References of "State, Radu 50003137"
Peer Reviewed
Blockchain Governance: An Overview and Prediction of Optimal Strategies Using Nash Equilibrium
Khan, Nida UL; Ahmad, Tabrez; Patel, Anass et al

in 3rd AUE International Research Conference (in press)

Blockchain governance is a subject of ongoing research, and an interdisciplinary view of blockchain governance is vital to aid further research towards establishing a formal governance framework for this nascent technology. In this paper, the position of blockchain governance within the hierarchy of institutional governance is discussed. Blockchain governance is analyzed from the perspective of IT governance, using Nash equilibrium to predict the outcome of different governance decisions. A payoff matrix for blockchain governance is created and different strategy profiles are simulated to compute all Nash equilibria. We also create payoff matrices for different kinds of blockchain governance, which are used to propose novel mathematical formulae that predict the governance strategy minimizing the occurrence of a hard fork as well as the behavior of the majority during protocol updates.

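To make the equilibrium computation described in this abstract concrete, here is an added example (not code from the paper, whose payoff matrices and formulae are not reproduced on this page) that enumerates every pure-strategy Nash equilibrium of a small two-player governance game and picks the fork-free one with the highest total payoff. The players, strategies and payoff values are assumptions made for illustration.

```python
from itertools import product

# Constructed two-player game (assumed numbers, not the paper's matrix).
# Row player: core developers; column player: majority of node operators.
# Each picks whether to "accept" or "reject" a proposed protocol update.
# Payoff tuples are (row, column). Disagreement models a chain split (hard fork),
# which is costly for whoever ends up on the minority chain.
STRATEGIES = ("accept", "reject")
PAYOFFS = {
    ("accept", "accept"): (3, 3),
    ("accept", "reject"): (-2, 1),
    ("reject", "accept"): (1, -2),
    ("reject", "reject"): (0, 0),
}


def is_best_response(payoffs, strategies, profile, player):
    """True if `player` cannot raise their own payoff by deviating alone."""
    own = payoffs[profile][player]
    for alt in strategies:
        if alt == profile[player]:
            continue
        deviated = list(profile)
        deviated[player] = alt
        if payoffs[tuple(deviated)][player] > own:
            return False
    return True


def pure_nash_equilibria(payoffs, strategies, n_players=2):
    """Enumerate every strategy profile and keep those where all players are best-responding."""
    return [
        profile
        for profile in product(strategies, repeat=n_players)
        if all(is_best_response(payoffs, strategies, profile, p) for p in range(n_players))
    ]


def hard_fork_profiles(profiles):
    """Profiles in which the players disagree, i.e. the outcomes that end in a chain split."""
    return [p for p in profiles if len(set(p)) > 1]


def preferred_equilibrium(payoffs, strategies):
    """Among the equilibria that avoid a fork, pick the one with the highest total payoff."""
    candidates = [e for e in pure_nash_equilibria(payoffs, strategies) if len(set(e)) == 1]
    return max(candidates, key=lambda e: sum(payoffs[e]), default=None)


if __name__ == "__main__":
    print("Nash equilibria:", pure_nash_equilibria(PAYOFFS, STRATEGIES))
    print("Fork outcomes:", hard_fork_profiles(product(STRATEGIES, repeat=2)))
    print("Preferred fork-free equilibrium:", preferred_equilibrium(PAYOFFS, STRATEGIES))
```

With these numbers the game is a coordination game: both "everyone accepts" and "everyone rejects" are equilibria, and neither fork outcome is. That is the structure the abstract's prediction of majority behavior relies on: whichever strategy the majority is expected to adopt becomes the best response for everyone else, so the governance question is which equilibrium the community coordinates on.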
Peer Reviewed
ConFuzzius: A Data Dependency-Aware Hybrid Fuzzer for Smart Contracts
Ferreira Torres, Christof UL; Iannillo, Antonio Ken UL; Gervais, Arthur et al

in European Symposium on Security and Privacy, Vienna 7-11 September 2021 (2021, September)

Smart contracts are Turing-complete programs that are executed across a blockchain. Unlike traditional programs, once deployed, they cannot be modified. As smart contracts carry more value, they become more of an exciting target for attackers. Over the last years, they suffered from exploits costing millions of dollars due to simple programming mistakes. As a result, a variety of tools for detecting bugs have been proposed. Most of these tools rely on symbolic execution, which may yield false positives due to over-approximation. Recently, many fuzzers have been proposed to detect bugs in smart contracts. However, these tend to be more effective in finding shallow bugs and less effective in finding bugs that lie deep in the execution, therefore achieving low code coverage and many false negatives. An alternative that has proven to achieve good results in traditional programs is hybrid fuzzing, a combination of symbolic execution and fuzzing. In this work, we study hybrid fuzzing on smart contracts and present ConFuzzius, the first hybrid fuzzer for smart contracts. ConFuzzius uses evolutionary fuzzing to exercise shallow parts of a smart contract and constraint solving to generate inputs that satisfy complex conditions that prevent evolutionary fuzzing from exploring deeper parts. Moreover, ConFuzzius leverages dynamic data dependency analysis to efficiently generate sequences of transactions that are more likely to result in contract states in which bugs may be hidden. We evaluate the effectiveness of ConFuzzius by comparing it with state-of-the-art symbolic execution tools and fuzzers for smart contracts. Our evaluation on a curated dataset of 128 contracts and a dataset of 21K real-world contracts shows that our hybrid approach detects more bugs than state-of-the-art tools (up to 23%) and that it outperforms existing tools in terms of code coverage (up to 69%). We also demonstrate that data dependency analysis can boost bug detection up to 18%.

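An added illustration, not ConFuzzius' own code, of what "data dependency-aware" transaction sequencing means: if a function reads a storage slot that only another function writes, the writer has to run first or the deeper branch stays unreachable no matter how the inputs are mutated. The contract, function names and per-function read/write sets below are assumed; a real fuzzer recovers them dynamically from SLOAD/SSTORE in the execution trace.

```python
from collections import defaultdict

# Constructed read/write sets of storage slots per public function (assumed; a fuzzer
# would record these from the EVM trace rather than have them hard-coded).
CONTRACT = {
    "deposit":  {"reads": set(),                    "writes": {"balance"}},
    "approve":  {"reads": {"balance"},              "writes": {"allowance"}},
    "withdraw": {"reads": {"balance", "allowance"}, "writes": {"balance"}},
    "ping":     {"reads": set(),                    "writes": set()},
}


def dependency_graph(contract):
    """Map each function to the set of other functions that write a slot it reads."""
    deps = defaultdict(set)
    for reader, spec_r in contract.items():
        for writer, spec_w in contract.items():
            if writer != reader and spec_w["writes"] & spec_r["reads"]:
                deps[reader].add(writer)
    return deps


def sequence_for(contract, target):
    """Order transactions so that each function's writers run before it (DFS post-order).
    The `seen` set breaks cycles such as approve <-> withdraw, so this always terminates."""
    deps = dependency_graph(contract)
    order, seen = [], set()

    def visit(fn):
        if fn in seen:
            return
        seen.add(fn)
        for dep in sorted(deps[fn]):
            visit(dep)
        order.append(fn)

    visit(target)
    return order


def all_sequences(contract):
    """One dependency-respecting seed sequence per function, the inputs a fuzzer would mutate."""
    return {fn: sequence_for(contract, fn) for fn in contract}


if __name__ == "__main__":
    for fn, seq in all_sequences(CONTRACT).items():
        print(f"{fn:9s} <- {' ; '.join(seq)}")
```

The payoff is in the seed corpus: without the dependency graph a fuzzer would call `withdraw` on a fresh contract and only ever exercise its "nothing to withdraw" path; with it, every seed for `withdraw` already contains a `deposit` and an `approve`, so the state-dependent branches are reachable from the first generation.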
Peer Reviewed
HSM-based Key Management Solution for Ethereum Blockchain
Shbair, Wazen UL; Gavrilov, Eugene; State, Radu UL

in IEEE International Conference on Blockchain and Cryptocurrency, 3-6 May 2021 (2021, May 03)

The security of distributed applications backed by blockchain technology relies mainly on keeping the associated cryptographic keys (i.e. private keys) in well-protected storage, since they are the unique proof of ownership of the underlying digital assets. If the keys are stolen or lost, there is no way to recover the assets. A cold wallet is a good candidate for basic use cases, but it poses a substantial challenge for more complex applications as it does not scale. Warm and hot wallets are more convenient options for blockchain-based solutions that aim to transact in a cloud environment. In this work, we focus on Hardware Security Module (HSM) based wallets. The HSM is the de-facto standard device designed to manage high-value cryptographic keys and to protect them against hacks. In this demonstration, we present an HSM-based working prototype that secures the entire life cycle of Ethereum public and private keys.

Peer Reviewed
Privacy-Preserving PayString Service
Scheidt de Cristo, Flaviene UL; Shbair, Wazen UL; Trestioreanu, Lucian Andrei UL et al

Poster (2021, May)

PayString is an initiative to make payment identifiers global and human-readable, facilitating the exchange of payment information. However, the reference implementation lacks privacy and security features, making it possible for anyone to access the payment information as long as the PayString identifier is known. Also, this paper presents the first performance evaluation of PayString. Via a large-scale testbed, our experimental results show an overhead which, given the privacy and security advantages offered, is acceptable in practice, thus making the proposed solution feasible.

Peer Reviewed
Frontrunner Jones and the Raiders of the Dark Forest: An Empirical Study of Frontrunning on the Ethereum Blockchain
Ferreira Torres, Christof UL; Camino, Ramiro; State, Radu UL

in USENIX Security Symposium, Virtual 11-13 August 2021 (2021)

Ethereum prospered the inception of a plethora of smart contract applications, ranging from gambling games to decentralized finance. However, Ethereum is also considered a highly adversarial environment, where vulnerable smart contracts will eventually be exploited. Recently, Ethereum's pool of pending transactions has become a far more aggressive environment. In the hope of making some profit, attackers continuously monitor the transaction pool and try to frontrun their victims' transactions by either displacing or suppressing them, or by strategically inserting their own transactions. This paper aims to shed some light on what is known as the dark forest and uncover these predators' actions. We present a methodology to efficiently measure the three types of frontrunning: displacement, insertion, and suppression. We perform a large-scale analysis on more than 11M blocks and identify almost 200K attacks with an accumulated profit of 18.41M USD for the attackers, providing evidence that frontrunning is both lucrative and prevalent.

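The three attack shapes named in the abstract can be recognised from mined block contents alone with positional heuristics. The following is an added example, not the paper's measurement methodology: the conditions (same target contract, gas-price ordering, an 80% gas share for suppression) are simplifying assumptions, and the transactions, hashes, addresses and gas values are constructed for illustration.

```python
from collections import defaultdict

# Constructed block, transactions in mined order (assumed data; everything here is made up).
BLOCK = [
    {"hash": "0xa1", "from": "0xATTACKER", "to": "0xDEX", "input": "swap(A->B, 10)", "gas_price": 60, "gas_used": 150_000},
    {"hash": "0xv1", "from": "0xVICTIM",   "to": "0xDEX", "input": "swap(A->B, 5)",  "gas_price": 40, "gas_used": 150_000},
    {"hash": "0xa2", "from": "0xATTACKER", "to": "0xDEX", "input": "swap(B->A, 10)", "gas_price": 40, "gas_used": 150_000},
    {"hash": "0xb1", "from": "0xBOT",      "to": "0xNFT", "input": "mint()",         "gas_price": 90, "gas_used": 200_000},
    {"hash": "0xv2", "from": "0xUSER",     "to": "0xNFT", "input": "mint()",         "gas_price": 50, "gas_used": 200_000},
]

# Second constructed block in which one sender burns most of the gas limit.
SUPPRESSION_BLOCK = [
    {"hash": f"0xs{i}", "from": "0xSPAMMER", "to": "0xGASBURN", "input": "burn()", "gas_price": 80, "gas_used": 200_000}
    for i in range(4)
] + [
    {"hash": "0xv3", "from": "0xUSER", "to": "0xDEX", "input": "swap(A->B, 1)", "gas_price": 40, "gas_used": 100_000},
]
BLOCK_GAS_LIMIT = 1_000_000  # assumed


def detect_displacement(block):
    """Displacement: a different sender replays the victim's exact call to the same contract
    and gets mined first by paying a higher gas price."""
    hits = []
    for i, attacker in enumerate(block):
        for victim in block[i + 1:]:
            if (attacker["from"] != victim["from"]
                    and attacker["to"] == victim["to"]
                    and attacker["input"] == victim["input"]
                    and attacker["gas_price"] > victim["gas_price"]):
                hits.append((attacker["hash"], victim["hash"]))
    return hits


def detect_insertion(block):
    """Insertion (sandwich): one sender lands a tx before and another after the victim's tx
    to the same contract; the first must outbid the victim, the second must not."""
    hits = []
    n = len(block)
    for i in range(n):
        for j in range(i + 1, n):
            for k in range(j + 1, n):
                first, victim, second = block[i], block[j], block[k]
                if (first["from"] == second["from"] != victim["from"]
                        and first["to"] == victim["to"] == second["to"]
                        and first["gas_price"] > victim["gas_price"] >= second["gas_price"]):
                    hits.append((first["hash"], victim["hash"], second["hash"]))
    return hits


def detect_suppression(block, gas_limit, share=0.8):
    """Suppression: a single sender consumes at least `share` of the block's gas limit,
    crowding competing transactions into later blocks."""
    gas_by_sender = defaultdict(int)
    for tx in block:
        gas_by_sender[tx["from"]] += tx["gas_used"]
    return sorted(s for s, g in gas_by_sender.items() if g >= share * gas_limit)


if __name__ == "__main__":
    print("displacement:", detect_displacement(BLOCK))
    print("insertion:   ", detect_insertion(BLOCK))
    print("suppression: ", detect_suppression(SUPPRESSION_BLOCK, BLOCK_GAS_LIMIT))
```

Each detector is deliberately one-sided: it flags candidates from block ordering and gas prices but says nothing about profit, which is what separates an attack from a coincidence. A measurement pipeline would replay the candidate transactions against the pre-block state and keep only those where the suspected attacker's balance actually increased.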
Peer Reviewed
The Eye of Horus: Spotting and Analyzing Attacks on Ethereum Smart Contracts
Ferreira Torres, Christof UL; Iannillo, Antonio Ken UL; Gervais, Arthur et al

in International Conference on Financial Cryptography and Data Security, Grenada 1-5 March 2021 (2021)

Peer Reviewed
Towards Privacy Preserving Data Centric Super App
Carvalho Ota, Fernando Kaway UL; Meira, Jorge Augusto UL; Frank, Raphaël UL et al

in Carvalho Ota, Fernando Kaway; Meira, Jorge Augusto; Frank, Raphaël (Eds.) et al 2020 Mediterranean Communication and Computer Networking Conference, Arona 17-19 June 2020 (2020, September 10)

The number of smartphone users recently surpassed the number of desktop users on the Internet, opening up countless development challenges and business opportunities. Not only are the majority of users connected through their smartphones, but the growing number of Internet users in general has popularized the massive use of data-driven applications. In this context, the concept of super apps seems to be the next game-changer for the mobile apps industry, and the challenges related to security and privacy are key to keeping user data safe. Thus, by combining different components for provisioning, authentication, membership and others, we propose a novel framework that enables the creation of a super app using privacy-by-design principles.

Peer Reviewed
A Data Science Approach for Honeypot Detection in Ethereum
Camino, Ramiro Daniel UL; Ferreira Torres, Christof UL; Baden, Mathis UL et al

in 2020 IEEE International Conference on Blockchain and Cryptocurrency (ICBC) (2020, August 17)

Peer Reviewed
Leveraging eBPF to preserve user privacy for DNS, DoT, and DoH queries
Rivera, Sean UL; Gurbani, Vijay; Lagraa, Sofiane UL et al

in Proceedings of the 15th International Conference on Availability, Reliability and Security (2020, August)

The Domain Name System (DNS), a fundamental protocol that controls how users interact with the Internet, inadequately provides protection for user privacy. Recently, there have been advancements in the field of DNS privacy and security in the form of the DNS over TLS (DoT) and DNS over HTTPS (DoH) protocols. The advent of these protocols and recent advancements in large-scale data processing have drastically altered the threat model for DNS privacy. Users can no longer rely on traditional methods, and must instead take active steps to ensure their privacy. In this paper, we demonstrate how the extended Berkeley Packet Filter (eBPF) can assist users in maintaining their privacy by leveraging eBPF to provide privacy across standard DNS, DoH, and DoT communications. Further, we develop a method that allows users to enforce application-specific DNS servers. Our method provides users with control over their DNS network traffic and privacy without requiring changes to their applications while adding low overhead.

Peer Reviewed
Working with Deep Generative Models and Tabular Data Imputation
Camino, Ramiro Daniel UL; Hammerschmidt, Christian UL; State, Radu UL

Scientific Conference (2020, July 17)

Datasets with missing values are very common in industry applications. Missing data typically have a negative impact on machine learning models. With the rise of generative models in deep learning, recent studies proposed solutions to the problem of imputing missing values based on various deep generative models. Previous experiments with Generative Adversarial Networks (GANs) and Variational Autoencoders (VAEs) showed promising results in this domain. Initially, these results focused on imputation in image data, e.g. filling missing patches in images. Recent proposals addressed missing values in tabular data. For these data, the case for deep generative models seems to be less clear. In the process of providing a fair comparison of proposed methods, we uncover several issues when assessing the status quo: the use of under-specified and ambiguous dataset names, the large range of parameters and hyper-parameters to tune for each method, and the use of different metrics and evaluation methods.

Peer Reviewed
The rise of eBPF for non-intrusive performance monitoring
Cassagnes, Cyril UL; Trestioreanu, Lucian Andrei UL; Joly, Clement UL et al

in IEEE Xplore (2020, June 08)

In this paper, we explain that container engines are strengthening their isolation mechanisms. Therefore, non-intrusive monitoring becomes a must-have for the performance analysis of containerized user-space applications in production environments. After a literature review and background on Linux subsystems and container isolation concepts, we present our lessons learned from using the extended Berkeley Packet Filter to monitor and profile performance. We carry out the profiling and tracing of several Interledger connectors using two full-fledged implementations of the Interledger protocol specifications.

Peer Reviewed
Tokenization of Sukuk: Ethereum Case Study
Khan, Nida UL; Kchouri, Bilal UL; Yatoo, Nissar Ahmad et al

in Global Finance Journal (2020)

Sukuk is a financial instrument that provides returns similar to conventional bonds. It has served to cater to the capital requirements of big corporations and governments, while circumventing interest to adhere to Shariah law. Sukuk can be touted as Shariah-compliant bonds that rank amongst the most successful and fastest growing financial instruments in the Islamic economy. The sukuk research area is marked by a dearth of quantitative literature compared to qualitative academic work. This paper seeks to fill this existing gap and introduces a novel, exploratory analysis of sukuk tokenization based on a case study. The funding needs of small and medium enterprises remain largely unmet through sukuk on account of the high costs involved, among other reasons. As we show in this paper, blockchains can help lower the cost incurred through the tokenization of sukuk. We highlight some of the key challenges involved in the issuance of sukuk and discuss their resolution using blockchain. We also provide a taxonomy of blockchain applications in finance, with a particular focus on Islamic finance. Our paper reviews different blockchain architectures to assess their viability for tokenization. We conduct a novel case study on sukuk tokenization by implementing a basic smart contract for Sukuk al-Murabaha on Ethereum. The paper concludes with a conceptual analysis of feasibility concerns, based on a comparison of the conducted cost-benefit analysis of conventional sukuk issuance with tokenization.

Peer Reviewed
Mobile App to SGX Enclave Secure Channel
Carvalho Ota, Fernando Kaway UL; Meira, Jorge Augusto UL; Cassagnes, Cyril UL et al

in 2019 IEEE International Symposium on Software Reliability Engineering Workshops (2020, February 13)

The current challenge for several applications is to guarantee the user's privacy when using personal data. The broader problem is to transfer and process the data without exposing the sensitive content to anyone, including the service provider(s). In this paper, we address this challenge by proposing a protocol to combine secure frameworks in order to exchange and process sensitive data, i.e. respecting the user's privacy. Our contribution is a protocol to perform a secure exchange of data between a mobile application and a trusted execution environment. In our experiments we show independent implementations of our protocol using three different encryption modes (i.e., CBC, ECB, GCM encryption). Our results support the feasibility and importance of an end-to-end secure channel protocol.

Deep dive into Interledger: Understanding the Interledger ecosystem - Part 4
Trestioreanu, Lucian Andrei UL; Cassagnes, Cyril UL; State, Radu UL

Learning material (2020)

At the technical level, the goal of Interledger is to provide an architecture and a minimal set of protocols to enable interoperability for any value transfer system. The Interledger protocol is literally a protocol for interledger payments. To understand how it is possible to achieve this goal, several aspects of the technology require a deeper analysis. For this reason, in our journey to become knowledgeable and active contributors, we decided to create our own test-bed on our premises. By doing so, we noticed that some aspects are well documented but found that others might need more attention and clarification. Despite a large community effort, the task of keeping information on a fast-evolving software ecosystem current is tedious and not always the priority for such a project. Therefore, the purpose of this document is to guide, through several hands-on activities, community members who want to engage at different levels. The document consolidates all the relevant information, from generating a simple payment to ultimately creating a test-bed with the Interledger protocol suite between Ripple and other distributed ledger technologies.

Peer Reviewed
BlockPGP: A Blockchain-based Framework for PGP Key Servers
Yakubov, Alexander UL; Shbair, Wazen UL; Khan, Nida UL et al

in International Journal of Networking and Computing (2020), 10(1), 1-24

Pretty Good Privacy (PGP) is one of the most prominent cryptographic standards offering end-to-end encryption for email messages and other sensitive information exchange. PGP allows verifying the identity of the correspondent in an information exchange as well as the integrity of the information. PGP implements asymmetric encryption with certificates shared through a network of PGP key servers. In this paper, we propose a new PGP management framework with the key server infrastructure implemented using blockchain technology. Our approach offers fast propagation of certificate revocation among PGP key servers and elimination of man-in-the-middle risks. It also grants users the required access control to update their own PGP certificates, which is not the case with the current PGP key servers. A prototype has been implemented using the Ethereum blockchain and an open source key server named Hockeypuck. Finally, we evaluated the prototype with extensive experiments. Our results show that our solution is practical and could be integrated with the existing public PGP key server infrastructure.

Peer Reviewed
Intrusion detection on robot cameras using spatio-temporal autoencoders: A self-driving car application
Amrouche, Faouzi UL; Lagraa, Sofiane UL; Frank, Raphaël UL et al

in 91st IEEE Vehicular Technology Conference, VTC Spring 2020, Antwerp, Belgium, May 25-28, 2020 (2020)

Robot Operating System (ROS) is becoming more and more important and is used widely by developers and researchers in various domains. One of the most important fields where it is being used is the self-driving car industry. However, this framework is far from being totally secure, and the existing security breaches do not have robust solutions. In this paper we focus on camera vulnerabilities, as the camera is often the most important source for environment discovery and the decision-making process. We propose an unsupervised anomaly detection tool for detecting suspicious frames incoming from camera flows. Our solution is based on spatio-temporal autoencoders used to faithfully reconstruct the camera frames and detect abnormal ones by measuring the difference from the input. We test our approach on a real-world dataset, i.e. flows coming from embedded cameras of self-driving cars. Our solution outperforms the existing works on different scenarios.

Peer Reviewed
Process mining-based approach for investigating malicious login events
Lagraa, Sofiane UL; State, Radu UL

in IEEE/IFIP Network Operations and Management Symposium, Budapest, Hungary, April 20-24, 2020 (2020)

A large body of research has been accomplished on prevention and detection of malicious events, attacks, threats, or botnets. However, there is a lack of automatic and sophisticated methods for investigating malicious events/users, understanding the root cause of attacks, and discovering what is really happening before an attack. In this paper, we propose an attack model discovery approach for investigating and mining malicious authentication events across user accounts. The approach is based on process mining techniques applied to event logs leading up to attacks, in order to extract the behavior of malicious users. The evaluation is performed on a large public dataset, where we extract models of the behavior of malicious users via authentication events. The results are useful for security experts to improve defense tools by making them more robust and to develop attack simulations.

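The core process-mining step the abstract relies on, turning per-user authentication traces into a directly-follows graph and keeping the transitions that only occur on the way to an attack, is small enough to show end to end. This is an added example, not the paper's implementation or dataset: the log format, the event names and the ten log lines are constructed, and "privilege_escalation" is the assumed marker of a trace that reached an attack.

```python
import re
from collections import Counter, defaultdict

# Constructed authentication events (assumed format; not the dataset used in the paper).
LOG_LINES = """
2020-04-20T08:00:01 user=alice event=logon_success
2020-04-20T08:00:05 user=alice event=logoff
2020-04-20T09:10:00 user=mallory event=logon_failed
2020-04-20T09:10:03 user=mallory event=logon_failed
2020-04-20T09:10:07 user=mallory event=logon_failed
2020-04-20T09:10:12 user=mallory event=logon_success
2020-04-20T09:11:00 user=mallory event=privilege_escalation
2020-04-20T09:30:00 user=bob event=logon_failed
2020-04-20T09:30:20 user=bob event=logon_success
2020-04-20T09:45:00 user=bob event=logoff
""".strip().splitlines()

LINE_RE = re.compile(r"^(\S+) user=(\S+) event=(\S+)$")
ATTACK_EVENTS = {"privilege_escalation"}  # assumed label for "the attack happened"


def parse_traces(lines):
    """Group events into one time-ordered trace per user (the process-mining 'case')."""
    traces = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        ts, user, event = m.groups()
        traces[user].append((ts, event))
    # ISO-8601 timestamps sort correctly as strings
    return {u: [e for _, e in sorted(evs)] for u, evs in traces.items()}


def directly_follows(traces):
    """Count (a, b) pairs where b immediately follows a within the same trace."""
    dfg = Counter()
    for trace in traces.values():
        for a, b in zip(trace, trace[1:]):
            dfg[(a, b)] += 1
    return dfg


def split_by_outcome(traces):
    """Separate traces that reached an attack event from those that did not."""
    malicious = {u: t for u, t in traces.items() if ATTACK_EVENTS & set(t)}
    benign = {u: t for u, t in traces.items() if u not in malicious}
    return malicious, benign


def attack_model(lines):
    """Transitions seen in attack-reaching traces and never in benign ones, with counts."""
    malicious, benign = split_by_outcome(parse_traces(lines))
    mal_dfg, ben_dfg = directly_follows(malicious), directly_follows(benign)
    return {edge: n for edge, n in mal_dfg.items() if edge not in ben_dfg}


if __name__ == "__main__":
    for (a, b), n in sorted(attack_model(LOG_LINES).items(), key=lambda kv: -kv[1]):
        print(f"{a} -> {b}  x{n}")
```

On the constructed log the model keeps the repeated-failure loop and the success-to-escalation step, while the single failed-then-successful logon is dropped because Bob produced it too. That subtraction is what makes the output usable for defenders: it is the part of the attacker's process that a benign user never exhibits, so it can be turned into a detection rule or replayed as an attack simulation without flagging ordinary typo-then-retry logons.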
Peer Reviewed
Towards Usable Protection Against Honeypots
Ferreira Torres, Christof UL; Steichen, Mathis UL; State, Radu UL

in IEEE International Conference on Blockchain and Cryptocurrency, Toronto, Canada 3-6 May 2020 (2020)

The Ethereum blockchain enables the execution of so-called smart contracts. These are programs that facilitate the automated transfer of funds according to a given business logic without the participants needing to trust one another. However, recently attackers started using smart contracts to lure users into traps by deploying contracts that pretend to give away funds but in fact contain hidden traps. This new type of scam is commonly referred to as honeypots. In this paper, we propose a system that aims to protect users from falling into these traps. The system consists of a plugin for MetaMask and a back-end service that continuously scans the Ethereum blockchain for honeypots. Whenever a user is about to perform a transaction through MetaMask, our plugin sends a request to the back-end and warns the user if the target contract is a honeypot.

Peer Reviewed
Federated Learning For Cyber Security: SOC Collaboration For Malicious URL Detection
Khramtsova, Ekaterina; Hammerschmidt, Christian; Lagraa, Sofiane UL et al

in IEEE International Conference on Distributed Computing Systems (ICDCS) (2020)

Managed security service providers increasingly rely on machine-learning methods to exceed traditional, signature-based threat detection and classification methods. As machine learning often improves with more data available, smaller organizations and clients find themselves at a disadvantage: without the ability to share their data and others willing to collaborate, their machine-learned threat detection will perform worse than the same model in a larger organization. We show that Federated Learning, i.e. collaborative learning without data sharing, successfully helps to overcome this problem. Our experiments focus on a common task in cyber security, the detection of unwanted URLs in network traffic seen by security-as-a-service providers. Our experiments show that i) smaller participants benefit from larger participants; ii) participants seeing different types of malicious traffic can generalize better to unseen types of attacks, increasing performance by 8% to 15% on average, and up to 27% in the extreme case; and iii) participating in federated training never harms the performance of the locally trained model. In our experiment modeling a security-as-a-service setting, Federated Learning increased detection by up to 30% for some participants in the scheme. This clearly shows that Federated Learning is a viable approach to address issues of data sharing in common cyber security settings.
