Compositional Security for Reentrant Applications

03/15/2021
by Ethan Cecchetti, et al.

The disastrous vulnerabilities in smart contracts sharply remind us of our ignorance: we do not know how to write code that is secure in composition with malicious code. Information flow control has long been proposed as a way to achieve compositional security, offering strong guarantees even when combining software from different trust domains. Unfortunately, this appealing story breaks down in the presence of reentrancy attacks. We formalize a general definition of reentrancy and introduce a security condition that allows software modules like smart contracts to protect their key invariants while retaining the expressive power of safe forms of reentrancy. We present a security type system that provably enforces secure information flow; in conjunction with run-time mechanisms, it enforces secure reentrancy even in the presence of unknown code; and it helps locate and correct recent high-profile vulnerabilities.

