Blockchain Archives - Page 2 of 3 - CUTTING EDGE VISIONARIES

Day14 – “Why?” & “What in?” Security & Blockchain?

March 27, 2020June 8, 2020 by Aman Pandeyin Blockchain, Blog Series, Computer Science, Cyber security, Uncategorized, YantrikaLeave a Comment

Reading Time: 3 minutes

author: aman

Blog IV - Part I - Day 14

Let us get some dirty hands on Solidity, to exploit some very dangerous Ethereum - Solidity bugs.

2 Bugs/vulenrabilities in this very micro-blog. Covering bugs like, Denial of Service with Block Gas Limit, where the attacker exploits the bug by taking benefit from limited GAS available for each transaction, and unchecked_send() bug, which when made by mistake, could be a disaster to the host contract holder, and users.

Let us do it...

In this micro-blog

delegatecall (the proxy calls) (SWC-112) (Inclusion of Functionality from Untrusted Control Sphere)
DoS With Block Gas Limit (SWC - 128)
Integer Overflow (SWC - 101)
Reentrancy Bug(DAO attack) (Improper Enforcement of Behavioral Workflow) (SWC-107)
uncheckedSend() (SWC - 113)
tx.origin bug
Variable Shadowing (SWC-119)

1. dos_gas.sol() [check out the exploitation of the bug at this gist])(https://gist.github.com/johnsoncarl/480aee528f35b8579c7dcf87c61c59d2)

DOS with Block Gas limit is A denial of service attack, where a host contract denies to perform its duties due to limited amount of gas provided for each transaction (about 3 million).

    for(uint i=0;i<500;i++) {
        listAddresses.push(msg.sender);
    }

Here to make the contract to always true change the upper bound of i to some lesser value, say i<100. Increase the value to fail it at a certain point.

uncheckedSend() [check out the exploitation of the bug at this gist])()

Whenever a contract, say sender, transfers the ether to another contract,say receiver, the payable function of the receiver is triggered, and this can be misused. For eg. payable function of the receiver contains some computationally heavy instructions, it can cause transfer() to fail and send() function to return false. Thus if the send() is not checked, it may cause a bug called uncheckedSend.

Also, since send() doesn't propogate the exception, its harmful of the users to use it.

contract attacker{
    bool public flag=false;
    function change() public{
		if(!flag) 	flag=true;
		else    	flag=false;
	}
	function() external payable {if(flag)	revert();}
}
contract Test{
	attacker a = new attacker();
	bool private flag0 = true;
	bool private status;
	function set0(int val) public returns (bool){
    		if (val % 10 == 0) {a.change();}
    		else flag0=false;
  	}
    function echidna_send() public payable returns(bool){
			address(this).transfer(msg.value);
            return address(a).send(0);
		}
	function() external payable{}
}

Here, echidna_send() will be the main function whose bool value will be checked by the tool.

payable functions : payable functions are necessary for the contract to accept the ether. Whenever a contract, say sender, transfers the ether to another contract,say receiver, the payable function of the receiver is triggered.
echidna_send() : contains address(this).transfer(msg.value); which is responsible for transferring ether to the Test contract. Which will then be transferred to the the instance of the contract attacker, a. Note: we are transferring 0 ethers to the contract address and then to the instance a. As address.send() doesn't revert state whenever the payment fails. So we try to return its bool value, which is then catched by echidna_send(), and thus by the tool. This is the value that the tool mainly checks for, and thus will be able to tell whether the contract payment through send was completed or not.
set0(int val) : random value is provided to set0(int val) as argument. Which then waits for the no. satisfy the condition if (val % 10 == 0). As soon as this value is catched, it triggeres change() function of the contract.
change() : This is responsible for flipping the flag value. So as soon as this function is triggered, flag=false changes to true, and now revert state in the payable will be activated. Now, the contract attacker, will be reverting each transaction made to it.

So this is how it works: [a is the instance if contract attacker] We first start running the contract with a.flag == false, and wait for a value in set(int val), to flip the flag of contract a to true, and thus activating the revert in payable. This will fail everytime the payment is made. And since, the send() doesn't revery any exception, it shall revert true of false. Which is catched by echidna_send(), and will be returned to the tool, to state that the payment could not be completed.

View this thread for more about address.send and address.transfer

I took it exactly from the exploitation repo I made earlier. Please email directly, in case of any doubts:

aman0902pandey(@)gmail.com

Adding gist frames here

DoS With Block Gas Limit (SWC - 128)

uncheckedSend() (SWC - 113)

Thanks!!!

Day13 – “Why?” & “What in?” Security & Blockchain?

March 26, 2020June 8, 2020 by Aman Pandeyin Blockchain, Blog Series, Computer Science, Cyber security, Uncategorized, YantrikaLeave a Comment

Reading Time: 3 minutes

author: aman

Blog III - Part III - Day 13

Understanding Hyperproperties and Blockchain together. And how this could be so big!

Let's get in....

In this micro-blog

Safety and Liveness - Another 2 very Important terms

As already explained, Property is a set of traces(traces are the set of System states). So, intuitively the Properties are the set of all the traces, where the system can reach.

