
2019 IEEE 32nd Computer Security Foundations Symposium (CSF): latest publications

How to Wrap it up - A Formally Verified Proposal for the use of Authenticated Wrapping in PKCS#11
Pub Date : 2019-06-01 DOI: 10.1109/CSF.2019.00012
Alexander Dax, R. Künnemann, Sven Tangermann, M. Backes
Being the most widely used and comprehensive standard for hardware security modules, cryptographic tokens and smart cards, PKCS#11 has been the subject of academic study for years. PKCS#11 provides a key store that is separate from the application, so that, ideally, an application never sees a key in the clear. Again and again, researchers have pointed out the need for an import/export mechanism that ensures the integrity of the permissions associated with a key. With version 2.40, for the first time, the standard included authenticated deterministic encryption schemes. The interface to this operation is insecure, however, so that an application can get the key in the clear, subverting the purpose of using a hardware security module. This work proposes a formal model for the secure use of authenticated deterministic encryption in PKCS#11, including concrete API changes to allow for secure policies to be implemented. Owing to the authenticated encryption mechanism, the policy we propose provides more functionality than any policy proposed so far and can be implemented without access to a random number generator. Our results cover modes of operation that rely on unique initialisation vectors (IVs), like GCM or CCM, but also modes that generate synthetic IVs. We furthermore provide a proof for the deduction soundness of our modelling of deterministic encryption in Böhl et al.'s composable deduction soundness framework.
Citations: 6
Optimising Faceted Secure Multi-Execution
Pub Date : 2019-06-01 DOI: 10.1109/CSF.2019.00008
Maximilian Algehed, Alejandro Russo, C. Flanagan
Language-Based Information Flow Control (IFC) provides strong security guarantees for untrusted code, but often suffers from a non-negligible rate of false alarms. Multi-execution based techniques promise to provide security guarantees without raising any false alarms. However, all known multi-execution approaches introduce extraneous performance overheads which are rarely studied. In this work, we lay down the foundations for optimisation techniques aimed at reducing these overheads to a manageable level, thus helping to make multi-execution more practical. We characterise our optimisations as data- and control-oriented. Data-oriented optimisations reduce storage overheads, which also helps to remove unnecessary repeated computations. In contrast, computation-oriented optimisations rely on program annotations in order to reduce needless computation. These annotations motivate the need for a new, stronger, theoretical notion of transparency, i.e., a stronger notion for characterising the lack of false alarms. To show the efficacy of our optimisation techniques, we apply them to two case studies: a secure (faceted) database and a chat server written in a multi-execution based IFC framework. Our case studies clearly show that our optimisations significantly reduce the storage and computational overhead, sometimes from exponential to polynomial order. All of our formal results are accompanied by mechanised proofs in Agda.
Citations: 7
Analysis of Deterministic Longest-Chain Protocols
Pub Date : 2019-06-01 DOI: 10.1109/CSF.2019.00016
E. Shi
Most classical consensus protocols rely on a leader to coordinate nodes' voting efforts. One novel idea that stems from blockchain-style consensus is to rely, instead, on a "longest-chain" idea for such coordination. Such a longest-chain idea was initially considered in randomized protocols, where in each round, a node has some probability of being elected a leader who can propose the next block. Recently, well-known systems have started implementing the deterministic counterpart of such longest-chain protocols; the deterministic counterpart is especially attractive since it is even simpler to implement than its randomized cousins. A notable instantiation is the Aura protocol, which is widely shipped with Parity's open-source Ethereum implementation. Interestingly, mathematical analyses of deterministic, longest-chain protocols are lacking even though there exist several analyses of randomized versions. In this paper, we provide the first formal analysis of deterministic, longest-chain-style consensus. We show that a variant of the Aura protocol can defend against a Byzantine adversary that controls fewer than a 1/3 fraction of the nodes, and this resilience parameter is tight. Based on insights gained through our mathematical treatment, we point out that Aura's concrete instantiation actually fails to achieve the resilience level they claim and thus clarify existing misconceptions. Finally, while our tight proof for the longest-chain protocol is rather involved and non-trivial, we show that a variant of the "longest-chain" idea which we call "largest-set" enables a textbook construction that admits a simple proof (albeit with slower confirmation).
