Open access peer-reviewed chapter
OWASP Top 10 application security risks—2017 and blockchain resistance [12].
Abstract
A blockchain is a technology that allows the storage and transmission of information without a control body. Technically, it is a distributed database in which the information sent by users is verified and grouped into blocks, thus forming a chain. Thanks to the secure encryption of the data and the fact that new transactions are linked to the previous ones, it is almost impossible to modify the old records without modifying the following ones. On the other hand, the control of the blockchain by more than half of the nodes in the network (by consensus) makes it impossible to falsify the data in the blockchain. However, this public/private, anonymous, and unforgeable ledger that is the blockchain contains a set of information (metrics, logs, etc.) that can provide clues for an efficient monitoring and allow the reinforcement of the security of the blockchain that could be discussed in the future with the advent of quantum machines.
Keywords
- blockchain
- monitoring
- framework
- blockchain security
- smart contract
- big data
- metrics
1. Introduction
Blockchain is now one of the most important technologies to have emerged in recent years. Many experts believe that this technology has the potential to change the world over the next two decades. Although it is still in its infancy, corporate giants are interested in its applications in several areas. So far, venture capitalists have invested billions of dollars in this field, with several applications [1]
Indeed, the applications of blockchain seem close to infinite [2]. While one immediately thinks of its financial applications—international payments, money transfers, complex financial products—blockchain can also solve problems and create new opportunities in healthcare, defense, management, supply chains, luxury, and other industries. At more advanced stages, blockchain could give rise to what Gartner calls the “programmable economy” [3], powered by entirely new business models that eliminate all kinds of middlemen. Given the importance of blockchain in the technological evolution of society, including across industries, especially the financial sector, researchers have undertaken considerable work to further strengthen the security level of this technology.
Indeed, work on the methodologies for encrypting the data preceding and following each block has made the data of the blockchain virtually unbreakable. In addition, the security of the blockchain is also due to the fact that several computers called nodes to store the blockchain. In addition to that, to modify the ledger, one would have to take control of at least 50% of the nodes in the network and their computing power in order to modify the data in the blockchain [4]. This is a difficult feat to accomplish, especially for a public blockchain such as the one behind bitcoin. With the advent of the quantum machine, this unparalleled security within the blockchain may be challenged in the future. Therefore, blockchain monitoring [1] could add an important layer of security to the blockchain. However, our work will consist in discussing and studying this topic while proposing, at the end of this study, an efficient and exploitable blockchain monitoring methodology [5] in order to allow a good understanding of the topic.
1.1 Blockchain technology
A blockchain is a technology that allows information to be stored and transmitted without a control body [6]. Technically, it is a distributed database in which the information sent by users is verified and grouped at regular intervals into blocks, thus forming a chain. The whole is secured by cryptography. By extension, a blockchain is a distributed database that manages a list of records that are protected against alteration or modification by storage nodes [7]. Not all blockchains work in the same way. For example, they may differ in their consensus mechanisms, whose rules prevail depending on the technology that updates the ledger [1]. But fundamentally, a blockchain is a distributed and secure record of all transactions made since the beginning of the distributed system [8]. By extension, a blockchain constitutes a database that contains the history of all exchanges made between its users since its creation as shown in Figure 1 [9].
Figure 1.
Block in blockchain technology.
However, there are public blockchains, open to all, and private blockchains, whose access and use are limited to a certain number of actors. A public blockchain can therefore be likened to a public, anonymous, and unforgeable accounting ledger. As the mathematician Jean-Paul Delahaye writes, one must imagine “a very large notebook, which everyone can read freely and for free, on which everyone can write, but which is impossible to erase and indestructible” [10], which is well illustrated in the figure above. Today, blockchains cover several aspects of computer security because of the numerous researches made around this technology.
1.2 Security aspects of blockchain information
The basic security properties of the blockchain stem from both advances in cryptography and the design and implementation of bitcoin. Theoretically, the first secure blockchain was formulated using cryptography in 1991.
