Blockchain technology is an exciting new technology with a great deal of potential. With this potential comes the need to explore the security of this new technology. There has been a great deal of work in this space; however, no comprehensive threat model exists that classifies all potential threats and attack vectors within the blockchain ecosystem. When discussing potential security threats to a system and attempting to analyze whether a system is secure by design, it is extremely useful to have a framework for classifying known attacks and pointing out ones that may have been overlooked. In this post, blockchain security threats are mapped to STRIDE, a well-known threat model developed by Microsoft, to create an effective threat model for the blockchain.
STRIDE and the Blockchain
The STRIDE framework was developed by Microsoft to help in threat modeling. Each letter in the STRIDE acronym refers to one of the most common threats in cybersecurity:
Spoofing: Spoofing refers to the ability of the attacker to masquerade as another on the system.
Tampering: Tampering attacks violate the integrity of the data stored on the protected system.
Repudiation: Repudiation is the ability of a user to deny that they have taken a certain action.
Information Disclosure: Breaches of confidentiality fall under information disclosure.
Denial of Service: Denial of service attacks degrade or remove the availability of the system to its legitimate users.
Elevated Privileges: If a user manages to gain unauthorized levels of control over the system, this is a privilege escalation attack.
In the context of the blockchain, we can break up elevated privileges based upon whether the attacker has unauthorized access to a user’s account, an elevated level of control over the blockchain system (e.g. in a 51% attack), or unauthorized permissioned access to a smart contract.
The STRIDE framework is useful for defining the potential effects that certain vulnerabilities or attacks can have on the security of a system. However, blockchain systems are a complete environment, including everything from the cryptographic primitives that underpin their security to the smart contracts that extend the functionality of the blockchain system.
In order to have a meaningful discussion about a blockchain threat model, it’s useful to break up the blockchain ecosystem into its various levels. For the purposes of this post, the following breakdown is used:
Fundamentals: The underlying components used to build the blockchain.
Cryptographic Primitives: The hash functions and public key cryptography used to ensure data integrity and provide user authentication.
Data Structures: The structure of the blocks used to store transaction data and the hash functions used to chain them together.
Protocols: The definitions of how blockchain nodes should interact when working to maintain the shared distributed ledger.
Consensus: The consensus algorithm defines how the blockchain is updated in a decentralized fashion.
Block Creation: The block creation process defines how the selected block creator creates new blocks and ensures their validity.
Infrastructure: The nodes that work to maintain the distributed ledger and the network that they use to communicate.
Nodes: Computers running the blockchain software and maintaining a copy of the distributed ledger.
Network: The underlying network that the nodes use to communicate and the protocols that define how communications occur within the blockchain ecosystem.
Advanced: Many blockchain solutions do not limit themselves to the basic blockchain protocol defined in the Bitcoin whitepaper. These advanced components are an important part of these blockchains’ security and their threat model.
Smart Contracts: Smart contracts allow third-party code to be uploaded to and executed on the distributed ledger.
Blockchain Extensions: The basic blockchain technology can be extended by systems built either on top of it (state channels, side chains, etc.) or through connections to external systems via APIs.
With the STRIDE threat model and the framework of the blockchain ecosystem, we have what we need to begin threat modeling for the blockchain.
Blockchain Threat Modeling
The blockchain threat model is presented below. Using the STRIDE model and the levels of the blockchain ecosystem, it is possible to classify each attack vector based upon its potential effects. For each component of the blockchain ecosystem, the attacks are grouped under the STRIDE category they affect, and each attack vector is followed by a description of how that particular effect can be accomplished by that attack.
The STRIDE categories used in the model, with the security property each one protects:
- Spoofing (Authenticity)
- Tampering (Integrity)
- Repudiation (Non-Repudiation)
- Information Disclosure (Confidentiality)
- Denial of Service
- Elevated Privileges (Privilege Escalation), divided by the scope of the access gained:
  - Account: Attacker has unauthorized access to a blockchain account.
  - Blockchain: Attacker has an unauthorized level of control over the blockchain.
  - Smart Contract: Attacker has unauthorized access to protected smart contract functionality.
Fundamentals
Blockchain is based upon cryptographic primitives and the block and chain data structures.

Cryptographic Primitives: Hash functions and public key cryptography are essential to access control and data integrity on the blockchain.
- Spoofing
  - Private Key: Compromising a user's private key allows an attacker to generate transactions on their behalf.
  - Phishing: Phishing emails can be used to steal private keys, which allows the attacker to masquerade as a legitimate user.
  - Shor's Algorithm: Shor's algorithm breaks traditional asymmetric cryptography, allowing an attacker to forge digital signatures on transactions and blocks.
- Tampering
  - Grover's Algorithm: Grover's algorithm decreases the security of hash functions, making it easier for an attacker to find collisions and break blockchain immutability.
- Information Disclosure
  - Private Key: Compromising a user's private key allows an attacker to read any encrypted data meant for them.
  - Shor's Algorithm: Shor's algorithm breaks traditional asymmetric cryptography, allowing an attacker to decrypt encrypted messages.
- Elevated Privileges (Account)
  - Private Key: Compromising a user's private key gives an attacker unauthorized access to their account.
  - Shor's Algorithm: Shor's algorithm breaks traditional asymmetric cryptography, allowing an attacker to guess a user's private key and access their account.
Data Structure: Blockchain has defined formats for transactions and blocks. Vulnerabilities in these data structures or in how they are processed can impact blockchain security.
- Tampering
  - Transaction Malleability: The hash of a transaction depends upon the transaction's digital signature. This can be regenerated by the original signer, creating an identical transaction with a different hash.
Protocol
Blockchain protocols like consensus algorithms and the block creation process codify how the network interacts and maintains a decentralized, distributed ledger.

Consensus: The blockchain consensus algorithm defines how the blockchain is updated in a decentralized fashion.
- Tampering
  - 51%: A 51% attack allows the attacker to rewrite the history of the blockchain, breaking its integrity.
  - Long-Range: In a long-range attack, the attacker generates a conflicting version of a Proof of Stake blockchain and gets it accepted, breaking the integrity of the distributed ledger.
  - Nothing at Stake: In a Nothing at Stake attack, a Proof of Stake block forger signs two conflicting versions of the blockchain.
- Repudiation
  - 51%: In a 51% attack, the attacker rewrites the history of the blockchain, allowing them to deny that past transactions are part of the official ledger.
  - Long-Range: In a long-range attack, the attacker rewrites the history of the blockchain, allowing them to deny that past transactions are part of the official ledger.
- Denial of Service
  - 51%: A 51% attacker controls the blockchain and can refuse to add transactions to it, performing a DoS attack against its users.
  - Artificial Difficulty Increases: If an attacker suddenly withdraws a large percentage of a Proof of Stake network's mining resources, the block difficulty target is too high for the remaining nodes. Since blocks cannot be found at the desired block rate, this implements a DoS attack.
  - Long-Range: A long-range attacker controls the blockchain and can refuse to add transactions to it, performing a DoS attack against its users.
- Elevated Privileges (Blockchain)
  - 51%: A 51% attack gives the attacker control of the distributed ledger.
  - Long-Range: A long-range attack gives the attacker control of the distributed ledger.
  - Selfish Mining: Selfish mining allows the attacker to create more blocks than their percentage of mining power should allow. This increases their level of control over the distributed ledger.
  - SPV Mining: SPV mining allows the attacker to create more blocks than their percentage of mining power should allow. This increases their level of control over the distributed ledger.
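As an added example (not from the original post), a simulation of the selfish mining strategy listed under Consensus above, with the closed-form block share from Eyal and Sirer's "Majority is not Enough" (2014) for comparison: it shows the attacker's share of main-chain blocks exceeding its share of mining power above the profitability threshold and falling below it underneath. The parameters alpha, gamma, rounds and seed are constructed values, and gamma models how much of the honest network builds on the attacker's block during a tie.

```python
import random

def expected_share(alpha, gamma):
    # Closed-form long-run share of main-chain blocks for a selfish miner (Eyal and Sirer, 2014).
    # alpha: attacker's fraction of mining power; gamma: fraction of honest power that mines
    # on the attacker's block when two equal-height tips are public.
    num = alpha * (1 - alpha) ** 2 * (4 * alpha + gamma * (1 - 2 * alpha)) - alpha ** 3
    return num / (1 - alpha * (1 + (2 - alpha) * alpha))

def profit_threshold(gamma):
    # Smallest alpha at which withholding blocks beats honest mining.
    return (1 - gamma) / (3 - 2 * gamma)

def simulate(alpha, gamma, rounds=200_000, seed=1, withhold=True):
    """Attacker's share of main-chain blocks after `rounds` block finds.
    withhold=False makes the attacker publish every block at once (honest baseline)."""
    rng = random.Random(seed)              # seeded so the run is reproducible
    att = hon = 0                          # main-chain blocks credited to each side
    lead, tie = 0, False                   # private lead; tie = race between two public tips
    for _ in range(rounds):
        if rng.random() < alpha:           # attacker finds the next block
            if not withhold: att += 1
            elif tie: att, lead, tie = att + 2, 0, False  # extends own tip, wins both blocks
            else: lead += 1                # keeps the block private
        elif tie:                          # an honest block ends the race
            if rng.random() < gamma: att, hon = att + 1, hon + 1  # built on attacker's tip
            else: hon += 2                 # built on the honest tip, attacker's block orphaned
            tie = False
        elif lead == 0: hon += 1           # nothing private, the honest block stands
        elif lead == 1: lead, tie = 0, True           # attacker reveals its block: 1 vs 1 race
        elif lead == 2: att, lead = att + 2, 0        # reveals both, honest block is orphaned
        else: att, lead = att + 1, lead - 1           # reveals one block and stays ahead
    return att / (att + hon)
```

Comparing simulate(alpha, gamma) with alpha itself is the check a network designer wants: any gap is block share the attacker gains beyond its resources, which is the privilege escalation the table describes.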
Block Creation: The block creation process defines how the selected block creator creates new blocks and ensures their validity.
- Tampering
  - Frontrunning: Blockchains publish transactions to the entire network before adding them to the distributed ledger. An attacker who sees a transaction can create a competing one with a higher transaction fee so that it is processed before the transaction that was created first.
- Denial of Service
  - Transaction Flooding: By flooding the blockchain network with spam transactions, an attacker uses up the blockchain's capacity, delaying the addition of other blocks to the ledger. Also, any spam transactions that are included in the ledger are retained forever, consuming storage and processing resources on the nodes.
- Elevated Privileges (Blockchain)
  - SPV Mining: SPV mining allows the attacker to create more blocks than their percentage of mining power should allow. This increases their level of control over the distributed ledger.
Infrastructure
Blockchain infrastructure consists of the endpoints running blockchain software and the network that connects them.

Nodes: Exploitation of the computers running the blockchain software.
- Spoofing
  - Malware: Malware can be used to steal private keys, which allows the attacker to masquerade as a legitimate user.
- Tampering
  - Malware: Malware can be used to perform eclipse and routing attacks. It can also be used to steal private keys, allowing the attacker to create fake transactions on the user's behalf.
- Information Disclosure
  - Malware: Malware can be used to intercept communications or steal private keys, allowing an attacker to view private or permissioned data without authorization.
- Denial of Service
  - Failure to Update: Failing to update blockchain software could mean that a user does not follow a hard fork and cannot access the blockchain.
  - Malware: Malware on a user's computer can impede access to the blockchain at a variety of levels, including filtering or blocking traffic and terminating blockchain processes. This both denies access to the user and degrades the efficiency of the blockchain, since the user cannot contribute to block creation.
- Elevated Privileges (Blockchain)
  - MSP Misconfig: A misconfigured Membership Services Provider (MSP) could allow an attacker to grant themselves unauthorized permissions on the blockchain.
Network: The blockchain runs on traditional networking. Attacking this network can impact the security of the blockchain.
- Tampering
  - Eclipse/Routing: Eclipse and routing attacks rely on isolating users, which can be accomplished by attacking the network level. An attacker can perform double-spends against users in different isolated pieces of an eclipsed network.
  - Network Design: A poorly designed network can enable an eclipse or routing attack by limiting the number of connections between different groups of users in the network. Overwhelming communication links can also essentially isolate different portions of the network.
- Information Disclosure
  - Network Design: If a private or permissioned blockchain relies on the security of the underlying network to manage access, an attacker may be able to gain visibility by compromising network components (routers, etc.).
- Denial of Service
  - Eclipse/Routing: Eclipse and routing attacks can be performed at the network level by destroying or filtering communication links. Isolating portions of the network from one another decreases the block rate and causes the shorter chain to be discarded when the network reconnects.
  - Network Design: A poorly designed network may not be capable of managing the overhead necessary for a blockchain system, so bandwidth limitations could impact functionality.
  - Physical Attacks: An attacker physically severing communication links or tampering with devices (routers, etc.) could cause the functionality of the blockchain solution to be degraded.
  - PoS DoS: A Denial of Service attack against the legitimate block creator in a Proof of Stake blockchain means that an opportunity to create a block may be missed. This decreases the efficiency and capacity of the blockchain.
  - MSP DoS: A Denial of Service attack against a Membership Services Provider (MSP) may deny legitimate users access to the blockchain system.
- Elevated Privileges (Blockchain)
  - Eclipse/Routing: An eclipse or routing attack allows an attacker to corrupt a user's view of the blockchain and get them to act in the attacker's interests. This can give the attacker a level of control over the blockchain greater than they should have based on their percentage of the scarce resource (computational power, stake, etc.).
Advanced
The basic blockchain protocol has been extended by the creation of smart contract platforms and by allowing connections to external software and devices through APIs.

Smart Contracts: Smart contracts extend the functionality of the basic blockchain protocol by allowing third-party code to run on the distributed ledger.
- Spoofing
  - Delegatecall: Delegatecall allows a smart contract to run in the scope of another smart contract. This can give the attacker unauthorized access to protected functionality within the smart contract.
- Tampering
  - Arithmetic: Integer overflow and underflow vulnerabilities can be exploited to bypass checks on transactions and other protected operations, allowing the attacker to perform unauthorized actions.
  - Bad Randomness: Generating strong randomness is difficult in smart contracts, making it possible for attackers to cause smart contracts to take unanticipated actions.
  - Reentrancy: Reentrancy vulnerabilities allow malicious smart contracts to force vulnerable ones to take unauthorized actions.
  - Short Addresses: Short address vulnerabilities trick vulnerable smart contracts into performing transactions with a greater amount of value than was authorized.
  - Timestamp Dependence: Some smart contracts are designed to take action before or after a specific time. Since time on the blockchain is flexible and dependent on block creators, a malicious block creator can force unanticipated behavior.
  - Unchecked Returns: In Ethereum, some low-level functions throw an exception on failure while others return false and continue running. Failing to check return values may cause a smart contract to continue executing after an unexpected failure.
- Denial of Service
  - Access Control: Some smart contracts have protected kill switches. A failure in controlling access to these functions can allow a DoS attack against these contracts.
  - Out of Gas: Ethereum limits the amount of gas that a transaction can use. Forcing a smart contract into a state where it needs more gas than the limit to run can make it incapable of running.
- Elevated Privileges (Smart Contract)
  - Access Control: Poor management of access control within a smart contract can give an attacker elevated privileges within the contract.
  - Delegatecall: The use of delegatecall allows a called smart contract to run code with the privileges of the calling smart contract.
Blockchain Extensions: Blockchain extensions build on top of the blockchain protocol (like state channels and side chains) or connect blockchains to external software via APIs.
- Spoofing
  - Insecure APIs: Exploitation of external software or hardware with access to a blockchain account may allow an attacker to perform actions masquerading as that account's owner.
- Elevated Privileges (Account)
  - Insecure APIs: Exploitation of external software or hardware with access to a blockchain account may allow an attacker to gain access to protected functionality available to that account's owner.
This blockchain threat model represents my personal attempt to classify the currently known attack vectors against blockchain systems and is designed to be a constant work in progress as new attack vectors are discovered against blockchain systems. I plan to continue to update and refine this model and would appreciate any comments or input.