Abstract
Permissioned distributed ledgers have recently captured the attention of organizations looking to improve efficiency, transparency and auditability in value network operations. Often the technology is regarded as trustless or trust-free, resulting in a false sense of security. In this work, we review the various trust factors present in distributed ledger systems. We analyze the different groups of trust actors and their trust relationships to the software layers and inherent components of distributed ledgers. Based on these analyses, we investigate how insiders may conduct attacks based on trust in distributed ledger components. To verify practical feasiblity of these attack vectors, we conduct a technical study with four popular permissioned distributed ledger frameworks: Hyperledger Fabric, Hyperledger Sawtooth, Ethereum and R3 Corda. Finally, we highlight options for mitigation of these threats.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
- 2.
- 3.
- 4.
- 5.
- 6.
- 7.
Ethereum only allows upgrades if the contract has been set up in a modular way.
References
Adler, J., Berryhill, R., Veneris, A., Poulos, Z., Veira, N., Kastania, A.: ASTRAEA: a decentralized blockchain oracle. In: 2018 IEEE International Conference on Blockchain (2018). https://doi.org/10.1109/Cybermatics_2018.2018.00207
Al Khalil, F., Butler, T., O’Brien, L., Ceci, M.: Trust in smart contracts is a process, as well. In: Brenner, M., et al. (eds.) FC 2017. LNCS, vol. 10323, pp. 510–519. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70278-0_32
Amoroso, E., Nguyen, T., Weiss, J., Watson, J., Lapiska, P., Starr, T.: Toward an approach to measuring software trust. In: Proceedings of 1991 IEEE Computer Society Symposium on Research in Security and Privacy, pp. 198–218 (1991). https://doi.org/10.1109/RISP.1991.130788
Androulaki, E., et al.: Hyperledger fabric: a distributed operating system for permissioned blockchains. In: Proceedings of the Thirteenth EuroSys Conference, EuroSys 2018, pp. 30:1–30:15. ACM, New York (2018). https://doi.org/10.1145/3190508.3190538
Aublin, P.L., Mokhtar, S.B., Quema, V.: RBFT: redundant byzantine fault tolerance. In: Proceedings of International Conference on Distributed Computing Systems, pp. 297–306 (2013). https://doi.org/10.1109/ICDCS.2013.53
Bansarkhani, R.E., Geihs, M., Buchmann, J.: PQChain: strategic design decisions for distributed ledger technologies against future threats. IEEE Secur. Priv. (2018). https://doi.org/10.1109/MSP.2018.3111246
Baracaldo, N., Joshi, J.: A Trust-and-risk aware RBAC framework: tackling insider threat. In: SACMAT 2012: Proceedings of the 17th ACM symposium on Access Control Models and Technologies (2012)
Ben-Sasson, E., Bentov, I., Horesh, Y., Riabzev, M.: Scalable, transparent, and post-quantum secure computational integrity. Eprint.Iacr.Org (2018). https://doi.org/10.1016/j.bspc.2009.02.004
Bessani, A., Sousa, J., Alchieri, E.E.P.: State machine replication for the masses with BFT-SMART. In: DSN, vol. 6897, pp. 355–362, December 2014. https://doi.org/10.1109/DSN.2014.43
Cachin, C., Vukolic, M.: Blockchain consensus protocols in the wild. In: Richa, A.W. (ed.) 31st International Symposium on Distributed Computing (DISC 2017). Leibniz International Proceedings in Informatics (LIPIcs), vol. 91, pp. 1:1–1:16. Schloss Dagstuhl-Leibniz-Zentrum fuer Informatik, Dagstuhl (2017). https://doi.org/10.4230/LIPIcs.DISC.2017.1
del Castillo, M.: Blockchain 50: Billion Dollar Babies (2019). https://www.forbes.com/sites/michaeldelcastillo/2019/04/16/blockchain-50-billion-dollar-babies
Castro, M., Liskov, B.: Practical byzantine fault tolerance and proactive recovery. ACM Trans. Comput. Syst. 20(4), 398–461 (2002). https://doi.org/10.1145/571637.571640
Chia, V., et al.: Rethinking blockchain security: position paper. In: 2018 IEEE International Conference on Blockchain (2018). http://arxiv.org/abs/1806.04358
Clement, A., Wong, E., Alvisi, L., Dahlin, M., Marchetti, M.: Making byzantine fault tolerant systems tolerate Byzantine faults. In: NSDI 2009: Proceedings of the 6th USENIX symposium on Networked systems design and implementation (2009). https://doi.org/10.1145/1989727.1989732
