Hacking Substrate with Chaos Pallet

Introduction

If you have followed the QRUCIAL workshops at Polkadot Hungary meetups, you already know how to prepare a development environment for Substrate and how to compile your own version. Security is crucial (pun intended) for any serious project, and in this tutorial we show you how to security test your own Substrate system using Chaos Pallet.
This blog post assumes you run Linux and understand the basic concepts of blockchain, consensus, pallets and the Substrate architecture. If you are not familiar with these yet, read through the linked resources and come back when you are ready for hacking!

Threat model

Before getting engaged in any security assessment, it is important to have a look at the threat model. You can use these three questions in most scenarios.

What do we want to protect?
– The Substrate network we create (attack vectors are covered in ChaosScope’s README).

What are the goals of the protection?
– Confidentiality (cryptographic keys are sufficiently secure and stored securely)
– Integrity (data is consistent, blockchain is immutable, block generation is sufficiently secure)
– Availability (users can access and use the network efficiently)
This is called the CIA triad.

Who are the threat actors?
– Attackers sending requests from outside (e.g. Extrinsics)

How many resources do we want to spend on the security assessment and protection?
– In this tutorial, we spend 1 hour on the testing, since we are focusing on the learning process, and 1 or more hours analysing the findings and researching protections.

If you’d like to learn more about Threat Modeling, you can use NIST resources or contact us.

Testing with ChaosScope

“Chaoscope makes Substrate Runtimes behave in ways that they’re not supposed to…”
– What does this mean? ChaosScope uses subxt to inject requests; more precisely, it injects extrinsics, aka transactions. We attack the Substrate system through the Chaos pallet or through the PolkadotJS web interface, as if we were coming from an external point of view (here we also treat the nodes as external to each other, since each of them is an individual part of the whole network).

We are using a forked repository in this tutorial, as we do not know which Linux system you are using and what is installed on it. The original ChaosScope repo does not include dependency checks and might mess up your Substrate setup, so it was forked, and in this tutorial we use that fork. You need all the tools installed that are needed to compile Substrate. ChaosScope should work on Kali, Fedora, Ubuntu and Arch systems.

The following commands are used from your choice of terminal to compile and start the base Substrate system with Chaos Pallet included.

git clone https://github.com/smilingSix/chaoscope
cd chaosscope
bash chaosscope.sh

You should see the following if everything works as expected.

What is happening now? Your Substrate node has started and chaos is being created. You can also check your local listening network ports and filter the output using grep or egrep:
netstat -tunlp | egrep 'node|substrate'

The part “0.0.0.0:30333” means anyone can connect to port 30333 of our Substrate node (unless it is firewalled). The “127.0.0.1:9944” entry means this port (you should also see ports 9933 and 9615) is listening only locally, reachable only through direct access from your machine. If you want to learn more about networking on Linux, you can read the “Learn the networking basics” guide.
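To turn the port check above into something repeatable, here is an added example (not part of ChaosScope or Substrate) that parses netstat-style output and classifies each listener as publicly reachable or local-only. The sample output embedded in the block is constructed to mirror what the grep above shows for node-template; the PID is a placeholder.

```rust
// Added example: classify a node's listening sockets from netstat-style output.
// Not part of ChaosScope or Substrate; SAMPLE below is constructed to mirror
// what `netstat -tunlp | egrep 'node|substrate'` shows for node-template.

#[derive(Debug, PartialEq, Eq, Clone, Copy)]
pub enum Exposure {
    /// Bound to a wildcard address: reachable from any host unless firewalled.
    Public,
    /// Bound to loopback: reachable only from this machine.
    LocalOnly,
    /// Bound to a specific interface address.
    Other,
}

#[derive(Debug, PartialEq, Eq)]
pub struct Listener {
    pub proto: String,
    pub port: u16,
    pub exposure: Exposure,
    pub process: String,
}

/// Map the host part of the "Local Address" column to an exposure class.
pub fn classify_bind(host: &str) -> Exposure {
    match host {
        "0.0.0.0" | "::" | "*" => Exposure::Public,
        "127.0.0.1" | "::1" | "localhost" => Exposure::LocalOnly,
        _ => Exposure::Other,
    }
}

/// Parse `netstat -tunlp` lines. Banner and header lines are skipped; udp rows
/// lack the State column, so only the first four columns and the last one
/// (PID/Program name) are relied on.
pub fn parse_netstat(output: &str) -> Vec<Listener> {
    output
        .lines()
        .filter_map(|line| {
            let cols: Vec<&str> = line.split_whitespace().collect();
            if cols.len() < 6 || !(cols[0].starts_with("tcp") || cols[0].starts_with("udp")) {
                return None;
            }
            // rsplit_once handles IPv6 such as ":::30333" -> host "::", port "30333".
            let (host, port) = cols[3].rsplit_once(':')?;
            let port: u16 = port.parse().ok()?;
            Some(Listener {
                proto: cols[0].to_string(),
                port,
                exposure: classify_bind(host),
                process: cols[cols.len() - 1].to_string(),
            })
        })
        .collect()
}

/// Ports any remote host could reach (sorted, de-duplicated across tcp/tcp6).
pub fn public_ports(output: &str) -> Vec<u16> {
    let mut ports: Vec<u16> = parse_netstat(output)
        .into_iter()
        .filter(|l| l.exposure == Exposure::Public)
        .map(|l| l.port)
        .collect();
    ports.sort_unstable();
    ports.dedup();
    ports
}

/// Constructed sample output; PID 12345 is a placeholder.
pub const SAMPLE: &str = "\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:30333           0.0.0.0:*               LISTEN      12345/node-template
tcp        0      0 127.0.0.1:9944          0.0.0.0:*               LISTEN      12345/node-template
tcp        0      0 127.0.0.1:9933          0.0.0.0:*               LISTEN      12345/node-template
tcp        0      0 127.0.0.1:9615          0.0.0.0:*               LISTEN      12345/node-template
tcp6       0      0 :::30333                :::*                    LISTEN      12345/node-template
";

fn main() {
    for l in parse_netstat(SAMPLE) {
        println!("{:<5} {:>5} {:?} {}", l.proto, l.port, l.exposure, l.process);
    }
    println!("publicly reachable ports: {:?}", public_ports(SAMPLE));
}
```

Piping real `netstat -tunlp` output into `parse_netstat` gives you a quick inventory of which of the node's ports (p2p on 30333, RPC/WS on 9933/9944, metrics on 9615) are exposed beyond localhost, which is exactly the surface the extrinsic-injection tests below reach.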

Also, you can attach to the screen that was started by the script we just ran.

screen -ls # List running screen sessions
screen -r  # Reattach to the session

Now, it is time for some visualization and a closer look at what is happening inside our Substrate system.

– Open Polkadot JS app
– Switch to the local development network (click “Switch”):

– You can skip this step if you are ok with the default development accounts:
– Alternatively, install the Polkadot.js extension for interacting with your running node and also to monitor what is happening.
– After installation, create your first account. Here is the official guide if you need help with it.

– Now, try to make a transaction from Polkadot JS app and see if it works.

– Meanwhile, if you wait long enough, you will see your Substrate node going down:

– Time to restart the whole thing and play with the attacks.
killall node-template # Stop all processes that are called node-template
substrate-node-chaos/target/release/node-template # Start the Substrate Node

– You can call the attack binaries separately.
./target/release/chaoscope -h # Use help on what you can do with this tool
./target/release/chaoscope overflow-adder -n 10000000 # Example

– You can also send extrinsics manually through the PolkadotJS app under the Developer -> Extrinsics menu. We recommend checking out all the possibilities and exploring this tool as well. There are many ways to break a system.

– Have fun hacking! 👾👾👾

Evaluating chaos aka results and fixing issues

– What have you found? Which ways could you break your own running Substrate network?
– Using the findings, now we can also write an exploit that targets Substrate nodes. How? Maybe in another blog post… 😉
– Note 1: You can monitor logs from your Substrate node (log to a file or watch stdout)
– Note 2: For issues found in Rust, refer to the “Rust security guidelines” article
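As an added example of the "fixing issues" step (not ChaosScope or Substrate code), the block below models a pallet storage counter with an "adder" dispatchable, first in the unchecked form that an overflow test of the kind run above exposes, then with the checked arithmetic that rejects the call instead of corrupting state. `Runtime`, `DispatchError` and the method names are hypothetical stand-ins for FRAME storage and dispatch types; the call batch is constructed.

```rust
// Added example, not ChaosScope or Substrate code: a minimal stand-in for a
// pallet storage counter and an "adder" dispatchable, showing unchecked
// arithmetic next to the checked fix. Names here are hypothetical.

#[derive(Debug, PartialEq, Eq)]
pub enum DispatchError {
    /// The call would overflow the counter; reject it instead of corrupting state.
    Overflow,
}

/// Stand-in for a pallet's StorageValue<u32>.
#[derive(Debug, Default)]
pub struct Runtime {
    pub counter: u32,
}

impl Runtime {
    /// Vulnerable dispatchable. With plain `+`, Rust panics under debug
    /// assertions (aborting execution of the block) and wraps when overflow
    /// checks are off (silently corrupting state). The wrap is modelled
    /// explicitly so the example behaves the same in every build profile.
    pub fn adder_unchecked(&mut self, n: u32) {
        self.counter = self.counter.wrapping_add(n);
    }

    /// Hardened dispatchable: checked arithmetic, an error returned to the
    /// caller, and storage left untouched on failure.
    pub fn adder_checked(&mut self, n: u32) -> Result<(), DispatchError> {
        let next = self.counter.checked_add(n).ok_or(DispatchError::Overflow)?;
        self.counter = next;
        Ok(())
    }
}

/// Replay one batch of call values (e.g. what an injection tool sends)
/// against both versions. Returns (final counter, rejected calls) per version.
pub fn replay(calls: &[u32]) -> ((u32, usize), (u32, usize)) {
    let mut vulnerable = Runtime::default();
    for &n in calls {
        vulnerable.adder_unchecked(n);
    }

    let mut hardened = Runtime::default();
    let rejected = calls
        .iter()
        .filter(|&&n| hardened.adder_checked(n).is_err())
        .count();

    ((vulnerable.counter, 0), (hardened.counter, rejected))
}

fn main() {
    // Constructed batch: the second call pushes the counter past u32::MAX.
    let calls = [u32::MAX - 5, 10, 3];
    let (vuln, hard) = replay(&calls);
    println!("unchecked: counter={} (wrapped around)", vuln.0);
    println!("checked:   counter={} rejected={}", hard.0, hard.1);
}
```

The unchecked replay ends with a small counter value that bears no relation to what was deposited, while the checked version keeps the last valid state and reports exactly which call it refused; when you find such a case in your own pallet, the fix is the same `checked_*` / `ok_or(Error)` pattern.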

Conclusion

We have added a pallet to our Substrate system which helps us uncover different kinds of vulnerabilities (e.g. DoS, overflows, economic attacks, etc.). Tests were limited to a single node, and that clearly shows why a standalone system is weak and why high-capacity nodes are required to secure a blockchain system.
Also, we are sure that if you have followed this blog post through, you have learned a lot. If you have questions, you can ask them in a 1337 Matrix group (info below, you need to hack in) or send us a message on QRUCIAL Twitter.

How to get into the matrix group: you need to know ALICE’s secret seed and use it as a passphrase for that:

-----BEGIN PGP MESSAGE-----
jA0ECQMC2AmpZeteyHT/0msBDZHMQ+hZWPLPicCmyF5O1zzbf8ancHlmGJAsEMv8
nKWiSz6aDZkSMjjMFy13xrL66Z0Ycd0znre6yoBeffbB7AMb3Z460JhWrRrFefL2
NKacdmy2HqlAbBct24WKKfhZ8x8vMTcqSdCBHA==
=di7R
-----END PGP MESSAGE-----