54,272 research outputs found
TxT: Real-time Transaction Encapsulation for Ethereum Smart Contracts
Ethereum is a permissionless blockchain ecosystem that supports execution of
smart contracts, the key enablers of decentralized finance (DeFi) and
non-fungible tokens (NFT). However, the expressiveness of Ethereum smart
contracts is a double-edged sword: while it enables blockchain programmability,
it also introduces security vulnerabilities, i.e., the exploitable
discrepancies between expected and actual behaviors of the contract code. To
address these discrepancies and increase the vulnerability coverage, we propose
a new smart contract security testing approach called transaction
encapsulation. The core idea lies in the local execution of transactions on a
fully-synchronized yet isolated Ethereum node, which creates a preview of
outcomes of transaction sequences on the current state of blockchain. This
approach poses a critical technical challenge -- the well-known
time-of-check/time-of-use (TOCTOU) problem, i.e., the assurance that the final
transactions will exhibit the same execution paths as the encapsulated test
transactions. In this work, we determine the exact conditions for guaranteed
execution path replicability of the tested transactions, and implement a
transaction testing tool, TxT, which reveals the actual outcomes of Ethereum
transactions. To ensure the correctness of testing, TxT deterministically
verifies whether a given sequence of transactions results in an identical execution
path on the current state of blockchain. We analyze over 1.3 billion Ethereum
transactions and determine that 96.5% of them can be verified by TxT. We
further show that TxT successfully reveals the suspicious behaviors associated
with 31 out of 37 vulnerabilities (83.8% coverage) in the smart contract
weakness classification (SWC) registry. In comparison, the vulnerability
coverage of all the existing defense approaches combined only reaches 40.5%.
Comment: To appear in IEEE Transactions on Information Forensics and Securit
Link Before You Share: Managing Privacy Policies through Blockchain
With the advent of numerous online content providers, utilities and
applications, each with their own specific version of privacy policies and its
associated overhead, it is becoming increasingly difficult for concerned users
to manage and track the confidential information that they share with the
providers. Users consent to providers to gather and share their Personally
Identifiable Information (PII). We have developed a novel framework to
automatically track details about how a user's PII data is stored, used and
shared by the provider. We have integrated our Data Privacy ontology with the
properties of blockchain, to develop an automated access control and audit
mechanism that enforces users' data privacy policies when sharing their data
across third parties. We have also validated this framework by implementing a
working system, LinkShare. In this paper, we describe our framework in detail
along with the LinkShare system. Our approach can be adopted by Big Data users
to automatically apply their privacy policy on data operations and track the
flow of that data across various stakeholders.
Comment: 10 pages, 6 figures, Published in: 4th International Workshop on
Privacy and Security of Big Data (PSBD 2017) in conjunction with 2017 IEEE
International Conference on Big Data (IEEE BigData 2017) December 14, 2017,
Boston, MA, US
An Approach to Using Non Safety-Assured Programmable Components in Modest Integrity Systems
Programmable components (like personal computers or smart devices) can offer considerable benefits in terms of usability and functionality in a safety-related system. However, there is a problem in justifying the use of programmable components if the components have not been safety justified to an appropriate integrity (e.g. to SIL 1 of IEC 61508). This paper outlines an approach (called LowSIL) developed in the UK CINIF nuclear industry research programme to justify the use of non safety-assured programmable components in modest integrity systems. This is a seven-step approach that can be applied to new systems from an early design stage, or retrospectively to existing systems. The stages comprise: system characterisation, component suitability assessment, failure analysis, failure mitigation, identification of additional defences, identification of safety evidence requirements, and collation and evaluation of evidence. In the case of personal computers, there is supporting guidance on usage constraints, claim limits on reliability, and advice on “locking down” the component to maximise reliability. The approach is demonstrated for an example system. The approach has been applied successfully to a range of safety-related systems used in the nuclear industry