A proposal to improve the efficiency of the cryptographic blockchain was published in 1993, incorporating Merkle trees and placing multiple documents in a block. The blockchain is designed to ensure a number of inherent security attributes, such as consistency, proof of forgery, resistance to a distributed denial of service (DDoS) attack, pseudonymity resistance to a double attack, and OWASP resistance. However, to use the blockchain for secure distributed storage, additional security and privacy properties are required. In this section, we describe the fundamental security and privacy properties of blockchains before addressing the topic of monitoring blockchain systems with the aim of proposing a methodology for exploring, analyzing, and visualizing the behaviors of blockchain actors. In this chapter, we will only deal with the monitoring of applications.
1.2.1 Controlling data consistency
The criteria that are required for a functional blockchain are the following:
a replicated register that only allows the irreversible addition of data;
a data protection.
In a traditional database, it is possible to guarantee these properties by controlling access to the registry, which implies having confidence in the entity that maintains it.
The blockchain solution is to decentralize and replicate the maintenance of the registry between several locations. Thus, the participating entities do not need to trust each other, and it works as long as enough entities are actually trustworthy and do not form coalitions (of more than 51%). This honesty is motivated by a reward for producing blocks that are cryptographically protected. All of these blocks are replicated in a P2P network (with no central node), avoiding a single point of failure [11].
Satoshi Nakamoto’s initial blockchain was permissionless, meaning that anyone could participate in maintaining the registry, without the need to register first. This meant that it would work efficiently regardless of the number of participating entities.
Later, a variation more suited to certain applications emerged: consortium blockchains, where participating entities are pre-registered. The registry can be faster and more reliable, while still being controlled by the majority of participants.
1.2.2 Defending against DDoS (“denial service attack”)
A denial of service attack is called a DoS attack on a host. It is a type of cyberattack that disrupts hosted Internet services, making the host machine or network resource on the host unavailable to intended users. DoS attacks attempt to overload the host system or network resource on the host by flooding it with unnecessary requests, thereby blocking the execution of legitimate services. The DDoS attack refers to a “distributed” DoS attack, meaning that the flooding attack of incoming traffic to a victim comes from many disparate sources spread across the Internet [11]. A DDoS attacker can compromise and use one person’s computer to attack another computer by taking advantage of security vulnerabilities or weaknesses. By taking advantage of a set of compromised computers in this way, a DDoS attacker can send huge amounts of data to a hosting website or send spam to specific email addresses. Therefore, it is very difficult to prevent the attack by simply jamming the individual sources one by one. The arm wrestling depends on the rate of repair of these compromised nodes versus the success rate of compromising computer nodes in the network. The major concern in a DDoS attack is the availability of the blockchain and is related to the question of whether a DDoS attacker can make the blockchain unavailable by taking down part or all networks. The answer to this question is no, thanks to the fully decentralized construction and maintenance of the blockchain, particularly the bitcoin system that has a large network (interconnected node), as well as the consensus protocol for generating new blocks and adding them to the blockchain, which ensures that the processing of blockchain transactions can continue even if several blockchain nodes are offline. For a cyberattacker to successfully take the blockchain offline, he or she must gather sufficient computing resources to compromise a very large portion of the blockchain nodes on the entire blockchain network. The larger the blockchain network, the harder it is to pull off such a large DDoS attack [11]. This is the case with the bitcoin blockchain network, which continues to grow and now has 14719 nodes worldwide retrieved on Sat Dec 18 16:24:33 2021 +01 in bitnodes.io and as shown in Figure 2.
Figure 2.
Live Map shows concentration of reachable bitcoin nodes found in countries around the world.
1.2.3 Resistance to double spending attacks
The double-spending attack in the context of the bitcoin blockchain refers to a specific problem unique to digital currency transactions. It should be noted that the double-spending attack can be considered a general security problem due to the fact that digital information can be replicated relatively easily. Specifically, in digital token exchange transactions, such as electronic money, there is a risk that the holder will duplicate the digital token and send multiple identical tokens to multiple recipients. If inconsistency can be incurred due to duplicate digital token transactions (e.g., spending the same bitcoin token twice), then the problem of double spending becomes a serious security threat. To prevent duplication, bitcoin evaluates and verifies the authenticity of each transaction using the transaction logs on its blockchain with a consensus protocol. By ensuring that all transactions are included in the blockchain, in which the consensus protocol allows everyone to publicly verify the transactions in a block before committing the block to the global blockchain, this ensures that the sender of each transaction only spends the bitcoins he or she legitimately owns. In addition, each transaction is signed by its sender using a secure digital signature algorithm. This ensures that if someone forges the transaction, the verifier can easily detect it. The combination of transactions signed using digital signatures and public verification of transactions using majority consensus ensures that the blockchain can withstand the double-spending attack [11].
