Author: tewari

Security Analysis of Etheruem Smart Contracts with Mythril

Mythril is an open-source security analysis tool for EVM bytecode, courtesy of ConsenSys. It is also a component of their Security Analysis Service – Mythx. Mythril detects security vulnerabilities in smart contracts built for Ethereum and other EVM-compatible blockchains.

Vulnerabilities found by Mythril are reported with reference to the weaknesses listed on the Smart Contract Weakness Classification Registry (SWC Registry). I will use two entries from SWC Registry for the examples in this article:

  • SWC-106 – Due to missing or insufficient access controls, malicious parties can self-destruct the contract.
  • SWC-107 – One of the major dangers of calling external contracts is that they can take over the control flow. In the reentrancy attack (a.k.a. recursive call attack), a malicious contract calls back into the calling contract before the first invocation of the function is finished.

Install Mythril on Windows

> docker import mythril/myth

https://mythril-classic.readthedocs.io/en/master/installation.html

Get test files from github

Source code for these tests is on github : mythril-tests. Clone the repo locally and adjust the paths in the commands below to match your local environment.

Analyze a local smart contract

Analysis of SelfDestructMultiTxFeasible.sol

> docker run -v E:\share\:/data mythril/myth -v4 analyze /data/mythx-tests\05222022-25/SelfDestructMultiTxFeasible.sol

Mythril reports an instance of SWC-106 vulnerability:


Analysis of SimpleDAO.sol

> docker run -v E:\share\:/data mythril/myth -v4 analyze /data/mythx-tests\05222022-25/SimpleDAO.sol

Mythril reports three instances of SWC-107 and one instance of SWC-105:

Analysis of a flatenned contract file

File containing the two test contracts returns five instances of vulnerabilities of both contracts:

> docker run -v E:\share\:/data mythril/myth -v4 analyze /data/mythx-tests\05222022-25/flatenned-01.sol

Analyze a contract with imported contract

Most smart contracts import other contracts to reuse functionality. You do not have to flatten the contracts into one file. Mythril can work with contracts with imports specified in them : SimpleDAOWithImport.sol

> docker run -v E:\share\:/data mythril/myth -v4 analyze /data/mythx-tests\05222022-26/SimpleDAOWithImport.sol

Analyze a contract with @OpenZeppelin style import

Mythril relies on solc for compiling contract source code. For @OpenZeppelin style imports, you have to specify –solc-json file containing remapping for solc to locate the referenced files : SimpleDAOWith-OzImport.sol

> docker run -v E:\share\:/data mythril/myth -v4 analyze /data/mythx-tests\05222022-26/SimpleDAOWith-OzImport.sol –solc-json=/data/solc-args.json

Analyzing On-Chain Contracts

Mythril can analyze contracts deployed on the blockchain directly. You do not need source code of the contract. Support for infura is built-in, you can also use custom RPC endpoint. Replace INFURA_ID with your Infura project id and CONTACT_ADDRESS with the address of your contract on the blockchain :

> docker run mythril/myth -v4 analyze –rpc infura-rinkeby –infura-id INFURA_ID -a CONTACT_ADDRESS

KHEL Coin on Ethereum

KhelCoin (KHEL) is an ERC-20 token available on Ethereum blockchain. It is a Smart Contract created with Solidity, OpenZeppelin, Truffle, Ganache, Remix, web3.js and VSCode. It is currently available on Rinkeby test network. It will be launched on the Mainnet in the near future.

You can get KHEL coins from this website – KHEL Coin ICO

%KhelCoin The Game Coin Metamask is needed to view your balance or buy KHEL Coins Click here to download Metamask METAMASK

Head over to the ICO website. You will be prompted to install Metamask and connect to your account on Rinkeby testnet. Click on “Buy KHEL Coins” button to get your own coins!

Source code is on github – https://github.com/ashtewari/khelcoin

Puzzle Icon Credit: https://www.flaticon.com/free-icons/puzzle

Kusto Queries on AKS Clusters

Kusto query language can be used to get insights into Azure Kubernetes Service (AKS) clusters. Container insights collects data from AKS clusters and forwards it to Log Analytics workspace, if enabled for a cluster. This data is available for querying in the Azure Monitor. Here is an example of how you can query the pods not in running state in specific namespaces. 

