1 of 16

The Multibillion Dollar Software Supply Chain of Ethereum

César Soto Valero, Martin Monperrus, and Benoit Baudry

KTH

1

https://github.com/chains-project/ethereum-ssc

cesarsv@kth.se

2 of 16

$ whoami

2

  • From Cuba
    • BSc and MSc in Computer Science
  • PhD student at KTH since 2018
    • Automatic software debloating
    • Dependency management
    • Software diversity
  • Enthusiastic techy guy

cesarsv@kth.se

3 of 16

3

“Pretty much everywhere you look, you find open-source software.”

“Even when you look at proprietary software, chances are it’s actually 70% or more open-source.”

cesarsv@kth.se

4 of 16

Agenda

4

  1. Software supply chains in the Ethereum ecosystem
    • Why? How? What?
  2. Research opportunities for CHAINS
    • Dependency vulnerability mitigation
    • Dependency diversification
    • Dependency debloating

cesarsv@kth.se

5 of 16

Ethereum

5

  • Largest blockchain platform
  • Distributed system
    • Decentralized transactions
    • Consensus protocols
    • Smart contracts
    • Bored apes

cesarsv@kth.se

6 of 16

Ethereum

6

👩‍💻

🏦

🏣

Ethereum node

Ethereum node

Ethereum node

Ethereum node

Ethereum node

cesarsv@kth.se

7 of 16

Nodes

7

  • Several implementations
    • Geth, Erigon (Go)
    • Akula (Rust)
    • Nethermind (C#, .NET)
    • Besu, Teku (Java)
    • . . .

Ethereum node

cesarsv@kth.se

8 of 16

besu-core

8

cesarsv@kth.se

9 of 16

besu-core

9

  • Depends on:
    • 29 other Besu modules
    • 51 different third-party dependencies
    • 16 different supplier organizations

cesarsv@kth.se

10 of 16

Software supply chain

10

Besu

Teku

Unique Internal Dependencies

41

57

Unique Third-Party Dependencies

355

293

Unique Suppliers

165

146

cesarsv@kth.se

11 of 16

Diversity

11

cesarsv@kth.se

12 of 16

Diversity

12

  • Both Teku and Besu use Log4j
  • Log4j was vulnerable in 2021 (CVE-2021-44228)
  • There are diverse suppliers of logging facilities available
    • Logback
    • TinyLog
    • SLF4J
    • . . .

cesarsv@kth.se

13 of 16

Remediation

13

  • There is a lack of tools in Besu and Teku for:
    • Keeping dependencies up-to-date
    • Removing unused dependencies
    • Handling vulnerable dependencies

cesarsv@kth.se

14 of 16

Remediation

14

Besu

Teku

Outdated Third-Party Dependency Versions (Dependabot)

3

1

Outdated Third-Party Dependency Versions (Renovate)

49

19

cesarsv@kth.se

15 of 16

Conclusions

15

  • Besu and Teku depend on hundreds of libraries provided by a variety of supplier organizations.
  • The supply chains of Besu and Teku share a majority of their third-party dependencies.
  • Besu and Teku will eventually embed automatic dependency remediation tools in their pipeline.
  • Hardening the software supply chain is critical for any major software project with a high stake.

cesarsv@kth.se

16 of 16

Read the full article

16

“The Multibillion Dollar Software Supply Chain of Ethereum,” IEEE Computer, 2022.

cesarsv@kth.se