August list
If you feel a paper should belong to another category, or that we missed a relevant paper, just let us know. Participation is most welcome!
Categories:
- Attacks and defenses
- Blockchain-general
- Blockchain-noncrypto uses
- Ethereum
- Financial
- Internet of Things (IoT)
Attacks and defenses
An Eye for an Eye: Economics of Retaliation in Mining Pools
Authors: Yujin Kwon, Hyoungshick Kim, Yung Yi, Yongdae Kim
Abstract: Currently, miners typically join mining pools to solve cryptographic puzzles together, and mining pools are in high competition. This has led to the development of several attack strategies such as block withholding (BWH) and fork after withholding (FAW) attacks that can weaken the health of PoW systems but maximize mining pools’ profits. In this paper, we present strategies called Adaptive Retaliation Strategies (ARS) to mitigate not only BWH attacks but also FAW attacks. In ARS, each pool cooperates with other pools in the normal situation, and adaptively executes either FAW or BWH attacks for the purpose of retaliation only when attacked. In addition, in order for rational pools to adopt ARS, ARS should strike to an adaptive balance between retaliation and selfishness because the pools consider their payoff even when they retaliate. We theoretically and numerically show that ARS would not only lead to the induction of a no-attack state among mining pools, but also achieve the adaptive balance between retaliation and selfishness.
Once a MAN: Towards Multi-Target Attack via Learning Multi-Target Adversarial Network Once
Authors: Jiangfan Han, Xiaoyi Dong, Ruimao Zhang, Dongdong Chen, Weiming Zhang, Nenghai Yu, Ping Luo, Xiaogang Wang
Abstract: Modern deep neural networks are often vulnerable to adversarial samples. Based on the first optimization-based attacking method, many following methods are proposed to improve the attacking performance and speed. Recently, generation-based methods have received much attention since they directly use feed-forward networks to generate the adversarial samples, which avoid the time-consuming iterative attacking procedure in optimization-based and gradient-based methods. However, current generation-based methods are only able to attack one specific target (category) within one model, thus making them not applicable to real classification systems that often have hundreds/thousands of categories. In this paper, we propose the first Multi-target Adversarial Network (MAN), which can generate multi-target adversarial samples with a single model. By incorporating the specified category information into the intermediate features, it can attack any category of the target classification model during runtime. Experiments show that the proposed MAN can produce stronger attack results and also have better transferability than previous state-of-the-art methods in both multi-target attack task and single-target attack task. We further use the adversarial samples generated by our MAN to improve the robustness of the classification model. It can also achieve better classification accuracy than other methods when attacked by various methods.
Bitcoin Security under Temporary Dishonest Majority
Authors: Georgia Avarikioti, Lukas Kaeppeli, Yuyi Wang, Roger Wattenhofer
Abstract: We prove Bitcoin is secure under temporary dishonest majority. We assume the adversary can corrupt a specific fraction of parties and also introduce crash failures, i.e., some honest participants are offline during the execution of the protocol. We demand a majority of honest online participants on expectation. We explore three different models and present the requirements for proving Bitcoin’s security in all of them: we first examine a synchronous model, then extend to a bounded delay model and last we consider a synchronous model that allows message losses.
Blockchain-general
HyperService: Interoperability and Programmability Across Heterogeneous Blockchains
Authors: Zhuotao Liu, Yangxi Xiang, Jian Shi, Peng Gao, Haoyu Wang, Xusheng Xiao, Bihan Wen, Yih-Chun Hu
Abstract: Blockchain interoperability, which allows state transitions across different blockchain networks, is critical functionality to facilitate major blockchain adoption. Existing interoperability protocols mostly focus on atomic token exchange between blockchains. However, as blockchains have been upgraded from passive distributed ledgers into programmable state machines (thanks to smart contracts), the scope of blockchain interoperability goes beyond just token exchange. In this paper, we present HyperService, the first platform that delivers interoperability and programmability across heterogeneous blockchains. HyperService is powered by two innovative designs: (i) a developer-facing programming framework that allows developers to build cross-chain applications in a unified programming model; and (ii) a secure blockchain-facing cryptography protocol that provably realizes those applications on blockchains. We implement a prototype of HyperService in about 35,000 lines of code to demonstrate its practicality. Our experiment results show that (i) HyperService imposes reasonable latency, in order of seconds, on the end-to-end execution of cross-chain applications; (ii) the HyperService platform is scalable to continuously incorporate additional production blockchains.