1.2.4 Defying the attacks of the majority consensus (51%)
A 51% attack is an attack that targets the so-called Proof of Work (PoW) or Proof of Stake (PoS) blockchains.
This attack refers to the risks of cheating in the majority consensus protocol. One of these risks is often referred to as the 51% attack, particularly in the context of double spending.
An example of a 51% attack can occur if one cooperative becomes too large relative to the others, which can allow for a 51% attack, when they agree to carry out a conspiracy, such as in vote counting or illegally transferring cryptocurrencies to one or more target wallets, reversing authentic transactions as if they never happened, etc.
Today, measures have been taken on large-scale blockchains like bitcoin to resist this type of attack, but it is still exploitable.
1.2.5 Resistance to OWASP
The Open Web Application Security Project (OWASP) is an online community working on web application security [12]. While OWASP’s top ten vulnerabilities list is designed to describe vulnerabilities faced by web application developers, nine of OWASP’s ten vulnerabilities also apply to blockchain systems. Even though the blockchain ecosystem has been designed to solve most of the security issues faced in web application and information system design due to the use of advanced cryptographic mechanisms and 51% consensus in blockchain, it is worth noting that the avenues for monitoring remain unexplored, and it is worth considering the possibilities of investigating the implementation of the blockchain monitoring mechanism (Table 1).
| Top 10 OWASP | Applicable / resistance |
|---|---|
| injection | Yes/Yes |
| Broken Authentication | Yes/Yes |
| Sensitive Data Exposure | Yes/Yes |
| XML External Entities (XXE) | No/Yes |
| Broken Access Control | Yes/Yes |
| Security Misconfiguration | Yes/Yes |
| Cross-Site Scripting (XSS) | Yes/Yes |
| Insecure Deserialization | Yes/Yes |
| Using Components with Known Vulnerabilities | Yes/Yes |
| Insufficient Logging & Monitoring | Yes / Not explore |
Table 1.
1.3 A blockchain system to monitor
Figure 3 summarizes the blockchain layout that we see the need to include monitoring. A typical blockchain network consists of a set of interconnected nodes that act in pairs. These nodes are typically hosted in a cloud or on-premises infrastructure, where the blockchain execution engine is configured natively on a virtual machine (VM) or using containerization technologies such as Docker or a physical machine. Transactions submitted to the blockchain network are broadcast to all pairs and newly created blocks are propagated, so that all pairs have an up-to-date copy of the shared ledger. To get a snapshot of the block, in terms of transaction events and associated metadata, all you need to do is monitor one of the pairs. And this is typically done using blockchain explorer, which listens for events and provides some visualization of the number of transactions received, queued, processed, and finally consolidated into a new block. However, this level of monitoring does not provide any clues about the resource utilization of that node, the health of other nodes, or the latency experienced within the blockchain network.
Figure 3.
Blockchain system to monitor.
Another key element that must be monitored to achieve end-to-end visibility of a blockchain-based solution is the off-chain components that include the application layer (decentralized application). The DAPP layer [1] includes a user interface, storage, and SDK (Software Development Kit) API (Application Program Interface) components, through which interaction with a blockchain node is possible.
1.4 Blockchain framework monitoring
Effective monitoring and management of a blockchain system require a framework that can integrate data, process generated events, and provide adequate visualization of blockchain-related metrics. This framework [13] must be flexible and support deployment configurations of off-blockchain applications and blockchain nodes individually. As shown in Figure 4, the diagram describes a proposed blockchain monitoring framework, which includes the following:
A monitoring agent [14, 15], which is deployed on each blockchain node (blockchain network agent) and associated applications (agent provider), can read logs generated as part of the transaction process and relay data about processor, memory, and device usage. I / O.
