Xia Zhou,Yujie Bu,Meng Xu,Yajin Zhou,Lei Wu

DOI: https://doi.org/10.1109/tdsc.2024.3454421

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Multicore embedded systems employ a big.LITTLE architecture to combine different cores into a single microcontroller (MCU). However, resources sharing among cores raises security challenges. Once LITTLE cores (which often receive external inputs) are compromised, the whole system will be affected. Existing hardware-assisted isolation approaches use privilege separation and code instrumentation to enforce memory isolation, which suffer from inefficiencies. This paper presents u BOX , a lightweight sandbox for multicore embedded systems. The goal of u BOX is to enforce memory isolation over untrusted software (on LITTLE cores) at the same privileged level. Specifically, it uses the Memory Protection Unit (MPU) to restrict memory access by untrusted software. To protect sandbox policies, u BOX deprives the write capability of untrusted software towards MPU configurations by replacing its regular store instructions with unprivileged counterparts. Additionally, to protect u BOX 's necessary regular store instructions from being abused, u BOX 's memory is set to read-only and non-executable when running untrusted software. For the normal operation of u BOX , we use an overlooked feature of the MPU and develop secure gates that quickly disable and re-enable the MPU, allowing u BOX to execute at a permissive memory view. Our evaluation demonstrates that u BOX effectively enforces isolation with average 1.27% runtime overhead, 0.83X Flash overhead, and 36.50X SRAM overhead.

Qinwen Hu,Muhammad Rizwan Asghar,Sherali Zeadally

DOI: https://doi.org/10.1007/s00607-021-00954-6

2021-05-20

Computing

Abstract:Over the years, software applications have captured a big market ranging from smart devices (smartphones, smart wearable devices) to enterprise resource management including Enterprise Resource Planning, office applications, and the entertainment industry (video games and graphics design applications). Protecting the copyright of software applications and protection from malicious software (malware) have been topics of utmost interest for academia and industry for many years. The standard solutions use the software license key or rely on the Operating System (OS) protection mechanisms, such as Google Play Protect. However, some end users have broken these protections to bypass payments for applications that are not free. They have done so by downloading the software from an unauthorised website or by jailbreaking the OS protection mechanisms. As a result, they cannot determine whether the software they download is malicious or not. Further, if the software is uploaded to a third party platform by malicious users, the software developer has no way of knowing about it. In such cases, the authenticity or integrity of the software cannot be guaranteed. There is also a problem of information transparency among software platforms. In this study, we propose an architecture that is based on blockchain technology for providing data transparency, release traceability, and auditability. Our goal is to provide an open framework to allow users, software vendors, and security practitioners to monitor misbehaviour and assess software vulnerabilities for preventing malicious software downloads. Specifically, the proposed solution makes it possible to identify software developers who have gone rogue and are potentially developing malicious software. Furthermore, we introduce an incentive policy for encouraging security engineers, victims and software owners to participate in collaborative works. The outcomes will ensure the wide adoption of a software auditing ecosystem in software markets, specifically for some mobile device manufacturers that have been banned from using the open-source OS such as Android. Consequently, there is a demand for them to verify the application security without completely relying on the OS-specific security mechanisms.

computer science, theory & methods

Luca Olivieri,Fausto Spoto

DOI: https://doi.org/10.1007/s10009-024-00758-x

2024-07-13

International Journal on Software Tools for Technology Transfer

Abstract:Blockchain technology has created a new software development context, with its own peculiarities, mainly due to the guarantees that the technology must satisfy, that is, immutability , distributability , and decentralization of data. Its rapid evolution over the last decade implied a lack of adequate verification tools, exposing developers and users to critical vulnerabilities and bugs. This paper clarifies the extent of block chain-oriented software (BoS), that goes well beyond smart contracts. Moreover, it provides an overview of the challenges related to software verification in the blockchain context, encompassing smart contracts, blockchain layers, cross-chain applications, and, more generally, BoS. This study aims to highlight the shortcomings of the state-of-art and of the state-of-practice of software verification in that context and identify, at the same time, new research directions.

computer science, software engineering

Nasser Alsalami,Bingsheng Zhang

DOI: https://doi.org/10.1109/iwqos49365.2020.9213064

2020-01-01

Abstract:Public blockchains can be abused to covertly store and disseminate potentially harmful digital content which poses a serious regulatory issue. In this work, we show the severity of the problem by demonstrating that blockchains can be exploited to surreptitiously distribute arbitrary content. More specifically, all major blockchain systems use randomized cryptographic primitives, such as digital signatures and non-interactive zero-knowledge proofs; we illustrate how the uncontrolled randomness in such primitives can be maliciously manipulated to enable covert communication and hidden persistent storage. To clarify the potential risk, we design, implement and evaluate our technique against the widely-used ECDSA signature scheme, the CryptoNote's ring signature scheme, and Monero's ring confidential transactions. Importantly, the significance of the demonstrated attacks stems from their undetectability, their adverse effect on the future of decentralized blockchains, and their serious repercussions on users' privacy and crypto funds. Finally, we present a generic framework to immunize blockchains against these attacks.