Now, there are two things to be well noted, there are certain states "where a system should never reach & certain states where a system should eventually reach.

Well these are termed as "Safety" and "Liveness" trace properties. Where: Safety: is the property that prescribes that a system should never reach some bad state , while Livenes: is the property that prescribes that a system shoudl "eventually" reach some "Good State".

Give some time understanding this stuff. These are 2 very important terms when thinking about System proofs.

Every trace property is an intersection of safety & liveness property.

Blockchain & Hyperproperties

A very straight explanation from Hyperpoperties paper[1], says

"If systems are modeled as sets of execution traces [35], then the extension of a system property is a set of sets of traces or, equivalently, a set of trace properties. We name this type of set a hyperproperty."

Thus these safety and liveness property are said as heypersafety & hyperliveness.

Every property of any system anywhere can be defined in terms of these hyperproperties...

Now you must remember there was a CIA triangle, that Hrishabh explained about in Winter School 2019, which stands for : (take an example of something stored inside a locker)

C -> Confidentiality	can't see what is inside the locker
I -> Integrity	can't tamper what is inside the locker
A -> Availability	can't destroy the locker's availability

If you think very crucially, you'll find that only confidentiality and intergrity are the two properties concerned with the secure information flow.

The most invincible idea behind blockchain is the safety of data.

To ensure the flow of data never goes in wrong hands, which is described by the very term secure information flow.

Now considering application of hyperproperties in the Blockchain, let us take 2 traces of blockchain:

π1 & π2.

There are two ways hyperoperties to check here!

Non-interference: if some commands are issued by the high-level users (say the general of the army, that should not reach to the ears of the soldier). These should be removable, without the low-level user noticing any changes.
Observational Determinism: System should always appear deterministic to the trusted users, or in this case high level users.

Suppose, in the blockchain, there are two traces, π1 & π2.

This is clipped form Dr. Pramod's teaching. It explains about Observational Determinism, but not with Blockchain

The upper one is π1(set of states as viewed by high level) and lower one is π2(set of states as viewed by low level).

High-Level user is that user, who can make changes to the Blockchain. And Low-level are the ones, who can just look at the states and retrieve data.

Now, whenever some critical input is given by the high level user(like, a general take some decision), it should not be noticed by the low-levels(the soldiers).

So, in OBSERVATIONAL DETERMINISM, the states of blockchain observed by both the low level and high level user should be same. (Notice that obs_T between the two traces,showing the observations being made.)

That is all, this has a very crucial implications in the field of Systems, and even larger when applied to Blockchain.

How this could be so big?

This is very big thing. Though introduced back in 2003(observational determinism) & 1982(non interference), these hyperproperties turns out to be very crucial checks in the security.

Just consider a statement:

"If the low level is able to see the change made by the high level, there is the safety issues with Confidentiality adn Intergrity of the data."

Hope you got a very intuitive feel about these stuff.

Hope you had a great read.

See y'all....

Day12 – “Why?” & “What in?” Security & Blockchain?

March 25, 2020June 8, 2020 by Aman Pandeyin Blockchain, Blog Series, Computer Science, Cyber security, Uncategorized, YantrikaLeave a Comment

Reading Time: 4 minutes

author: aman

Blog III - Part II - Day 12

In this blog, we’ll vaguely discuss the Hyperproperties and Information Flow thing.

As continued, this blog will contain the understandings from the Teachings of Dr Pramod, from SAT SMT Winter School 2018[1]. I will try to portray my understanding from his teachings and is working with him closely on Blockchain, I suppose it earned me a proper understanding.

Let us do this....

In this micro-blog

Let us check this vaguely
2-trace property
Hyperproperties
How this could be so big?

Let us check it vaguely

We'll play a game, known as Distinguishability Game.

We pose a challenge game between attacker and a defender, where the attacker needs to exploit flow of information and the defender has to prevent it.

2 people:


attacker	defender

Situation: There are two systems behind a wall, say system_0 and system_1, and the attacker just have the access to a function foo(x). He doesn't know, whenever he makes a call, to what system does this does the call go to.

The attacker is just like any other user, but who is trying to attack an arrangement behind a wall, popularly known as adversaries.

The defender is the arrangement behind the wall, which diverts the calls to different systems, which have following secret keys: "secret_b" , where b -> {0,1}. i.e. secret_0 or secret_1.