Collins, M., Cappelli, D.M., Caron, T., Trzeciak, R.F., Moore, A.P.: Spotlight on: programmers as malicious insiders-updated and revised. Technical report, Software Engineering Institute, Carnegie Mellon University (2013)
Colwill, C.: Human factors in information security: The insider threat - who can you trust these days? Information Security Technical Report (2009). https://doi.org/10.1016/j.istr.2010.04.004
Dasgupta, D., Shrein, J.M., Gupta, K.D.: A survey of blockchain from security perspective. J. Bank. Financ. Technol. (2019). https://doi.org/10.1007/s42786-018-00002-6
De Angelis, S., Aniello, L., Baldoni, R., Lombardi, F., Margheri, A., Sassone, V.: PBFT vs proof-of-authority: applying the CAP theorem to permissioned blockchain. CEUR Workshop Proceedings, vol. 2058, pp. 1–11 (2018)
Decan, A., Mens, T., Grosjean, P.: An empirical comparison of dependency network evolution in seven software packaging ecosystems. Empir. Softw. Eng. (2019). https://doi.org/10.1007/s10664-017-9589-y
Deventer, M.O., et al.: Techruption Consortium Blockchain: what it takes to run a blockchain together. In: Proceedings of 1st ERCIM Blockchain Workshop 2018, Amsterdam, Netherlands 8–9 May 2018. European Society for Socially Embedded Technologies (EUSSET) (2018)
Dinh, T.T.A., Wang, J., Chen, G., Liu, R., Ooi, B.C., Tan, K.L.: BLOCKBENCH: a framework for analyzing private blockchains. In: Proceedings of the 2017 ACM International Conference on Management of Data, SIGMOD 2017, pp. 1085–1100. ACM, New York (2017). https://doi.org/10.1145/3035918.3064033. http://doi.acm.org/10.1145/3035918.3064033
Ekparinya, P., Gramoli, V., Jourjon, G.: The attack of the clones against proof-of-authority. CoRR (2019). http://arxiv.org/abs/1902.10244
ENISA: ENISA threat landscape report 2018. Technical report, ENISA (2019). https://doi.org/10.2824/622757
Ethereum Foundation: Go-Ethereum Website (2019). https://geth.ethereum.org
Franqueira, V.N.L., van Cleeff, A., van Eck, P., Wieringa, R.: External insider threat: a real security challenge in nterprise value webs. In: 2010 International Conference on Availability, Reliability and Security, pp. 446–453, February 2010. https://doi.org/10.1109/ARES.2010.40
Fröwis, M., Böhme, R.: In code we trust? In: Garcia-Alfaro, J., Navarro-Arribas, G., Hartenstein, H., Herrera-Joancomartí, J. (eds.) ESORICS/DPM/CBT -2017. LNCS, vol. 10436, pp. 357–372. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-67816-0_20
Fuchs, L., Pernul, G.: Minimizing insider misuse through secure Identity Management. Secur. Commun. Netw. (2012). https://doi.org/10.1002/sec.314
Gambetta, D.: Can we trust trust? In: Trust: Making and Breaking Cooperative Relations, pp. 213–237. Blackwell (1988)
Glaser, F.: Pervasive decentralisation of digital infrastructures: a framework for blockchain enabled system and use case analysis. In: HICSS 2017 Proceedings, pp. 1543–1552 (2017). https://doi.org/10.1145/1235
Hawlitschek, F., Notheisen, B., Teubner, T.: The limits of trust-free systems: a literature review on blockchain technology and trust in the sharing economy. Electron. Commer. Res. Appl. 29 (2018). https://doi.org/10.1016/j.elerap.2018.03.005
Hearn, M.: Corda: a distributed ledger (2016). https://docs.corda.net/head/_static/corda-technical-whitepaper.pdf
Hileman, G., Rauchs, M.: 2017 Global Blockchain Benchmarking Study (2017)
Huseby, D.: Security Code Audits - Hyperledger Wiki (2019). https://wiki.hyperledger.org/display/HYP/Security+Code+Audits
Hussain, S.R., Sallam, A., Bertino, E.: DetAnom: detecting anomalous database transactions by insiders. In: CODASPY 2015 - Proceedings of the 5th ACM Conference on Data and Application Security and Privacy (2015). https://doi.org/10.1145/2699026.2699111
Li, X., Jiang, P., Chen, T., Luo, X., Wen, Q.: A survey on the security of blockchain systems. Futur. Gener. Comput. Syst. (2017). https://doi.org/10.1016/j.future.2017.08.020. http://www.sciencedirect.com/science/article/pii/S0167739X17318332