S. M. Udhaya Sankar,D. Selvaraj,G.K. Monica,Jeevaa Katiravan

DOI: https://doi.org/10.14445/22315381/IJETT-V71I3P204

2023-04-24

Abstract:With the help of a shared pool of reconfigurable computing resources, clients of the cloud-based model can keep sensitive data remotely and access the apps and services it offers on-demand without having to worry about maintaining and storing it locally. To protect the privacy of the public auditing system that supports the cloud data exchange system. The data's owner has the ability to change it using the private key and publishes it in the cloud. The RSA Technique is used to produce key codes for the cloud services atmosphere's privacy utilizing the system's baseboard number, disc number, and client passcode for validation. The method is based on a cutting-edge User End Generated (UEG) privacy technique that minimizes the involvement of a third party and improves security checks by automatically documenting destructive activities. To strengthen extensibility, various authorization-assigning modalities and block access patterns were established together with current operational design approaches. In order to meet the demands for decentralization, fine-grained auditability, extensibility, flexibility, and privacy protection for multilevel data access in networked environments, the suggested approach makes use of blockchain technology. According to a thorough performance and security assessment, the current proposal is exceptionally safe and effective.

Cryptography and Security

wentao liu

DOI: https://doi.org/10.1007/978-3-642-25349-2_18

2012-01-01

Abstract:The software protection is the key technology for the shareware and it can delay and prevent the software reverse and cracking. There are many methods such as junk code, anti-debug, virtual machine, deformation, packers, encryption and verification. The software registration is the most important step of protection and it can be implemented by many forms such as network registration, license key or file, dongle. This paper introduces and compares these protection methods. Some architectures of protection based on encryption and verification are provided and they are realized by RSA encryption and many verification methods which include self verification and key data verification. The method use the exe file and DLL file to protect each other and use the license file to check and provide software function. The method uses the RSA in the license key file to register and it can make it difficult to create the key generator for the cracker.

Diego Bendersky,Ariel Futoransky,Luciano Notarfrancesco,Carlos Sarraute,Ariel Waissbein

DOI: https://doi.org/10.48550/arXiv.1006.2356

2010-06-12

Abstract:Software digital rights management is a pressing need for the software development industry which remains, as no practical solutions have been acclamaimed succesful by the industry. We introduce a novel software-protection method, fully implemented with today's technologies, that provides traitor tracing and license enforcement and requires no additional hardware nor inter-connectivity. Our work benefits from the use of secure triggers, a cryptographic primitive that is secure assuming the existence of an ind-cpa secure block cipher. Using our framework, developers may insert license checks and fingerprints, and obfuscate the code using secure triggers. As a result, this rises the cost that software analysis tools have detect and modify protection mechanisms. Thus rising the complexity of cracking this system.

Cryptography and Security

Prof. Prakash Kshirsagar,Nikita Dhakad,Himanshu Jagtap,Vedant Bhosale

DOI: https://doi.org/10.55041/ijsrem18165

2023-03-16

INTERANTIONAL JOURNAL OF SCIENTIFIC RESEARCH IN ENGINEERING AND MANAGEMENT

Abstract:There are always potential hazards from hackers, adware, malware, and viruses. Many big international corporations have experienced hacking and security breaches in the previous few years. In certain instances, this has resulted in the leakage of private and confidential information, such as bank account information, addresses, and transactions, but there are security measures in place that can block these things before they get too close to the company's private data. This is crucial for both secrecy and to avoid paying the steep fines levied on businesses that fail to adequately safeguard customer information. The project is a verification mechanism that only allows users with the proper input credentials to access the system. The project involves modules or user certificates. Security credentials come in a variety of forms. Thus, we incorporate a unique blockchain for banking security and user authentication in this proposed methodology. This degree of authentication reduces the possibility of hacking and the loss of sensitive data. Also, in the current environment, safer bank transactions are necessary due to advancements in security technologies. They have also made advances into industries, healthcare, telecommunications, and home automation, among others. A distributed ledger is basically what a blockchain is. It can keep information about who owns a certain piece of property or, for example, a bond. A permanent record of ownership can be maintained using technology, which also makes it possible for parties with a low level of trust to exchange the asset. Key Words: Custom Blockchain, Distributed Ledger, Authentications, Confidentiality, Transactions, Security System, Credentials, Banking Security, etc.