Game Initialisation

secret_0 := {0,1,2,3}
secret_1 := {4,5,6,7}
publicx := {10,11,12,13}
whenever a normal user makes a call, "only publicx is called, and thus the values inside it are returned"

Game Execution

there are a lot of calls to foo(x) made from across the world, and by the users with different access levels, i.e. admins & normal user
so the calls by a normal user are interspersed calls made by the admins

Finalisation

if attacker is able to identify which system in system_b the call is sent to, he wins, as this information should not be made available to the "normal user"

---> Now consider the following picture

The attacker will try to observe the value of "r", and specially "he will be looking for any unexpected values"

Considering this program, try to make following calls to the system(both normal user and admins included),

• priv_level = sup_user, foo(1), obs = ∅ • priv_level = user, foo(1), obs = 11 • priv_level = sup_user, foo(2), obs= ∅ ........ These calls will go on forever the attacker will

But, now if the program has been like the following, and we bagin with our game:

we start with the following calls, (notice the introduction of variable t)

priv_level = sup_user, foo(1), obs = ∅
priv_level = user, foo(4),
- obs = 2 -> b = 0
- obs = 6 -> b = 1

Woosh!!! Did you realise here attacker wins the game, by observing the value of r & t.

If the value returned to the attacker is 2 clearly the secret key b, chosen will be b = 0 and if the value returned to the attacker is 6 clearly the secret key b, chosen will be b = 1

The system just leaked the information.

AFAIK, during my study I encountered this incident had already been reported, where the highly confidential data was leaked due a misprinted "=", I may be wrong though. But, This is a very critical exploitation of Information Flow.

In the very next blog, I'll take a use case of blockchain, and try to determine for such observations for it.

Thanks y'all..

and yeah, Amid this Corona virus thing, be safe...

_ Team CEV

Day11 – “Why?” & “What in?” Security & Blockchain?

March 23, 2020June 8, 2020 by Aman Pandeyin Blockchain, Blog Series, Computer Science, Cyber security, Uncategorized, YantrikaLeave a Comment

Reading Time: 2 minutes

author: aman

Blog III - Part I - Day 11

Hope the blogs are going pretty well.

In this very blog, divided into several micro-blogs, I'll be explaining about the Hyperproperties. This particular thing will take you to the most obvious level of understanding the computer systems. And in this particular micro-blog, I'll tell about hyperproperties, directly.

Most of the work will be taken from the teachings of my mentor Dr Pramod Subramanyan[1], IITK. He is Doctorate from UPenn and Post-Doctorate from UC, Berkeley, and one of the smartest individual I have ever met.

I will try to prepare everything from my understanding...

In this micro-blog

Let us check this vaguely
2-trace property
Hyperproperties
How this could be so big?

Hyperproperties

This excerpt is from #Day08 blog, where I have tried to give a few intuitive explanations about Formal Methods and Verifications.

This explains about the states.

One more definition I want to speak about is traces, which are just the sequence of states.

e.g. for a system S the Trace(S) can be intuitively understood as,

t1 = S1 -> S2 -> S3....

where, Sn is the state of the system, at a certain point.

"A Trace Property is a set of Infinite states."

"A hyperproperty is a set of sets of infinite traces, or equivalently a set of trace properties."

{{S1, S2, S3, ...}, {S1, S2, S4, ...}, {S1, S4, S6, ...} ....}

The interpretation of a hyperproperty as a security policy is that the hyperproperty is the set of systems allowed by that policy. Each trace property in a hyperproperty is an allowed system, specifying exactly which executions must be possible for that system.

Trace properties are satisfied by traces, whereas hyperproperties are satisfied by sets of traces.

These hyperproperties are largely employed as a tool to measure Secure information flow, and many other security issues.

Actually I started in the exact order written in the above checkbox. But switched it to explaining the Hyperproperties first. Just try giving a thought over, "Hyperproperties and Blockchain"

See y'all on the next blog...

Day10 – “Why?” & “What in?” Security & Blockchain?

March 22, 2020June 8, 2020 by Aman Pandeyin Blockchain, Computer Science, Cyber security, Uncategorized, YantrikaLeave a Comment

Reading Time: 3 minutes

author: aman

Blog II - Part III - Day 10

Apologies for not being able to write the #Day10 blog on time. But this blog will contain some wonderful things, actually applicable in the field of Security of blockchain.

I will pick up just one case I have worked on extensively, followed by the intuitive trails of other cases, you can think of logically. The blogs will be mostly texts so, just read.

Lets get through...

In this micro-blog

Information Flow and Vulnerability : Just a CASE

The theory of Information Flow draws some important points in the direction of how the data flows, i.e. the access of information to different type of users. Let's try to understand it from a critical point of view...

The PLOT

Suppose you are an NSA Agent, just like Edward Snowden was, and you need to design a system that just have to fetch data to the other "normal" employees that serve the government.

Now the government employee simply query about the data and gets the required data. But it's perfectly normal right y'all... What is the problem?

The Challenge

The thing is that, there are a certain "high-level" access to information and certain "low-level" access to information. The critical point in Information Flow expresses the fact that, the high level access information should not be accessed by the people who have low-level access. In this case, the govt. employee should never access the information that only an NSA employee should have access to.

If there is anyway, the government employee is somehow able to find out the high level information, it is a security flaw.

There was this machine learning competition, where the people were given anonymised IMBD data(i.e. the identity of people were removed). One of the participant was able to apply some stastical techniques to deanonymise the data, i.e. he was able to identify the people. This is clearly a fault in securing information, which those participants should not have access to.

