
Trust Factors and Insider Threats in Permissioned Distributed Ledgers

An Analytical Study and Evaluation of Popular DLT Frameworks

  • Chapter
Transactions on Large-Scale Data- and Knowledge-Centered Systems XLII

Part of the book series: Lecture Notes in Computer Science ((TLDKS,volume 11860))

Abstract

Permissioned distributed ledgers have recently captured the attention of organizations looking to improve efficiency, transparency and auditability in value network operations. The technology is often regarded as trustless or trust-free, which results in a false sense of security. In this work, we review the various trust factors present in distributed ledger systems. We analyze the different groups of trust actors and their trust relationships to the software layers and inherent components of distributed ledgers. Based on these analyses, we investigate how insiders may conduct attacks that exploit trust in distributed ledger components. To verify the practical feasibility of these attack vectors, we conduct a technical study with four popular permissioned distributed ledger frameworks: Hyperledger Fabric, Hyperledger Sawtooth, Ethereum and R3 Corda. Finally, we highlight options for mitigating these threats.


Notes

  1. github.com/bft-smart/fabric-orderingservice.
  2. github.com/hyperledger/sawtooth-pbft.
  3. sphincs.cr.yp.to.
  4. zeromq.org.
  5. www.amqp.org.
  6. cve.mitre.org.
  7. Ethereum only allows upgrades if the contract has been set up in a modular way.


Corresponding author

Correspondence to Benedikt Putz.


Copyright information

© 2019 Springer-Verlag GmbH Germany, part of Springer Nature

About this chapter


Cite this chapter

Putz, B., Pernul, G. (2019). Trust Factors and Insider Threats in Permissioned Distributed Ledgers. In: Hameurlain, A., Wagner, R. (eds) Transactions on Large-Scale Data- and Knowledge-Centered Systems XLII. Lecture Notes in Computer Science(), vol 11860. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-60531-8_2


  • DOI: https://doi.org/10.1007/978-3-662-60531-8_2


  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-662-60530-1

  • Online ISBN: 978-3-662-60531-8