Bibin K. Baby,Alan Sunil,Neetha Thomas

Abstract:: Smart Contracts have gained tremendous popularity in the past few years., to the point that billons of US Dollars are currently exchanged very day through such technology. In this paper we advocate the need for a discipline of Blockchain Software Engineering, addressing the issues posed by smart contract programming and other and other application running on blockchains. We analyze a case of study where a bug discovered in a Smart Contract Library, and perhaps “unsafe” programming, allowed an attack on Parity, a wallet application, causing the freezing of about 500K Ethers. In this study we analyze the source code of Parity and the Library, and discuss how recognized best practices could mitigate, if adopted and adapted, such detrimental software misbehavior. We also specify the Smart Contract software development, which make some of the existing approaches insufficient, and call for the definition of a specific Blockchain Software Engineering.

Computer Science

Pascal Urien

DOI: https://doi.org/10.1109/csnet52717.2021.9614649

2023-03-30

Abstract:Blockchain transactions are signed by private keys. Secure key storage and tamper-proof computers are essential requirements for deploying a trusted infrastructure. In this paper, we identify some threats against blockchain wallets and propose a set of physical and logical countermeasures to thwart them. We present the crypto terminal device, operating with a removable secure element, built on open software and hardware architectures, capable of detecting a cloned device or corrupted software. These technologies are based on tamper-resistant computing (javacard), smart card anti-cloning, smart card content attestation, application firewall, bare-metal architecture, remote attestation, dynamic Physical Unclonable Function (dPUF), and programming tokens as a root of <a class="link-external link-http" href="http://trust.This" rel="external noopener nofollow">this http URL</a> paper is an extended version of the paper ''Innovative Countermeasures to Defeat Cyber Attacks Against Blockchain Wallets,'' 2021 5th Cyber Security in Networking Conference (CSNet), 2021, pp. 49-54, doi: <a class="link-https link-external" data-doi="10.1109/CSNet52717.2021.9614649" href="https://doi.org/10.1109/CSNet52717.2021.9614649" rel="external noopener nofollow">https://doi.org/10.1109/CSNet52717.2021.9614649</a>

Cryptography and Security

Guorui Yu,Shibin Zhao,Chao Zhang,Zhiniang Peng,Yuandong Ni,Xinhui Han

DOI: https://doi.org/10.1109/infocom42981.2021.9488749

2021-01-01

Abstract:Blockchains promise to provide a tamper-proof medium for transactions, and thus enable many applications including cryptocurrency. As a system built on consensus, the correctness of a blockchain heavily relies on the consistency of states between its nodes. But consensus protocols of blockchains only guarantee the consistency in the transaction sequence rather than nodes’ internal states. Instead, nodes must replay and exe-cute all transactions to maintain their local states independently. When executing transactions, any different execution result could cause a node out-of-sync and thus gets isolated from other nodes.After systematically modeling the transaction execution process in blockchains, we present a new attack INCITE, which can lead different nodes to different states. Specifically, attackers could invoke an ambiguous transaction of a vulnerable smart contract, utilize software bugs in smart contracts to lead nodes that execute this transaction into different states. Unlike attacks that bring short-term inconsistencies, such as fork attacks, INCITE can cause nodes in the blockchain to fall into a long-term inconsistent state, which further leads to great damages to the chain (e.g., double-spending attacks and expelling mining power). We have discovered 7 0day vulnerabilities in 5 popular blockchains which can enable this attack. We also proposed a defense solution to mitigate this threat. Experiments showed that it is effective and lightweight.

Zhiwei Yu,Chaokun Wang,Clark Thomborson,Jianmin Wang,Shiguo Lian,Athanasios V. Vasilakos

DOI: https://doi.org/10.1002/spe.1088

2012-01-01

Abstract:With the rapid development of cloud computing, software applications are shifting onto cloud storage rather than remaining within local networks. Software distributions within the cloud are subject to security breaches, privacy abuses, and access control violations. In this paper, we identify an insider threat to access control which is not completely eliminated by the usual techniques of encryption, cryptographic hashes, and access-control labels. We address this threat using software watermarking. We evaluate our access-control scheme within the context of a Collaboration-oriented Architecture, as defined by The Jericho Forum. Copyright © 2011 John Wiley & Sons, Ltd.