Towards Blockchain-enabled Searchable Encryption
Authors: Qiang Tang
Abstract: Distributed Ledger Technologies (DLTs), most notably Blockchain technologies, bring decentralised platforms that eliminate a single trusted third party and avoid the notorious single point of failure vulnerability. Since Nakamoto’s Bitcoin cryptocurrency system, an enormous number of decentralised applications have been proposed on top of these technologies, aiming at more transparency and trustworthiness than their traditional counterparts. These applications spread over a lot of areas, e.g. financial services, healthcare, transportation, supply chain management, and cloud computing. While Blockchain brings transparency and decentralised trust intuitively due to the consensus of a (very large) group of nodes (or, miners), it introduces very subtle implications for other desirable properties such as privacy. In this work, we demonstrate these subtle implications for Blockchain-based searchable encryption solutions, which are one specific use case of cloud computing services. These solutions rely on Blockchain to achieve both the standard privacy property and the new fairness property, which requires that search operations are carried out faithfully and are rewarded accordingly. We show that directly replacing the server in an existing searchable encryption solution with a Blockchain will cause undesirable operational cost, privacy loss, and security vulnerabilities. The analysis results indicate that a dedicated server is still needed to achieve the desired privacy guarantee. To this end, we propose two frameworks which can be instantiated based on most existing searchable encryption schemes. Through analysing these two frameworks, we affirmatively show that a carefully engineered Blockchain-based solution can achieve the desired fairness property while preserving the privacy guarantee of the original searchable encryption scheme simultaneously.
DNA based Network Model and Blockchain
Authors: M. A. El-Edkawy, A. M. El-Dosuky, Taher Hamza
Abstract: Biological cells can transmit, process and receive chemically encoded data in the same way as network devices transmit, process, and receive digitally encoded data. Communication protocols have led to the rapid development of computer networks. Therefore, we need to develop communication protocols for biological cell networks, which will lead to significant development, especially in medical applications where surgery or delivery of drugs can be performed using nanoscale devices. Blockchain is a peer-to-peer network that contains a series of clusters to make a valid and secure transaction. Blockchain technology is used in many areas such as e-commerce, public services, security, finance, Internet stuff, etc. Although blockchain has a major impact on Internet technology, it suffers from time problems and scalability. DNA computing is the execution of computations using natural molecules, especially DNA. DNA gaps above silicon because of massive parallelism, size and storage density. In this paper, biological cells and DNA are used to create the necessary protocols for the networks to be used in the performance of the cell-based communication system. The proposed hybrid solution involves DNA as well as calculated on an enzymatic basis, where each contributes to the function of a given protocol. Also a correspondence between blockchain and DNA is proposed that can be utilized to create DNA based blockchain.
Detecting Fraudulent Accounts on Blockchain: A Supervised Approach
Authors: Michal Ostapowicz, Kamil Żbikowski
Abstract: Applications of blockchain technologies got a lot of attention in recent years. They exceed beyond exchanging value and being a substitute for fiat money and traditional banking system. Nevertheless, being able to exchange value on a blockchain is at the core of the entire system and has to be reliable. Blockchains have built-in mechanisms that guarantee whole system’s consistency and reliability. However, malicious actors can still try to steal money by applying well known techniques like malware software or fake emails. In this paper we apply supervised learning techniques to detect fraudulent accounts on Ethereum blockchain. We compare capabilities of Random Forests, Support Vector Machines and XGBoost classifiers to identify such accounts based on a dataset of more than 300 thousand accounts. Results show that we are able to achieve recall and precision values allowing for the designed system to be applicable as an anti-fraud rule for digital wallets or currency exchanges. We also present sensitivity analysis to show how presented models depend on particular feature and how lack of some of them will affect the overall system performance.
Trustable and Automated Machine Learning Running with Blockchain and Its Applications
Authors: Tao Wang, Xinmin Wu, Taiping He
Abstract: Machine learning algorithms learn from data and use data from databases that are mutable; therefore, the data and the results of machine learning cannot be fully trusted. Also, the machine learning process is often difficult to automate. A unified analytical framework for trustable machine learning has been presented in the literature. It proposed building a trustable machine learning system by using blockchain technology, which can store data in a permanent and immutable way. In addition, smart contracts on blockchain are used to automate the machine learning process. In the proposed framework, a core machine learning algorithm can have three implementations: server layer implementation, streaming layer implementation, and smart contract implementation. However, there are still open questions. First, the streaming layer usually deploys on edge devices and therefore has limited memory and computing power. How can we run machine learning on the streaming layer? Second, most data that are stored on blockchain are financial transactions, for which fraud detection is often needed. However, in some applications, training data are hard to obtain. Can we build good machine learning models to do fraud detection with limited training data? These questions motivated this paper; which makes two contributions. First, it proposes training a machine learning model on the server layer and saving the model with a special binary data format. Then, the streaming layer can take this blob of binary data as input and score incoming data online. The blob of binary data is very compact and can be deployed on edge devices. Second, the paper presents a new method of synthetic data generation that can enrich the training data set. Experiments show that this synthetic data generation is very effective in applications such as fraud detection in financial data.
