Trust Factors and Insider Threats in Permissioned Distributed Ledgers - An Analytical Study and Evaluation of Popular DLT Frameworks

Permissioned distributed ledgers have recently captured the attention of organizations looking to improve efficiency, transparency and auditability in value network operations. Often the technology is regarded as trustless or trust-free, resulting in a false sense of security. In this work, we review the various trust factors present in distributed ledger systems. We analyze the different groups of trust actors and their trust relationships to the software layers and inherent components of distributed ledgers. Based on these analyses, we investigate how insiders may conduct attacks based on trust in distributed ledger components. To verify practical feasiblity of these attack vectors, we conduct a technical study with four popular permissioned distributed ledger frameworks: Hyperledger Fabric, Hyperledger Sawtooth, Ethereum and R3 Corda. Finally, we highlight options for mitigation of these threats.

[1]  Dipankar Dasgupta,et al.  A survey of blockchain from security perspective , 2019, J. Bank. Financial Technol..

[2]  Günther Pernul,et al.  Minimizing insider misuse through secure Identity Management , 2012, Secur. Commun. Networks.

[3]  V. Dixit,et al.  Yield enhancement strategies for artemisinin production by suspension cultures of Artemisia annua. , 2008, Bioresource technology.

[4]  Michel R. V. Chaudron,et al.  Integrity management in component based systems , 2004, Proceedings. 30th Euromicro Conference, 2004..

[5]  Tom Mens,et al.  An empirical comparison of dependency network evolution in seven software packaging ecosystems , 2017, Empirical Software Engineering.

[6]  Thomas Locher,et al.  When Can a Distributed Ledger Replace a Trusted Third Party? , 2018, 2018 IEEE International Conference on Internet of Things (iThings) and IEEE Green Computing and Communications (GreenCom) and IEEE Cyber, Physical and Social Computing (CPSCom) and IEEE Smart Data (SmartData).

[7]  Michael Dahlin,et al.  Making Byzantine Fault Tolerant Systems Tolerate Byzantine Faults , 2009, NSDI.

[8]  Florian Hawlitschek,et al.  The limits of trust-free systems: A literature review on blockchain technology and trust in the sharing economy , 2018, Electron. Commer. Res. Appl..

[9]  Rachid El Bansarkhani,et al.  PQChain: Strategic Design Decisions for Distributed Ledger Technologies against Future Threats , 2018, IEEE Security & Privacy.

[10]  Garrick Hileman,et al.  2017 Global Blockchain Benchmarking Study , 2017 .

[11]  Garrick Hileman,et al.  Global Blockchain Benchmarking Study , 2010 .

[12]  Code Willing In Code We Trust , 2019, Wilmott Magazine.

[13]  Victor Vianu,et al.  Invited articles section foreword , 2010, JACM.

[14]  Houston H. Carr,et al.  Threats to Information Systems: Today's Reality, Yesterday's Understanding , 1992, MIS Q..

[15]  Elisa Bertino,et al.  DetAnom: Detecting Anomalous Database Transactions by Insiders , 2015, CODASPY.

[16]  Carl Colwill,et al.  Human factors in information security: The insider threat - Who can you trust these days? , 2009, Inf. Secur. Tech. Rep..

[17]  Florian Glaser,et al.  Pervasive Decentralisation of Digital Infrastructures: A Framework for Blockchain enabled System and Use Case Analysis , 2017, HICSS.

[18]  Hector Garcia-Molina,et al.  Taxonomy of trust: Categorizing P2P reputation systems , 2006, Comput. Networks.

[19]  Marko Vukolic,et al.  Hyperledger fabric: a distributed operating system for permissioned blockchains , 2018, EuroSys.

[20]  Peng Jiang,et al.  A Survey on the Security of Blockchain Systems , 2017, Future Gener. Comput. Syst..

[21]  Caitlin Lustig,et al.  Algorithmic Authority: The Case of Bitcoin , 2015, 2015 48th Hawaii International Conference on System Sciences.

[22]  Marko Vukolic,et al.  Blockchain Consensus Protocols in the Wild (Keynote Talk) , 2017, DISC.

