Projects

Projects running or completed in our research unit

BREADS

Building Robust and Explainable AI-based Defenses for Computer Security

2024 – 2030 •  Vienna Science and Technology Fund (WWTF)  •  PI Daniel Christopher Arp
Abstract

Almost no day goes by without news of severe cyber attacks against companies, public facilities, and critical infrastructure—including even hospitals and power plants. Although the incentives of malicious actors that conduct these attacks are manifold, the vast majority are primarily perpetrated to gain financial profit. As a result, a large network of professional, fraudulent actors has emerged in recent years, leading to a wide variety of malicious activities with which companies and law enforcement agencies must contend on a daily basis.

Traditional defenses, like signature-based systems for spam and intrusion detection, require manual effort to update their detection patterns. Thus, they are unsuitable for coping with the large number of fast-evolving malicious activities that emerge every day. To counter this threat, machine learning-based techniques have been extensively explored, as these methods extract effective detection patterns from large amounts of data automatically. Although promising, these learning-based detection methods suffer from severe drawbacks that limit their applicability in real-world settings.

First of all, the underlying models are often very complex and their decision-making process is hard to interpret even for human analysts with expert knowledge. Secondly, learning-based systems have shown to perform badly if train and test distributions differ; a phenomenon known as dataset shift that affects many security domains. As a result, these systems either fail completely in real-world settings or become outdated quickly, requiring continuous retraining of the underlying machine learning models, which is time consuming and computationally expensive. Even worse, very recently, it has been found that the state-of-the-art learning model ChatGPT itself has already been used by malicious actors to generate new frauds automatically, thereby potentially transforming the way fraudsters operate. Consequently, the impressive capabilities of recent learning-based models raise serious concerns regarding their potential misuse by malicious actors, as these learning models will change the threat landscape in the upcoming years and likely speed-up the evolution of new fraud schemes even further.

To keep pace with the fast-evolving threat landscape, we aim to address three key security research questions throughout this project. In particular, we want to better understand the decision-making process of current learning-based methods in security, and to use this knowledge to improve their robustness in the presence of dataset shift. We also plan to leverage and enhance the developed methods to understand and properly address the rising threat introduced by AI-generated fraud. The project is divided into three parts:

1. In the first part of this project, we seek to develop methods to help us better understand the decision-making process of learning models in security. To this end, we plan to develop novel techniques that allow for the identification of high-level concepts relevant to the prediction of a learning model in security. Using these techniques, we aim to gain insight into why the performance of current models decreases over time and how dataset shifts differ among security fields.

2. In the second part, we plan to develop new learning-based methods that can cope with different types of dataset shift in various security domains. Here, we guide our research along the following two dimensions: First, we want to explore different feature representations and assess their robustness in the face of dataset shift. Second, we plan to examine alternative strategies to cope with dataset shift, such as methods from the active learning field. By combining the best performing techniques from both dimensions, we aim to improve the robustness of current learning methods in security as compared to the current state of the art.

3. Finally, in the third part of this project, we use the previously developed techniques to analyze and address with a fast-evolving security threat that will change the future threat landscape: The rise of AI-generated fraud, such as deep-fake images and videos, misleading information, and even sophisticated malware. The speed and scale of such developments in recent years make it likely that this novel threat will become one of the biggest challenges for security researchers. Equipped with the new techniques developed throughout this project, however, we aim to be able to tackle these these threats as they emerge.

BlockSec

Formal Methods for Secure Blockchain-Oriented Programming

2025 – 2030 •  European Commission  •  PI Matteo Maffei

COnFIDE

Cryptographic Foundations of Privacy in Distributed Ledgers

2020 – 2027 •  Vienna Science and Technology Fund (WWTF)  •  PI Georg Fuchsbauer
Abstract

We are observing a trend towards decentralization, reflected in technologies such as blockchains and distributed ledgers. These enable currencies without banks, community-based platforms without commercial actors, and many more. Central to all such systems is their transparency, allowing anyone to verify the system state, which makes trust in central parties obsolete. However, transparency conflicts with protection of user privacy (meanwhile even legally enforced by GDPR) and current systems cause huge environmental damage.

The goal of COnFIDE is to use cryptography to reconcile public verifiability with privacy in distributed ledgers, and to improve efficiency and sustainability of decentralized systems, avoiding wasting energy (as for mining Bitcoins) and storage (as for massive duplication of obsolete transaction data).

