From Cyber to BlockChain, How Can Security Carry On

Ever since web 1.0, 30 years of human efforts have been made to guard the security of WWW. Together with the technology breakthroughs like online banking, cloud computing and IoT, cyber attack also diverges into multiple directions. As Steve Herrod, Managing Director of General Catalyst and Ex-CTO of VMWare, mentioned last week, those attacks widely affecting daily activities include spear phishing, distributed denial-of-service, and even national-wise network break down.

“Security sucks overall”, said in Steve’s talk. It’s a constant racing between technology innovations and hackers’ creativity. One thing catches my eyes is RansomWare, a type of malicious software from crypto-virology that threatens to publish the victim’s data or perpetually block access to it unless a ransom is paid. [1] It’s such an adaptive adjustment hackers made to their own advantage, since blockchain itself only became popular around August 2014. [1] Put the malicious purpose aside, it’s a perfect application of blockchain’s anonymity. It makes me think:

 

What are the different security vulnerabilities blockchain is bringing to the play?

Comparably, blockchain provides a more secure ecosystem with 2 major solutions: encryption and decentralization. Every transaction on top of blockchain is forcibly 256-bit encrypted, and there is no centralized identity management server like social security center. These drive out traditional breaching methods like man-in-the-middle attack and identity server attack.

But new vulnerabilities also get introduced.

51% Attack

The decentralized consensus is made upon majority votes. If someone owns more than 50% of the computing power on blockchain, he or she is able to convince anyone to commit transactions. [2]

Cleartext Transaction

Transaction calculation on blockchain is based on deltas. That said; everything on the chain needs to be clear text for participators to digest. Unlike old-school servers hiding everything behind the door, all computational steps are exposed, gives the malicious easy access to any imperfection.

 

Assuming all loopholes can be closed in theory. What about implementation errors? Human mistake is nothing new to software development. But with the immutability of blockchain, once DApp[3] gets released on the chain, it’s wild out under hackers’ hunt. And who gets hurt ultimately? Always the masses. Therefore, to expand usability of blockchain to cross-areas, it screams for revolutionary security solutions.

 

What are the solutions we have today?

Looking for extensibility of such brilliant invention, iterative versions of blockchain are constantly released. Most famous one is Ethereum and its DApp. While the major usages of DApp these days are cryptocurrency and simple-logic games, we can’t stop lying high expectation on this industry.

Test Coverage

Similar to traditional tech industry solutions, human scrutiny and quality tests are necessary. There are many loophole-scanning software available these days, just like the antivirus programs on your laptop. By running through potential known issues, your DApp is at least free from existing attacks. But that places the benignant on passive position. Any chance to radically safeguard the blockchain world? Keep the immutability in mind.

Formal Verification

I recently came across an emerging solution spreading in blockchain field – formal verification framework. The key is to mathematically prove a system is bug-free. I was fascinated by this solution as it’s approaching the essential problem from inside out. A company called CertiK proposed this idea initially. Although the implementation remains mystery to me, the idea is still convincing, as its bug-free CertiKOS backboning the project is already proven hack-resistant and on use. [4]

 

In the end, security is an endless battle intertwined with tech evolving. No once-for-all solution should ever be counted on. What we can do is to collect small steps, under supervise of hackers, and together turn it into big leaps.

 

 

 

[1] https://en.wikipedia.org/wiki/Ransomware

[2] https://www.investopedia.com/terms/1/51-attack.asp

[3] https://en.wikipedia.org/wiki/Decentralized_application

[4] https://certik.org/