d2 access control 2 access cess contr trol ol
play

D2: Access Control #2: Access cess Contr trol ol Similar to - PowerPoint PPT Presentation

Jul 23, 2023 •433 likes •547 views

D2: Access Control #2: Access cess Contr trol ol Similar to OWASP Top 10 Insufficient access control and authentication checks Insecure access control methods Private, internal functions and data are accessible through a

  1. D2: Access Control

  2. #2: Access cess Contr trol ol  Similar to OWASP Top 10  Insufficient access control and authentication checks  Insecure access control methods  Private, internal functions and data are accessible through a contract's public/external functions  Results in unauthorized access  Loss : estimated at 150,000 ETH (~$30M USD at the time) Portland State University CS 410/510 Blockchain Development & Security

  3. Walkthr kthroug ough h sc scen enario ario  A smart contract designates the address which initializes it as the contract's owner in an initialization function  Grants special privileges such as the ability to withdraw the contract's funds.  Initialization function not protected and can be called by anyone — even after it has already been called  Allows anyone to become the owner of the contract and take its funds. Portland State University CS 410/510 Blockchain Development & Security

  4. Ex Example ple  Owning a wallet contract (7/19/2017)  https://blog.zeppelin.solutions/on-the-parity-wallet-multisig-hack-405a8c12e8f7 It was possible to turn the Parity Wallet library contract into a regular multi-sig wallet and become an owner of it by calling the initWallet function. -- Parity  Could have been up to ~$180M, but white hat hackers "stole" the rest and returned it to rightful owners  https://medium.freecodecamp.org/a-hacker-stole-31m-of-ether-how-it- happened-and-what-it-means-for-ethereum-9e5dc29e33ce Portland State University CS 410/510 Blockchain Development & Security

  5. Code e vul ulnerability nerability exa xample ple #1  Contract's initialization function sets the caller of the function as its owner. function initContract () public { owner = msg.sender; }  Logic is detached from the contract's constructor and does not keep track of the fact that it has already been called.  Anyone can call initContract after contract creation to become owner Portland State University CS 410/510 Blockchain Development & Security

  6. Code e vul ulnerability nerability exa xample ple #2  Parity WalletLibrary in example  Library used to implement common wallet functions  Initializer allows one to specify withdraw limit and owners function initWallet(address[] _owners, uint _required, uint _daylimit) { initDaylimit(_daylimit); initMultiowned(_owners, _required); }  Library implemented as an external contract call to reduce costs  Rather than have each contract deploy a copy of the exact same library code, wallets do this…  Then, use delegatecall() to invoke its functions  DELEGATECALL instruction in EVM takes call and invokes the exact same one on the contract you're using it on Portland State University CS 410/510 Blockchain Development & Security

  7.  Issue within fallback function  Fallback receives payment if someone sends you $  Otherwise, msg.data has unknown function call that should be handled by library since no function in contract matches  delegatecall dispatches unknown calls to library function() payable { if (msg.value > 0) Deposit(msg.sender, msg.value); else if (msg.data.length > 0) _walletLibrary.delegatecall(msg.data); }  Issue: ALL public calls in library can now be called (including initWallet again!)  Leads to..  Rogue initWallet https://etherscan.io/tx/0x707aabc2f24d756480330b75fb4890ef6b8a26ce0554e c80e3d8ab105e63db07  Rogue transfer out of wallet https://etherscan.io/tx/0x9654a93939e98ce84f09038b9855b099da38863b3c2e 0e04fd59a540de1cb1e5 Portland State University CS 410/510 Blockchain Development & Security

  8. Code e vul ulnerability nerability exa xample ple #3  MetaCoin contract for purchasing and exchanging coins  sendCoin call to doTransfer from msg.sender to receiver  What errors are there?  doTransfer not set to internal (can be called externally)  No check on from being msg.sender in doTransfer  Bonus vulnerability: Underflow and overflow on balances update not checked Portland State University CS 410/510 Blockchain Development & Security