Citations: 12
Timing Leaks and Coarse-Grained Clocks
Pub Date : 2019-06-01 DOI: 10.1109/CSF.2019.00010
P. Vasilikos, H. R. Nielson, F. Nielson, Boris Köpf
Timing-based side-channel attacks have matured from an academic exercise to a powerful attack vector in the hands of real-world adversaries. A widely deployed countermeasure against such attacks is to reduce the accuracy of the clocks that are available to adversaries. While a number of high-profile attacks show that this mitigation can be side-stepped, there has not been a principled analysis of the degree of security it provides until now. In this paper, we perform the first information-flow analysis with respect to adversaries with coarse-grained clocks. To this end, we define an adversary model that is parametric in the granularity of the clock and connect it with a system model based on timed automata. We present algorithms for translating such a system to an information-theoretic channel, which enables us to analyze the leakage using standard techniques from quantitative information-flow analysis. We use our techniques to derive insights about the effect of reducing clock resolution on security. In particular, (1) we show that a coarse-grained clock might leak more than a fine-grained one, (2) we give a sufficient condition for when increasing the grain of the clock achieves better security, and (3) we show that the attack techniques used in the literature form a strict hierarchy in terms of the information an adversary can extract using them. Finally, we illustrate the expressiveness of our development on a case study of a system that uses RSA signatures.
Citations: 7
BeleniosVS: Secrecy and Verifiability Against a Corrupted Voting Device
Pub Date : 2019-06-01 DOI: 10.1109/CSF.2019.00032
V. Cortier, Alicia Filipiak, Joseph Lallemand
Electronic voting systems aim at two conflicting properties, namely privacy and verifiability, while trying to minimise the trust assumptions on the various voting components. Most existing voting systems either assume trust in the voting device or in the voting server. We propose a novel remote voting scheme, BeleniosVS, that achieves both privacy and verifiability against a dishonest voting server as well as a dishonest voting device. In particular, a voter does not leak her vote to her voting device, and she can check that her ballot on the bulletin board does correspond to her intended vote. More specifically, we assume two election authorities: the voting server and a registrar that acts only during the setup. Then BeleniosVS guarantees both privacy and verifiability against a dishonest voting device, provided that not both election authorities are corrupted. Additionally, our scheme guarantees receipt-freeness against an external adversary. We provide a formal proof of privacy, receipt-freeness, and verifiability using the tool ProVerif, covering a hundred cases of threat scenarios. Proving verifiability required developing a set of sufficient conditions that can be handled by ProVerif. This contribution is of independent interest.
Citations: 21
Securing Cross-App Interactions in IoT Platforms
Pub Date : 2019-06-01 DOI: 10.1109/CSF.2019.00029
Musard Balliu, Massimo Merro, Michele Pasqua
IoT platforms enable users to connect various smart devices and online services via reactive apps running on the cloud. These apps, often developed by third parties, perform simple computations on data triggered by external information sources and actuate the results of computation on external information sinks. Recent research shows that unintended or malicious interactions between the different (even benign) apps of a user can cause severe security and safety risks. These works leverage program analysis techniques to build tools for unveiling unexpected interference across apps for specific use cases. Despite these initial efforts, we are still lacking a semantic framework for understanding interactions between IoT apps. The question of what security policy cross-app interference embodies remains largely unexplored. This paper proposes a semantic framework capturing the essence of cross-app interactions in IoT platforms. The framework generalizes and connects syntactic enforcement mechanisms to bisimulation-based notions of security, thus providing a baseline for formulating soundness criteria of these enforcement mechanisms. Specifically, we present a calculus that models the behavioral semantics of a system of apps executing concurrently, and use it to define desirable semantic policies in the security and safety context of IoT apps. To demonstrate the usefulness of our framework, we define static mechanisms for enforcing cross-app security and safety, and prove them sound with respect to our semantic conditions. Finally, we leverage real-world apps to validate the practical benefits of our policy framework.