[23]  Pieter H. Hartel,et al.  Rethinking Blockchain Security: Position Paper , 2018, 2018 IEEE International Conference on Internet of Things (iThings) and IEEE Green Computing and Communications (GreenCom) and IEEE Cyber, Physical and Social Computing (CPSCom) and IEEE Smart Data (SmartData).

[24]  Marcello Ceci,et al.  Trust in Smart Contracts is a Process, As Well , 2017, Financial Cryptography Workshops.

[25]  Marko Vukolic,et al.  Blockchain Consensus Protocols in the Wild , 2017, DISC.

[26]  Prateek Saxena,et al.  Making Smart Contracts Smarter , 2016, IACR Cryptol. ePrint Arch..

[27]  Fan Zhang,et al.  Town Crier: An Authenticated Data Feed for Smart Contracts , 2016, CCS.

[28]  Nitin Afzulpurkar,et al.  Use of supervised discretization with PCA in wavelet packet transformation-based surface electromyogram classification , 2009, Biomed. Signal Process. Control..

[29]  Alysson Neves Bessani,et al.  State Machine Replication for the Masses with BFT-SMART , 2014, 2014 44th Annual IEEE/IFIP International Conference on Dependable Systems and Networks.

[30]  Edward Amoroso,et al.  Toward an approach to measuring software trust , 1991, Proceedings. 1991 IEEE Computer Society Symposium on Research in Security and Privacy.

[31]  Corina Sas,et al.  Exploring Trust in Bitcoin Technology: A Framework for HCI Research , 2015, OZCHI.

[32]  F. Berkers,et al.  Techruption Consortium Blockchain : what it takes to run a blockchain together , 2018 .

[33]  Vincent Gramoli,et al.  The Attack of the Clones against Proof-of-Authority , 2019, NDSS.

[34]  Beng Chin Ooi,et al.  BLOCKBENCH: A Framework for Analyzing Private Blockchains , 2017, SIGMOD Conference.

[35]  Vivien Quéma,et al.  RBFT: Redundant Byzantine Fault Tolerance , 2013, 2013 IEEE 33rd International Conference on Distributed Computing Systems.

[36]  Roberto Baldoni,et al.  PBFT vs Proof-of-Authority: Applying the CAP Theorem to Permissioned Blockchain , 2018, ITASEC.

[37]  Jared Saia,et al.  Breaking the O(n2) bit barrier: scalable byzantine agreement with an adaptive adversary , 2010, PODC.

[38]  Roel Wieringa,et al.  External Insider Threat: A Real Security Challenge in Enterprise Value Webs , 2010, 2010 International Conference on Availability, Reliability and Security.

[39]  Andreas G. Veneris,et al.  Astraea: A Decentralized Blockchain Oracle , 2018, 2018 IEEE International Conference on Internet of Things (iThings) and IEEE Green Computing and Communications (GreenCom) and IEEE Cyber, Physical and Social Computing (CPSCom) and IEEE Smart Data (SmartData).

[40]  Theodora A. Varvarigou,et al.  Blockchains for Supply Chain Management: Architectural Elements and Challenges Towards a Global Scale Deployment , 2019, Logistics.

[41]  Eli Ben-Sasson,et al.  Scalable, transparent, and post-quantum secure computational integrity , 2018, IACR Cryptol. ePrint Arch..

[42]  Dawn M. Cappelli,et al.  Spotlight On: Programmers as Malicious Insiders -- Updated and Revised , 2013 .

[43]  Hans Schaffers,et al.  The Relevance of Blockchain for Collaborative Networked Organizations , 2018, PRO-VE.

[44]  Cesare Pautasso,et al.  The Blockchain as a Software Connector , 2016, 2016 13th Working IEEE/IFIP Conference on Software Architecture (WICSA).

[45]  Mukesh K. Mohania,et al.  Internet of Blockchains: Techniques and Challenges Ahead , 2018, 2018 IEEE International Conference on Internet of Things (iThings) and IEEE Green Computing and Communications (GreenCom) and IEEE Cyber, Physical and Social Computing (CPSCom) and IEEE Smart Data (SmartData).

[46]  James B. D. Joshi,et al.  A trust-and-risk aware RBAC framework: tackling insider threat , 2012, SACMAT '12.

[47]  Miguel Castro,et al.  Practical byzantine fault tolerance and proactive recovery , 2002, TOCS.