Blockchain Development and Security

Instructors: Wu-chang Feng and Charles Wright
Contact and discussion: Office hours: here
Course Description

This class provides an overview of blockchain systems, how they are built, and how they can be exploited. Students will get hands-on experience working with public blockchains such as Ethereum as well as build and deploy permissioned blockchains using Hyperledger Sawtooth on Google Cloud Platform. They will then examine security vulnerabilities in blockchain systems and how they may be automatically exploited.

Schedule

Each week lists its Topics, Slides, Assignments and Read/Listen items.

Week 1
  Topics: Course Overview; Overview and Applications; Underpinnings of blockchains; Public-key cryptography, Digital Signatures; Hash functions and properties
  Slides: 00a, 00b, 01a
  Assignments: Cheating agreement; Accounts setup
  Read/Listen: podcast; paper

Week 2
  Topics: Consensus protocols; Crash vs Byzantine fault-tolerance; Voting-based (BFT, Paxos); Lottery-based (Proof-of-work, Proof-of-stake); Blockchain Development; Bitcoin, Hyperledger overviews
  Slides: 02a
  Assignments: Paper selections; Hyperledger Sawtooth Python codelabs
  Read/Listen: Consensus article; Bitcoin overview

Week 3
  Topics: Ethereum & Smart Contracts overview (DApps); Solidity programming (language overview, basic types and constructs)
  Slides: 02b
  Assignments: Solidity Labs #1-2
  Read/Listen: Ethereum beige paper

Week 4
  Topics: Solidity programming (Web3.js, ERC20, ICOs); Ethereum tools (Metamask, EtherScan, MyCrypto, Remix)
  Slides: 02b
  Assignments: Solidity Labs #3-4
  Read/Listen: none

Week 5
  Topics: Blockchain security overview; DASP Top 10; SI CTF intro; Blockchain security (secrets); D6: Bad Randomness
  Slides: 03a, 03b
  Assignments: D0_Donation; D6_LockBox, D6_HeadsOrTails; D6_Lottery (submit in repo as lottery)
  Read/Listen: (Not so) smart contracts

Week 6
  Topics: Blockchain security (EVM/language issues); D3: Arithmetic issues (Types); D2/D5: Access Control / Denial of Service; D1/D4: Re-entrancy / Unchecked low-level calls; D9/D10: Off-chain attacks / Unknown; Blockchain security (Mining issues); D7/D8/Dx: Front-running / Time manipulation / 51%
  Slides: 03c
  Assignments: D3: D3_TokenSale; D2/D5: D2_PiggyBank, D2_SecureBank, D5_RecordLabel; D1/D4: D1_D4_TrustFund; D10: D10_SlotMachine
  Read/Listen: TBD

Week 7
  Topics: Symbolic execution and smart contracts; Intro to symbolic execution; Manticore
  Slides: 04a
  Assignments: Manticore codelabs
  Read/Listen: TBD

Week 8
  Topics: Symbolic execution and smart contracts; Intro to symbolic execution; Manticore

Week 9
  Topics:
    Monday: TBD
    Wednesday: Presentations
      • Uses (Nick, Justin)
      • Hyperledger Fabric (Nathaniel, Ian)
      • Block size vs. Block time (Brian, Kallen)
      • Lightning network approaches (Matthew, Danniel S.)
      • Cosmos Internet of Blockchains (Mel, Eduardo)
  Assignments: article+rubric
  Read/Listen: Uses paper; Fabric paper; Block-size/time podcast; Lightning podcast; Cosmos paper

Week 10
  Topics:
    Monday: Presentations
      • Mining centralization and the 51% attack (Kelsey, Cole)
      • Reversing smart contracts (Amanda, Bailee)
      • Fuzzing smart contracts (Tatiana, Chris)
      • Automatic smart contract exploitation (Yian, Ivan)
    Wednesday: Presentations
      • Lamport, Shostak, Pease, "The Byzantine Generals Problem" (Andre, Phuong)
      • Castro, Liskov, "Practical Byzantine Fault Tolerance", 1999 (Jeff, Daniel C.)
      • CryptoNight/CryptoNote memory-bound proof-of-work algorithm (Seth, Mike M.)
      • Zcash (Jesse, Jordan)
  Read/Listen: 51 paper; Reversing paper; Fuzzing paper; Exploitation paper; Byzantine paper; PBFT paper; CryptoNote paper; Zcash paper

Wed. 6/12 (12:30pm-2:20pm)
  Final exam (open notes up to 10 pages, closed electronics)

Fri. 6/14 (11:59pm)
  Final project due in Bitbucket, MediaSpace

Course objectives

  • Examine the underpinnings of blockchain systems and their applications
  • Develop and deploy blockchain applications and smart contracts (DApps)
  • Analyze smart contracts for security vulnerabilities
  • Exploit smart contract vulnerabilities
  • Use symbolic execution to automatically reveal smart contract vulnerabilities

Policies

Grading
  • Attendance and participation: 10%
  • Lab notebook: 40%
  • Bitbucket code: 10%
  • Presentation: 10%
  • Final exam (covering readings and presentations): 20%
  • Final project: 10%
Attendance and participation
To encourage collaboration and to establish a positive learning community, attendance and participation throughout the term will be graded. In addition, mutual respect, tolerance, and encouragement are expected, while comments seeking to demean, embarrass, or otherwise disrupt others' ability to learn are not. Specific examples of participation include asking questions, helping other students out, and identifying mistakes in the course content either in class or on the Slack channel.
Academic misconduct
  • Includes allowing another student to copy your work unless specifically allowed by the instructor.
  • Includes copying blocks of code from external sources without proper attribution.
  • Results in a grade of 0 for the assignment or exam.
  • Results in the initiation of disciplinary action at the university level.

Assignments

Assignments and notebook
Assignments will be given covering the course material. You will perform each one while maintaining a shared lab notebook (a single Google or Office Doc) that documents your progress through the exercises. Include screenshots, and ensure that each one shows either your OdinID or your Google Cloud Platform project identifier. You will submit your final lab notebook on D2L. The notebook will be graded based upon the following rubric:
  • Neatness and organization
  • Completeness
  • Inclusion of OdinID or project identifier in screenshots
Bitbucket
For assignments that require code to be written, you will include your code via a private Bitbucket repository that is shared with the instructor. The code will be graded upon the following rubric:
  • Overall functionality
  • Code documentation (such as Docstrings, comments)
  • Code readability and modularity
  • git repository activity (commits, commit messages, tags)
Final project
You (and/or a partner) will choose from a number of options for a project. You will then create a narrated screencast of no more than 20 minutes per person in which you demonstrate the work you have done via a code or level walkthrough. The screencast should be uploaded to the course's MediaSpace channel. For projects that require code or a codelab walkthrough, submit your final project files in Bitbucket under the directory "final". The project can be selected from the following:
  • Solving additional SI or Ethernaut levels not previously assigned.
  • Solving an additional SI and Ethernaut level with Manticore that has not been covered in the labs, and creating a codelab walkthrough of it.
  • Creating a DApp of your own.