Alliance Chain Security Solution

SlowMist Technology is committed to building security for the blockchain ecosystem and has delivered comprehensive security solutions for many well-known digital currency exchanges, wallets, public blockchains, smart contracts and other projects across the global public blockchain ecosystem. As the Vice-director Unit of the Fujian Provincial Blockchain Development Promotion Association and the Fujian Provincial Blockchain Association, SlowMist Technology was among the first batch selected into the "2018 China Blockchain Industry White Paper" by the Ministry of Industry and Information Technology. SlowMist is also one of the five member units of the Guangdong-Hong Kong-Macao Greater Bay Area Blockchain and Cyber Security Technology Joint Lab. As the consortium blockchain ecosystem developed, in 2019 SlowMist Technology cooperated with the Internet Information Offices of multiple provinces to carry out multi-level security audits, from the underlying technology to the application layer, of consortium blockchains run by local governments, enterprises and public institutions, and found vulnerabilities and weak points in consortium blockchain systems and their supporting systems across multiple scenarios, applications and forms. SlowMist Technology has carried out a number of security studies in the consortium blockchain field, has achieved results, and has systematic experience in securing blockchain systems across multiple scenarios. The full-cycle consortium blockchain security construction solution proposed by SlowMist Technology aims to improve enterprises' security and control over the still-immature blockchain technology stack, making the blockchain security system multi-leveled and standardized so that blockchain applications can be deployed quickly and securely.

Processing Flow

Consortium Blockchain Security Solution Architecture Table

Security Audit Item

Blockchain Business Layer

Audit Classification / Audit Category / Audit Subclass

Production Network Security
    DNS Security: DDoS Attack; DNS Spoofing; DNS Redirection
    Load Balancing Strategy: Polling Logic Detection
    Firewall Configuration Strategy: Intra-domain Security Strategy
    DDoS Defense Strategy: Anti-DDoS Advanced; High Performance Equipment; CDN Flow Cleaning; Load Balancing; Flow Control; Source Authentication; Session Mechanism Strategy
    Port Security: Minimize Service Ports; Disable Weak Passwords; Open SSH Key Login
    Authority Security: Hierarchical Authorization Strategy; CA Certificate/Domain Control; Personnel Management

Server Security
    Basic Configuration Security: SSH Private Key Login; Password Complexity Rules; Prevent Root User Logging in to SSH; Modify SSH Default Port; Set Up a Jump Server; Minimize Service Ports; Firewall Rules; Third-party Login Authentication Module; Logging Strategy
    Upgrade and Patch Strategy: Automatic System Updates; Application Update; Vulnerability Patch Update
    Third-party Module Security: Software Vulnerability Review; Encryption Defect; Injection Vulnerability; Code Vulnerability

Application Services Security
    Security Certification Signature: Service Alarm Notification; Password Policy; Data Transmission Encryption; Storage Encryption; Access Control; Server Firewall
    API Service Security: IP Black and White List; Encrypted Connection; Avoid MITM Attacks; API Injection; Denial of Service Attack; Client Connection Authentication and Authorized Access; WAF Service
    Database Service Security: Certificate-encrypted Connection; Complex Password Strategy; Black and White List of Registered Addresses; Configure the Port to Not Allow Public Access; Multi-replica; Log Retention; Data Backup; Software Update
    Caching Service Security: Configure the Port to Not Allow Public Access; Complex Password Strategy; Multi-replica; Data Backup; Encrypted Connection; Update Bug Patches in a Timely Manner; Login Black and White List
    Private Key Management Service Security: No Open Interface; Actively Connect to External Interface to Synchronize Data; Data Transmission Encryption; Data Backup; Encrypted Data Storage; Grab Data to be Signed; Interface Cannot Obtain Private Key Data in Plain Text
    Node Service Security: IP Whitelist Restricted Access; Whitelist Restricted Access; Log Retention; Multi-node Data Confirmation; Detect if the Program Crashes; Node Upgrade Update

Application Security
    App Running Environment Security Detection Strategy: iOS Jailbreak Detection; Virtual Machine Detection; Android Root Detection
    App Code Decompilation Strategy: Source Code Obfuscation; Instruction Set Obfuscation; VM Shelling
    Local Storage Security: Sandbox Storage; Keychain Security; Cookie Security; Cache Processing; Log Sensitive Information Processing
    Communication Security Strategy: Use SSL; Certificate Verification
    Authentication and Authorization Strategy: Captcha Mechanism Design; Bypassing Authentication; Unauthorized Access
    API Interface Security: Replay Attack; XSS/SQL Injection
    Business Logic Security: Identity Authentication Security; Business Consistency Security; Business Data Security; Data Input Format Detection; Password Recovery Logic; Confirmation Code Security; Business Authorization Security; Business Process Security; Business Interface Security
    Front-end Security: XSS; CSRF; CORS; Clickjacking; Console Code Injection
    Input Security: Command Execution; XXE; Deserialization; SSRF; Overflow; SQL Injection; Code Injection; Template Injection

Blockchain Technology Layer

Serial Number / Audit Class / Audit Subclass

1. Static Security: Built-in Function Security Examination; Standard Library Security Audit; Third-party Library Security Audit; Injection Audit; Serialization Algorithm Audit; Memory-leak Detection; Arithmetic Operation Audit; Resource Consumption Audit; Exception Handling Audit; Log Security Audit
2. P2P Security: Number of Node Connections Audit; Node Performance Audit; Message Format Validation; Communication Encryption Audit; Alien Attack Audit
3. RPC Security: RPC Permission Audit; Malformed Data Request Audit; Communication Encryption Audit; CORS Policy Audit
4. Encryption and Signature Security: Random Number Generation Algorithm Audit; Keystore Audit; Cryptographic Component Call Audit; Hash Strength Audit; Length Extension Attack Audit; Crypto Fuzzing Test
5. Account and Transaction Model Security: Authority Verification Audit; Replay Attack Audit; "False Top-up" Audit
6. System Contract Security: refer to "Smart Contract Security Audit"
7. Consensus Security: Staking Logic Audit; Block Verification Audit; Merkle-Tree Audit
8. Code Compliance Audit: Code Forking Audit; Code Patch Audit; Roadmap Audit; Top-up Program Audit