Aleph: Efficient Atomic Broadcast in Asynchronous Networks with Byzantine Nodes
Authors: Adam Gągol, Damian Leśniak, Damian Straszak, Michał Świętek
Abstract: The spectacular success of Bitcoin and Blockchain Technology in recent years has provided enough evidence that a widespread adoption of a common cryptocurrency system is not merely a distant vision, but a scenario that might come true in the near future. However, the presence of Bitcoin’s obvious shortcomings such as excessive electricity consumption, unsatisfying transaction throughput, and large validation time (latency) makes it clear that a new, more efficient system is needed.
We propose a protocol in which a set of nodes maintains and updates a linear ordering of transactions that are being submitted by users. Virtually every cryptocurrency system has such a protocol at its core, and it is the efficiency of this protocol that determines the overall throughput and latency of the system. We develop our protocol on the grounds of the well-established field of Asynchronous Byzantine Fault Tolerant (ABFT) systems. This allows us to formally reason about correctness, efficiency, and security in the strictest possible model, and thus convincingly prove the overall robustness of our solution.
Our protocol improves upon the state-of-the-art HoneyBadgerBFT by Miller et al. by reducing the asymptotic latency while matching the optimal communication complexity. Furthermore, in contrast to the above, our protocol does not require a trusted dealer thanks to a novel implementation of a trustless ABFT Randomness Beacon.
HotPoW: Finality from Proof-of-Work Quorums
Authors: Patrik Keller, Rainer Böhme
Abstract: We build a bridge between the notions of Byzantine and Nakamoto consensus by developing a theory of proof-of-work quorums. This theory yields stochastic uniqueness of quorums as a function of the quorum size, a security parameter. We employ the theory in HotPoW, a scalable permissionless distributed log protocol that supports finality based on the pipelined three-phase commit previously presented for HotStuff. Additionally, we present a simulation framework for distributed consensus protocols, which we use for evaluating the proposed protocol and variants with adversarial modifications. Results show that the protocol can tolerate network latency, churn, and targeted attacks on consistency and liveness at small overhead compared to deployed systems.
Blockguard: Adaptive Blockchain Security
Authors: Shishir Rai, Kendric Hood, Mikhail Nesterenko, Gokarna Sharma
Abstract: We consider the problem of varying the security of blockchain transactions according to their importance. This adaptive security is achieved by using variable size consensus committees. To improve performance, such committees function concurrently. We present two algorithms that allow adaptive security by forming concurrent variable size consensus committees on demand. One is based on a single joint blockchain, the other is based on separate sharded blockchains. For in-committee consensus, our algorithms may use various available byzantine-robust fault tolerant algorithms (BFT). We implement synchronous BFT, asynchronous BFT and proof-of-work consensus. We thoroughly evaluate the performance of our adaptive security algorithms.
Blockchain-noncrypto uses
Blockchain-based Personal Data Management: From Fiction to Solution
Authors: Nguyen Truong, Kai Sun, Yike Guo
Abstract: The emerging blockchain technology has enabled various decentralised applications in a trustless environment without relying on a trusted intermediary. It is expected as a promising solution to tackle sophisticated challenges on personal data management, thanks to its advanced features such as immutability, decentralisation and transparency. Although certain approaches have been proposed to address technical difficulties in personal data management; most of them only provided preliminary methodological exploration. Alarmingly, when utilising Blockchain for developing a personal data management system, fictions have occurred in existing approaches and been promulgated in the literature. Such fictions are theoretically doable; however, by thoroughly breaking down consensus protocols and transaction validation processes, we clarify that such existing approaches are either impractical or highly inefficient due to the natural limitations of the blockchain and Smart Contracts technologies. This encourages us to propose a feasible solution in which such fictions are reduced by designing a novel system architecture with a blockchain-based “proof of permission” protocol. We demonstrate the feasibility and efficiency of the proposed models by implementing a clinical data sharing service built on top of a public blockchain platform. We believe that our research resolves existing ambiguity and take a step further on providing a practically feasible solution for decentralised personal data management.
Towards a Supply Chain Management System for Counterfeit Mitigation using Blockchain and PUF
Authors: Leonardo Aniello, Basel Halak, Peter Chai, Riddhi Dhall, Mircea Mihalea, Adrian Wilczynski
Abstract: The complexity of today’s supply chain, organised in several tiers and including many companies located in different countries, makes it challenging to assess the history and integrity of procured physical parts, and to make organisations really accountable for their conduct. This enables malicious practices like counterfeiting and insertion of back doors, which are extremely dangerous, especially in supply chains of physical parts for industrial control systems used in critical infrastructures, where a country and human lives can be put at risk. This paper aims at mitigating these issues by proposing an approach where procured parts are uniquely identified and tracked along the chain, across multiple sites, to detect tampering. Our solution is based on consortium blockchain and smart contract technologies, hence it is decentralised, highly available and provides strong guarantees on the integrity of stored data and executed business logic. The unique identification of parts along the chain is implemented by using physically unclonable functions (PUFs) as tamper-resistant IDs. We first define the threat model of an adversary interested in tampering with physical products along the supply chain, then provide the design of the tracking system that implements the proposed anti-counterfeiting approach. We present a security analysis of the tracking system against the designated threat model and a prototype evaluation to show its technical feasibility and assess its effectiveness in counterfeit mitigation. Finally, we discuss several key practical aspects concerning our solution and its integration with real supply chains.