The participants applied the technique called "Differential learning" to de-anonymise the data. This is just a way in which a certain information can be exploited. But understanding this thing, will be a bit more complex.

Let me give you a simple example, of how the access to variables can be exploited to leak certain information.

example[1]
suppose there are 2 variable, l & h. l ->

Low-level variable, some info. that both the govt employee and NSA can know about
h -> high-level variable, some info. that ""only"" the NSA agent should know abt

now, being a government employee I write a certain program:

var l, h
if h = true:
    l = 3
else
    l = 42

The govt. employee runs the program, and check the value of l after it finishes.
Now, by the value of l, whether it is 3 or 42, the govt. employee will be able to find the current state of value of h.

Isn't it much obvious? But it is clearly a big Vulnerability. The government employee should never come to know about the value of h. Now, he can make various queries to the NSA Database, and make certain conclusions of the results obtained. "The similar way the machine learning people were able to do." 😉

In the very next BLOG, I will tell about HYPERPROPERTIES, the very basic way to find out if a SYSTEM LEAKS SOME INFORMATION, the term was introduced by F B Scheidner and MR Clarkson, in 2010 in Cornell University.

I will also, cover, how this particular thing is used in Blockchain. This will be the very start where we will be employing BLOCKCHAIN examples, to understanf its seurity aspects.

Let us first get some responses on this blog.

Day09 – “Why?” & “What in?” Security & Blockchain?

March 20, 2020June 8, 2020 by Aman Pandeyin Blockchain, Computer Science, Cyber security, Uncategorized, YantrikaLeave a Comment

Reading Time: 2 minutes

author: aman

Blog II - Part II - Day 09

Hope you people got an intuition about the Formal Methods & Verifications in the latest blog. However, if you feel like having a query, that possibly I can solve, please drop an email to aman0902pandey@gmail.com.

This blog will cover the explanation about what is known as, First-Order Logic. Plus in the very next micro-blog, most importantly what was my approach, with Dr Pramod, at IIT Kanpur. And the applications of Formal Methods in it. This one will only roam around the First-Order-Logics....

Lets get in...

In this micro-blog

First Order Logic

Well, the first order logic has several philosophical theories. I'll stay with the one most understood by me.

The FOL, are the extensions of the logics, to what we call as Propositional Logics. The only difference is that the FOL also covers the predicates and quantifications.

Quite confusing, right!?

Lets break them into smaller parts.

Propositional Logics: These logics only covers the "propositional arguments", which are the statements which are logical(i.e. they can be true or false). The propositional formulas, are written by using certain symbols.

*remember the same thing you've learned in your school times....

here, p,q,r,s are the predicates, for eg.(p -> people who are quarantined for 6 days), and the complete notation in the above image is the propositional formula.

Predicates: can be simply defined as a few functions/operations with have either of the 2 values: 0 or 1. This is very important when we will be discussing the satisfiability in checking the systems. That will eventually lead to an understanding of how these are applied to the real world problems, and security, as we'll be discussing in case of blockchain.
Quantifications: simply stands for "quantifying" things or better to say objects. The FOLs also try to give no. to the objects. and that's it.

So, the FOLs are the way to represent a few conditions, with the use of propositional symbols, predicates, functions & Symbols, quantifiers. These representations lead to some "understanding", and this understanding is called as "interpretations".

These interpretations are the whole lot which governs the mathematical science behind using these logics while describing a secure systems.

Propositional logics are also known as zeroth-order-logic as it is extending the First-Order-Logic

Don't lose your heart, if you were not able to understand somethings, or anything at all. A few examples, and applications have got your back.

Keep Up....

Day08 – “Why?” & “What in?” Security & Blockchain?

March 18, 2020June 8, 2020 by Aman Pandeyin Blockchain, Blog Series, Computer Science, Cyber security, Uncategorized, YantrikaLeave a Comment

Reading Time: 3 minutes

author: aman

Blog II - Part I - Day 08

The last blog was written by Kaushik, the Applied Physics Freshman student, beautifully covered the diverse applications of Blockchain and the challenges/risks involved with the use of the current form of Blockchain technology..

This blog will cover straight definitions and their super intuitive explanations(as far as I can make), about the FORMAL METHODS & VERIFICATIONS. What are they? and Why are they?

Plus I'll try to give a brief about my work, in the later part of this blog.(in another micro-blog)

Buckle up a bit, the logics and thinking coming up...

In this micro-blog

Formal Methods
Formal Verification
First Order Logic
..... will keep adding

-----

There was a series of events which motivated me to begin this series.

This was when I was talking to one of the Sophomore year members in CEV, Shtakshi, Comps. Shtakshi has a huge interest in mathematics and love logics, but as a normal sophomore problems, she has a lot of options to explore because of which she didn't have any particular choice.

As a normal 3rd year member's job suggests, I tried explaining her about the field I have worked on, The FORMAL METHODS, and how crucial is it for Computer Researches.

I will put up a more "formal" definition and a more "informal" definition. You can always miss the formal definitions.