ForSmart

Effective Formal Methods for Smart-Contract Certification

2023 – 2027 •  Vienna Science and Technology Fund (WWTF)  •  PI Laura Kovacs  •  PI Matteo Maffei  •  PI Maria Christakis

SCALE2

Scalable, Private, and Interoperable Layer 2

2023 – 2027 •  Vienna Science and Technology Fund (WWTF)  •  PI Georgia Avarikioti
Partners
  • Institute of Science and Technology Austria, Klosterneuburg, Austria
Publications
  • Brief Announcement: Musketeer - Incentive-Compatible Rebalancing for Payment Channel Networks
    Avarikioti, Z., Schmid, S., & Tiwari, S. (2024). Brief Announcement: Musketeer - Incentive-Compatible Rebalancing for Payment Channel Networks. In PODC ’24: Proceedings of the 43rd ACM Symposium on Principles of Distributed Computing (pp. 306–309).
    DOI: 10.1145/3662158.3662809 Metadata
    Abstract
    We revisit the severely limited throughput problem of cryptocurrencies and propose a novel rebalancing approach for Payment Channel Networks (PCNs). PCNs are a popular solution for increasing the blockchain throughput, however, their benefit depends on the overall users' liquidity. Rebalancing mechanisms are the state-of-the-art approach to maintaining high liquidity PCNs. However, existing opt-in rebalancing mechanisms exclude users that may assist in rebalancing for small service fees, leading to suboptimal solutions and under-utilization of the PCNs' bounded liquidity.We introduce the first rebalancing approach for PCNs that includes all users, following a "all for one and one for all" design philosophy that yields optimal throughput. The proposed approach introduces a double-auction rebalancing problem, which we term Musketeer, where users can participate as buyers (paying fees to rebalance) or sellers (charging fees to route transactions). The desired properties are tailored to the unique characteristics of PCNs, including the novel game-theoretic property of cyclic budget balance that is a stronger variation of strong budget balance.Basic results derived from auction theory, including an impossibility and multiple mechanisms that either achieve all desiderata under a relaxed model or sacrifice one of the properties, are presented. We also propose a novel mechanism that leverages time delays as an additional cost to users. This mechanism is provably truthful, cyclic budget balanced, individually rational and economic efficient but only with respect to liquidity.
  • Musketeer: Incentive-Compatible Rebalancing for Payment Channel Networks
    Avarikioti, Z., Schmid, S., & Tiwari, S. (2024). Musketeer: Incentive-Compatible Rebalancing for Payment Channel Networks. In R. Böhme & L. Kiffer (Eds.), 6th Conference on Advances in Financial Technologies (AFT 2024) (pp. 1–22).
    DOI: 10.4230/LIPIcs.AFT.2024.13 Metadata
    Abstract
    In this work, we revisit the severely limited throughput problem of cryptocurrencies and propose a novel rebalancing approach for Payment Channel Networks (PCNs). PCNs are a popular solution for increasing the blockchain throughput, however, their benefit depends on the overall users’ liquidity. Rebalancing mechanisms are the state-of-the-art approach to maintaining high liquidity in PCNs. However, existing opt-in rebalancing mechanisms exclude users that may assist in rebalancing for small service fees, leading to suboptimal solutions and under-utilization of the PCNs’ bounded liquidity. We introduce the first rebalancing approach for PCNs that includes all users, following a “all for one and one for all” design philosophy that yields optimal throughput. The proposed approach introduces a double-auction rebalancing problem, which we term Musketeer, where users can participate as buyers (paying fees to rebalance) or sellers (charging fees to route transactions). The desired properties tailored to the unique characteristics of PCNs are formally defined, including the novel game-theoretic property of cyclic budget balance that is a stronger variation of strong budget balance. Basic results derived from auction theory, including an impossibility and multiple mechanisms that either achieve all desiderata under a relaxed model or sacrifice one of the properties, are presented. We also propose a novel mechanism that leverages time delays as an additional cost to users. This mechanism is provably truthful, cyclic budget balanced, individually rational and economic efficient but only with respect to liquidity.

W4MP

Fixing the Broken Bridge Between Mobile Apps and the Web

2023 – 2027 •  Vienna Science and Technology Fund (WWTF)  •  PI Martina Lindorfer
Abstract

The Web undertook a progressive conceptual switch from a mesh of interconnected documents to an application distribution platform. In parallel, smartphones and tablets changed the way people consume Web content. With Web apps being ubiquitous, mobile platforms are introducing new mechanisms to integrate Web content into the operating system: in addition to apps embedding browsers, cross-platform apps can be developed using Web frameworks with little to no app development experience. At the same time, powerful Web APIs are in development to close the gap between Web and native apps.

