without proper attribution
  • Results in a grade of 0 for the assignment or exam.
  • Results in the initiation of disciplinary action at the university level.

Assignments

Assignments and notebook
Assignments will be given covering the course material. You will perform each one while maintaining a shared lab notebook (a single Google or Office Doc) that documents your progress through the exercises. Include screenshots and ensure that they include either your OdinID or your Google Cloud Platform project identifier. You will submit your final lab notebook on D2L. The notebook will be graded based upon the following rubric:
  • Neatness and organization
  • Completeness
  • Inclusion of OdinID or project identifier in screenshots
Bitbucket
For assignments that require code to be written, you will include your code via a private Bitbucket repository that is shared with the instructor. The code will be graded upon the following rubric:
  • Overall functionality
  • Code documentation (such as Docstrings, comments)
  • Code readability and modularity
  • git repository activity (commits, commit messages, tags)
Final project
You (and/or a partner) will choose from a number of options for a project. Then, via a narrated screencast of no more than 20 minutes per project, you will show the work you have done with a demo and a source code or level walkthrough. For group projects, each student must walk through the code or level he/she has written or solved. The screencast should be uploaded to the course's MediaSpace channel. For projects that require code or a codelab walkthrough, submit your final project files in Bitbucket under the directory "final". The project can be selected from the following:
  • Solving additional SI levels not previously assigned or Ethernaut levels
  • Solving an additional SI and Ethernaut level with Manticore that has not been already included in the Docker container and creating a codelab walkthrough of it
  • Creating a DApp of your own.
For projects involving CTF levels, grading will be based on the quantity and difficulty of levels solved. For projects building a DApp, your project will also be graded upon evidence on the blockchain that you have incrementally deployed and tested the contract using the wallet address in your Bitbucket repository at hw1/wallet.txt in addition to the rubrics used for grading assignments.