Blockchain based access control systems: State of the art and challenges
Authors: Sara Rouhani, Ralph Deters
Abstract: Access to the system resources. The current access control systems face many problems, such as the presence of the third-party, inefficiency, and lack of privacy. These problems can be addressed by blockchain, the technology that received major attention in recent years and has many potentials. In this study, we overview the problems of the current access control systems, and then, we explain how blockchain can help to solve them. We also present an overview of access control studies and proposed platforms in different domains. This paper presents the state of the art and the challenges of blockchain-based access control systems.
3D Marketplace: Distributed Attestation of 3D Designs on Blockchain
Authors: Sofia Belikovetsky, Oded Leiba, Asaf Shabtai, Yuval Elovici
Abstract: Additive manufacturing (AM), or 3D printing, is an emerging manufacturing technology that is expected to have far-reaching socioeconomic, environmental, and geopolitical implications. As the use of this technology increases, the need for validation of 3D designs grows. In order to create a marketplace in which 3D designs are traded, it is necessary to develop a platform that enables the attestation of the 3D designs and promotes truthfulness. In this paper, we introduce a novel concept of a distributed marketplace that will support the attestation of 3D printing designs. We build a mathematical trust model that ensures truthfulness among rational, selfish, and independent agents, which is based on a reward/penalty system. The payment for participating in the evaluation is calculated by factoring in agents’ reputation and peer feedback. Moreover, we describe the architecture and the implementation of the trust model on blockchain using smart contracts for the creation of a distributed marketplace. Our model relies both on theoretical and practical best practices to create a unique platform that elicits effort and truthfulness from the participants.
Blockchain Tree for eHealth
Authors: Sergii Kushch, Silvio Ranise, Giada Sciarretta
Abstract: The design of access control mechanisms for healthcare systems is challenging: it must strike the right balance between permissions and restrictions. In this work, we propose a novel approach that is based on the Blockchain technology for storing patient medical data and create an audit logging system able to protect health data from unauthorized modification and access. The proposed method consists of a tree structure: a main chain linked with the patient’s identity and one or several Subchains which are used for storing additional critical data (e.g., medical diagnoses or access logs).
Privacy-Aware Distributed Mobility Choice Modelling over Blockchain
Authors: David Lopez, Bilal Farooq
Abstract: A generalized distributed tool for mobility choice modelling is presented, where participants do not share personal raw data, while all computations are done locally. Participants use Blockchain based Smart Mobility Data-market (BSMD), where all transactions are secure and private. Nodes in blockchain can transact information with other participants as long as both parties agree to the transaction rules issued by the owner of the data. A case study is presented where a mode choice model is distributed and estimated over BSMD. As an example, the parameter estimation problem is solved on a distributed version of simulated annealing. It is demonstrated that the estimated model parameters are consistent and reproducible.
A Taxonomic Approach to Understanding Emerging Blockchain Identity Management Systems
Authors: Loic Lesavre, Priam Varin, Peter Mell, Michael Davidson, James Shook
Abstract: Identity management systems (IDMSs) are widely used to provision user identities while managing authentication, authorization, and data sharing both within organizations as well as on the Internet more broadly. Traditional identity systems typically suffer from single points of failure, lack of interoperability, and privacy issues such as encouraging mass data collection and user tracking. Blockchain technology has the potential to support novel data ownership and governance models with built-in control and consent mechanisms, which may benefit both users and businesses by alleviating these concerns; as a result, blockchain-based IDMSs are beginning to proliferate. This work categorizes these systems into a taxonomy based on differences in architecture, governance models, and other salient features. We provide context for the taxonomy by describing related terms, emerging standards, and use cases, while highlighting relevant security and privacy considerations.
Spams meet Cryptocurrencies: Sextortion in the Bitcoin Ecosystem
Authors: Masarah Paquet-Clouston, Matteo Romiti, Bernhard Haslhofer, Thomas Charvat
Abstract: In the past year, a new spamming scheme has emerged: sexual extortion messages requiring payments in the cryptocurrency Bitcoin, also known as sextortion. This scheme represents a first integration of the use of cryptocurrencies by members of the spamming industry. Using a dataset of 4,340,736 sextortion spams, this research aims at understanding such new amalgamation by uncovering spammers’ operations. To do so, a simple, yet effective method for projecting Bitcoin addresses mentioned in sextortion spams onto transaction graph abstractions is computed over the entire Bitcoin blockchain. This allows us to track and investigate monetary flows between involved actors and gain insights into the financial structure of sextortion campaigns. We find that sextortion spammers are somewhat sophisticated, following pricing strategies and benefiting from cost reductions as their operations cut the upper-tail of the spamming supply chain. We discover that one single entity is likely controlling the financial backbone of the majority of the sextortion campaigns and that the 11-month operation studied yielded a lower-bound revenue between \$1,300,620 and \$1,352,266. We conclude that sextortion spamming is a lucrative business and spammers will likely continue to send bulk emails that try to extort money through cryptocurrencies.