Tien Tuan Anh Dinh,Ji Wang,Gang Chen,Rui Liu,Beng Chin Ooi,Kian‐Lee Tan

DOI: https://doi.org/10.1145/3035918.3064033

2017-01-01

Abstract:Blockchain technologies are taking the world by storm. Public blockchains, such as Bitcoin and Ethereum, enable secure peer-to-peer applications like crypto-currency or smart contracts. Their security and performance are well studied. This paper concerns recent private blockchain systems designed with stronger security (trust) assumption and performance requirement. These systems target and aim to disrupt applications which have so far been implemented on top of database systems, for example banking, finance and trading applications. Multiple platforms for private blockchains are being actively developed and fine tuned. However, there is a clear lack of a systematic framework with which different systems can be analyzed and compared against each other. Such a framework can be used to assess blockchains' viability as another distributed data processing platform, while helping developers to identify bottlenecks and accordingly improve their platforms.

Rajesh Kumar

DOI: https://doi.org/10.55041/ijsrem11514

2022-01-24

INTERANTIONAL JOURNAL OF SCIENTIFIC RESEARCH IN ENGINEERING AND MANAGEMENT

Abstract:Since when bitcoin make an entry in cryptocurrency which is based on blockchain technology gets so much popularity just from initial phase itself, now most of the cryptocurrency are moving towards blockchain framework and using different hashing function. In this advancement most of the works are now using blockchain technology from cryptocurrency to smart online retails platforms which has been used by Walmart. since its going to be most used term and popular technology most of the attackers are targeting and just by using some loopholes and any other technical glitches or any other way they are attacking over this technology. since its going to be future and everyone is concerned for its security and privacy, here we did a good comparison of many attacks already did on this blockchain frameworks and we summarize this attacks and we tried to give our own opinion to make it more reliable and flexible. Key Words: Consensus, PoW, PoS, PoL, PoI, Bloch Chain,

Dmitry Tanana

DOI: https://doi.org/10.48550/arXiv.2301.11569

2023-01-27

Cryptography and Security

Abstract:With rise of blockchain popularity, more and more people seek to implement blockchain technology into their projects. Most common way is to take existing blockchain stack, such as Azure Blockchain Workbench or Oracle Blockchain Platform. While the blockchain technology is well-protected by its algorithms it is still vulnerable because its privacy relies on regular cryptography. And mistakes or vulnerabilities in key management protocols can affect even the most secure blockchain projects. This article considers question of vulnerabilities within Azure Blockchain Workbench key management system. We describe potential threats for each stage of key management lifecycle based on public reports and then assess how likely are those threats to realize within Azure Blockchain Workbench environment based on the technical documentation for Azure Blockchain Workbench and Azure Key Vault. Finally, we compile results of our assessment into the key management threat table with three distinct degrees of protection: fully protected, partially protected and not protected.

Jing Sun,Ian Warren,Nacha Chondamrongkul

DOI: https://doi.org/10.18293/SEKE2020-024

2020-01-01

Abstract:During the design phase, security as a nonfunctional requirement needs to be analysed to address vulnerabilities in the architecture design. Without such analysis, security vulnerabilities can be propagated to the implementation. However, security analysis is an error-prone task, especially in complex systems that apply blockchain technology. Without proper security controls applied, the interaction among software components and the blockchain may pose security risks. This paper presents a security analysis approach based on a formal model of blockchain-based architecture design. Our approach can automatically identify specific security vulnerabilities and generate informative scenarios that show how attacks may impact the blockchain. We have evaluated our approach with an example system and found it performs well in identifying an extensible class of security vulnerabilities.

Devika Kalathil Nandalal,Ramesh Bhakthavatchalu

DOI: https://doi.org/10.11591/ijece.v13i3.pp3178-3191

2023-06-01

International Journal of Electrical and Computer Engineering (IJECE)

Abstract:Globalization of the chip design and manufacturing industry has imposed significant threats to the hardware security of integrated circuits (ICs). It has made ICs more susceptible to various hardware attacks. Blockchain provides a trustworthy and distributed platform to store immutable records related to the evidence of intellectual property (IP) creation, authentication of provenance, and confidential data storage. However, blockchain encounters major security challenges due to its decentralized nature of ledgers that contain sensitive data. The research objective is to design a dedicated programmable hardware security modules scheme to safeguard and maintain sensitive information contained in the blockchain networks in the context of the IC supply chain. Thus, the blockchain framework could rely on the proposed hardware security modules and separate the entire cryptographic operations within the system as stand-alone hardware units. This work put forth a novel approach that could be considered and utilized to enhance blockchain security in real-time. The critical cryptographic components in blockchain secure hash algorithm-256 (SHA-256) and the elliptic curve digital signature algorithm are designed as separate entities to enhance the security of the blockchain framework. Physical unclonable functions are adopted to perform authentication of transactions in the blockchain. Relative comparison of designed modules with existing works clearly depicts the upper hand of the former in terms of performance parameters.

