Recently, the “Private Board Meeting on Blockchain Deep Learning” was held in Wanxiang Blockchain Laboratory, and Feng Xiao, Qian Chen and Feng Wang attended the conference. Security Chain Global Eco Development Officer Mingo Chin, who is among the first wave of hackers and expert on leading the building a new Blockchain security attack and defense system in China, was invited to give a keynote speech on “Blockchain security and hacker countermeasures”. He pointed out that the current Blockchain security is determined by its weakest link. Even if the Blockchain is safe., there may be loopholes in smart contracts, exchanges, wallets, and mining pools, which will not form a security loop. The existing security companies can only provide the most basic intelligent contract auditing and vulnerability scanning, which is far from the underlying protection. Security Chain is building a secure public chain + global node community through Blockchain thinking, and implementing a decentralized security ecosystem in a step-by-step manner.
Above is the summary, and the following is the selected content of this meeting.
Host: If the current Blockchain industry is in its initial phase, and Blockchain security has been very hot recently. What do you think about it?
Mingo: I think the current Blockchain situation is very similar to the beginning of the Internet, and it is also the starting state of an industry. The number of participants is extremely small, the early products are chaotic, and the participants have a high degree of belief.
The current Blockchain security is still at a fairly early stage, such as the 360EOS event, which is a watershed. Everyone notices that in addition to the theft of digital assets on the exchange, there are other security issues that will affect currency price fluctuations. It can be said that the era of cultivating people with digital assets is coming, and people’s attention to the security will be unprecedented.
However, the Blockchain is a fairly new area, and traditional security solutions are not rapidly updated for the industry. After this incident, many security organizations have emerged to promote the development of the Blockchain security ecosystem. More and more projects have raised the level of attention and investment in safety.
Host: So a large number of Blockchain security projects have emerged and become the target of many well-known investment institutions. I heard that many well-known exchanges and public chains are also investing in this field. And Security Chain has deployed security labs around the world. So what are the latest trends that you’d like to share with us?
Mingo: Yes, there is an evident increase in the the investment in Blockchain security projects in the first half of 2017. But the majority business is still centralized security related. The business mainly focuses on the smart contracts and vulnerability platforms.
Our team has always been doing basic system security research, mainly focusing on trusted computing. Our community overseas has been leading the development of world security technology. Formal Verification and Trusted Computing are two world-wide security thinking systems in the Blockchain. These two systems have been developed at home and abroad for many years, one for code (source) and the other for bottom layer (architecture). Our project is more like the latter.
Our Security Chain began to focus on the needs of this field in the last year, and have transferred many previous research results to Blockchain applications in the first half of this year. The solution to the underlying security of the system is going to be released as the Blockchain trusted framewok security solution.
At the same time, under the continuous influence of all parties, more excellent security engineers and white hats can be attracted to research on Blockchain security technology.
We have three systems: security components, secure block systems and security public chains.
A decentralized secure network and secure public chain consist of security nodes will create a new technology and business model and was born in the world’s first balanced and independent security network. At the same time, we pioneered the chain-chain model in technology, integrating the security node into the ecological chain of the public chain, and decentralized security defense system. We opened up the resources of all people to participate in security capacity building, and a global block of security personnel could participate in the construction of a Blockchain operating system. This system includes, but is not limited to, security components and nodes for vulnerability scanning, asset management, honeypots, traffic cleaning, etc., simply opening the door to a closed security world. The Blockchain technology gives us a starting point for rebuilding this secure network. We will upgrading the exsiting Blockchain security by using the basic Blockchain technology including the innovative consensus, multiple cryptography, node identity authentication, etc. and Security Chain’s original trusted hardening solution, node remote security authentication, the world’s leading dynamic defense vulnerability mechanism, security identity authentication system, etc. We promote safety and change the production relationship of the safety industry with the operation mode of pure Blockchain.
Host: I heard that you were a geek, you have organized a global hacker community before, and Blockchain security should be handy for your team. The current public concerns about wallets and exchange loopholes, what’s your solution?
Mingo: For the hardware wallet, I believe everyone knows that this is the case for both exchanges and major depositors. At the hardware level, we use the PaX/Grsecurity feature to strengthen the kernel security. When the kernel is running, we optimize the kernel through the form of kernel tuning greatly increases the difficulty of obtaining the highest administrative authority from the user space to enhance the permissions, making it more difficult for the attacker to obtain higher permissions and tuned the kernel through the vulnerability. We use non-CSM UEFI to establish firmware, bootloader and kernel signature verification chain, and properly use the trust chain established by password engineering to provide auxiliary support for system deep reinforcement and escort firmware security. We prevent bootloader (GRUB) tampering and kernel image, kernel module tampering, through integrity protection and signature verification protection, can effectively avoid the system from being tampered with in the startup process.
For the underlying (architecture), such as the recent exposure of the cold wallet vulnerability, our community developed a better solution. While everyone is sliently looking for vulnerabilities, we provide free solutions with open source. For example, on the public chain and nodes, the most simplified remote authentication process under the network architecture of the multi-chain network can be completed. At the same time, we conduct configuration customization and streghten of the application layer services, such as: selection of system password hash type, selection of Grub password hash type, selection of SSH-related Cipher Suite, selection of Apache/Nginx SSL/TLS related Cipher Suite, etc. We coordinate with constructing an entire trust chain which is comprehensive, reliable, efficient and convenient, from firmware, the bootloader to the kernel’s signature verification, to the business application layer. We prevent attacks by cryptographic algorithms destroys the confidentiality and integrity of data.