Ethereum
Infochain: A Decentralized System for Truthful Information Elicitation
Authors: Cyril Schreven van, Naman Goel, Boi Faltings
Abstract: Incentive mechanisms play a pivotal role in collecting correct and reliable information from self-interested agents. Peer-prediction mechanisms are game-theoretic mechanisms that incentivize agents for reporting the information truthfully, even when the information is unverifiable in nature. Traditionally, a trusted third party implements these mechanisms. We built Infochain, a decentralized system for information elicitation. Infochain ensures transparent, trustless and cost-efficient collection of information from self-interested agents without compromising the game-theoretical guarantees of the peer-prediction mechanisms. In this paper, we address various non-trivial challenges in implementing these mechanisms in Ethereum and provide experimental analysis.
Eclipsing Ethereum Peers with False Friends
Authors: Sebastian Henningsen, Daniel Teunis, Martin Florian, Björn Scheuermann
Abstract: Ethereum is a decentralized Blockchain system that supports the execution of Turing-complete smart contracts. Although the security of the Ethereum ecosystem has been studied in the past, the network layer has been mostly neglected. We show that Go Ethereum (Geth), the most widely used Ethereum implementation, is vulnerable to eclipse attacks, effectively circumventing recently introduced (Geth v1.8.0) security enhancements. We responsibly disclosed the vulnerability to core Ethereum developers; the corresponding countermeasures to our attack were incorporated into the v1.9.0 release of Geth. Our false friends attack exploits the Kademlia-inspired peer discovery logic used by Geth and enables a low-resource eclipsing of long-running, remote victim nodes. An adversary only needs two hosts in distinct /24 subnets to launch the eclipse, which can then be leveraged to filter the victim’s view of the Blockchain. We discuss fundamental properties of Geth’s node discovery logic that enable the false friends attack, as well as proposed and implemented countermeasures.
Slither: A Static Analysis Framework For Smart Contracts
Authors: Josselin Feist, Gustavo Grieco, Alex Groce
Abstract: This paper describes Slither, a static analysis framework designed to provide rich information about Ethereum smart contracts. It works by converting Solidity smart contracts into an intermediate representation called SlithIR. SlithIR uses Static Single Assignment (SSA) form and a reduced instruction set to ease implementation of analyses while preserving semantic information that would be lost in transforming Solidity to bytecode. Slither allows for the application of commonly used program analysis techniques like dataflow and taint tracking. Our framework has four main use cases: (1) automated detection of vulnerabilities, (2) automated detection of code optimization opportunities, (3) improvement of the user’s understanding of the contracts, and (4) assistance with code review. In this paper, we present an overview of Slither, detail the design of its intermediate representation, and evaluate its capabilities on real-world contracts. We show that Slither’s bug detection is fast, accurate, and outperforms other static analysis tools at finding issues in Ethereum smart contracts in terms of speed, robustness, and balance of detection and false positives. We compared tools using a large dataset of smart contracts and manually reviewed results for 1000 of the most used contracts.
Security Analysis Methods on Ethereum Smart Contract Vulnerabilities: A Survey
Authors: Purathani Praitheeshan, Lei Pan, Jiangshan Yu, Joseph Liu, Robin Doss
Abstract: Smart contracts are software programs featuring both traditional applications and distributed data storage on blockchains. Ethereum is a prominent blockchain platform with the support of smart contracts. The smart contracts act as autonomous agents in critical decentralized applications and hold a significant amount of cryptocurrency to perform trusted transactions and agreements. Millions of dollars as part of the assets held by the smart contracts were stolen or frozen through the notorious attacks just between 2016 and 2018, such as the DAO attack, Parity Multi-Sig Wallet attack, and the integer underflow/overflow attacks. These attacks were caused by a combination of technical flaws in designing and implementing software codes. However, many more vulnerabilities of less severity are to be discovered because of the scripting natures of the Solidity language and the non-updateable feature of blockchains. Hence, we surveyed 16 security vulnerabilities in smart contract programs, and some vulnerabilities do not have a proper solution. This survey aims to identify the key vulnerabilities in smart contracts on Ethereum in the perspectives of their internal mechanisms and software security vulnerabilities. By correlating 16 Ethereum vulnerabilities and 19 software security issues, we predict that many attacks are yet to be exploited. And we have explored many software tools to detect the security vulnerabilities of smart contracts in terms of static analysis, dynamic analysis, and formal verification. This survey presents the security problems in smart contracts together with the available analysis tools and the detection methods. We also investigated the limitations of the tools or analysis methods with respect to the identified security vulnerabilities of the smart contracts.