KubePodInventory 
| where Namespace in ("dv","test","prod") 
| where ContainerStatus != "Running" 
| where ContainerStatusReason !in ("", "Completed") 
| distinct Namespace, Name
Run Time range : Last 24 hours E] Save v 14 Share v 1 2 3 4 5 KubePodInventory I where Namespaceän ('dv', 'test', 'prod') I where ContainerStatusu != "Running" I where ContainerStatusReasone ! in ('I", "Completed") I distinct Namespace, Name Results Chart @ Display time (UTC+OO:OO) v Columns v Completed. Showing results from the last 24 hours. > Namespace dv prod Y Name Y app2 app2

The following query includes the name of the AKS cluster and renders the output as a stacked bar chart.

KubePodInventory 
| where Namespace in ("dv","test","prod") 
| where ContainerStatus != "Running" 
| where ContainerStatusReason !in ("", "Completed") 
| distinct ClusterName, Namespace, Name 
| summarize dcount(Name) by ClusterName, Namespace 
| render columnchart kind=stacked100
Run Time range : Last 24 hours E] Save v 14 Share v + New alert rule Export v Pin to dashboard 1 2 3 4 5 6 7 8 KubePodInventory I where Namespace in ('dv', 'test', 'prod') I where ContainerStatus ! = "Running" I where ContainerStatusReason ! in ('I", "Completed") I distinct ClusterName, Namespace, Name summarize dcount(Name) by ClusterName, Namespace render columnchart kind=stacked100 Results Chart @ Display time (UTC+OO:OO) v Completed. Showing results from the last 24 hours. 00:00.7 2 records z o 100 50 dv O aksdemol ClusterName prod Activate Windows Go to Settings to activate Windows.

You can include multiple AKS clusters in the scope in which this query is executed by clicking on [Select scope] hyperlink.


Create an Azure Dashboard panel with this output by clicking on [Pin to dashboard] button.

AIG Demo v/ Private dashboard New dashboard v Auto refresh : Off Analytics rq-aksdashboard CD Refresh Full screen UTC Time : Past 24 hours aksdemol test 62 Edit Share Add filter ClusterName Download aksdem02 Clone e Assign z o 100 75 50 25 dv prod

You can also execute this Kusto query directly using powershell.

$workspaceName = "DefaultWorkspace-6637b095-xxxx-xxxx-xxxx-xxxxxxxxxxx-EUS" 
$workspaceRG = "defaultresourcegroup-eus" 
$WorkspaceID = (Get-AzOperationalInsightsWorkspace -Name $workspaceName -ResourceGroupName $workspaceRG).CustomerID 

$query = 'KubePodInventory | where Namespace in ("dv","test","prod") | where ContainerStatus != "Running" | where ContainerStatusReason !in ("", "Completed") | distinct ClusterName, Namespace, Name | summarize dcount(Name) by ClusterName, Namespace' 

$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceID -Query $query -Timespan (New-TimeSpan -days 1) 
$result.results

This allows you to include the results of your custom Kusto queries in any reports you might run using Azure Automation Runbooks.

PowerShell v Q) PS /home/ash> PS /home/ash> PS /home/ash> Q o PS /home/ash> $workspaceName "DefaultWorkspace-6637b095 PS / home/ash> $workspaceRG "defaultresourcegroup-eus" PS / home/ash> $WorkspaceID (Get-AzOperationa11nsightsWorkspace -Name $workspaceName -ResourceGroupName $workspaceRG) . CustomerID 'KubePodInventory I where Namespace in ("dv" , "test" , "prod") I where ContainerStatus ! = "Running" I where Container PS / home/ash> $query I distinct ClusterName, Namespace, Name I summarize dcount(Name) by ClusterName, Namespace' PS / home/ash> $result Invoke-AzOperationa11nsightsQuery -Workspaceld $WorkspaceID -Query $query -Timespan (New-TimeSpan -days 3) PS / home/ash> $result.results ClusterName Namespace dcount_Name aksdemol aksdemol aksdem02 dv prod test 1 1 1 PS / home/ash> PS / home/ash> PS /home/ash>

AKS – Adding SSH Keys to VMSS Nodes

You can connect to Azure Kubernetes Service (AKS) nodes using ssh. It is documented here: Connect with SSH to Azure Kubernetes Service (AKS) cluster nodes for maintenance or troubleshooting.