  9. Code e vul ulnerability nerability exa xample ple #4  Same contract  What is the error?  Contract's password set to "private", but appears in clear on blockchain  Find secretPassword and mint coins  Everything is public by design  Contract code & storage  Transaction contents  Private modifier does nothing for secrecy! Portland State University CS 410/510 Blockchain Development & Security

  10. Rem emed ediation iation  Remove all catch-all function dispatchers (specify exact calls allowed)  Ensure calls are internal , unless intended to be external  Validate identity before execution using modifiers and via require contract Unprotected{ address private owner; modifier onlyOwner { require(msg.sender==owner); _; } function constructor() public { owner = msg.sender; } // This function should be protected function changeOwner_broken(address _newOwner) public { owner = _newOwner; } function changeOwner_fixed(address _newOwner) public onlyOwner { owner = _newOwner; } } Portland State University CS 410/510 Blockchain Development & Security

  11. SI CTF Lab 3.4, 3.5

Recommend

1 INTRODUCING Dayton Access Dayton Access 2 Dayton Ac Dayton Acce cess ss Dayton Access is

1 INTRODUCING Dayton Access Dayton Access 2 Dayton Ac Dayton Acce cess ss Dayton Access is

1 INTRODUCING Dayton Access Dayton Access 2 Dayton Ac Dayton Acce cess ss Dayton Access is a web portal accessible through the world wide web that allows real-time interface with Daytons ERP system 3 Dayton Ac Dayton Acce cess

568 views • 22 slides
ACCESS CESS-A-RIDE IDE SER ERVICES ICES IN NE NEW W YOR ORK CITY What t is A s Access

ACCESS CESS-A-RIDE IDE SER ERVICES ICES IN NE NEW W YOR ORK CITY What t is A s Access

ACCESS CESS-A-RIDE IDE SER ERVICES ICES IN NE NEW W YOR ORK CITY What t is A s Access cess-A-Ride? ide? New York Citys parat atransit ransit service ice providing shared-ride transportation for people with disabilities.

631 views • 33 slides
Access Control Access Control 1 Access Control Access control : ensures that all direct

Access Control Access Control 1 Access Control Access control : ensures that all direct

Access Control Access Control 1 Access Control Access control : ensures that all direct accesses to object are authorized a scheme for mapping users to allowed actions Protection objects : system resources for which protection is

576 views • 21 slides
Access Control and Protection Overview Access control: What and Why Abstract Models of

Access Control and Protection Overview Access control: What and Why Abstract Models of

Access Control and Protection Overview Access control: What and Why Abstract Models of Access Control Discretionary acces control Mandatory access control Real systems: Unix Access Control Model Access control Access

817 views • 47 slides
Access Control Jackson Argo Rackspace MO After-hours April 28, 2016 What is Access Control?

Access Control Jackson Argo Rackspace MO After-hours April 28, 2016 What is Access Control?

Access Control Jackson Argo Rackspace MO After-hours April 28, 2016 What is Access Control? How Is Access Determined? Who Determines Access? Forms of Access Control SELinux Booleans iptables File Access Control Lists Apache Access Control

711 views • 36 slides
1 General Access Control General Access Control Control of access to memory relatively easy:

1 General Access Control General Access Control Control of access to memory relatively easy:

Role of Access Control Before closing back doors we need to close front doors Access control: determines access to files & processes in OS Fall 2008 We will return to these themes throughout the course Fall 2008 CS

512 views • 6 slides
SYSTEM DIAGRAMS Door Entry & Access Control ACCESS CONTROL ACCESS CONTROL Allowing

SYSTEM DIAGRAMS Door Entry & Access Control ACCESS CONTROL ACCESS CONTROL Allowing

SYSTEM DIAGRAMS Door Entry & Access Control ACCESS CONTROL ACCESS CONTROL Allowing residents / staff access to site areas Main entrance Vehicle entrances Pedestrian entrances Gate / Barrier entrance Bin / Bike / Refuge