Interactive coin offerings
Authors: Jason Teutsch, Vitalik Buterin, Christopher Brown
Abstract: Ethereum has emerged as a dynamic platform for exchanging cryptocurrency tokens. While token crowdsales cannot simultaneously guarantee buyers both certainty of valuation and certainty of participation, we show that if each token buyer specifies a desired purchase quantity at each valuation then everyone can successfully participate. Our implementation introduces smart contract techniques which recruit outside participants in order to circumvent computational complexity barriers.
A Survey on Ethereum Systems Security: Vulnerabilities, Attacks and Defenses
Authors: Huashan Chen, Marcus Pendleton, Laurent Njilla, Shouhuai Xu
Abstract: The blockchain technology is believed by many to be a game changer in many application domains, especially financial applications. While the first generation of blockchain technology (i.e., Blockchain 1.0) is almost exclusively used for cryptocurrency purposes, the second generation (i.e., Blockchain 2.0), as represented by Ethereum, is an open and decentralized platform enabling a new paradigm of computing — Decentralized Applications (DApps) running on top of blockchains. The rich applications and semantics of DApps inevitably introduce many security vulnerabilities, which have no counterparts in pure cryptocurrency systems like Bitcoin. Since Ethereum is a new, yet complex, system, it is imperative to have a systematic and comprehensive understanding on its security from a holistic perspective, which is unavailable. To the best of our knowledge, the present survey, which can also be used as a tutorial, fills this void. In particular, we systematize three aspects of Ethereum systems security: vulnerabilities, attacks, and defenses. We draw insights into, among other things, vulnerability root causes, attack consequences, and defense capabilities, which shed light on future research directions.
A scalable verification solution for blockchains
Authors: Jason Teutsch, Christian Reitwießner
Abstract: Bitcoin and Ethereum, whose miners arguably collectively comprise the most powerful computational resource in the history of mankind, offer no more power for processing and verifying transactions than a typical smart phone. The system described herein bypasses this bottleneck and brings scalable computation to Ethereum. Our new system consists of a financial incentive layer atop a dispute resolution layer where the latter takes form of a versatile “verification game.” In addition to secure outsourced computation, immediate applications include decentralized mining pools whose operator is an Ethereum smart contract, a cryptocurrency with scalable transaction throughput, and a trustless means for transferring currency between disjoint cryptocurrency systems.
Retrofitting a two-way peg between blockchains
Authors: Jason Teutsch, Michael Straka, Dan Boneh
Abstract: In December 2015, a bounty emerged to establish both reliable communication and secure transfer of value between the Dogecoin and Ethereum blockchains. This prized “Dogethereum bridge” would allow parties to “lock” a DOGE coin on Dogecoin and in exchange receive a newly minted WOW token in Ethereum. Any subsequent owner of the WOW token could burn it and, in exchange, earn the right to “unlock” a DOGE on Dogecoin. We describe an efficient, trustless, and retrofitting Dogethereum construction which requires no fork but rather employs economic collateral to achieve a “lock” operation in Dogecoin. The protocol relies on bulletproofs, Truebit, and parametrized tokens to efficiently and trustlessly relay events from the “true” Dogecoin blockchain into Ethereum. The present construction not only enables cross-platform exchange but also allows Ethereum smart contracts to trustlessly access Dogecoin. A similar technique adds Ethereum-based smart contracts to Bitcoin and Bitcoin data to Ethereum smart contracts.
Financial
Modelling Crypto Asset Price Dynamics, Optimal Crypto Portfolio, and Crypto Option Valuation
Authors: Yuan Hu, T. Svetlozar Rache, J. Frank Fabozzi
Abstract: Despite being described as a medium of exchange, cryptocurrencies do not have the typical attributes of a medium of exchange. Consequently, cryptocurrencies are more appropriately described as crypto assets. A common investment attribute shared by the more than 2,500 crypto assets is that they are highly volatile. An investor interested in reducing price volatility of a portfolio of crypto assets can do so by constructing an optimal portfolio through standard optimization techniques that minimize tail risk. Because crypto assets are not backed by any real assets, forming a hedge to reduce the risk contribution of a single crypto asset can only be done with another set of similar assets (i.e., a set of other crypto assets). A major finding of this paper is that crypto portfolios constructed via optimizations that minimize variance and Conditional Value at Risk outperform a major stock market index (the S&P 500). As of this writing, options in which the underlying is a crypto asset index are not traded, one of the reasons being that the academic literature has not formulated an acceptable fair pricing model. We offer a fair valuation model for crypto asset options based on a dynamic pricing model for the underlying crypto assets. The model was carefully backtested and therefore offers a reliable model for the underlying crypto assets in the natural world. We then obtain the valuation of crypto options by passing the natural world to the equivalent martingale measure via the Esscher transform. Because of the absence of traded crypto options we could not compare the prices obtained from our valuation model to market prices. Yet, we can claim that if such options on crypto assets are introduced, they should follow closely our theoretical prices after adjusting for market frictions and design feature nuances.
