Since smart contracts can autonomously transfer values and rights on a blockchain, they are an attractive target for cyberattacks. The working group of Prof. Dr. Lucas Davi has developed a solution for protecting smart contracts in cooperation with NEC Laboratories Europe GmbH.
Stakeholders from very different industries attribute great potential to the blockchain. This is primarily due to the fact that smart contracts, which are based on blockchain technology, offer many possibilities. A smart contract is a piece of software in which contractual regulations are written down as code. These follow a typical “if-then” logic: If the coded requirements are fulfilled, a certain contract clause automatically comes into force. In this way, values and rights can be transferred between stakeholders without human intervention. Potential fields of application for this efficient and independent technology range from finance, insurance and energy to healthcare and production industries.
But as versatile as smart contracts are – they are also vulnerable, since they have to be programmed, after all. And because smart contracts are a relatively new technology, they are prone to bugs and errors. The DAO (short for “Decentralized Autonomous Organization”) had to experience this painfully. In 2016, the case hit the media headlines: The DAO realized a gigantic crowdfunding project with smart contracts in the blockchain Etherum and collected crypto money (Ether) worth over 140 million US dollars. Due to a weak point in the smart contracts, attackers were able to divert more than 3.6 million ether – around 50 million US dollars – of the collected money.
Closing Reentrancy Gaps
The DAO attack exploited a so-called reentrancy gap: In simple terms, the attackers could repeatedly enter the smart contracts and withdraw a certain amount without updating the ledger.
In cooperation with Dr. Ghassan Karame and Wenting Li from NEC Laboratories Europe GmbH, Michael Rodler and Prof. Dr. Lucas Davi (Secure Software Systems group, see picture) have shown that novel reentrancy attacks can be developed that bypass existing analysis tools. In addition, they have developed a security technology to protect smart contracts from reentrancy attacks. The special thing about their solution: in contrast to most other approaches, they concentrate on smart contracts that have already been published and deployed. This addresses one of the biggest issues in protecting smart contracts. Like all information on the blockchain, smart contracts are unchangeable. For this reason, it is not possible to fix errors and bugs afterwards, as it is usual for PC software, for example.
The new defense method called Sereum is based on runtime monitoring of smart contracts. In order to automatically recognize and prevent inconsistent conditions the data flows of the smart contracts are supervised during their execution by means of dynamic taint-tracking. In this way, sophisticated reentrancy attacks can be prevented without knowing the semantics of the smart contracts. Tests have shown that Sereum does not lead to a significant overhead at runtime and prevents attacks like the DAO attack.
The partners will present the solution in February 2019 at the NDSS Symposium in San Diego. This is one of the most important academic IT security conferences in the world.
You can inform yourself about the project and the new reentrancy attacks on the project website of the SYSSEC group
Also interesting: An interview with Dr. Ghassan Karame from NEC Laboratories Europe GmbH. In the video, the project partner talks about his research work in the area of blockchain and IoT security: https://www.nec.com/en/global/rd/special/pinnacle/ghassan_karame.html