336 views • 14 slides
Overview Basic Principles Access Control Methodologies Controls Access Control Designs

Overview Basic Principles Access Control Methodologies Controls Access Control Designs

Overview Basic Principles Access Control Methodologies Controls Access Control Designs Access Control Administration Accountability Chapter 2 Access Control Models Identification and Authentication Methods Lecturer:

708 views • 9 slides
Company Presentation Con Condo dor r Pr Pressu essure Con e Contr trol ol Parent Company

Company Presentation Con Condo dor r Pr Pressu essure Con e Contr trol ol Parent Company

Con Condo dor r Pr Pressu essure Con e Contr trol ol Controls & Solutions the inventor of the pressure switch! Since 1893 Company Presentation Con Condo dor r Pr Pressu essure Con e Contr trol ol Parent Company Controls

503 views • 12 slides
Outline Unix-style access control, contd CSci 5271 Multilevel and mandatory access control

Outline Unix-style access control, contd CSci 5271 Multilevel and mandatory access control

Outline Unix-style access control, contd CSci 5271 Multilevel and mandatory access control Introduction to Computer Security Access control, contd Announcements intermission Stephen McCamant Capability-based access control University

380 views • 7 slides
Access Control Chester Rebeiro Indian Institute of Technology Madras Access Control (the tao of

Access Control Chester Rebeiro Indian Institute of Technology Madras Access Control (the tao of

Access Control Chester Rebeiro Indian Institute of Technology Madras Access Control (the tao of achieving confiden5ality and integrity) Who can access What Objects : Subjects : Files/ Programs/ Sockets/ User/ process/ applica5on Hardware/

985 views • 46 slides
Access Control Chester Rebeiro Indian Institute of Technology Madras Access Control (the tao of

Access Control Chester Rebeiro Indian Institute of Technology Madras Access Control (the tao of

Access Control Chester Rebeiro Indian Institute of Technology Madras Access Control (the tao of achieving confidentiality and integrity) Who can access What Objects : Subjects : Files/ Programs/ Sockets/ User/ process/ application

1.31k views • 50 slides
Smart.Net-IP NETWORKED ACCESS CONTROL Smart.Net-IP NETWORKED ACCESS CONTROL Smart.Net-IP is a

Smart.Net-IP NETWORKED ACCESS CONTROL Smart.Net-IP NETWORKED ACCESS CONTROL Smart.Net-IP is a

Smart.Net-IP NETWORKED ACCESS CONTROL Smart.Net-IP NETWORKED ACCESS CONTROL Smart.Net-IP is a simple, modular approach to networked access control with scalability in mind. Easy management from a central location PC from anywhere with an

196 views • 9 slides
Air r Polluti ution C on Contr trol ol P Progr gram am Fee S Stakehol eholder er M

Air r Polluti ution C on Contr trol ol P Progr gram am Fee S Stakehol eholder er M

Air r Polluti ution C on Contr trol ol P Progr gram am Fee S Stakehol eholder er M Meeti eting ng January 29, 2015 Missouri Air Conservation Commission Missouri Department Natural Resources Division of Environmental Quality Air

613 views • 37 slides
Outline Basics of access control Unix-style access control CSci 5271 Introduction to Computer

Outline Basics of access control Unix-style access control CSci 5271 Introduction to Computer

Outline Basics of access control Unix-style access control CSci 5271 Introduction to Computer Security Announcements intermission Day 10: OS security: access control Multilevel and mandatory access control Stephen McCamant University of

324 views • 10 slides
Access Control Mechanisms Week 6 1 CEN-5079: 7.March.2019 Why Access Control Following

Access Control Mechanisms Week 6 1 CEN-5079: 7.March.2019 Why Access Control Following

Access Control Mechanisms Week 6 1 CEN-5079: 7.March.2019 Why Access Control Following authentication, we need to decide what the subject can access 1 Read F 1 OK 2 Bob Write to F Alice 2 F NO ! 3 Execute G G 3 OK