Internet of Things (IoT)
Integration of Blockchain and Cloud of Things: Architecture, Applications and Challenges
Authors: C Dinh Nguyen, N Pubudu Pathirana, Ming Ding, Aruna Seneviratne
Abstract: The blockchain technology is taking the world by storm. Blockchain with its decentralized, transparent and secure nature has emerged as a disruptive technology for the next generation of numerous industrial applications. One of them is Cloud of Things enabled by the corporation of Cloud computing and Internet of Things (IoT). In this context, blockchain provides innovative solutions to address challenges in Cloud of Things in terms of decentralization, data privacy and network security, while Cloud of Things offer elasticity and scalability functionalities to improve efficiency of blockchain operations. Therefore, a novel paradigm of blockchain and Cloud of Things combination, called as the BCoT model, is regarded as a promising enabler for a wide range of applied scenarios. In this paper, we present a state-of-the-art review on the BCoT integration to provide general readers with the overview of the BCoT in various aspects, including background knowledge, motivation, and integrated architecture. Particularly, we also provide an in-depth survey of BCoT applications with extensive discussion on use-case domains as well as their opportunities in 5G networks and beyond. Compared to other relevant survey papers, we present a thorough review on the emerging BCoT platforms and services which are useful to researchers and application developers in identifying and catching up with the latest technologies in this fast-growing field. Moreover, research challenges and future directions are also highlighted.
Internet of Things Enabled Policing Processes
Authors: Francesco Schiliro
Abstract: The Internet of Things (IoT) has the potential to transform many industries. This includes harnessing real-time intelligence to improve risk-based decision making and supporting adaptive processes from core to edge. For example, modern police investigation processes are often extremely complex, data-driven and knowledge-intensive. In such processes, it is not sufficient to focus on data storage and data analysis; as the knowledge workers (e.g., police investigators) will need to collect, understand and relate the big data (scattered across various systems) to process analysis.
In this thesis, we analyze the state of the art in knowledge-intensive and data-driven processes. We present a scalable and extensible IoT-enabled process data analytics pipeline to enable analysts ingest data from IoT devices, extract knowledge from this data and link them to process execution data. We focus on a motivating scenario in policing, where a criminal investigator will be augmented by smart devices to collect data and to identify devices around the investigation location, to communicate with them to understand and analyze evidence. We design and implement a system (namely iCOP, IoT-enabled COP) to assist investigators collect large amounts of evidence and dig for the facts in an easy way.
IoT Supply Chain Security: Overview, Challenges, and the Road Ahead
Authors: Junaid Muhammad Farooq, Quanyan Zhu
Abstract: Supply chain is emerging as the next frontier of threats in the rapidly evolving IoT ecosystem. It is fundamentally more complex compared to traditional ICT systems. We analyze supply chain risks in IoT systems and their unique aspects, discuss research challenges in supply chain security, and identify future research directions.
Efficient Intrusion Detection on Low-Performance Industrial IoT Edge Node Devices
Authors: Matthias Niedermaier, Martin Striegel, Felix Sauer, Dominik Merli, Georg Sigl
Abstract: Communication between sensors, actors and Programmable Logic Controllers (PLCs) in industrial systems moves from two-wire field buses to IP-based protocols such as Modbus/TCP. This increases the attack surface because the IP-based network is often reachable from everywhere within the company. Thus, centralized defenses, e.g. at the perimeter of the network do not offer sufficient protection. Rather, decentralized defenses, where each part of the network protects itself, are needed. Network Intrusion Detection Systems (IDSs) monitor the network and report suspicious activity. They usually run on a single host and are not able to capture all events in the network and they are associated with a great integration effort. To bridge this gap, we introduce a method for intrusion detection that combines distributed agents on Industrial Internet of Things (IIoT) edge devices with a centralized logging. In contrast to existing IDSs, the distributed approach is suitable for industrial low performance microcontrollers. We demonstrate a Proof of Concept (PoC) implementation on a MCU running FreeRTOS with LwIP and show the feasibility of our approach in an IIoT application.
A Secure Dual-MCU Architecture for Robust Communication of IIoT Devices
Authors: Matthias Niedermaier, Dominik Merli, Georg Sigl
Abstract: The Industrial Internet of Things (IIoT) has already become a part of our everyday life: be it water supply, smart grid, or production, IIoT is everywhere. For example, factory operators want to know the current state of the production line. These new demands for data acquisition in modern plants require industrial components to be able to communicate. Nowadays, network communication in Industrial Control Systems (ICSs) is often implemented via an IP-based protocol. This intercommunication also brings a larger attack surface for hackers. If an IIoT device is influenced by attackers, the physical process could be affected. For example, a high network load could cause a high Central Processing Unit (CPU) load and influence the reaction time on the physical control side. In this paper, we introduce a dual Microcontroller Unit (MCU) setup to ensure a resilient controlling for IIoT devices like Programmable Logic Controllers (PLCs). We introduce a possible solution for the demand of secure architectures in the IIoT. Moreover, we provide a Proof of Concept (PoC) implementation with a benchmark and a comparison with a standard PLC.
