57 research outputs found

    LIPIcs, Volume 251, ITCS 2023, Complete Volume

    Get PDF
    LIPIcs, Volume 251, ITCS 2023, Complete Volum

    BigDipper: A hyperscale BFT system with short term censorship resistance

    Full text link
    Byzantine-fault-tolerant (BFT) protocols underlie a variety of decentralized applications including payments, auctions, data feed oracles, and decentralized social networks. In most leader-based BFT protocols, an important property that has been missing is the censorship resistance of transaction in the short term. The protocol should provide inclusion guarantees in the next block height even if the current and future leaders have the intent of censoring. In this paper, we present a BFT system, BigDipper, that achieves censorship resistance while providing fast confirmation for clients and hyperscale throughput. The core idea is to decentralize inclusion of transactions by allowing every BFT replica to create their own mini-block, and then enforcing the leader on their inclusions. To achieve this, BigDipper creates a modular system made of three components. First, we provide a transaction broadcast protocol used by clients as an interface to achieve a spectrum of probabilistic inclusion guarantees. Afterwards, a distribution of BFT replicas will receive the client's transactions and prepare mini-blocks to send to the data availability (DA) component. The DA component characterizes the censorship resistant properties of the whole system. We design three censorship resistant DA (DA-CR) protocols with distinct properties captured by three parameters and demonstrate their trade-offs. The third component interleaves the DA-CR protocols into the consensus path of leader based BFT protocols, it enforces the leader to include all the data from the DA-CR into the BFT block. We demonstrate an integration with a two-phase Hotstuff-2 BFT protocol with minimal changes. BigDipper is a modular system that can switch the consensus to other leader based BFT protocol including Tendermint

    The Blockchain Of Oz : Specifying Blockchain Failures for Scalable Protocols Offering Unprecedented Safety and Decentralization

    Get PDF
    Blockchains have starred an outstanding increase in interest from both business and research since Nakamoto’s 2008 Bitcoin. Unfortunately, many questions in terms of results that establish upper-bounds, and of proposals that approach these bounds. Furthermore, the sudden hype surrounding the blockchain world has led to several proposals that are either only partially public, informal, or not proven correct. The main contribution of this dissertation is to build upon works that steer clear of blockchain puffery, following research methodology. The works of this dissertation converge towards a blockchain that for the first time formally proves and empirically shows deterministic guarantees in the presence of classical Byzantine adversaries, while at the same time pragmatically resolves unlucky cases in which the adversary corrupts an unprecedented percentage of the system. This blockchain is decentralized and scalable, and needs no strong assumptions like synchrony. For this purpose, we build upon previous work and propose a novel attack of synchronous offchain protocols. We then introduce Platypus, an offchain protocol without synchrony. Secondly, we present Trap, a Byzantine fault-tolerant consensus protocol for blockchains that also tolerates up to less than half of the processes deviating. Thirdly, we present Basilic, a class of protocols that solves consensus both against a resilient-optimal Byzantine adversary and against an adversary controlling up to less than 2/3 of combined liveness and safety faults. Then, we use Basilic to present Zero-loss Blockchain (ZLB), a blockchain that tolerates less than 2/3 of safety faults of which less than 1/3 can be Byzantine. Finally, we present two random beacon protocols for committee sortition: Kleroterion and Kleroterion+ , that improve previous works in terms of communication complexity and in the number of faults tolerated, respectively

    Securing the Next Generation Web

    Get PDF
    With the ever-increasing digitalization of society, the need for secure systems is growing. While some security features, like HTTPS, are popular, securing web applications, and the clients we use to interact with them remains difficult.To secure web applications we focus on both the client-side and server-side. For the client-side, mainly web browsers, we analyze how new security features might solve a problem but introduce new ones. We show this by performing a systematic analysis of the new Content Security Policy (CSP)\ua0 directive navigate-to. In our research, we find that it does introduce new vulnerabilities, to which we recommend countermeasures. We also create AutoNav, a tool capable of automatically suggesting navigation policies for this directive. Finding server-side vulnerabilities in a black-box setting where\ua0 there is no access to the source code is challenging. To improve this, we develop novel black-box methods for automatically finding vulnerabilities. We\ua0 accomplish this by identifying key challenges in web scanning and combining the best of previous methods. Additionally, we leverage SMT solvers to\ua0 further improve the coverage and vulnerability detection rate of scanners.In addition to browsers, browser extensions also play an important role in the web ecosystem. These small programs, e.g. AdBlockers and password\ua0 managers, have powerful APIs and access to sensitive user data like browsing history. By systematically analyzing the extension ecosystem we find new\ua0 static and dynamic methods for detecting both malicious and vulnerable extensions. In addition, we develop a method for detecting malicious extensions\ua0 solely based on the meta-data of downloads over time. We analyze new attack vectors introduced by Google’s new vehicle OS, Android Automotive. This\ua0 is based on Android with the addition of vehicle APIs. Our analysis results in new attacks pertaining to safety, privacy, and availability. Furthermore, we\ua0 create AutoTame, which is designed to analyze third-party apps for vehicles for the vulnerabilities we found
    • …
    corecore