Formal Language:

Formal Definition says: (You can skip though)

In mathematics, computer science, and linguistics, a formal language consists of words whose letters are taken from an alphabet and are well-formed according to a specific set of rules. The alphabet of a formal language consist of symbols, letters, or tokens that concatenate into strings of the language.[1]

Informal Definition says:

It is just like, when you use normal languages(say english), what you brain really comprehends is only what that sentence "actually" means, and not the meaning of each word (eg. "the boy is running" your brain comprehends it to the "boy" & "running") or You say "I have Ice-cream rolls, the roll, x, such that 1cm³ < x < 5cm³, goes to box A, <1cm³ goes to B, and >5cm³ goes to C..... What brain really comprehends here is 3 boxes, 3 categories, and place the ICE-CREAM rolls accordingly."

The first formal language is thought to be the one used by Gottlob Frege in his Begriffsschrift (1879), literally meaning "concept writing", and which Frege described as a "formal language of pure thought."

This is the formal languages are all about. You just have to write what actually exists and is important. Just in case you need actual example[2]

Formal Methods:

Formal Definition says: (You can skip this one too) Find wikipedia definition here[3]

Informal Definition says: Whenever you try to use these formal languages to represent "states" (or say various computer states), and derive a few specifications of the computer systems, then the representation is called as the Formal representation and the deriving specifications and using them is called Formal Methods.

States are the condition in which a system currently is. For e.g. ""A light switch can be either on or off, and it can be toggled from one or the other. The current position of the switch (on or off) is the state of the switch. If you change the position of the switch you have changed it’s state.

Specifications are simply a few states that a system "must follow" and a few that a system "must not follow".

If you wonder this thing can be applied to literally anything. Computer Sciences are just an application.

For e.g. "A machine in a factory has a lever, a grinder and a conveyer belt" So, you may "always want" a state when the following happen -> Lever is lifted up (i.e. the machine is on) -> Conveyer belt is running -> Grinder is running

could be represented as follows:

Unfaulty state

Part	(1-> on, 0-> off)
Lever	1
Conveyer Belt	1
Grinder	1

but, you may never want a state where the lever is ""off"" but the conveyer belt is running. i.e.

faulty state

Part	(1-> on, 0-> off)
Lever	0
Conveyer Belt	1
Grinder	1

Similarly, this works for every computer system. And thus, used largely in Computer Science Researches, specially when researching for bugs and vulnerabilities in the system.

Formal Verifications:

When you use, these methods to "Verify that the system under observations is following certain specfications or not", these methods are called the Formal Verifications.

Hope that gets clear.

Please share the blog to make its reach high.

Thank you for your time. Gears down!!!

Day07 – “Why?” & “What in?” Security & Blockchain?

March 17, 2020June 8, 2020 by Kaushik Chandrain Yantrika, Blockchain, Blog Series, Computer Science, Cyber securityLeave a Comment

Reading Time: 10 minutes

Blockchain is often described as merely the technology behind the “Cryptocurrencies” and people fail to perceive the avenues it opens for the greater good of mankind. In reality, Blockchain is to cryptocurrency as to what the Internet is to email.

You never thought about applying blockchain in different domains for the upliftment of the society because you were too busy trading in Bitcoins and ether to mint money since that’s what you think the most about. (pun intended)

Do you know why blockchain is one of the hot research topics? Well, you don’t need to worry because we have got you covered. In this blog, we’ll go through the various prospects Blockchain offers to us, the challenges which can be tackled with the proper implementation and the hindrances which raise questions on its viability.

Applications of Blockchain

The reason you’re familiar with blockchain is probably because of cryptocurrencies but it turns out that blockchain is actually a pretty reliable way of storing data about other types of transactions, as well. In fact, blockchain technology can be used to store data about property exchanges, stops in a supply chain, and even votes for a candidate. Still wondering how? Let’s explore…

Confidentiality

Aadhar and security of the citizens, from birth to death, all changes in our circumstances would be stored in a global decentralised system that cannot be altered without a trace that would log everything about that alteration. You get married? You insert the info. You need to provide proof for the taxman to get a deduction? You give him a code that would access only this information and nothing else. No more ID theft.
One of the challenges hospitals face is the lack of a secure platform to store and share data, and they are often victims of hacking because of outdated infrastructure. Blockchain technology can allow hospitals to safely store data like medical records and share it with authorized professionals or patients. Moreover, this can improve data security and even help with accuracy and speed of diagnosis. For instance, your file would be online and your doctor will not have access to your cigarette addiction unless it will interfere with your liver treatment.
Blockchain can come handy in Property rights. For instance, your step brother sells your garage but keeps the house of your grandmother? Recorded and accessible only for the potential buyer. The DNA analyser discovered your step brother has a stepbrother i.e. you then you will be added automatically to the property title even if you’re in Zambia and your phone will beep to give you the good news. (See how blockchain can make you rich even without Bitcoins)

Transparency

Tired of not getting the RTI response on the latest government deal and expenditure? Blockchain allows you to check online what has been done on the 27.01.20 between 10.20 and 10.30 and see where is your tax money and what has been done (or not) with it.
You give your 100 bitcoins for water infrastructure in Nigeria? You will see exactly where your money went and you won’t have the surprise of discovering that 99 went for the wages of the charity and one for the corrupted mayor that needed a pool in his garden.
Blockchain potentially allows us the ability to vote in a manner that’s impervious to outside meddling or the influence of corruption. Creating an immutable, publicly-viewable ledger of recorded votes would be a massive step toward making elections fairer and more democratic.
Even if your government is defaulting on its loans or your bank fails, you will still have an unaffected backup pool of money to draw from since many people were restricted to withdraw cash from PMC Bank and the most recent case being Yes Bank which can cause inconvenience to the ones who truly need it.