Optimal Deployments of Defense Mechanisms for the Internet of Things
Authors: Mengmeng Ge, Jin-Hee Cho, A. Charles Kamhoua, Seong Dong Kim
Abstract: Internet of Things (IoT) devices can be exploited by the attackers as entry points to break into the IoT networks without early detection. Little work has taken hybrid approaches that combine different defense mechanisms in an optimal way to increase the security of the IoT against sophisticated attacks. In this work, we propose a novel approach to generate the strategic deployment of adaptive deception technology and the patch management solution for the IoT under a budget constraint. We use a graphical security model along with three evaluation metrics to measure the effectiveness and efficiency of the proposed defense mechanisms. We apply the multi-objective genetic algorithm (GA) to compute the Pareto optimal deployments of defense mechanisms to maximize the security and minimize the deployment cost. We present a case study to show the feasibility of the proposed approach and to provide the defenders with various ways to choose optimal deployments of defense mechanisms for the IoT. We compare the GA with the exhaustive search algorithm (ESA) in terms of the runtime complexity and performance accuracy in optimality. Our results show that the GA is much more efficient in computing a good spread of the deployments than the ESA, in proportion to the increase of the IoT devices.
Modeling and Analysis of Integrated Proactive Defense Mechanisms for Internet-of-Things
Authors: Mengmeng Ge, Jin-Hee Cho, Bilal Ishfaq, Seong Dong Kim
Abstract: As a solution to protect and defend a system against inside attacks, many intrusion detection systems (IDSs) have been developed to identify and react to them for protecting a system. However, the core idea of an IDS is a reactive mechanism in nature even though it detects intrusions which have already been in the system. Hence, the reactive mechanisms would be way behind and not effective for the actions taken by agile and smart attackers. Due to the inherent limitation of an IDS with the reactive nature, intrusion prevention systems (IPSs) have been developed to thwart potential attackers and/or mitigate the impact of the intrusions before they penetrate into the system. In this chapter, we introduce an integrated defense mechanism to achieve intrusion prevention in a software-defined Internet-of-Things (IoT) network by leveraging the technologies of cyberdeception (i.e., a decoy system) and moving target defense, namely MTD (i.e., network topology shuffling). In addition, we validate their effectiveness and efficiency based on the devised graphical security model (GSM)-based evaluation framework. To develop an adaptive, proactive intrusion prevention mechanism, we employed fitness functions based on the genetic algorithm in order to identify an optimal network topology where a network topology can be shuffled based on the detected level of the system vulnerability. Our simulation results show that GA-based shuffling schemes outperform random shuffling schemes in terms of the number of attack paths toward decoy targets. In addition, we observe that there exists a tradeoff between the system lifetime (i.e., mean time to security failure) and the defense cost introduced by the proposed MTD technique for fixed and adaptive shuffling schemes. That is, a fixed GA-based shuffling can achieve higher MTTSF with more cost while an adaptive GA-based shuffling obtains less MTTSF with less cost.
Learning-Aided Physical Layer Attacks Against Multicarrier Communications in IoT
Authors: Alireza Nooraiepour, U. Waheed Bajwa, B. Narayan Mandayam
Abstract: Internet-of-Things (IoT) devices that are limited in power and processing capabilities are susceptible to physical layer (PHY) spoofing attacks owing to their inability to implement a full-blown protocol stack for security. The overwhelming adoption of multicarrier communications for the PHY layer makes IoT devices further vulnerable to PHY spoofing attacks. These attacks which aim at injecting bogus data into the receiver, involve inferring transmission parameters and finding PHY characteristics of the transmitted signals so as to spoof the received signal. Non-contiguous orthogonal frequency division multiplexing (NC-OFDM) systems have been argued to have low probability of exploitation (LPE) characteristics against classic attacks based on cyclostationary analysis. However, with the advent of machine learning (ML) algorithms, adversaries can devise data-driven attacks to compromise such systems. It is in this vein that PHY spoofing performance of adversaries equipped with supervised and unsupervised ML tools are investigated in this paper. The supervised ML approach is based on estimation/classification utilizing deep neural networks (DNN) while the unsupervised one employs variational autoencoders (VAEs). In particular, VAEs are shown to be capable of learning representations from NC-OFDM signals related to their PHY characteristics such as frequency pattern and modulation scheme, which are useful for PHY spoofing. In addition, a new metric based on the disentanglement principle is proposed to measure the quality of such learned representations. Simulation results demonstrate that the performance of the spoofing adversaries highly depends on the subcarriers’ allocation patterns used at the transmitter. Particularly, it is shown that utilizing a random subcarrier occupancy pattern precludes the adversary from spoofing and secures NC-OFDM systems against ML-based attacks.