skip to main content
US FlagAn official website of the United States government
dot gov icon
Official websites use .gov
A .gov website belongs to an official government organization in the United States.
https lock icon
Secure .gov websites use HTTPS
A lock ( lock ) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Explore Research Products in the PAR
It may take a few hours for recently added research products to appear in PAR search results.


Title: Asymmetric Mempool DoS Security: Formal Definitions and Provable Secure Designs
The mempool plays a crucial role in blockchain systems as a buffer zone for pending transactions before they are executed and included in a block. However, existing works primarily focus on mitigating defenses against already identified real-world attacks. This paper introduces secure blockchain-mempool designs capable of defending against any form of asymmetric eviction DoS attacks. We establish formal security definitions for mempools under the eviction-based attack vector. Our proposed secure transaction admission algorithm, named \textsc{saferAd-CP}, ensures eviction-security by providing a provable lower bound on the cost of executing eviction DoS attacks. Through evaluation with real transaction trace replays, \textsc{saferAd-CP} demonstrates negligible latency and significantly high lower bounds against any eviction attack, highlighting its effectiveness and robustness in securing blockchain mempools.  more » « less
Award ID(s):
2139801 2104532
PAR ID:
10648670
Author(s) / Creator(s):
; ;
Publisher / Repository:
IEEE S&P (IEEE Security and Privacy)
Date Published:
Format(s):
Medium: X
Sponsoring Org:
National Science Foundation
More Like this
  1. ; ; ; ; (, 33rd USENIX Conference on Security Symposium)
    In blockchains, mempool controls transaction flow before consensus, denial of whose service hurts the health and security of blockchain networks. This paper presents MPFUZZ, the first mempool fuzzer to find asymmetric DoS bugs by exploring the space of symbolized mempool states and optimistically estimating the promisingness of an intermediate state in reaching bug oracles. Compared to the baseline blockchain fuzzers, MPFUZZ achieves a > 100× speedup in finding known DETER exploits. Running MPFUZZ on major Ethereum clients leads to discovering new mempool vulnerabilities, which exhibit a wide variety of sophisticated patterns, including stealthy mempool eviction and mempool locking. Rule-based mitigation schemes are proposed against all newly discovered vulnerabilities. 
    more » « less
  2. ; (, IEEE International Conference on Blockchain)
    A big challenge in cryptocurrency is securing the user’s keys from potential hackers because if the blockchain network confirms a transaction, nobody can rollback that. One solution to protect users is splitting the money between superwallet and sub-wallet. The user stores a large amount of money on the super-wallet and refills the sub-wallet when she needs while she uses the sub-wallet for her daily purchases. In this paper, we propose a new mechanism to create sub-wallet that we call deterministic sub-wallet. In this mechanism, the seed of sub-wallet keys is derived from super-wallet seed, and therefore super-wallet can build many sub-wallet addresses and refill them in a single blockchain transaction. Compared to existing approaches, our mechanism is less expensive, real-time, more secure against MITM attack and easier for backup and recovery. We implement a proof-of-concept on a hardware wallet and evaluate its performance. Also, we analyze the attacks and defenses in our mechanism to demonstrate that our proposed method has a higher level of security than the classic super-wallet sub-wallet model. 
    more » « less
  3. ; (, 2019 IEEE International Conference on Blockchain (Blockchain))
    A big challenge in cryptocurrency is securing a user key from potential hackers because nobody can rollback a transaction made by an attacker with a stolen key once the blockchain network confirms it. One solution to protect users is splitting the money between super-wallet and sub-wallet. The user stores a large amount of money on her super-wallet and keeps it safe; she refills the sub-wallet when she needs while using the sub-wallet for her daily purchases. In this paper, we propose a new scheme to create sub-wallet that we call deterministic sub-wallet. In this scheme, the seed of the sub-wallet keys is derived from the super-wallet master seed, and therefore the super-wallet can build many sub-wallet addresses and refill them in a single blockchain transaction. Compared to existing approaches, our mechanism is cheaper, real-time, more secure against man-in-the-middle attack and easier for backup and recovery. We implement a proof-of-concept on a hardware wallet and evaluate its performance. In addition, we analyze the attacks and defenses of this design to demonstrate that our proposed method has a higher level of security than existing models. 
    more » « less
  4. ; ; (, Proceedings on Privacy Enhancing Technologies)
    null (Ed.)
    Abstract Cryptocurrencies play a major role in the global financial ecosystem. Their presence across different geopolitical corridors, including in repressive regimes, has been one of their striking features. In this work, we leverage this feature for bootstrapping Censorship Resistant communication. We conceptualize the notion of stego-bootstrapping scheme and its security in terms of rareness and security against chosencovertext attacks. We present MoneyMorph , a provably secure stego-bootstrapping scheme using cryptocurrencies. MoneyMorph allows a censored user to interact with a decoder entity outside the censored region, through blockchain transactions as rendezvous, to obtain bootstrapping information such as a censorshipresistant proxy and its public key. Unlike the usual bootstrapping approaches (e.g., emailing) with heuristic security, if any, MoneyMorph employs public-key steganography over blockchain transactions to ensure provable cryptographic security. We design rendezvous over Bitcoin, Zcash, Monero, and Ethereum, and analyze their effectiveness in terms of available bandwidth and transaction cost. With its highly cryptographic structure, we show that Zcash provides 1148 byte bandwidth per transaction costing less than 0.01 USD as fee. 
    more » « less
  5. ; ; ; ; (, IEEE Design, Automation & Test in Europe Conference & Exhibition)
    The Unmanned aerial vehicles (UAVs) sector is fast-expanding. Protection of real-time UAV applications against malicious attacks has become an urgent problem that needs to be solved. Denial-of-service (DoS) attack aims to exhaust system resources and cause important tasks to miss deadlines. DoS attack may be one of the common problems of UAV systems, due to its simple implementation. In this paper, we present a software framework that offers DoS attack-resilient control for real-time UAV systems using containers: Container Drone. The framework provides defense mechanisms for three critical system resources: CPU, memory, and communication channel. We restrict the attacker's access to the CPU core set and utilization. Memory bandwidth throttling limits the attacker's memory usage. By simulating sensors and drivers in the container, a security monitor constantly checks DoS attacks over communication channels. Upon the detection of a security rule violation, the framework switches to the safety controller to mitigate the attack. We implemented a prototype quadcopter with commercially off-the-shelf (COTS) hardware and open-source software. Our experimental results demonstrated the effectiveness of the proposed framework defending against various DoS attacks. 
    more » « less
  • Citation Formats
  • MLA
  • APA
  • Chicago
  • BibTeX
  • Save / Share this Record
  • Send to Email