Payments and Transactions

We don’t want foreign companies to track our day to day transactions like Gpay, PayPal or Paytm (Yeah Paytm is owned by Alibaba and Softbank) plus transaction costs are way lower.
You don’t need to convert your rupees to dollars or yen every now and then. Blockchain can let you get rid of fiat money and lead to a much-stabilised exchange rate in future (no relation with “Future Markets”) unaffected by the happenings in the global trade and commodity markets.
When you use credit and debit cards to make purchases (especially online), you’re trusting the vendor with information that other people could use to steal from you. This means that, if your financial information is stolen from the vendor, your money will be at risk.

Transforming the Economy

Bitcoin’s value doesn’t fluctuate like market collapse like black Monday. In fact, Bitcoin emerged right after the 2008 crisis. Since cryptocurrency is still an emerging technology, the value of the various digital currencies can be volatile (discussed below), but the system was designed to not be inflationary in the long run. There are many aspects of cryptocurrency which contribute to its non-inflationary nature.
Each cryptocurrency has a finite, set limit on the total number of coins that will come into existence. For example, the total number of bitcoins that can ever come into existence is 21,000,000
There are controls and techniques in each cryptocurrency’s protocol that ensure that the process by which new coins come into existence is controlled and predictable over time. This means that we can accurately predict how much of a certain cryptocurrency will exist at any given time in the future.
There is no money-issuing agency which can decide to mint more currency or enact fiscal policy that decreases the value of the currency. Just imagine the future where everyone will be trading in cryptos and not deal through dollars, yen and other troublesome conversions.

Eliminating Middlemen

Eliminating the middleman (I call them leeches). You want to sell something, you access a free site powered by blockchain, list your item and sell it without having to pay ebay and PayPal commission. You want to sell a book? You can do it for 0.01$ and you could have 1m readers that would be willing to pay that 0.01$, not 1000 that would pay 10$ from which 9.9 go to the publisher and 1m that would download it from piratebay because they cannot afford to pay $10.
You don’t need to purchase the expensive Netflix and Prime subscription to binge watch your favourite movies and series. Blockchain will give rise to the “Wikileaks of the common”.
FACEBOOK owns three of the most popular social media platforms with in-app messaging service, Facebook, WhatsApp and Instagram respectively. Giving a private entity this much power is insanity at peak provided the recently infamous “Cambridge Analytica data crisis”.

Decentralisation

Energy management has been a highly centralized industry for a long time. Energy producers and users cannot buy it directly from each other and have to go through the public grid or a trusted private intermediary. For example, “TransactiveGrid” is a startup using Ethereum that allows customers to buy and sell energy from each other in a peer-to-peer way.
A completely decentralized internet, where ISPs aren’t needed anymore. This is what “Skycoin” does with Skywire. They will soon provide their custom built 1Gbps antennas for $100, which have a range of 10 miles and provide high speed internet to 7,000 people and with their mesh network on top probably 20,000 people. You only need 2,000 antennas per European country to cover the whole continent and the data is stored on Skyminers.

Information Security

It’s interesting to note that multiple types of information theft keep occurring, way more than most people realize. A good example of this is the April 2014 “Heartbleed” bug in the openSSL cryptographic software. Hundreds of popular online services were hacked before the bug was disclosed, including big names like Facebook, Google, Instagram, Pinterest, Tumblr, Twitter, Yahoo, Yahoo Mail, Gmail, Dropbox, TurboTax, and GoDaddy.
Ever got suspicious of the ad about the book in your Facebook and Instagram feed which you just added to your Flipkart wishlist? Companies like Flipkart, Amazon, Facebook, Google and many more are spying on your data making you vulnerable. Blockchain provides you the mask you need to stay safe from this virus (read corona).
With the increasing role of IoT in our lives, it’s high time we stop trusting Siri and Alexa. Blockchain is one of the ways to protect our virtual presence and stop the ways MNCs manipulate us through the data they receive in various forms. Remember, data is the most precious thing out there.

CHALLENGES OF BLOCKCHAIN

A blockchain is a kind of database and computational platform, with advantages and disadvantages compared to conventional technologies. Sometimes a blockchain may be an appropriate choice in the design of a software system, but for many purposes, conventional technologies will be more appropriate. Let’s explore the challenges further.

