Blockchains and Security

Grammar-Based Evolutionary Fuzzing for JSON-RPC APIs and the Division of Responsibilities

Master thesis (2022)

Authors

L.S. Veldkamp Applied Sciences

Contributors

A. Panichella Software Engineering - EEMCS (supervisor 1)
Mitchell Olsthoorn Software Engineering - EEMCS (supervisor 1)
E. Kalmar Science Education and Communication - AS (supervisor 1)
C. Wehrmann Science Education and Communication - AS (supervisor 2)
S.E. Verwer Cyber Security - EEMCS (supervisor 2)
P.A.N. Bosman Algorithmics - EEMCS (supervisor 2)
Faculty
Electrical Engineering, Mathematics and Computer Science
Copyright: © 2022 Lisette Veldkamp
Fuzzing Software Testing Blockchain Framing Test Generation JSON-RPC API Evolutionary Algorithm Responsibility Division Media Content Analysis
More Info
expand_more

Published Date

18-08-2022

Language

English

Reuse Rights

Other than for strictly personal use, it is not permitted to download, forward or distribute the text or part of it, without the consent of the author(s) and/or copyright holder(s), unless the work is under an open content license such as Creative Commons.

Faculty

Electrical Engineering, Mathematics and Computer Science

Abstract

The continual increase in cyber crime revolving blockchain applications calls for secure blockchain systems and clarity on the division of security responsibilities. This research is an integrated project between two master programmes at the Delft University of Technology: Computer Science and Communication Design for Innovation, and focuses on software testing and security responsibilities.

In this study, we investigate if grammar-based fuzzing, a popular approach for identifying bugs in software, is effective on JSON-RPC systems like blockchain applications Ripple and Ethereum. Furthermore, we evaluate whether we can improve upon traditional grammar-based fuzzing by using evolutionary search.
We introduce GEFRA, a black-box grammar-based fuzzing tool that generates tests for JSON-RPC APIs.
Using a diversity-based fitness function that leverages system feedback, GEFRA is able to effectively guide the search process towards new test cases that obtain additional test coverage.

Additionally, various perspectives on blockchain security responsibilities are investigated. A media content analysis was performed and interviews were conducted with legal and blockchain experts.
News media frequently frame end users as responsible for the prevention of blockchain attacks. While attackers are legally responsible, users are left to deal with the consequences if attackers cannot be found. Responsibilities generally end up with users as decentralisation is the core idea of blockchain. Legislation may be the only solution to define a clear division of responsibilities.