I needed to access nodes on the System node pool for collecting some logs recently, but the process documented above was not working for me. It turns out that there were two different issues, both related to adding your SSH keys to the nodes in a virtual machine scale set (VMSS).

This is the az cli command that adds the ssh keys to the VMSS:

az vmss extension set  \
    --resource-group $CLUSTER_RESOURCE_GROUP \
    --vmss-name $SCALE_SET_NAME \
    --name VMAccessForLinux \
    --publisher Microsoft.OSTCExtensions \
    --version 1.4 \
    --protected-settings "{\"username\":\"azureuser\", \"ssh_key\":\"$(cat ~/.ssh/id_rsa.pub)\"}"

I was running this command from powershell on a windows host. So, the first modification I needed was to escape the double quotes by doubling them. You can also use back ticks instead of doubling the double quotes.

az vmss extension set  \
    --resource-group $CLUSTER_RESOURCE_GROUP \
    --vmss-name $SCALE_SET_NAME \
    --name VMAccessForLinux \
    --publisher Microsoft.OSTCExtensions \
    --version 1.4 \
    --protected-settings "{\""username\"":\""azureuser\"", \""ssh_key\"":\""$(cat ~/.ssh/id_rsa.pub)\""}"

The second issue was due to the fact that ssh-keygen adds a comment to the id_rsa.pub file. By default, it adds username@hostname as the comment at the end of the file . Normally, this comment wouldn’t cause any problems, but in this case it was causing an error – “Invalid escape sequence \uXXXX”.

The problem was that my domain user name starts with character ‘u’ and “domain\userid1” was being interpreted as containing a unicode character “\useri” which is obviously not a valid unicode character. The workaround here is to either delete the comment from the id_rsa.pub file (it works just fine without it) or to override the default comment when generating the ssh key by specifying your own comment via -C command line option.

ssh-keygen -C mycomment

Finally, there is another way to execute az vmss extension set command to get around both of these issues by creating a json file and passing that as the value of –protected-settings argument. Here is how –

  • Create a json file, protected_settings.json, with the following content:
{
	"username" : "azureuser",
	"ssh_key" : "REPLACE_THIS_WITH_CONTENT_OF_ID_RSA_PUB_FILE"
}
  • Pass this file as the command line argument:
az vmss extension set  \
    --resource-group $CLUSTER_RESOURCE_GROUP \
    --vmss-name $SCALE_SET_NAME \
    --name VMAccessForLinux \
    --publisher Microsoft.OSTCExtensions \
    --version 1.4 \
    --protected-settings protected_settings.json

Works like a charm!

AKS Supported Kubernetes Versions

Azure Kubernetes Service (AKS) supports specific versions of Kubernetes.
It is necessary to regularly monitor the release of new versions and upgrade your AKS clusters to supported versions in order to remain in compliance with AKS Kubernetes Version Support Policy.

AKS announces the planned date of a new minor version release and corresponding old version deprecation via AKS Release notes at least 30 days prior to removal. An email notification is sent to the subscription administrators with the planned version removal dates. You get 30 days from version removal to upgrade to a supported minor version release. Patch versions can be released anytime and you get 30 days from the removal date to upgrade to a supported patch version.

You should test new target Kubernetes versions and upgrade your AKS clusters in a timely manner. For that, it is necessary to proactively monitor the AKS release notes. This can easily become a chore in a large Enterprise environment. Here is a Powershell script to make it easier to stay on top of Kubernetes version releases in AKS and publish/share it with others: Get-AksSupportedVersions.

