Attack and defense of blockchain security: Security is the top priority, and companies from all parties need to join in to promote the healthy development of the ecosystem | Blockchain POD Conference
余YU
2018-09-09 02:35
This article is about 9,113 characters long; reading the whole text takes about 36 minutes.
Security is a top priority in the blockchain space.

How do you view the importance of blockchain security?

At present, blockchain is still at a relatively early stage, but security incidents have been reported repeatedly, and people question whether blockchain technology is safe at all. How should we view the importance of blockchain security? On this point, the guests agreed that security is the top priority in the blockchain field.

Kushen CTO Ye Fei said that security is undoubtedly the core issue in the blockchain field. At present, blockchain security issues mainly concern the security of the consensus mechanism, the security of private keys, and the security of smart contracts.

Are there any innovations in offensive and defensive technologies in the blockchain field?

Security is also an eternal theme in the Internet field. Internet security has mainly addressed logic flaws and their exploitation from the standpoint of logical correctness and the structure of the computing stack, and it is from there that offensive and defensive problems are solved. On the offensive and defensive issues in the blockchain field, the guests said that the blockchain is not absolutely safe, and the problem needs to be solved from several different directions.

Duan Gang believes that the security construction of blockchain enterprises is similar to that of traditional enterprises, and that the most critical element is the security awareness and security skills of the company's employees. Enterprises need to establish security rules and regulations, provide security awareness and skills training for employees, and improve the secure coding ability of technical staff, in order to solve corporate security problems at the source. In addition, third-party companies can be invited to conduct security tests on the business.

Regarding the security of smart contracts and DApps, Ren Kunpeng, head of Peking University's blockchain technology team, said that blockchain start-ups may not have sufficient financial support, so they will use open source formal verification tools for smart contracts, or other open source tools, to check the security of their DApps or smart contracts. However, unlike some traditional development frameworks, blockchain technology does not yet have strong secure coding standards, so promoting developers' awareness of secure coding is particularly important. In addition, a DApp needs a full audit of its program logic.

How to do a good job in the security construction of blockchain games?

Recently popular blockchain games such as Last Winner and Fomo3D have had some loopholes. Is there a solution to this kind of security problem? On this point, the guests held different views.

Ren Kunpeng said that if public chain security technology can be developed to the point of providing a strong, credible security guarantee, these security problems can be completely solved.

On the other hand, Guo Yang, head of security at SlowMist Technology, believes that blockchain games such as Fomo3D are ultimately a matter of human nature: there are many temptations, and they are no longer something a security company can stop by disclosure. Many imitations of Fomo3D have serious problems, such as contract authority being directly controlled by the project party, which leaves open the possibility of withdrawing the coins and running away. He recommends not touching this kind of fund game at all.

Ye Fei said that smart contract security is an endless task, since a flaw may lie in the program itself or in the virtual machine.

So how should blockchain games improve their safety factor? The guests believe that developers need to maintain good coding habits, and project parties need to do a good job of auditing.

What role do security service companies play in the blockchain ecosystem?

The blockchain industry now has all kinds of security loopholes, and some technical security companies are committed to building out ecosystem security, providing users with security solutions and services, but different companies have different entry points.

On this point, Duan Gang believes that more and more companies are paying attention to security, and that the participation of companies from all sides is conducive to the healthy development of the blockchain ecosystem. He also said that talent is a crucial factor for the safe development of the entire blockchain industry in the future.

The following is the transcript of the roundtable forum:

Host Li Xueting: Thank you for coming to our meeting today. Let me introduce myself first. I am Li Xueting, an analyst at the Research Institute. The topic of our roundtable forum today is the attack and defense of blockchain security. Let us first invite each guest to give a self-introduction, starting with Mr. Ye.

Ye Fei: Hello everyone, I am Ye Fei, CTO of Kushen. Mr. Yuan has just introduced the basic situation of Kushen Wallet. Generally speaking, our team focuses on the storage link and is the earliest professional cold wallet team in China. I personally entered this industry relatively early and have been working on the technology side. I am an out-and-out Bitcoin fan and have been fascinated by it since I first read Satoshi Nakamoto's paper. I hope my sharing today will be helpful to everyone.

Duan Gang: Hello everyone, I am Duan Gang, the founder of Kanxue. Kanxue is a developer community founded in 2000. After 18 years of development, it now focuses on security research and reverse engineering for PCs, mobile, smart devices and blockchain. Everyone is welcome to participate.

Guo Yang: Hello everyone, I am Guo Yang, the security director of SlowMist Technology. You can also call me One Piece, because everyone in the security industry has a nickname. SlowMist Technology focuses on the field of blockchain security, which is itself based on traditional security, but compared with traditional security we feel that blockchain security has more room for development and imagination, so SlowMist decided to focus on this area. Whether it is Bitcoin, Ethereum or EOS, we will continue to pay attention to the security of this area, including the domestic public chains VeChain and Ontology, with which we have specific cooperation. If any project parties or other partners need security services, you are welcome to come to Xiamen to visit SlowMist and talk business; after all, the seafood in Xiamen is great.

Ren Kunpeng: Hello everyone, I am the research director of the Peking University Blockchain Technology Group, which is also preparing to form the Peking University Blockchain Association. Our research group works in two directions: public chain development and on-chain data security analysis. Our group has developed a transaction security analysis system for BCH, and I myself have done some research on Web security, including binary security.

Li Xueting: Thank you for your introductions. Now let us start the discussion. We all know that blockchain is an emerging technology whose development momentum is very fast, but it is not yet safe enough. We think the industry is now in a Schrödinger-like situation: blockchain seems to be simultaneously in a state of having been successfully hacked and of not having had any accidents, and blockchain security seems to have kept advancing through offense and defense. Today, experts are invited to discuss this topic with us. First of all, we know that blockchain is still at a relatively early stage, but security issues have been reported repeatedly, and people question whether blockchain technology has the characteristic of security. I would like to ask the four guests present: how do you view the importance of blockchain security?

Ye Fei: Security is undoubtedly the core issue in the blockchain field. However, this topic is a bit big, so let me classify it simply. First, at the blockchain level, the security of the consensus mechanism has always been an issue, and there are now many chains that are vulnerable to PoW attacks; at the digital asset level, the core security issue is the custody of private keys; in addition, there is another type of security issue that has been mentioned frequently recently, which is the security of smart contracts. Whether you are an individual or an enterprise, if you want to enter this industry, you need to give priority to security. If a security problem occurs, it may be the end of the game.

Duan Gang: In terms of security, every computer system and application has security problems. The essence of blockchain security is the comprehensive embodiment of traditional computer, network and application security. One important reason hackers pay more attention to blockchain security is interest: with traditional security holes, hackers who want to monetize them need to find a reliable buyer. The blockchain has a particularity: through certain techniques, hackers can use exchanges, vulnerabilities or mining operations to obtain virtual currency directly, which gives them a great economic incentive. In addition, from a legal point of view, our banking system also has security issues, but why do we seldom hear of bank vulnerabilities being exposed or causing losses? There is the issue of criminal liability. The blockchain is transnational, anarchic and trendless, and the cost of crime is low, so hackers have invested a lot of energy in this area based on their interests or their risk assessment. Security in blockchain, as Mr. Ye Fei said, is the most important thing. For the success or failure of a blockchain project, security acts as a one-vote veto. If security is not considered at the beginning of a project, it may become one of the most critical factors in the project's failure. Thank you.

Guo Yang: I very much agree with the views of the previous two seniors. Security is the top priority. Let me give an example. In real life, say you have a million in your bank account and you lose it. At this time you can go to the bank, and the bank can help you trace the record and find it. In the world of blockchain it is almost impossible to retrieve. For example, someone lost tens of thousands of bitcoins; I don't think any company or individual dares to stand up and say they will be able to get those coins back. For anyone, the bitcoins you own cannot be transferred by others without your private key. Of course, this is true for both victims and attackers, so it is difficult to retrieve them. So this example will make everyone understand: security is the top priority.

Ren Kunpeng: From a developer's point of view, we hope the blockchain system will become more and more secure. The assets of us developers, including users' assets, are kept on the chain. If hackers find a loophole, it may be very easy for them to transfer our assets and users' assets. The blockchain itself is based on complete cryptography, and it has the advantages of decentralization, security and tamper-resistance, but these advantages become the exposure points of these vulnerabilities, including the exposure of data privacy. I think that as blockchain technology develops, security is the first priority, because before the rise of the Internet, without the development of public key cryptography, the Internet could not have reached where it is today, so I feel secure chain development is a top priority.

Li Xueting: Thank you to the four guests. The four experts are each specialized in their own fields, and everyone has reached a consensus that security is very important to the development of the blockchain; solving the blockchain's security problems is indeed imminent. Mr. Duan also mentioned the development of the Internet. We know that in the Internet field, security has always been an eternal theme. Internet security mainly solves the problems of logical flaws and exploits from the perspective of logical correctness and technical computing structure, and thereby solves these offensive and defensive problems. In the field of blockchain, as an emerging field, what technological innovations are there in the area of offense and defense? I would also like to ask the teachers to share.

Ye Fei: The topic of attack and defense is also very big. I will stick to private keys, which I am more familiar with. Put simply, if an attack on a private key is aimed at an individual, generally someone either takes the private key directly, or indirectly steals the auxiliary mnemonic words, for example when users do not pay attention to backups and put them on centralized servers such as mailboxes; another is phishing websites. Attacks on trading platforms sometimes directly target hot wallets, or attack the platform database, create false withdrawals, and indirectly steal assets.

We found that the above problems have one thing in common: the private key is connected to the Internet. So basically, by 2014 everyone in this industry had a consensus, which was to build cold wallets and cold signing to ensure that the private key is never connected to the Internet at all. That is the core idea of our defense. But it is difficult to be completely cold, because when we initiate a transaction there will be a link to the Internet anyway. Therefore, we came up with the hot and cold separation architecture. The hardware cold wallet is responsible for managing the private key, such as generating the private key and signing, and the connected app is responsible for querying network information, broadcasting transactions and so on, and the two exchange information through QR codes.

We discussed this plan with traditional cryptography experts, and they found it very interesting. They thought it was a dimensionality-reduction solution: rather than staying connected to the Internet and then trying hard to build a solid line of defense, it is better to just cut off the network. This is the core idea of the defense of Kushen Wallet.

Duan Gang: The security construction of blockchain enterprises is similar to that of traditional enterprises. In the early stage of development, most enterprises put the number of users and the speed of business development first and often ignore security construction, which brings many security problems. Inside the enterprise, it is more important to establish corporate security rules and regulations, especially training in employee awareness and security skills. There are also corporate rules and regulations covering code auditing and secure programming skills. Make internal improvements to solve enterprise security problems from the source. This includes the blockchain itself.

After this is done, third-party companies can be invited to conduct some security tests on the platform or exchange, and inside and outside can cooperate to bring security to a new level. The key is the employees' security awareness, security skills and the security system.

Guo Yang: My point of view coincides with the two of you: achieving security is ultimately a human problem. But let me say first that there is no absolute security. No matter what you do, whether you are in a traditional industry or the blockchain industry, there is no absolute security. When hackers come to attack, we at SlowMist are equivalent to helping customers defend, but unknown attacks cannot be known, so when we provide security services for a project, we first simulate hackers from the periphery in a black-box attack, find the weak points of the system and the existing security risks, and then cooperate with the project party to take defensive measures from the inside in a gray-box manner. There was an incident in Beijing before where an operation and maintenance company stole the company's bitcoins. This kind of internal attack requires internal risk control and the establishment of a complete security system. The other kind is external hacker attacks. If you have not done professional security audits, or your own employees lack security awareness, the exchange can easily become the victim.

There are different security solutions for different projects, such as how to store the private key on the user's mobile phone when making a wallet, or how to design the private key signing service on a trading website. The core idea is to ensure the security of private keys and data.

A vulnerability broke out recently. We found that many hackers uploaded maliciously constructed fake ID card "pictures" to every trading website that allows image uploads. Once the ID card "picture" is uploaded, the server triggers malicious command execution, the hacker obtains an SSH connection to the server, and further obtains the database username and password. The hacker can then directly change the database, add some money to an account for direct trading, and after the trade is completed delete all of his operation records in the database to balance the corresponding accounts. It is very difficult to find this abnormal situation on the trading website, unless an abnormal process is found on the server or some malicious scripts are found. In this case, unless professional security personnel are involved or the operation and maintenance staff have security awareness, it will not be discovered. When we provide customers with security services, we provide corresponding solutions, such as how to defend, how to stop losses quickly after problems occur, and we guide customers in reviewing how to avoid similar security incidents next time.

Of course, security must be based on mutual trust between the two parties. If the customer does not trust you, then your security work will be difficult to carry out. At present, the customers we serve have great trust in SlowMist, because we can bring them a sense of security, which is very important.

Ren Kunpeng: I especially agree with the views of the previous three seniors, because I do blockchain development myself and am more interested in blockchain security. In our development we usually encounter some security issues in smart contracts, including DApps. Let me briefly talk about my views on blockchain offense and defense from these two aspects.

First, in traditional industries, if you want to ensure the security of your website, you may buy some firewalls and intrusion detection systems, and maybe some penetration testing and code audit services. However, blockchain start-up companies or technology teams often do not have such large financial support. They may use some open source smart contract formal verification tools, or some open source tools, to test their DApp or smart contract security. I agree with Senior Duan very much: we developers must first cultivate an awareness of secure coding, because blockchain technology is only a few years old. Unlike some traditional development frameworks, which all have strong secure coding specifications, in blockchain I feel this kind of secure coding practice is especially important.

In terms of attack, I am not specialized in attack and defense. I feel that DApp developers should completely audit the logic of their programs, because formal verification tools may find some overflow vulnerabilities or some dangerous function loopholes, but if a DApp itself has a problem in its application logic, it may lose a large part of its assets. That is about my point of view.

Li Xueting: Okay. The guests have talked about security from different dimensions, including personal and user wallets, user awareness, and some institutional and technical aspects. So neither the Internet nor the blockchain is absolutely safe, and we need to solve this problem from different aspects, because blockchain technology is applied in different business scenarios: we know there are finance and law, some copyright, and some medical fields. Recently we have been more interested in blockchain games. We are familiar with Last Winner and Fomo3D; these games have also had some loopholes, so I would like to ask: is there a solution to this kind of blockchain security problem, and what aspects should blockchain games focus on to improve their safety factor? Let us start here.

Ren Kunpeng: Whether there is a solution is a difficult question to answer, but I think there is a solution to the two vulnerabilities of Fomo3D. My personal view is that they are security flaws in Ethereum itself. If our public chain security technology can be developed to provide a strong, credible security guarantee, these security problems can be completely solved. The other question is how we can develop secure blockchain programs on top of this incomplete underlying blockchain technology. We need to understand the underlying operating mechanisms better than hackers, such as Ethereum's sensitive functions and the gas mechanism. I feel these are more like a contest between us developers and hackers.

Because our technical team has also developed some games on Ethereum, including other games at the public chain level, we may invite some testing before the game goes online, including inviting some well-known security teams, using some open source testing frameworks, and internal testing by the group. I feel that the security issues of the blockchain itself cannot support the game, but if we developers pay attention to some common coding habits, we can still solve these problems.

Guo Yang: From the perspective of our security company, we found a very strange phenomenon: when SlowMist disclosed that this game has loopholes or is not safe and recommended that you not play it, you would find that the more money was in it, the more people played. At that point we thought about whether we should disclose the Fomo3D game at all, because after a report is released, more people learn how to reproduce the attack and become attackers. It can be seen that Fomo3D has completely risen to the level of human nature, and it is no longer something that security companies can prevent through disclosure. Sometimes we know that we may not win the lottery, but there is a fluke mentality that security can solve technical problems. But in the final analysis, human nature itself cannot be helped. So for this fund game, I suggest you not play it. And a design like Fomo3D is actually quite conscientious. I have seen many imitations of Fomo3D where the permissions are all controlled by the project party, the Ethereum inside is completely controlled by them, and there is a possibility of running away at any time. I suggest that you do not touch this kind of game. Thank you all.

Duan Gang: On the question of whether blockchain games have a solution: with the development of blockchain technology, these games are mainly contracts, and because of this feature the code cannot be modified after the game is launched. So doing good code auditing before the game is launched, as well as improving the security awareness and coding level of developers, have become issues that blockchain game companies must face.

Ye Fei: This is the security issue of smart contracts. The security of smart contracts is endless. It may be a problem of program development or a problem of the underlying virtual machine. A contract that seems to have no problems now may have problems after a period of time, so security is endless. We don't know what kind of pitfalls there will be in the future, but pitfalls that others have stepped on in the past should be avoided as much as possible. It is already very good to be able to do this. We see that there are many problematic contracts on the chain, and in fact most of them have the same problems. Now many people publish contracts by finding a copy of some source code and publishing it themselves, which makes it easy to step on the pitfalls of their predecessors. The best way is to find a professional team to provide a copy, or submit the written contract to them for review.

Li Xueting: Okay. As Mr. Ye said just now, if the developer of a blockchain game project wants to develop a smart contract, some security audits are required before the game's smart contracts go live, because the scope of influence of blockchain games like Fomo3D is relatively large, and once an attack occurs the loss will be relatively serious. Users and developers are also urged to be cautious.

Due to time constraints, our last question is this. Our blockchain industry now has various security loopholes across the ecosystem, and some of our technical security companies are also committed to building out ecosystem security, providing users with security solutions and services, but different companies have different entry points: some pay more attention to formal verification, some provide security audits, some provide professional security consultants and other services, some pay more attention to privacy and usability, and some companies pay more attention to establishing global communities to attract more geeks to join. So I would like to ask all guests: in the entire blockchain ecosystem, what role are these security service companies playing, and will these roles be extended or changed in the future?

Ye Fei: We know that the industry has now formed an ecological chain, such as upstream mining, where there are dedicated mining machines, mining pools and mine deployments; after the assets are dug out, there is the trading link, which has always been the liveliest part; there are also teams dedicated to payments or financial derivatives. Kushen is engaged in the storage link. Our mission is to be the protector of blockchain assets, and more specifically to provide private key safekeeping solutions. Our company is now a financial technology company, and the core thing now is to focus on making a good hardware cold wallet.

Duan Gang: The development of the blockchain security industry and its technology is inseparable from the joint efforts of every company in the industry. It is a good thing that more professional companies and teams enter this field, which can make it develop more healthily. Kanxue's idea is to provide everyone with a place to learn and exchange security concepts and skills. The security environment is different from other fields: security problems are solved by people, unlike some fields that rely on automated machinery to solve problems through rules. The security field must be solved by talent, and the competition for talent is now very fierce; BAT has basically snatched away the core talent. For small and medium-sized start-ups, including some new companies, security talent is very hard to get: one problem is that you may not be able to find suitable people, and the other is that the cost of salary and benefits has also increased. I think talent is a crucial factor for the safe development of the entire blockchain industry in the future. Next, I think companies from all walks of life will enter this field, everyone will jointly promote the development of this ecosystem, and everyone will work together to make the blockchain security market bigger and better.

Li Xueting: Our blockchain industry hopes that more and more forces will join the security industry.

Guo Yang: Before answering this question, let me ask a question: does anyone know where the name SlowMist comes from? Congratulations to the two friends over there for answering correctly; I will send out a small gift later. When the company was established, it was named SlowMist Technology. The inspiration for SlowMist came from the foggy forest in the science fiction novel "The Three-Body Problem". We want to become a safe area in the blockchain world: whether you are a wallet, a DApp or another project party, we can bring you a sense of safety and security. Of course, we welcome more security seniors, such as leaders like TK and Yuan Ge, to enter the field of blockchain security. When we do project audits, some customers pay more attention to security and need to be audited by multiple security companies, and we will also recommend high-quality peers, such as Zhichuangyu in China or Cure53 abroad, including Mr. Duan. We welcome any cooperation in this area and face these things with a very open mind. All the key points of our audits on SlowMist Technology's official website, including some skills, are open to the outside world. After all, the blockchain world needs to use the blockchain to play and embrace the entire ecosystem. Thank you all.

Ren Kunpeng: First of all, as a blockchain developer, I am very pleased, because after listening to the introductions of several seniors, I feel that the current blockchain security construction is particularly important for the future development of blockchain security technology: SlowMist, as well as Kanxue and Kushen. Kanxue may be a good communication platform for blockchain security technology enthusiasts. I have also watched SlowMist release some open source projects, which is also a good way to learn. That Kushen can guarantee the security of our personal wallets is particularly important. I feel that if more traditional security companies can join the blockchain security industry, it will definitely strengthen the security force in this area. I myself was originally doing web security at 360, and then I switched to blockchain technology with my graduate tutor. Our Peking University blockchain technology team may do a lot of data security analysis on the blockchain for blockchain security. I feel that the blockchain itself is a large database that can be queried openly and transparently. However, for many security incidents, including the theft of exchanges, it is often difficult to trace the source, because the security analysis of the blockchain itself must use data analysis and rely on tools. Code-level security alone cannot be achieved on the chain without data analysis; these are two aspects of security, one is code-level security and the other is data-level security. In terms of data-level security, I think the blockchain itself is still an area that not many people have explored. I think blockchain security still needs to rely on the original strength, including not only the original traditional security strength, but also the power of artificial intelligence to ensure its construction.

Li Xueting: As the guests said, I believe that attack and defense will be the normal state of blockchain development in the future. The complexity and potential economic value of the blockchain will make blockchain security battles increasingly fierce. How to adopt new security mechanisms and develop new security means, and make these technologies and means safe, will be the next outlet for the development of the blockchain. We also look forward to more forces joining the blockchain security industry in the future to escort our blockchain development. Thank you, distinguished guests; due to time constraints we will stop here. Thank you all.
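The hot and cold separation architecture Ye Fei describes above (offline device holds the key and signs, online app queries the network and broadcasts, QR codes carry data across the gap), as an added example in Go that is not code from Kushen or from the forum. The transaction fields, the 2048-byte QR limit and the use of ed25519 are assumptions for illustration; the point shown is that only the unsigned transaction and the signature ever cross the gap, and that each side validates what it receives.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// UnsignedTx is what the online app assembles from chain data; the field names
// are assumptions for this example, not any real chain's transaction format.
type UnsignedTx struct {
	ChainID string `json:"chain_id"`
	To      string `json:"to"`
	Amount  uint64 `json:"amount"`
	Nonce   uint64 `json:"nonce"`
}

const qrMaxBytes = 2048 // assumed capacity of one QR frame

// ColdWallet models the offline device: it owns the private key and only ever emits the public key and signatures.
type ColdWallet struct {
	chainID string
	priv    ed25519.PrivateKey
}

func NewColdWallet(chainID string) (*ColdWallet, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &ColdWallet{chainID: chainID, priv: priv}, nil
}
func (c *ColdWallet) PublicKey() ed25519.PublicKey {
	return c.priv.Public().(ed25519.PublicKey)
}

// txDigest is the message actually signed: SHA-256 over the JSON encoding.
func txDigest(tx UnsignedTx) []byte {
	b, _ := json.Marshal(tx) // strings and integers always marshal
	sum := sha256.Sum256(b)
	return sum[:]
}

// SignQR takes the base64 "QR code" scanned from the online app, validates the transaction
// inside it and returns a second QR payload holding only the signature; the key never leaves.
func (c *ColdWallet) SignQR(qrPayload string) (string, error) {
	if len(qrPayload) > qrMaxBytes {
		return "", errors.New("payload too large for one QR frame")
	}
	raw, err := base64.StdEncoding.DecodeString(qrPayload)
	if err != nil {
		return "", fmt.Errorf("bad QR payload: %w", err)
	}
	var tx UnsignedTx
	if err := json.Unmarshal(raw, &tx); err != nil {
		return "", fmt.Errorf("bad transaction: %w", err)
	}
	// The offline device checks the request itself: a compromised online phone
	// can hand it a transaction but cannot alter what the device signs unseen.
	if tx.ChainID != c.chainID {
		return "", fmt.Errorf("refusing to sign for chain %q", tx.ChainID)
	}
	if tx.To == "" || tx.Amount == 0 {
		return "", errors.New("refusing to sign an empty transfer")
	}
	sig := ed25519.Sign(c.priv, txDigest(tx))
	return base64.StdEncoding.EncodeToString(sig), nil
}

// HotApp is the online side: it talks to the network but holds only the public key.
type HotApp struct{ pub ed25519.PublicKey }

// BuildQR serialises the unsigned transaction for display as a QR code.
func (h *HotApp) BuildQR(tx UnsignedTx) string {
	b, _ := json.Marshal(tx)
	return base64.StdEncoding.EncodeToString(b)
}

// Assemble checks the returned signature against the wallet's public key before
// the app would broadcast; a signature over a different transaction is rejected.
func (h *HotApp) Assemble(tx UnsignedTx, sigQR string) ([]byte, error) {
	sig, err := base64.StdEncoding.DecodeString(sigQR)
	if err != nil {
		return nil, fmt.Errorf("bad signature payload: %w", err)
	}
	if !ed25519.Verify(h.pub, txDigest(tx), sig) {
		return nil, errors.New("signature does not verify against wallet key")
	}
	return sig, nil
}
```

A real device would also show the decoded destination and amount on its own screen for the user to confirm before signing; that step is left out here because it has no testable return value.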
