Team
Academic Staff
Jens-Rene Giesen, M.Sc.
- Room:
- S-GW 307
- Phone:
- +49 201 18-37357
- Email:
- jens-rene.giesen (at) uni-due.de
Bio:
Jens-Rene Giesen is a research assistant in the working group for System Security at the University of Duisburg-Essen.
Publications:
- Andreina, Sebastien; Cloosters, Tobias; Davi, Lucas; Giesen, Jens-Rene; Gutfleisch, Marco; Karame, Ghassan; Naiakshina, Alena; Naji, Houda: Defying the Odds: Solana’s Unexpected Resilience in Spite of the Security Challenges Faced by Developers. In: Proc. of the 31th ACM SIGSAC Conference on Computer & Communications Security (CCS). ACM, Salt Lake City, USA 2024. CitationAbstractDetails
Solana gained considerable attention as one of the most popular blockchain platforms for deploying decentralized applications. Compared to Ethereum, however, we observe a lack of research on how Solana smart contract developers handle security, what challenges they encounter, and how this affects the overall security of the ecosystem.
To address this, we conducted the first comprehensive study on the Solana platform. Our study shows, quite alarmingly, that none of the participants could detect all important security vulnerabilities in a code review task and that 83% of the participants are likely to release vulnerable smart contracts. Our study also sheds light on the root causes of developers' challenges with Solana smart contract development, suggesting the need for better security guidance and resources. In spite of these challenges, our automated analysis on currently deployed Solana smart contracts surprisingly suggests that the prevalence of vulnerabilities - especially those pointed out as the most challenging in our developer study - is below 0.3%. We explore the causes of this counter-intuitive resilience and show that frameworks, such as Anchor, are positively aiding Solana developers - even those unmindful of security - in deploying secure contracts.
- Smolka, Sven; Giesen, Jens-Rene; Winkler, Pascal; Draissi, Oussama; Davi, Lucas; Karame, Ghassan; Pohl, Klaus: Fuzz on the Beach: Fuzzing Solana Smart Contracts. In: Proc. of the 30th ACM SIGSAC Conference on Computer & Communications Security (CCS). ACM, Copenhagen, Denmark 2023. CitationAbstractDetails
Solana has quickly emerged as a popular platform for building decentralized applications (DApps), such as marketplaces for non- fungible tokens (NFTs). A key reason for its success are Solana’s low transaction fees and high performance, which is achieved in part due to its stateless programming model. Although the litera- ture features extensive tooling support for smart contract security, current solutions are largely tailored for the Ethereum Virtual Ma- chine. Unfortunately, the very stateless nature of Solana’s execution environment introduces novel attack patterns specific to Solana requiring a rethinking for building vulnerability analysis methods. In this paper, we address this gap and propose FuzzDelSol, the first binary-only coverage-guided fuzzing architecture for Solana smart contracts. FuzzDelSol faithfully models runtime specifics such as smart contract interactions. Moreover, since source code is not available for the large majority of Solana contracts, FuzzDelSol operates on the contract’s binary code. Hence, due to the lack of semantic information, we carefully extracted low-level program and state information to develop a diverse set of bug oracles covering all major bug classes in Solana. Our extensive evaluation on 6049 smart contracts shows that FuzzDelSol’s bug oracles finds impactful vulnerabilities with a high precision and recall. To the best of our knowledge, this is the largest evaluation of the security landscape on the Solana mainnet.
- Giesen, Jens-Rene; Andreina, Sebastien; Rodler, Michael; Karame, Ghassan O.; Davi, Lucas: Tutorial: Analyzing, Exploiting, and Patching Smart Contracts in Ethereum. In: Proc. of 7th IEEE Secure Development Conference (SecDev). 2022. PDFCitationAbstractDetails
Smart contracts are programs which encode business logic and execute on the blockchain. While Ethereum is the most popular blockchain platform for smart contracts, an increasing number of new blockchain platforms are also able to support smart contract execution (e.g., Solana or Cardano). Security vulnerabilities in Ethereum smart contracts have demonstrated that writing secure smart contracts is highly challenging. This is exacerbated by the fact that the exploitation of buggy smart contracts seems disproportionately easier compared to exploiting classic PC software.
In this tutorial, we overview a number of smart contract vulnerabilities focusing on the Ethereum ecosystem. We also provide an introduction to the de-facto smart contract programming language Solidity and provide a comprehensive hands-on lab tutorial that involves analyzing vulnerable smart contracts, developing proof-of-concept exploits as well as introducing security analysis tools for testing smart contracts.