$aksVersionsJson = az aks get-versions --location eastus

$aksVersions = $aksVersionsJson | ConvertFrom-Json
$aksVersions.orchestrators.upgrades.orchestratorVersion 

$data = $aksVersions.orchestrators | Select-Object `
    -Property @{Name="Version";Expression={$_.orchestratorVersion}} `
            , @{Name="Default";Expression={$_.default}} `
            , @{Name="Preview";Expression={$_.isPreview}} `
            , @{Name="Upgrades";Expression={$_.upgrades.orchestratorVersion -join ", "}}

$versionTable = $data | ConvertTo-Html -Fragment 
$versionTableString = $versionTable | Out-String
$html = New-Object -ComObject "HTMLFile"
$html.IHTMLDocument2_write($versionTableString)
$tables = $html.body.getElementsByTagName("table")

$rptString = ""
ForEach($table in $tables){
    ForEach($row in $table.rows){
            $cellCount = 0
            ForEach($cell in $row.cells){
                $cellCount++
                if(($cellCount -eq 2) -and ($cell.innertext -eq 'True'))
                {
                    $row.className = "OkStatus"
                }
                if(($cellCount -eq 3) -and ($cell.innertext -eq 'True'))
                {
                    $row.className = "WarningStatus"
                }
        }
    }
    $rptString += $table.outerHTML
}

$reportDate = $(get-date -DisplayHint DateTime) | Out-String
$fileTS = $(get-date -Format "yyyyMMdd") 
$fileName = "aks-versions-$fileTS.html"

$rptTitle = "<h1>AKS Kubernetes Versions</h1><p>$reportDate</p>"
$report = ConvertTo-Html -Title "AKS Versions" -Body "$rptTitle $rptString" -Head $header
$report | Out-File "$fileName"

It creates an HTML report of currently supported Kubernetes versions in AKS along with their respective upgrade paths. Here is an example of the report generated by the script referenced above :

AKS Kubernetes Versions

Sunday, November 8, 2020 8:47:42 PM

Version Default Preview Upgrades
1.16.13 1.16.15, 1.17.9, 1.17.11
1.16.15 1.17.9, 1.17.11
1.17.9 1.17.11, 1.18.6, 1.18.8
1.17.11 True 1.18.6, 1.18.8
1.18.6 1.18.8, 1.19.0
1.18.8 1.19.0
1.19.0 True

Reference: How To Create An HTML Report With PowerShell

Universal Windows Platform Application on Raspberry Pi

Universal Windows Platform (UWP) provides a common app platform on every device that runs Windows 10. The core APIs in UWP are the same on all Windows devices – including Desktop PC, Mobile Phone, XBox, Hololens, IOT devices and others

You can target specific device capabilities of a device family with extension SDKs, but you don’t have to do that if you are only using core APIs. Those core APIs include a very impressive set of UI capabilities. What that means is that you can create a UWP application using C# and XAML which will run on an ARM based processor on Raspberry Pi – because Windows 10 IOT Core runs on that.

Universal Windows Platform (UWP) has come a long way. I decided to dust off my good old Raspberry Pi 2B and take it for a spin last weekend.

The goal was simply to create a Hello World UWP application, deploy it on Windows 10 IOT running on Raspberry Pi (RPi), without using any device specific extension SDKs. Here is the stack – 

Create a simple UWP application in Visual Studio 2019. 

Install Windows 10 IOT Core on Raspberry Pi 2B and connect the device to a 50″ screen TV. 

Select ARM in the target platform drop down and Click on Remote Machine to Run/Debug Application on RPi device.

Select RPi device for deployment.

Deployment of UWP on RPi is complete. 

UWP application running on RPi. 

I updated the UWP application to include Syncfusion Chart control. Did you know that you can get a Community License for the entire product line (including Blazor, Xamarin and UWP controls) from Syncfusion?

UWP application is now running on RPi, attached to the Visual Studio debugger running on the development machine (Windows Surface). 

No device specific extension SDKs were referenced, just the core UWP APIs were used.

Code is on github.