Characterizing the Cost of Introducing Secure Programming Patterns and Practices in Ethereum

Ethereum is blockchain-based platform which enables the development and deployment of smart contracts. Smart contracts are computer programs that provide automation for the governance of decentralized autonomous organizations (DAO). However, while the Blockchain technology is secure, smart contracts are only as secure as the programmers has designed it to be. Therefore, smart contract exposes vulnerabilities that can be exploited by attackers and threaten the viability of the DAOs. This study presents a case study which investigated how security programming patterns and practices from other programming languages can be applied in Solidity – Ethereum programming language. We have characterized the cost of introducing these patterns and practices. We identified 30 security programming patterns and practices from C++, JAVA which can be applicable to Solidity and implemented ten in a representative smart contract. The results show that the application of the ten security patterns and practices identified and implemented increases the cost of the smart contract (when compared to the baseline). Furthermore, we argue that this difference is not significant and should not deter any programmers into introducing the security patterns and practices into their smart contracts.

[1]  Sergei Tikhomirov,et al.  SmartCheck: Static Analysis of Ethereum Smart Contracts , 2018, 2018 IEEE/ACM 1st International Workshop on Emerging Trends in Software Engineering for Blockchain (WETSEB).

[2]  James A. Whittaker,et al.  How to Break Web Software: Functional and Security Testing of Web Applications and Web Services , 2006 .

[3]  David A. Wheeler,et al.  Secure Programming for Linux and Unix HOWTO , 2003 .

[4]  Sukrit Kalra,et al.  ZEUS: Analyzing Safety of Smart Contracts , 2018, NDSS.

[5]  Massimo Bartoletti,et al.  A Survey of Attacks on Ethereum Smart Contracts (SoK) , 2017, POST.

[6]  Xiapu Luo,et al.  Under-optimized smart contracts devour your money , 2017, 2017 IEEE 24th International Conference on Software Analysis, Evolution and Reengineering (SANER).

[7]  Charles P. Pfleeger,et al.  Security in computing , 1988 .

[8]  Peter Sommerlad,et al.  Security Patterns: Integrating Security and Systems Engineering , 2006 .

[9]  Uwe Zdun,et al.  Smart contracts: security patterns in the ethereum ecosystem and solidity , 2018, 2018 International Workshop on Blockchain Oriented Software Engineering (IWBOSE).

[10]  Chris Dannen Bridging the Blockchain Knowledge Gap , 2017 .

[11]  Ramesh Nagappan,et al.  Core Security Patterns: Best Practices and Strategies for J2EE, Web Services, and Identity Management , 2005 .

[12]  Marlon Dumas,et al.  Optimized Execution of Business Processes on Blockchain , 2016, BPM.

[13]  Austen Rainer,et al.  Case Study Research in Software Engineering - Guidelines and Examples , 2012 .

[14]  Hironori Washizaki,et al.  A survey on security patterns , 2008 .

[15]  Peter McBurney,et al.  Validation and Verification of Smart Contracts: A Research Agenda , 2017, Computer.