Security Wargame - Parathreat

patricio · March 13, 2024, 8:45am

Parity Security is pleased to introduce Parathreat, a security wargame designed to enhance the safety of the Polkadot SDK ecosystem by allowing participants to identify and fix security vulnerabilities in parachains, pallets, and nodes within Polkadot SDK. By playing Parathreat, you’ll get a better understanding of how the Common Security Risks can affect your project, while improving your skills in application security and programming.

Parathreat has two parts: Red Team and Blue Team.

In the first week part, you’ll play in Red Team mode; as an attacker; where your job is to find and use weaknesses in the system. This helps you learn how attackers think and what you need to watch out for. Starting from the second week, the game can be played in Blue Team mode.
In this second week part, are going to be uploaded all the ways the targets can be attacked. Using this, you can see if you thought of the same attacks during the 1st week, and focus is on fixing/preventing those problems. This helps you learn how to defend the system against real threats.

Parity Security encourages everyone interested in making their Polkadot SDK systems stronger and safer to try Parathreat. It’s a great way to test your skills and learn new ones, whether you have basic knowledge with the Substrate framework or already have some experience. To start, clone the repository, read carefully the mission’s instructions and get ready to craft your exploits!

Don’t hesitate to reach us and provide feedback.

xlc · March 14, 2024, 1:29am

That looks interesting. One suggestion, the provided e2e tests is more of integration test rather e2e test.

Ensure you’re running the exploit tests in --release mode (to simulate a closer scenario to reality)

I am not sure why release mode will make any difference but if you really want a closer scenario, I will suggest use Chopsticks.

Chopsticks is able to launch a chain from a chain spec file and then the integration will be lot closer to reality. For example, you cannot just make root origin call directly.

patricio · March 14, 2024, 9:39am

Thanks for the feedback! I agree 100%, an E2E framework will be use in the next mission for sure, working on that. For the current mission, the idea is to have a more simplistic environment focused in pallet application layer.

The compiler adds extra checks when a crate is not built in release mode. Those checks mitigate some of the vulnerabilities (i.e. arithmetic overflows). Therefore, to have a more realistic scenario (still not fully real as you mention), the release mode is necessary.

xlc · March 14, 2024, 10:16am

this will be a better way without giving out too much hint

Topic		Replies	Views
Test frameworks and utilities for Polkadot and friends Tech Talk	3	637	April 17, 2023
A new test network for Polkadot Digest	17	1530	October 24, 2023
Parachain Technical Summit - Next Steps Tech Talk roadmap , frame , polkadot-summit	24	4078	November 1, 2022
Polkadot SDK Version Manager security , release-analysis	1	285	April 18, 2024
Common Vulnerabilities in Substrate/Polkadot Development Ecosystem security	7	1700	February 6, 2024

Security Wargame - Parathreat

Related Topics