Bridging the gap between application technology and security

By Lipika Bhattacharya

SMU Office of Research & Tech Transfer – Technology experts often refer to blockchain as the genie that is yet to be unleashed from the bottle. Theoretically, a blockchain is a distributed database – a giant global spreadsheet that can be accessed by millions and millions of users worldwide across various platforms and systems. Since it is distributed and open source, the underlying code of a blockchain and any changes to it are visible to everyone, thereby creating a lot of possibilities for businesses worldwide.

One such obvious possibility is that of authenticating and settling transactions without the need for an intermediary. Touted as the blockchain technology that will replace lawyers, smart contracts are computer programs that can digitally facilitate and enforce a contract and its transactions without the involvement of third parties. Associate Professor Sun Jun’s research attempts to analyze systems implementing smart contracts and posits solutions to make such contracts more secure.

In practice, smart contracts are automatically executed on a distributed blockchain infrastructure and often involve monetary transactions as part of the contract. Although smart contracts have the potential to revolutionize many industries, they are susceptible to vulnerabilities. It is thus desirable to develop tools for validating smart contracts to identify vulnerabilities, ideally before they are deployed. Professor Sun’s research focuses on a variety of techniques for the automatic analysis of smart contracts.

Even a simple vulnerability in a smart contract could impact many customers and leave the contract defenseless against an attempt at financial fraud. In 2017, a virtual venture capital fund contract launched under a DAO (distributed autonomous organization) was hacked; an attacker stole more than 3.5 million Ether (equivalent to about USD 45 million at the time) by exploiting a vulnerability in the contract.

Citing a simple example of possible vulnerability in a smart contract, Professor Sun explained: “For example, if a contract is supposed to be executed on the condition that it is approved, and the contract is approved once it has been signed by a corresponding signer, the program needs to be verified to check if it satisfies this condition. If the program calls the execute function before the sign function due to a programming error, the contract is exposed to vulnerability.”
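The ordering condition in the quote can be checked mechanically. The following is an added example, not code from the article or from Professor Sun's tools: a toy Python model of a contract with hypothetical `sign` and `execute` functions, plus a bounded search over every call sequence for one that executes an unapproved contract.

```python
from itertools import product

class Contract:
    """Toy model of the contract in the quote; all names are hypothetical."""

    def __init__(self, guarded):
        self.guarded = guarded            # True: execute() checks approval first
        self.approved = False
        self.executed_unapproved = False  # set when the property is violated

    def sign(self):
        self.approved = True

    def execute(self):
        if self.guarded and not self.approved:
            return False                  # rejected: precondition not met
        if not self.approved:
            self.executed_unapproved = True
        return True

def find_violation(guarded, max_len=3):
    """Try every call sequence up to max_len calls.

    Returns the first sequence that executes an unapproved contract,
    or None if no sequence within the bound violates the property.
    """
    for n in range(1, max_len + 1):
        for seq in product(("sign", "execute"), repeat=n):
            contract = Contract(guarded)
            for name in seq:
                getattr(contract, name)()
            if contract.executed_unapproved:
                return seq
    return None

if __name__ == "__main__":
    print("unguarded:", find_violation(guarded=False))
    print("guarded:  ", find_violation(guarded=True))
```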

A popular technology in the world of blockchain is Ethereum – an open-source distributed computing platform and operating system which features scripting functionality for smart contracts. The platform uses a token Ether, which can be transferred between accounts and acts as the cryptocurrency. Another cryptocurrency used for smart contracts is Bitcoin, which was the first virtual currency to offer the promise of lower transaction fees than traditional online payment mechanisms.

There is widespread talk in business corridors of the potential of blockchain technology to disrupt existing business models. Professor Sun, who has a PhD from the National University of Singapore and joined the School of Information Systems, Singapore Management University in 2019, believes that, to make blockchain technology an everyday reality, it has to be initiated to drive operational efficiencies. In his research paper, ‘sFuzz: An Adaptive Fuzzer for Smart Contracts’, Professor Sun introduces an innovative testing engine for contracts running on Ethereum called sFuzz. sFuzz adopts a lightweight, adaptive fuzzing strategy to test various failure possibilities and tries to maximize code coverage through vector optimization.

Advantages of Blockchain for Businesses

In any given system, the blockchain is a public ledger of all transactions that have ever been executed. As more transactions get completed, more blocks are added in a linear, chronological order through cryptography, ensuring they remain virtually impervious to manipulation and fraud. The idea behind blockchain is therefore to create a tamper-proof record of all transactions on the network, transparent to all participants.

It also makes the process less costly, provides greater regulatory compliance, and reduces risk by building transparency, thus enhancing the efficiency of execution. Moreover, all blocks are time-stamped, allowing easier tracking. The primary advantage with the smart contracts in blockchain, however, is the availability of pre-set conditions, which helps automate transactions.

Vulnerabilities in Smart Contracts

Arithmetic overflows and underflows are one common class of vulnerability in smart contracts. For example, if a variable in the code can only hold integers within a fixed range, and the user input is not checked properly, an arithmetic result can fall outside that range and produce an erroneous transaction.
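To make the overflow case concrete, here is an added example (not sFuzz and not code from the article): a Python model of 256-bit unsigned arithmetic with a simple random and boundary-value fuzz loop that reports inputs whose stored result differs from the true sum. The `deposit` function and the sampling strategy are assumptions made for illustration; sFuzz's adaptive strategy is not reproduced here.

```python
import random

UINT256_MAX = 2**256 - 1
BOUNDARY = [0, 1, 2**255, UINT256_MAX - 1, UINT256_MAX]

def unchecked_add(a, b):
    """Fixed-width addition that wraps silently on overflow."""
    return (a + b) & UINT256_MAX

def checked_add(a, b):
    """Fixed-width addition that rejects results outside the range."""
    total = a + b
    if total > UINT256_MAX:
        raise OverflowError("uint256 overflow")
    return total

def deposit(balance, amount, add):
    """Hypothetical contract function: credit `amount` to `balance`."""
    return add(balance, amount)

def pick(rng):
    # Mix boundary values with uniformly random 256-bit values.
    return rng.choice(BOUNDARY) if rng.random() < 0.5 else rng.getrandbits(256)

def fuzz_deposit(add, trials=200, seed=1):
    """Return (balance, amount, stored) triples where stored != true sum."""
    rng = random.Random(seed)
    findings = []
    for _ in range(trials):
        balance, amount = pick(rng), pick(rng)
        try:
            stored = deposit(balance, amount, add)
        except OverflowError:
            continue  # the transaction was rejected, nothing was stored
        if stored != balance + amount:
            findings.append((balance, amount, stored))
    return findings

if __name__ == "__main__":
    print("unchecked findings:", len(fuzz_deposit(unchecked_add)))
    print("checked findings:  ", len(fuzz_deposit(checked_add)))
```

Solidity 0.8 and later revert on overflow by default, which corresponds to the checked variant above.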

Vulnerabilities in smart contracts are usually caused by bugs and inconsistencies in the code. Transaction-related vulnerabilities can be exploited by hackers to steal funds from vulnerable contracts. Hence the risk of using smart contracts is undeniably high.

Smart contracts pose diverse security challenges, some of which arise from constraints that are built into the system. Unlike traditional software, smart contracts cannot be patched or upgraded once deployed. Secondly, they are written in a new ecosystem of languages and runtime environments which may not have been tested enough through long-term usage. Moreover, contracts are relatively difficult to test, especially since their runtimes allow them to interact with other smart contracts and external off-chain services.

As they are easily accessible on the platform, they could be invoked repeatedly by transactions from a large number of users. Thirdly, since coins on a blockchain often have significant value, attackers are highly incentivised to find and exploit bugs in contracts.

Interest from Market Leaders

Although smart contracts, along with blockchain technology, have yet to see widespread adoption in the tech space, some renowned companies have already jumped on the bandwagon. Chinese conglomerate Alibaba has ventured into blockchain and launched the Alibaba Cloud BaaS (Blockchain as a Service) platform. The platform supports ‘the full lifecycle management including development, testing, installation, and upgrade of smart contracts’.

Professor Sun summarized, “As we see more interest from industry leaders like Alibaba, we are confident that our work on smart contracts will become increasingly useful for organizations in the years to come. Our solution sFuzz is showing positive test results in our experiments. Although still under development, it has managed to garner quite a bit of interest from multiple companies and research organizations.”

Deep Neural Networks and Artificial Intelligence

Another technology, part of a broader family of machine learning networks, is Deep Neural Networks (DNNs), which have been shown to be useful in a wide range of applications. Neural networks are a set of algorithms, modelled loosely after the human brain, that are designed to recognize patterns and are an important research area in the Artificial Intelligence (AI) arena. Neural networks help to cluster and classify information. They help to group unlabeled data according to similarities amongst example inputs and extract features that are fed to other algorithms for clustering and classification. DNNs have been shown to be susceptible to adversarial samples, i.e. probable inputs to machine learning models that an attacker could have intentionally designed to cause the model to make a mistake.

In his other area of research, Professor Sun looks at adversarial samples that increase the vulnerability of DNNs. In his paper, ‘Adversarial Sample Detection for Deep Neural Network through Model Mutation Testing’, presented at the International Conference on Software Engineering, he proposes an alternative approach to detect adversarial samples at runtime. He observes that adversarial samples are much more sensitive than normal samples, particularly to random mutations.
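The sensitivity observation can be illustrated on a very small model. This is an added example, not the paper's implementation: a two-weight linear classifier stands in for a DNN, its weights are randomly mutated, and the fraction of mutants that change the predicted label is compared for two constructed inputs. The assumption that the suspect input sits close to the decision boundary, the Gaussian mutation and the fixed threshold are all simplifications chosen for illustration.

```python
import random

def predict(w, b, x):
    """Linear classifier standing in for a DNN (illustrative only)."""
    return 1 if sum(wi * xi for wi, xi in zip(w, x)) + b > 0 else 0

def mutate(w, b, rng, sigma):
    """Randomly perturb every weight and the bias with Gaussian noise."""
    return [wi + rng.gauss(0, sigma) for wi in w], b + rng.gauss(0, sigma)

def label_change_rate(w, b, x, n_mutants=500, sigma=0.1, seed=7):
    """Fraction of mutated models whose label for x differs from the original."""
    rng = random.Random(seed)
    base = predict(w, b, x)
    changed = 0
    for _ in range(n_mutants):
        mw, mb = mutate(w, b, rng, sigma)
        changed += predict(mw, mb, x) != base
    return changed / n_mutants

def flag_adversarial(w, b, x, threshold=0.05):
    """Flag inputs whose label is unusually sensitive to model mutation.

    The fixed threshold is a hypothetical value for this toy model.
    """
    return label_change_rate(w, b, x) > threshold

# Constructed model and inputs (not taken from the paper).
W, B = [1.0, -1.0], 0.0
NORMAL = [2.0, -1.0]     # far from the decision boundary
SUSPECT = [0.45, 0.40]   # assumed adversarial: barely across the boundary

if __name__ == "__main__":
    for name, x in (("normal", NORMAL), ("suspect", SUSPECT)):
        rate = label_change_rate(W, B, x)
        print(f"{name}: change rate {rate:.3f}, flagged {flag_adversarial(W, B, x)}")
```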

DNNs are being increasingly applied in decision systems like automatic speech recognition, image recognition, malware detection and natural language processing models and even drug discovery and toxicology research. As the AI spectrum continues to remodel human life, researchers dig in deeper to find solutions that build efficiency into systems. The opportunities and capabilities are substantial, and Professor Sun notes that many enterprises are proactively investing in deep learning for building out their existing applications as well as developing new solutions.

Back to Research@SMU Aug 2019 Issue