DEF CON 30

author: Nathan Acks
date: 2022-08-14

Today’s the last day of DEF CON 30. I’m planning on spending most of my time in the Lockpicking, Physical Security, Packet Hacking, and IoT villages today, so not too many notes.

Solana JIT

Solana smart contracts support more languages than just Rust, including C, C++, etc. Rust is the most common choice, however.

In Solana, only a single “leader” node computes the next chain state. Other nodes verify that the hash of this state is good; the “leader” node rotates with every transaction.

The Solana smart contract (“JIT”) compiler outputs eBPF ELF bytecode - the same code used by the Linux kernel for packet filtering.

eBPF runs on a simple 64-bit RISC VM; Solana uses some custom memory mapping that makes its implementation different from that of the Linux kernel.

eBPF code is uploaded directly to the Solana blockchain. Code is executed in a stateless fashion; global variables are not allowed.

The VM that runs this eBPF bytecode is not particularly safe, per Solana’s own notes.

One result of this work was a Solana-specific eBPF loader for Ghidra!

Solana smart contracts do not support verifiable builds in the same way that Ethereum does.

When fuzzing, what you’re really looking for is SEGFAULTs, as these are likely vulnerabilities. You should definitely not get SEGFAULTs from VMs.

Note that by default eBPF purposefully introduces randomness into program execution. So when fuzzing eBPF bytecode, this functionality needs to be disabled in order to ensure reproducibility.

Also, make sure you aren’t fuzzing with ASLR turned on!

It turns out, however, that the Solana VM contains a “verifier” process that prevents SEGFAULTs from impacting the host system. (Not entirely clear how this works.)

It turns out that Solana has since invested a lot of effort in adding fuzzing capabilities to their JIT compiler and associated VM; at this point, none of the bugs discovered here are exploitable, and the Solana VM is much more locked-down.

DEF CON Closing Ceremonies

Wow, DEF CON attendees really don’t like the press…

Apparently sexual harassment incidents were up this year…

A smaller number of press this year relative to pre-COVID times, though more than last year. almost 50% of the press this year were “non-traditional” (YouTubers, etc.).

Network infrastructure: Cisco switches + Aruba access points, with custom FreeBSD-based firewalls.

14.2 TB of traffic to the Internet total this year - that’s more than any previous DEF CON.

WPA3 systems were only fully supported for Linux-based systems (this aligns with my experience - I could not get my iOS/iPadOS devices to connect to that network).

Apparently no attendees from China were able to make it this year, which is why there was a special feed for China.

DEF CON actually provides feedback (on request) to all rejected speakers.

The Data Duplication Village is starting to (anecdotally) notice that external drives older than 5 years are seeing a significant failure rate.

DEF CON 31 will be at Cesar’s Forum again from August 10 - 13, 2023.