TY - GEN
T1 - Following the "Thread": Toward Finding Manipulatable Bottlenecks In Blockchain Clients
AU - Wu, Shuohan
AU - Li, Zihao
AU - Zhou, Hao
AU - Luo, Xiapu
AU - Li, Jianfeng
AU - Wang, Haoyu
N1 - Publisher Copyright:
© 2024 Owner/Author.
PY - 2024/9/11
Y1 - 2024/9/11
N2 - Blockchain clients are the fundamental element of the blockchain network, each keeping a copy of the blockchain's ledger. They play a crucial role in ensuring the network's decentralization, integrity, and stability. As complex software systems, blockchain clients are not exempt from bottlenecks. Some bottlenecks create new attack surfaces, where attackers deliberately overload these weak points to congest client's execution, thereby causing denial of service (DoS). We call them manipulatable bottlenecks. Existing research primarily focuses on a few such bottlenecks, and heavily relies on manual analysis. To the best of our knowledge, there has not been any study proposing a systematic approach to identify manipulatable bottlenecks in blockchain clients. To bridge the gap, this paper delves into the primary causes of bottlenecks in software, and develops a novel tool named ThreadNeck to monitor the symptoms that signal these issues during client runtime. ThreadNeck models the clients as a number of threads, delineating their inter-relationship to accurately characterize the client's behavior. Building on this, we can identify the suspicious bottlenecks and determine if they could be exploited by external attackers. After applying ThreadNeck to four mainstream clients developed in different programming languages, we totally discover 13 manipulatable bottlenecks, six of which are previously unknown.
AB - Blockchain clients are the fundamental element of the blockchain network, each keeping a copy of the blockchain's ledger. They play a crucial role in ensuring the network's decentralization, integrity, and stability. As complex software systems, blockchain clients are not exempt from bottlenecks. Some bottlenecks create new attack surfaces, where attackers deliberately overload these weak points to congest client's execution, thereby causing denial of service (DoS). We call them manipulatable bottlenecks. Existing research primarily focuses on a few such bottlenecks, and heavily relies on manual analysis. To the best of our knowledge, there has not been any study proposing a systematic approach to identify manipulatable bottlenecks in blockchain clients. To bridge the gap, this paper delves into the primary causes of bottlenecks in software, and develops a novel tool named ThreadNeck to monitor the symptoms that signal these issues during client runtime. ThreadNeck models the clients as a number of threads, delineating their inter-relationship to accurately characterize the client's behavior. Building on this, we can identify the suspicious bottlenecks and determine if they could be exploited by external attackers. After applying ThreadNeck to four mainstream clients developed in different programming languages, we totally discover 13 manipulatable bottlenecks, six of which are previously unknown.
KW - Blockchain
KW - Bottleneck
KW - DoS Attack
UR - http://www.scopus.com/inward/record.url?scp=85205530237&partnerID=8YFLogxK
U2 - 10.1145/3650212.3680372
DO - 10.1145/3650212.3680372
M3 - Conference article published in proceeding or book
AN - SCOPUS:85205530237
T3 - ISSTA 2024 - Proceedings of the 33rd ACM SIGSOFT International Symposium on Software Testing and Analysis
SP - 1440
EP - 1452
BT - ISSTA 2024 - Proceedings of the 33rd ACM SIGSOFT International Symposium on Software Testing and Analysis
A2 - Christakis, Maria
A2 - Pradel, Michael
PB - Association for Computing Machinery, Inc
T2 - 33rd ACM SIGSOFT International Symposium on Software Testing and Analysis, ISSTA 2024
Y2 - 16 September 2024 through 20 September 2024
ER -