Litke, A., Anagnostopoulos, D., Varvarigou, T.: Blockchains for supply chain management: architectural elements and challenges towards a global scale deployment. Logistics 3(1) (2019). https://doi.org/10.3390/logistics3010005
Loch, K.D., Carr, H.H., Warkentin, M.E.: Threats to information systems: today’s reality, yesterday’s understanding. MIS Q. (1992). https://doi.org/10.1163/18781527-00401005
Locher, T., Obermeier, S., Pignolet, Y.A.: When can a distributed ledger replace a trusted third party? In: IEEE International Conference on Blockchain (2018). http://arxiv.org/abs/1806.10929
Lustig, C., Nardi, B.: Algorithmic authority: the case of Bitcoin. In: Proceedings of the Annual Hawaii International Conference on System Sciences (2015). https://doi.org/10.1109/HICSS.2015.95
Luu, L., Chu, D.H., Olickel, H., Saxena, P., Hobor, A.: Making smart contracts smarter. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security - CCS 2016 (2016). https://doi.org/10.1145/2976749.2978309
Marti, S., Garcia-Molina, H.: Taxonomy of trust: categorizing P2P reputation systems. Comput. Netw. (2006). https://doi.org/10.1016/j.comnet.2005.07.011
MetaMask Contributors: MetaMask (2019). https://metamask.io/
Muskens, J., Chaudron, M.: Integrity management in component based systems. In: Proceedings of 30th Euromicro Conference, pp. 611–619 (2004). https://doi.org/10.1109/EURMIC.2004.1333429
R3: Corda Documentation (2019). https://docs.corda.net/releases/release-V4.1/
Sas, C., Khairuddin, I.E.: Exploring trust in Bitcoin technology: a framework for HCI research. In: Proceedings of the Annual Meeting of the Australian Special Interest Group for Computer Human Interaction - OzCHI 2015 (2015). https://doi.org/10.1145/2838739.2838821
Schaffers, H.: The relevance of blockchain for collaborative networked organizations. In: Camarinha-Matos, L.M., Afsarmanesh, H., Rezgui, Y. (eds.) PRO-VE 2018. IAICT, vol. 534, pp. 3–17. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-99127-6_1
Schneier, B.: Blockchain and Trust - Schneier on Security (2019). https://www.schneier.com/blog/archives/2019/02/blockchain_and_.html
Swihart, J., Winston, B., Bowe, S.: Zcash Counterfeiting Vulnerability Successfully Remediated - Zcash (2019). https://z.cash/blog/zcash-counterfeiting-vulnerability-successfully-remediated/
The Linux Foundation: Hyperledger Sawtooth Documentation (2019). https://sawtooth.hyperledger.org/docs/core/releases/1.1.5/contents.html
United States Department of Homeland Security: A Roadmap for Cybersecurity Research (2009). https://doi.org/10.1016/j.biortech.2007.06.061
Vo, H.T., Wang, Z., Karunamoorthy, D., Wagner, J., Abebe, E., Mohania, M.: Internet of blockchains: techniques and challenges ahead. In: 2018 IEEE International Conference on Blockchain. IEEE (2018). https://doi.org/10.1109/Cybermatics_2018.2018.00264
Xu, X., Pautasso, C., Zhu, L., Gramoli, V., Ponomarev, A., Tran, A.B., Chen, S.: The blockchain as a software connector. In: Proceedings of 2016 13th Working IEEE/IFIP Conference on Software Architecture, WICSA 2016, pp. 182–191. IEEE, April 2016. https://doi.org/10.1109/WICSA.2016.21
Zhang, F., Cecchetti, E., Croman, K., Juels, A., Shi, E.: Town crier: an authenticated data feed for smart contracts. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security (2016). https://doi.org/10.1145/2976749.2978326
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2019 Springer-Verlag GmbH Germany, part of Springer Nature
About this chapter
Cite this chapter
Putz, B., Pernul, G. (2019). Trust Factors and Insider Threats in Permissioned Distributed Ledgers. In: Hameurlain, A., Wagner, R. (eds) Transactions on Large-Scale Data- and Knowledge-Centered Systems XLII. Lecture Notes in Computer Science(), vol 11860. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-60531-8_2
Download citation
DOI: https://doi.org/10.1007/978-3-662-60531-8_2
Published:
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-662-60530-1
Online ISBN: 978-3-662-60531-8
eBook Packages: Computer ScienceComputer Science (R0)