Chen Wanfa,Zheng Qing'an,Chen Shuzhen,Fu Hongyi,Chen Liang

DOI: https://doi.org/10.23919/jcc.fa.2023-0715.202406

2024-06-21

China Communications

Abstract:In recent years, blockchain technology integration and application has gradually become an important driving force for new technological innovation and industrial transformation. While blockchain technology and applications are developing rapidly, the emerging security risks and obstacles have gradually become prominent. Attackers can still find security issues in blockchain systems and conduct attacks, causing increasing losses from network attacks every year. In response to the current demand for blockchain application security detection and assessment in all industries, and the insufficient coverage of existing detection technologies such as smart contract detectiontechnology, this paper proposes a blockchain core technology security assessment system model, and studies the relevant detection and assessment key technologies and systems. A security assessment scheme based on a smart contract and consensus mechanism detection scheme is designed. And the underlying blockchain architecture supports the traceability of detection results using super blockchains. Finally, the functionality and performance of the system were tested, and the test results show that the model and solutions proposed in this paper have good feasibility.

telecommunications

Xiaoyu Li,Cheng Su,Yan Xiong,Wenchao Huang,Wansen Wang

DOI: https://doi.org/10.1109/bigcom.2019.00021

2019-01-01

Abstract:Blockchain is a decentralized cryptocurrency framework which has gained considerable attention in research and many industries. Ethereum is an implementation based on blockchain technology. Ethereum blockchain offers smart contracts, a piece of program codes which can execute and record the transactions in blockchain. Users can use smart contracts to create their own tokens based on ERC-20 standard, and token smart contracts have been used to manage and transfer tokens, carrying millions dollars worth of virtual currencies. However, keeping token smart contracts secure can be difficult. When smart contracts are deployed on Ethereum successfully, they cannot be changed. Due to the openness of Ethereum, both users and attackers can invoke contracts. So errors in smart contracts have led and will lead to a loss. For example, the DAO bug led to a 60 million US dollar loss in June 2016. Therefore, the researches on security of smart contracts are urgently important. In this paper, we use a formal approach to verify smart contracts. We apply formal verification on a concrete smart contract example, BNB contract, which is one of the most popular token contracts. We analyze the contract and discover the two attributes in the contract, one is transfer attribute involving the functions of transferring tokens operations, and the other is owner attribute which involves the authority of contract owner. We verify these two attributes respectively. We model the contract using SAPIC, the applied pi calculus and then verify by Tamarin prover. We specify the processes of modeling and verifying. The results show we cannot find an attack path. The research method reduces the complexity of verifying smart contracts and can be used to analyze complex contracts.

Shantanu Pal,Ambrose Hill,Tahiry Rabehaja,Michael Hitchens

DOI: https://doi.org/10.48550/arXiv.2206.05676

2022-06-12

Abstract:There has been considerable advancement in the use of blockchain for trust management in large-scale dynamic systems. In such systems, blockchain is mainly used to store the trust score or trust-related information of interactions among the various entities. However, present trust management architectures using blockchain lack verifiable interactions among the entities on which the trust score is calculated. In this paper, we propose a blockchain-based trust management framework that allows independent trust providers to implement different trust metrics on a common set of trust evidence and provide individual trust value. We employ geo-location as proof of interaction. Some of the existing proposals rely upon geo-location data, but they do not support trust calculation by multiple trust providers. Instead, they can only support a centralised system. Our proposed architecture does not depend upon a single centralised third-party entity to ensure trusted interactions. Our architecture is supported by provable interactions that can easily be verified using blockchain. Therefore, it allows a high degree of confidence in trust management by ensuring the actual interactions between the entities. We provide a detailed design and development of the architecture using real-world use case examples. The proof of prototype was implemented on the Ethereum blockchain platform. Experimental results demonstrate that the employment of independent trust providers adequately provides a high degree of trust scores and that the proposed architecture can be used in a real-world environment.

Distributed, Parallel, and Cluster Computing