A log collection engine that continuously manages log information and sends it for further processing.
Collects metrics that will allow us to sort and filter information in the blockchain network (agent blockchain network) and the DAPP (agent Provider) such as:
The time and date the transaction was initiated.
The time it took for the request to succeed or fail.
The size of the request or response.
The endpoint for which the transaction was sent (distributed network).
The entries of the endpoint.
The execution details of the environment.
Status of the request, whether it failed or not.
The network code of the request. This will be one of the standard HTTP/HTTP status codes.
The origin of the request.
Monitor the creation of smart contracts.
The agent-broker [16] collects from the two smart agents a large amount of log data to organize and index it into corresponding documents, which are shared and stored for analysis [1].
A visualization platform connected to the broker-agent consumes the data collected by the nodes and provides statistics on the efficiency of the blockchain nodes and the network overview [17].
It allows parties to conduct analytical research and generate reports.
Figure 4.
Blockchain system monitoring framework.
Based on the proposed monitoring framework, there are important indicators that can be extracted and help strengthen the security of the blockchain while ensuring the protection of funds in the case of cryptocurrencies and personal data:
Analyze how the blockchain’s transaction processing and consensus mechanism uses the resources of the underlying infrastructure [1].
Provide visibility into an end-to-end business transaction presented is initiated by a dApp user and captured in the blockchain.
Allow miner pools to integrate/remove specific machines (CPU, graphics card, etc.) based on machine performance needs.
Visualize the 51% of attack attempts that can occur when a group of miners attempt to perform a conspiracy.
Combine and correlate block and transaction events from each node and determine the performance and throughput of the blockchain network.
Configure a noninvasive monitoring solution that can be dynamically enabled for each embedded pair and also supports a common network provider model.
Advertisement
2. Conclusions
Today, billions of dollars have been invested in cryptocurrencies whose core technology is blockchain, while solutions and techniques to effectively monitor existing blockchain networks are not well thought out and are almost nonexistent. The main reason is that few commercial use cases have not yet translated into blockchain production systems or that most smart contracts or cryptocurrencies are of the “fire-forge” type (i.e., designating a crypto or smart contract whose postlaunch monitoring no longer requires the intervention of the platform operator). Furthermore, the decentralized nature of blockchain raises the following question: is monitoring of the entire blockchain network really necessary [18, 19]? What are the indicators that could be obtained if it were possible to propose an effective tool or methodology for monitoring the blockchain? Could these indicators be used for big data analysis [20]? Therefore, we proposed a framework for monitoring a blockchain system in a general way, based on several existing applications and system monitoring solutions applicable to the blockchain ecosystem. In addition, the implementation of a blockchain monitoring system could detect anomalies or fraud throughout the system and, for example, reject transactions even before the blockchain records are updated.
The next step in our work would be to follow an approach that would allow us to design a model on a private blockchain to see the possibilities of exploitation, and to list all the information, logs, and statistics that can be used in a larger (public) blockchain.
References
- 1.
Kanga DB, Azzouazi M, el Ghoumrari MY, Daif A. Management and monitoring of blockchain systems. Procedia Computer Science. 2020; 177 :605-612. DOI: 10.1016/j.procs.2020.10.086 - 2.
Reijers W, Coeckelbergh M. The blockchain as a narrative technology: Investigating the social ontology and normative configurations of cryptocurrencies. Philosophy & Technology. 2018; 31 (1):103-130. DOI: 10.1007/s13347-016-0239-x - 3.
Herraiz-Faixó F, Arroyo-Cañada FJ, López-Jurado MP, Lauroba-Pérez AM. Digital and programmable economy applications: A smart cities congestion case by fuzzy sets. Journal of Intelligent and Fuzzy Systems. 2020; 38 (5):5391-5404. DOI: 10.3233/JIFS-179632 - 4.