The security and privacy implications of this ongoing transformation have yet to be explored. In particular, the security analysis is hampered by the fast-changing nature of Web and mobile platforms and the contrasting evolution of functionalities across different OSes and browsers. Previous work mainly focused on security and privacy issues affecting either websites or mobile apps in isolation.

We propose to develop a unified framework that will enable us to rigorously evaluate the security implications of the intersection between Web and mobile platforms. We plan to shed light on new ways that Web and mobile apps can interact with each other and how these interactions could potentially lead to security and privacy issues. We will conduct large-scale measurements to confirm the impact of our findings, and we will propose remediation strategies for the emerging mechanisms analyzed.

SFB SPyCoDe

Semantic and Cryptographic Foundations of Security and Privacy by Compositional Design

2023 – 2026 •  Austrian Science Fund (FWF)  •  PI Laura Kovacs  •  PI Matteo Maffei
Partners
  • Institute of Science and Technology Austria, Klosterneuburg, Austria
  • TU Graz, Graz, Austria
  • Universität Klagenfurt, Klagenfurt, Austria
  • Universität Wien, Wien
Publications
  • A TPRF-based pseudo-random number generator
    Andreeva, E., & Weninger, A. (2024). A TPRF-based pseudo-random number generator. Journal of Surveillance, Security and Safety, 5, 36–51.
    DOI: 10.20517/jsss.2023.45 Metadata
    Abstract
    Most cryptographic applications use randomness that is generated by pseudo-random number generators (PRNGs). A popular PRNG practical choice is the NIST standardized CTR_DRBG. In their recent ACNS 2023 publication, Andreeva and Weninger proposed a new and more efficient and secure PRNG called FCRNG. FCRNG is based on CTR_DRBG and uses the 𝑛-to-2𝑛 forkcipher expanding primitive ForkSkinny as a building block. In this work, we create a new BKRNG PRNG, which is based on FCRNG and employs the novel 𝑛-to-8𝑛 expanding primitive Butterknife. Butterknife is based on the Deoxys tweakable blockcipher (and thus AES) and realizes a tweakable expanding pseudo-random function. While both blockciphers and forkciphers are invertible primitives, tweakable expanding pseudo-random functions are not. This functional simplification enables security benefits for BKRNG in the robustness security game - the standard security goal for a PRNG. Contrary to the security bound of CTR_DRBG, we show that the security of our BKRNG construction does not degrade with the length of the random inputs, nor the number of requested output pseudo-random bits. We also empirically verify the BKRNG security with the NIST PRNG test suite and the TestU01 suite. Furthermore, we show the 𝑛-to-8𝑛 multi-branch expanding nature of Butterknife contributes to a significant speed-up in the efficiency of BKRNG compared to FCRNG. More concretely, producing random bits with BKRNG is 30.0% faster than FCRNG and 49.2% faster than CTR_DRBG.
  • Bribe & Fork: Cheap PCN Bribing Attacks via Forking Threat
    Avarikioti, Z., Kędzior, P., Lizurej, T., & Michalak, T. (2024). Bribe & Fork: Cheap PCN Bribing Attacks via Forking Threat. In R. Böhme & L. Kiffer (Eds.), 6th Conference on Advances in Financial Technologies (AFT 2024) (pp. 1–22).
    DOI: 10.4230/LIPIcs.AFT.2024.11 Metadata
    Abstract
    In this work, we reexamine the vulnerability of Payment Channel Networks (PCNs) to bribing attacks, where an adversary incentivizes blockchain miners to deliberately ignore a specific transaction to undermine the punishment mechanism of PCNs. While previous studies have posited a prohibitive cost for such attacks, we show that this cost can be dramatically reduced (to approximately $125), thereby increasing the likelihood of these attacks. To this end, we introduce Bribe & Fork, a modified bribing attack that leverages the threat of a so-called feather fork which we analyze with a novel formal model for the mining game with forking. We empirically analyze historical data of some real-world blockchain implementations to evaluate the scale of this cost reduction. Our findings shed more light on the potential vulnerability of PCNs and highlight the need for robust solutions.
  • Brief Announcement: Musketeer - Incentive-Compatible Rebalancing for Payment Channel Networks
    Avarikioti, Z., Schmid, S., & Tiwari, S. (2024). Brief Announcement: Musketeer - Incentive-Compatible Rebalancing for Payment Channel Networks. In PODC ’24: Proceedings of the 43rd ACM Symposium on Principles of Distributed Computing (pp. 306–309).
    DOI: 10.1145/3662158.3662809 Metadata
    Abstract