Citations: 17
Temporal Safety for Stack Allocated Memory on Capability Machines
Pub Date : 2019-06-01 DOI: 10.1109/CSF.2019.00024
Stelios Tsampas, Dominique Devriese, F. Piessens
Memory capabilities as supported in capability machines are very similar to fat pointers, and hence are very useful for the efficient enforcement of spatial memory safety. Enforcing temporal memory safety, however, is more challenging. This paper investigates an approach to enforce temporal memory safety for stack-allocated memory in C-like languages by extending capabilities with a simple dynamic mechanism. This mechanism ensures that capabilities with a certain lifetime can only be stored in memory that has a longer lifetime. Our mechanism prevents temporal memory safety violations, yet is sufficiently permissive to allow typical C coding idioms where addresses of local variables are passed up the call stack. We formalize the desired behavior of a simple C-like language as a dependently typed operational semantics, and we show that existing compilers to capability machines do not simulate this desired behavior: they either have to break temporal safety, or they have to defensively rule out allowed behaviors. Finally, we show that with our proposed dynamic mechanism, our compiler is fully abstract.
Citations: 9
Title Page ii
Pub Date : 2019-06-01 DOI: 10.1016/S0074-6142(10)97038-1
A. Osborne
Citations: 0
Re-Thinking Untraceability in the CryptoNote-Style Blockchain
Pub Date : 2019-06-01 DOI: 10.1109/CSF.2019.00014
Jiangshan Yu, M. Au, P. Veríssimo
We develop new foundations on transaction untraceability for CryptoNote-style blockchain systems. In particular, we observe new attacks; develop theoretical foundations to model transaction untraceability; provide the least upper bound of transaction untraceability guarantee; provide ways to efficiently and automatically verify whether a given ledger achieves optimal transaction untraceability; and provide a general solution that achieves provably optimal transaction untraceability. Unlike previous cascade effect attacks (ESORICS' 17 and PETS' 18) on CryptoNote-style transaction untraceability, we consider not only a passive attacker but also an active adaptive attacker. Our observed attacks allow both types of attacker to trace blockchain transactions that cannot be traced by using the existing attacks. We develop a series of new games, which we call "The Sun-Tzu Survival Problem", to model CryptoNote-style blockchain transaction untraceability and our identified attacks. In addition, we obtain seven novel results, where three of them are negative and the rest are positive. In particular, thanks to our abstract game, we are able to build bipartite graphs to model transaction untraceability, and provide reductions to formally relate the hardness of calculating untraceability to the hardness of calculating the number of perfect matchings in all possible bipartite graphs. We prove that calculating transaction untraceability is a #P-complete problem, which is believed to be even more difficult to solve than NP problems. In addition, we provide the first result on the least upper bound of transaction untraceability. Moreover, through our theoretical results, we are able to provide ways to efficiently and automatically verify whether a given ledger achieves optimal transaction untraceability. Furthermore, we propose a simple strategy for CryptoNote-style blockchain systems to achieve optimal untraceability. We take Monero as a concrete example to demonstrate how to apply this strategy to optimise the untraceability guarantee provided by Monero.
Citations: 17
A Formal Approach to Secure Speculation
Pub Date : 2019-06-01 DOI: 10.1109/CSF.2019.00027
Kevin Cheang, Cameron Rasmussen, S. Seshia, Pramod Subramanyan
Transient execution attacks like Spectre, Meltdown and Foreshadow have shown that combinations of microarchitectural side-channels can be synergistically exploited to create side-channel leaks that are greater than the sum of their parts. While both hardware and software mitigations have been proposed against these attacks, provable security has remained elusive. This paper introduces a formal methodology for enabling secure speculative execution on modern processors. We propose a new class of information flow security properties called trace property-dependent observational determinism (TPOD). We use this class to formulate a secure speculation property. Our formulation precisely characterises all transient execution vulnerabilities. We demonstrate its applicability by verifying secure speculation for several illustrative programs.
Citations: 51
Journal
2019 IEEE 32nd Computer Security Foundations Symposium (CSF)