Li Y, Ouyang K, Li N, Rahmani R, Yang H, Pei Y. A blockchain-assisted intelligent transportation system promoting data services with privacy protection. Sensors. 2020; 20 (9):2483. DOI: 10.3390/s20092483 - 5.
Li X, Jiang P, Luo X, Chen T, Wen Q. A survey on the security of blockchain systems. Future Generation Computer Systems. 2017. DOI: 10.1016/j.future.2017.08.020 - 6.
Camilleri AF, Grech A, Inamorato dos Santos A, European Commission. Blockchain in Education. Joint Research Centre; 2022. Available from: https://www.pedocs.de/volltexte/2018/15013/pdf/Grech_Camilleri_2017_Blockchain_in_Education.pdf - 7.
Labbi M, Kannouf N, Chahid Y, Benabdellah M, Azizi A. Blockchain-Based PKI for Content-Centric Networking. 2019. pp. 656-667. DOI: 10.1007/978-3-030-11196-0_54 - 8.
Umeh J. Blockchain double bubble or double trouble? ITNOW. 2016; 58 (1):58-61. DOI: 10.1093/itnow/bww026 - 9.
Saleh I. Internet of Things (IoT): Concepts, issues, challenges and perspectives. In: Challenges of the Internet of Things. John Wiley & Sons; 2018. pp. 1-26. DOI: 10.1002/9781119549765.ch1 - 10.
Desplebin O, Lux G, Petit N. L’évolution de la comptabilité, du contrôle, de l’audit et de leurs métiers au prisme de la Blockchain : une réflexion prospective. Management & Avenir. 2018; 103 (5):137. DOI: 10.3917/mav.103.0137 - 11.
Zhang R, Xue R, Liu L. Security and privacy on blockchain. ACM Computing Surveys. 2019; 52 (3):52. DOI: 10.1145/3316481 - 12.
Poston H. Mapping the OWasp top ten to blockchain. Procedia Computer Science. 2020; 177 :613-617. DOI: 10.1016/j.procs.2020.10.087 - 13.
Monitoring a Blockchain Network. 2022. Retrieved September 1, 2020, from: https://cloud.ibm.com/docs/blockchain?topic=blockchain-monitor-blockchain-network - 14.
Hernantes J, Gallardo G, Serrano N. IT infrastructure-monitoring tools. IEEE Software. 2015; 32 (4):88-93. DOI: 10.1109/MS.2015.96 - 15.
Ward R, Ward R. Cognitive conflict without explicit conflict monitoring in a dynamical agent. Neural Networks. 2006; 19 (9):1430-1436. DOI: 10.1016/j.neunet.2006.08.003 - 16.
Faci N, Bernard C, Lyon U, Meneguzzi F, Modgil S, Oren N, Miles S, Luck M. A framework for monitoring agent-based normative systems. Cloud Computing View Project RiskTrack-Tracking Tool Based on Social Media for Risk Assessment on Radicalisation View Project: A Framework for Monitoring Agent-Based Normative Systems. 2009. DOI: 10.1145/1558013.1558034 - 17.
Khan KM, Arshad J, Iqbal W, Abdullah S, Zaib H. Blockchain-enabled real-time SLA monitoring for cloud-hosted services. Cluster Computing. 2021a. DOI: 10.1007/s10586-021-03416-y - 18.
Avatangelou E, Dommarco RF, Klein M, Müller S, Nielsen CF, Soriano MPS, Schmidt A, Tazari MR, Wichert R. Conjoint PERSONA – SOPRANO Workshop. 2008. pp. 448-464. DOI: 10.1007/978-3-540-85379-4_51 - 19.
Rathee G, Balasaraswathi M, Chandran KP, Gupta SD, Boopathi CS. A secure IoT sensors communication in industry 4.0 using blockchain technology. Journal of Ambient Intelligence and Humanized Computing. 2021; 12 (1):533-545. DOI: 10.1007/s12652-020-02017-8 - 20.
Chang C-L, McAleer M, Wong W-K. Big data, computational science, economics, finance, marketing, management, and psychology: Connections. SSRN Electronic Journal. 2018. DOI: 10.2139/ssrn.3117386