Holistic specifications for robust programs

Functional specifications describe what program components can do: the sufficient conditions to invoke components' operations. They allow us to reason about the use of components in a closed world setting, where components interact with known client code, and where the client code must establish the appropriate pre-conditions before calling into a component. Sufficient conditions are not enough to reason about the use of components in an \emph{open world} setting, where components interact with external code, possibly of unknown provenance, and where components may evolve over time. In this open world setting, we must also consider the possible external code. \emph{necessary} conditions, i.e, what are the conditions without which an effect will not happen. In this paper we propose the Chainmail specification language for writing {holistic specifications that focus on necessary conditions (as well as sufficient conditions). We give a formal semantics for \Chainmail, and discuss several examples. The core of \Chainmail has been mechanised in the Coq proof assistant

ETHTID: Deployable Threshold Information Disclosure on Ethereum

We address the Threshold Information Disclosure (TID) problem on Ethereum: An arbitrary number of users commit to the scheduled disclosure of their individual messages recorded on the Ethereum blockchain if and only if all such messages are disclosed. Before a disclosure, only the original sender of each message should know its contents. To accomplish this, we task a small council with executing a distributed generation and threshold sharing of an asymmetric key pair. The public key can be used to encrypt messages which only become readable once the threshold-shared decryption key is reconstructed at a predefined point in time and recorded on-chain. With blockchains like Ethereum, it is possible to coordinate such procedures and attach economic stakes to the actions of participating individuals. In this paper, we present ETHTID, an Ethereum smart contract application to coordinate Threshold Information Disclosure. We base our implementation on ETHDKG [1], a smart contract application for distributed key generation and threshold sharing, and adapt it to fit our differing use case as well as add functionality to oversee a scheduled reconstruction of the decryption key. For our main cost saving optimisation, we show that the security of the underlying cryptographic scheme is maintained. We evaluate how the execution costs depend on the size of the council and the threshold and show that the presented protocol is deployable on Ethereum with a council of more than 200 members with gas savings of 20-40% compared to ETHDKG

ETHTID: Deployable Threshold Information Disclosure on Ethereum

We address the Threshold Information Disclosure (TID) problem on Ethereum: An arbitrary number of users commit to the scheduled disclosure of their individual messages recorded on the Ethereum blockchain if and only if all such messages are disclosed. Before a disclosure, only the original sender of each message should know its contents. To accomplish this, we task a small council with executing a distributed generation and threshold sharing of an asymmetric key pair. The public key can be used to encrypt messages which only become readable once the threshold-shared decryption key is reconstructed at a predefined point in time and recorded on-chain. With blockchains like Ethereum, it is possible to coordinate such procedures and attach economic stakes to the actions of participating individuals. In this paper, we present ETHTID, an Ethereum smart contract application to coordinate Threshold Information Disclosure. We base our implementation on ETHDKG [1], a smart contract application for distributed key generation and threshold sharing, and adapt it to fit our differing use case as well as add functionality to oversee a scheduled reconstruction of the decryption key. For our main cost saving optimisation, we show that the security of the underlying cryptographic scheme is maintained. We evaluate how the execution costs depend on the size of the council and the threshold and show that the presented protocol is deployable on Ethereum with a council of more than 200 members with gas savings of 20--40\% compared to ETHDKG

A Capability-Based Module System for Authority Control

The principle of least authority states that each component of the system should be given authority to access only the information and resources that it needs for its operation. This principle is fundamental to the secure design of software systems, as it helps to limit an application\u27s attack surface and to isolate vulnerabilities and faults. Unfortunately, current programming languages do not provide adequate help in controlling the authority of application modules, an issue that is particularly acute in the case of untrusted third-party extensions. In this paper, we present a language design that facilitates controlling the authority granted to each application module. The key technical novelty of our approach is that modules are first-class, statically typed capabilities. First-class modules are essentially objects, and so we formalize our module system by translation into an object calculus and prove that the core calculus is type-safe and authority-safe. Unlike prior formalizations, our work defines authority non-transitively, allowing engineers to reason about software designs that use wrappers to provide an attenuated version of a more powerful capability. Our approach allows developers to determine a module\u27s authority by examining the capabilities passed as module arguments when the module is created, or delegated to the module later during execution. The type system facilitates this by identifying which objects provide capabilities to sensitive resources, and by enabling security architects to examine the capabilities passed into and out of a module based only on the module\u27s interface, without needing to examine the module\u27s implementation code. An implementation of the module system and illustrative examples in the Wyvern programming language suggest that our approach can be a practical way to control module authority

Against Financial Literacy Education

The dominant model of regulation in the United States for consumer credit, insurance, and investment products is disclosure and unfettered choice. As these products have become increasingly complex, consumers’ inability to understand them has become increasingly apparent, and the consequences of this inability more dire. In response, policymakers have embraced financial literacy education as a necessary corollary to the disclosure model of regulation. This education is widely believed to turn consumers into “responsible” and “empowered” market players, motivated and competent to make financial decisions that increase their own welfare. The vision is of educated consumers handling their own credit, insurance, and retirement planning matters by confidently navigating the bountiful unrestricted marketplace. Although the vision is seductive, promising both a free market and increased consumer welfare, the predicate belief in the effectiveness of financial literacy education lacks empirical support. Moreover, the belief is implausible, given the velocity of change in the financial marketplace, the gulf between current consumer skills and those needed to understand today’s complex non-standardized financial products, the persistence of biases in financial decisionmaking, and the disparity between educators and financial services firms in resources with which to reach consumers. Harboring this belief may be innocent, but it is not harmless; the pursuit of financial literacy poses costs that almost certainly swamp any benefits. For some consumers, financial education appears to increase confidence without improving ability, leading to worse decisions. When consumers find themselves in dire financial straits, the regulation through education model blames them for their plight, shaming them and deflecting calls for effective market regulation. Consumers generally do not serve as their own doctors and lawyers and for reasons of efficient division of labor alone, generally should not serve as their own financial experts. The search for effective financial literacy education should be replaced by a search for policies more conducive to good consumer financial outcomes

Against Financial Literacy Education

The dominant model of regulation in the United States for consumer credit, insurance, and investment products is disclosure and unfettered choice. As these products have become increasingly complex, consumers’ inability to understand them has become increasingly apparent, and the consequences of this inability more dire. In response, policymakers have embraced financial literacy education as a necessary corollary to the disclosure model of regulation. This education is widely believed to turn consumers into “responsible” and “empowered” market players, motivated and competent to make financial decisions that increase their own welfare. The vision is of educated consumers handling their own credit, insurance, and retirement planning matters by confidently navigating the bountiful unrestricted marketplace. Although the vision is seductive, promising both a free market and increased consumer welfare, the predicate belief in the effectiveness of financial literacy education lacks empirical support. Moreover, the belief is implausible, given the velocity of change in the financial marketplace, the gulf between current consumer skills and those needed to understand today’s complex non-standardized financial products, the persistence of biases in financial decisionmaking, and the disparity between educators and financial services firms in resources with which to reach consumers. Harboring this belief may be innocent, but it is not harmless; the pursuit of financial literacy poses costs that almost certainly swamp any benefits. For some consumers, financial education appears to increase confidence without improving ability, leading to worse decisions. When consumers find themselves in dire financial straits, the regulation through education model blames them for their plight, shaming them and deflecting calls for effective market regulation. Consumers generally do not serve as their own doctors and lawyers and for reasons of efficient division of labor alone, generally should not serve as their own financial experts. The search for effective financial literacy education should be replaced by a search for policies more conducive to good consumer financial outcomes