596 views • 56 slides
9:00 AM 12:30 PM ET Dial-in number mber (U (US): ): 1-866-952-8437 Access cess code: e:

9:00 AM 12:30 PM ET Dial-in number mber (U (US): ): 1-866-952-8437 Access cess code: e:

Advisory Panel on Clinical Trials Spring 2018 Meeting November 16th, 2018 9:00 AM 12:30 PM ET Dial-in number mber (U (US): ): 1-866-952-8437 Access cess code: e: 700-635-466 Webi binar nar URL: :

428 views • 38 slides
Em Emplo loyee ee Ac Access cess Portal tal Jim Hogg County ISD HOME PAGE FOR EMPLOYEE

Em Emplo loyee ee Ac Access cess Portal tal Jim Hogg County ISD HOME PAGE FOR EMPLOYEE

Em Emplo loyee ee Ac Access cess Portal tal Jim Hogg County ISD HOME PAGE FOR EMPLOYEE ACCESS PORTAL {insert URL for website} First time logging in choose New User Create a New User Page 1 1. . Enter your nin ine-digit so social l

211 views • 20 slides
Ac Access cess to to Equ quit ity y Fin inancin ancing g Slov ovene ene Equity ty

Ac Access cess to to Equ quit ity y Fin inancin ancing g Slov ovene ene Equity ty

Ac Access cess to to Equ quit ity y Fin inancin ancing g Slov ovene ene Equity ty Growth th Inve vest stme ment nt Progr gramm amme Gabrie riele e Todesc esca, Head d of Divisi sion on Equity ty Mandat date e Manag

552 views • 8 slides
1 Types of Power-Saving MACs The Sensor MAC (S-MAC) Three distinct classes of power-saving

1 Types of Power-Saving MACs The Sensor MAC (S-MAC) Three distinct classes of power-saving

What Is Media Access Control? Media Access Control (MAC) determines who gets access to the shared medium, and when Media Access Control In wired settings, usually just tries to avoid Greg Hackmann contention In wireless settings, can

399 views • 7 slides
Insecure Direct Object Reference IDOR ( Broken Access Control ) IDOR ( Broken Access Control ) ~#

Insecure Direct Object Reference IDOR ( Broken Access Control ) IDOR ( Broken Access Control ) ~#

Insecure Direct Object Reference IDOR ( Broken Access Control ) IDOR ( Broken Access Control ) ~# whoami Eric Biako Bsc. IT, CEH v9 Information security officer @ E-connecta Moderator @ https://legalhackmen.com IDOR ( Broken Access Control )

517 views • 12 slides
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 7 Access Control

Security+ Guide to Network Security Fundamentals, Third Edition Chapter 7 Access Control

Security+ Guide to Network Security Fundamentals, Third Edition Chapter 7 Access Control Fundamentals Objectives Define Access Controls List the four Access Control Models Describe logical Access Control Methods Explain the

128 views • 8 slides
DECENTRALIZED ACCESS CONTROL Sandra Siby EDIC Semester Project (DEDIS) Supervisors: Eleftherios

DECENTRALIZED ACCESS CONTROL Sandra Siby EDIC Semester Project (DEDIS) Supervisors: Eleftherios

DECENTRALIZED ACCESS CONTROL Sandra Siby EDIC Semester Project (DEDIS) Supervisors: Eleftherios Kokoris-Kogias, Prof. Bryan Ford 1 Motivation Access Control: Management of access to a resource Simple access control Static binding

494 views • 24 slides
Access Control SecAppDev 2016 Maarten Decat maarten.decat@kuleuven.be @maartendecat What is

Access Control SecAppDev 2016 Maarten Decat maarten.decat@kuleuven.be @maartendecat What is

Access Control SecAppDev 2016 Maarten Decat maarten.decat@kuleuven.be @maartendecat What is access control? Access control is the part of security that constrains the actions that are performed in a system based on access control rules .

1.4k views • 113 slides

More recommend