    We revisit the severely limited throughput problem of cryptocurrencies and propose a novel rebalancing approach for Payment Channel Networks (PCNs). PCNs are a popular solution for increasing the blockchain throughput, however, their benefit depends on the overall users' liquidity. Rebalancing mechanisms are the state-of-the-art approach to maintaining high liquidity PCNs. However, existing opt-in rebalancing mechanisms exclude users that may assist in rebalancing for small service fees, leading to suboptimal solutions and under-utilization of the PCNs' bounded liquidity.We introduce the first rebalancing approach for PCNs that includes all users, following a "all for one and one for all" design philosophy that yields optimal throughput. The proposed approach introduces a double-auction rebalancing problem, which we term Musketeer, where users can participate as buyers (paying fees to rebalance) or sellers (charging fees to route transactions). The desired properties are tailored to the unique characteristics of PCNs, including the novel game-theoretic property of cyclic budget balance that is a stronger variation of strong budget balance.Basic results derived from auction theory, including an impossibility and multiple mechanisms that either achieve all desiderata under a relaxed model or sacrifice one of the properties, are presented. We also propose a novel mechanism that leverages time delays as an additional cost to users. This mechanism is provably truthful, cyclic budget balanced, individually rational and economic efficient but only with respect to liquidity.
  • Concurrently Secure Blind Schnorr Signatures
    Fuchsbauer, G., & Wolf, M. (2024). Concurrently Secure Blind Schnorr Signatures. In Advances in Cryptology – EUROCRYPT 2024 (pp. 124–160).
    DOI: 10.1007/978-3-031-58723-8_5 Metadata
    Abstract
    Many applications of blind signatures, e.g. in blockchains, require compatibility of the resulting signatures with the existing system. This makes blind issuing of Schnorr signatures (now being standardized and supported by major cryptocurrencies) desirable. Concurrent security of the signing protocol is required to thwart denial-of-service attacks. We present a concurrently secure blind-signing protocol for Schnorr signatures, using the standard primitives NIZK and PKE and assuming that Schnorr signatures themselves are unforgeable. Our protocol is the first to be compatible with standard Schnorr implementations over 256-bit elliptic curves. We cast our scheme as a generalization of blind and partially blind signatures: we introduce the notion of predicate blind signatures, in which the signer can define a predicate that the blindly signed message must satisfy. We provide implementations and benchmarks for various choices of primitives and scenarios, such as blindly signing Bitcoin transactions only when they meet certain conditions specified by the signer.
  • CryptoVampire: Automated Reasoning for the Complete Symbolic Attacker Cryptographic Model
    Jeanteur, S., Kovács, L., Maffei, M., & Rawson, M. (2024). CryptoVampire: Automated Reasoning for the Complete Symbolic Attacker Cryptographic Model. In 2024 IEEE Symposium on Security and Privacy (SP) (pp. 3165–3183). IEEE.
    DOI: 10.1109/SP54263.2024.00246 Metadata
    Abstract
    Cryptographic protocols are hard to design and prove correct, as witnessed by the ever-growing list of attacks even on protocol standards. Symbolic models of cryptography enable automated formal security proofs of such protocols against an idealized cryptographic model, which abstracts away from the algebraic properties of cryptographic schemes and thus misses attacks. Computational models of cryptography yield rigorous guarantees but support at present only interactive proofs and/or restricted classes of protocols (e.g., stateless ones). A promising approach is given by the computationally complete symbolic attacker (CCSA) model, formalized in the BC Logic, which aims at bridging and getting the best of the two worlds, obtaining cryptographic guarantees by symbolic protocol analysis. The BC Logic is supported by a recently developed interactive theorem prover, namely Squirrel, which enables machine-checked interactive security proofs, as opposed to automated ones, thus requiring expert knowledge both in the cryptographic space as well as on the reasoning side.In this paper, we introduce the CryptoVampire cryptographic protocol verifier, which for the first time fully automates proofs of trace properties in the BC Logic. The key technical contribution is a first-order formalization of protocol properties with tailored handling of subterm relations. As such, we overcome the burden of interactive proving in higher-order logic and automatically establish soundness of cryptographic protocols using only first-order reasoning. Our first-order encoding of cryptographic protocols is challenging for various reasons. On the theoretical side, we restrict full first-order logic with cryptographic axioms to ensure that, by losing the expressivity of the higher-order BC Logic, we do not lose soundness of cryptographic protocols in our first-order encoding. On the practical side, CryptoVampire integrates dedicated proof techniques using first-order saturation algorithms and heuristics, which all together enable leveraging the state-of-the-art Vampire first-order automated theorem prover as the underlying proving engine of CryptoVampire. Our experimental results showcase the effectiveness of CryptoVampire as a standalone verifier as well as in terms of automation support for Squirrel.