Wastage of Energy

The public Bitcoin and Ethereum blockchains use a consensus mechanism called ‘Proof of Work’ which requires all mining nodes to compete to solve a difficult cryptographic puzzle. However, the world-wide pool of computers performing this cryptographic puzzle creates significant electricity usage, most of which is ‘wasted’ by not leading directly to a successful puzzle solution.
Though alternative consensus mechanisms are being developed for public blockchains, such as ‘Proof of Stake’, which do not use a computationally expensive puzzle, and will be markedly more energy-efficient, the massive redundancy in the large number of processing nodes in a blockchain system will always mean that more electricity is used than in a centralised non-replicated database. This is an inevitable trade-off for the distributed trust and increased availability offered by a blockchain.

Criminal Activity

Through some third-party trading platform which supports cryptocurrencies, the user can either buy or sell any product. Since there is a high level of anonymity in this process, it would be very difficult to track the behaviour of the user, let alone the subject to legal sanctions.
There are several methods fraudsters use to conceal their criminal activities, including altering or deleting information in a company’s accounting systems, changing electronic or paper documents and creating fraudulent files.
However as pointed out by Ross Mauri of IBM Systems, “Using a shared digital ledger can help reduce fraud because it increases the visibility and transparency of the transactions made throughout a supply chain and between members of a business network. Participants can see the history and transfer of assets, so fraudulent transactions are easier to identify. Plus, to tamper with the transaction records on a blockchain, an individual or group of individuals in collusion would have to control a majority of the system.” So, the security claims remain disputable and prone to attacks.

Blockchain Efficiency

The efficiency of blockchain themselves may become overloaded with complex consensus mechanism as well as invalid data. For example, most popular consensus mechanisms which are used in blockchain are proof of work, which is referred to as a “waste of computing resources” by the researcher.
It is usually said that there are efforts to develop more efficient and hybrid consensus mechanisms that combine PoW and Proof of Stake (PoS). In addition to that, blockchain will produce a lot of information, data, transaction data, contract bytecode which may be useless and outdated.
“There are several smart contracts which contain no code or totally the same code in Ethereum, and many smart contracts won’t be executed after its deployment. An efficient data cleanup and detention mechanism can be used to enhance the execution efficiency of the blockchain systems.”

Private Key Security

Access to a blockchain requires both a public and a private key (the private key of the user is the identity and security credential). Keys are cryptic strings of characters of sufficient length to make the odds of guessing them truly astronomical. However, the user generates and maintains these rather than a third-party agency.
An attacker can recover a user’s private key because it may not have enough randomness during the signature process. Once the user’s private key is lost, the user won’t be able to recover it again. Since blockchain does not depend on any centralized third-party trusted institutions, if the private key of the user is stolen, it would be very difficult to track the behaviours of the criminal to recover the modified blockchain information.

51% Vulnerability

The level of vulnerability for attackers to control and exploit the entire blockchain in the consensus mechanism is 51%.To be specific, in the PoW-based blockchain, if a single miner’s hashing power accounts for more than 50% of the total hashing power of the entire blockchain, then it can result to the launching of the 51% attack.
Hence, the concentration of mining power in some mining pools may result in the fear of an inadvertent situation, such as a single pool controlling more than half of all the computing power.”

Double Spending

Though the consensus mechanism of the blockchain can validate a transaction, it’s still possible to avoid double spending or using the same cryptocurrency myriad times for transactions.
The attacker can exploit the intermediate time between the two transactions initiated and confirmation so that an attack can be launched quickly.

Smart Contracts Vulnerability

Smart contracts aren’t that smart after all. While being executed, smart contracts may have security vulnerabilities which are caused by program defects.
A survey by ScienceDirect shows that 8,833 out of 19,366 Ethereum smart contracts are vulnerable to bugs like transaction-ordering dependence, timestamp dependence, and mishandled exceptions. Not to mention that smart contracts are also pretty under-optimized.

Untested Code

Despite the nearly 8-year history of Bitcoin, blockchains not dedicated to cryptocurrencies are still heavily experimental. As such, some DLT creators are tempted to deploy insufficiently-tested code on live blockchains. One now-infamous example is that of The DAO attack. Aman already discussed this in his blog which you can access here.
The hack resulted from the attacker exploiting two vulnerabilities in The DAO code. The hacker knew that the code was designed to allow both a split, and a transfer of tokens between accounts. The hacker also realized that the code would not update account balances fast enough to prevent transferring the same tokens more than once. Since the code did not decrement the original account balances after each transfer, there was nothing to stop the same tokens from being replicated about 40 times each, without the original tokens being destroyed and it was exploited to the extent that $55 Million worth of ether was transferred.

It was very exciting for me to come up with this and I hope you enjoyed it.

In future blogs, I would talk about the impact of blockchain in the economy and what it holds for us in the future.

Thank You for your time!

– Kaushik Chandra

Ist year : MSc – Physics

Day06 – “Why?” & “What in?” Security & Blockchain?

March 16, 2020June 8, 2020 by Aman Pandeyin Blockchain, Blog Series, Computer Science, Cyber security, Uncategorized, YantrikaLeave a Comment

Reading Time: 2 minutes

author: aman

Blog I - Part VI - Day 06

This blog will cover the motivation to what lead me write this blog series. I will be covering a few intriguing bugs(in the very next BLOG), which could seriously be enlightening to the people reading, and yeah, may serve the target of this blog series, of showing the people to what is called as "The road not taken"

Let's go through...

In this micro-blog

What am I talking about?
Why am I talking about it?
- Have you heard before? (The "goto fail;", Heartbeat, Meltdown, Spectre)
What the world is upto against such ____ ?
Basic Challenges faced
Unimportant sounding complete terms
Motivation behind

Motivation Behind

The motivation to start this blog series came right from the incident where, PRIYANSH, the same 2nd year CEV members, who reached out to me regarding the BACKDOOR thing.

Just give it a clear view, everyone is now using the tech to transfer money, to share data, to create a "online portfolio" on instagram, ... bla bla bla.. almost everywhere. The people are more accepting towards new technology, for ex. the UPI, initially people resisted, now using it almost everywhere. Atleast in my city, Surat.

You are so surrounded by data exchange, that a day without internet is honestly a day spent sleeping.

Since, blockchain hype has caught a boom, just like Machine Learning, people still can't come over from learning to make applications, and actually focusing on the very ways they can make it safe to use.

It is clearly demand > supply.

So much work in developing applications and so less in securing them. The reason why the most of the BIG Institutions spend a lot of time in doing these critical researches.

The DAO bug I had talked about caused nearly $50 million worth ETH lost in the hands of attacker. Just because he was able to find and exploit the smart contract. The another attack famously called "Parity WAllet MULTI-SIG attack", frozen the use of around 500,000ETH. The bug caused due to improper checks in the smart contract functions.

Next one is even more interesting, When a user submits a transaction with no to field, it is interpreted as a contract deployment. If they also leave out the data field this results in a contract being deployed with no code. If the transaction has ETH attached to it then the ETH becomes inaccessible as it is given to the "contract" even though the contract has no code associated with it. This problem most commonly occurs when someone constructs a transaction incorrectly (accidentally leaving off the to field) but can also occur when someone attempts to create a contract but accidentally leaves out the data. In either case, it is easy to identify and the proper owner is obvious (transaction submitter).

These motivated me enough to work in that directed. In the direction of security DISTRIBUTED LEDGER TECHNOLOGY, in general. BLOCKCHAIN, is just a type of DLT.

A lot to come ahead... Keep your spirits high...

Cheers...!!!

Day05 – “Why?” & “What in?” Security & Blockchain?

March 15, 2020June 8, 2020 by Aman Pandeyin Blockchain, Blog Series, Computer Science, Cyber security, Uncategorized, YantrikaLeave a Comment

Reading Time: 2 minutes

author: aman

Blog I - Part V - Day 05

The challenges faced while creating a secure software is quite straight, and so straight are the solutions. This blog covers the very two terms to tell about how to measure the realiability of a secure system.

Plus, after covering a lot of scenarios, I will try to connect the dots for you people, to be able to comprehend the further blogs.

It gotta be a little boring one. But very essential.

In this micro-blog

What am I talking about?
Why am I talking about it?
- Have you heard before? (The "goto fail;", Heartbeat, Meltdown, Spectre)
What the world is upto against such ____ ?
Basic Challenges faced
Unimportant sounding complete terms
Motivation behind

Unimportant sounding complete terms

So, there could be two ways, either you take the code of the software you want to check vulnerability of, and check its path on various and varying input sets or just run the program under "instrumented" conditions and check for likely bugs. Simple to understand, take program and try to understand its structure and the critical conditions it can reach, or, make a sandbox(a testing environment to isolate your program from rest of the system), and test your program for faults.

The terms used for this are Static and Dynamic,

Static analysis
- Inspect code or run automated method to find errors or gain confidence about their absence
- Try to aggregate the program behavior over a large number of paths without enumerating them explicitly
Dynamic analysis
- Run code, possibly under instrumented conditions, to see if there are likely problems
- Enumerate paths but avoid redundant ones

The two following terms, tells about the measure of a "should be used", software analysers. There is always a great deal of researches in the Universities across the globe, to create the better software.

Soundness “Sound for reporting correctness”

or equivalently There is a bug  Analysis finds a bug Completeness “Complete for reporting correctness”

Property	Definition
Soundness	Analysis says no bugs -> No bugs
Completeness	No bugs -> Analysis says no bugs

In a funny manner, it simply means that if a program analyser says that a program has no bugs, it "actually doesn't have any bug". And, completeness is when if there are "NO BUGS", the program analyser should be able to tell that there are no bugs.

Think for a while, how these terms are so powerful, in context of an efficient program analyser.

During my research at IITK, Dr Pramod took me to work on a FUZZER, which is simply a Dynamic kind of software analyser, which fuzz(input) the software program with random inputs, and checks for its failure in accordance with the INVARIANTS(specifications) provided.

a lot more to cover, before ending this major blog, and starting with the new one.

See ya.. Cheers.!!