  • Glimpse: On-Demand PoW Light Client with Constant-Size Storage for DeFi
    Scaffino, G., Aumayr, L., Avarikioti, G., & Maffei, M. (2023). Glimpse: On-Demand PoW Light Client with Constant-Size Storage for DeFi. In Proceedings of the 32nd USENIX Security Symposium (pp. 733–750).
    Metadata
    Abstract
    Cross-chain communication is instrumental in unleashing the full potential of blockchain technologies, as it allows users and developers to exploit the unique design features and the profit opportunities of different existing blockchains. The majority of interoperability solutions are provided by centralized exchanges and bridge protocols based on a trusted majority, both introducing undesirable trust assumptions compared to native blockchain assets. Hence, increasing attention has been given to decentralized solutions: Light and super-light clients paved the way for chain relays, which allow verifying on a blockchain the state of another blockchain by respectively verifying and storing a linear and logarithmic amount of data. Unfortunately, relays turn out to be inefficient in terms of computational costs, storage, or compatibility. We introduce Glimpse, an on-demand bridge that leverages a novel on-demand light client construction with only constant on-chain storage, cost, and computational overhead. Glimpse is expressive, enabling a plethora of DeFi and off-chain applications such as lending, pegs, proofs of oracle attestations, and betting hubs. Glimpse also remains compatible with blockchains featuring a limited scripting language such as the Liquid Network (a pegged sidechain of Bitcoin), for which we present a concrete instantiation. We prove Glimpse security in the Universal Composability (UC) framework and further conduct an economic analysis. We evaluate the cost of Glimpse for Bitcoin-like chains: verifying a simple transaction has at most 700 bytes of on-chain overhead, resulting in a one-time fee of $3, only twice as much as a standard Bitcoin transaction.
  • How (Not) to Simulate PLONK
    Sefranek, M. (2024). How (Not) to Simulate PLONK. In Security and Cryptography for Networks (pp. 96–117).
    DOI: 10.1007/978-3-031-71070-4_5 Metadata
    Abstract
    PLONK is a zk-SNARK system by Gabizon, Williamson, and Ciobotaru with proofs of constant size (0.5 KB) and sublinear verification time. Its setup is circuit-independent supporting proofs of arbitrary statements up to a certain size bound. Although deployed in several real-world applications, PLONK’s zero-knowledge property had only been argued informally. Consequently, we were able to find and fix a vulnerability in its original specification, leading to an update of PLONK in eprint version 20220629:105924. In this work, we construct a simulator for the patched version of PLONK and prove that it achieves statistical zero knowledge. Furthermore, we give an attack on the previous version of PLONK showing that it does not even satisfy the weaker notion of (statistical) witness indistinguishability.
  • Masked Iterate-Fork-Iterate: A New Design Paradigm for Tweakable Expanding Pseudorandom Function
    Andreeva, E., Cogliati, B., Lallemand, V., Minier, M., Purnal, A., & Roy, A. (2024). Masked Iterate-Fork-Iterate: A New Design Paradigm for Tweakable Expanding Pseudorandom Function. In C. Pöpper & L. Batina (Eds.), Applied Cryptography and Network Security (pp. 433–459). Springer, Cham.
    DOI: 10.1007/978-3-031-54773-7_17 Metadata
    Abstract
    Many modes of operations for block ciphers or tweakable block ciphers do not require invertibility from their underlying primitive. In this work, we study fixed-length Tweakable Pseudorandom Function (TPRF) with large domain expansion, a novel primitive that can bring high security and significant performance optimizations in symmetric schemes, such as (authenticated) encryption. Our first contribution is to introduce a new design paradigm, derived from the Iterate-Fork-Iterate construction, in order to build n-to-αn-bit (α≥2), n-bit secure, domain expanding TPRF. We dub this new generic composition masked Iterate-Fork-Iterate mIFI. We then propose a concrete TPRF instantiation ButterKnife that expands an n-bit input to 8n-bit output via a public tweak and secret key. ButterKnife is built with high efficiency and security in mind. It is fully parallelizable and based on Deoxys-BC, the AES-based tweakable block cipher used in the authenticated encryption winner algorithm in the defense-in-depth category of the CAESAR competition. We analyze the resistance of ButterKnife to differential, linear, meet-in-the-middle, impossible differentials and rectangle attacks. A special care is taken to the attack scenarios made possible by the multiple branches. Our next contribution is to design and provably analyze two new TPRF-based deterministic authenticated encryption (DAE) schemes called SAFE and ZAFE that are highly efficient, parallelizable, and offer (n+min(n,t))/2 bits of security, where n, t denote respectively the input block and the tweak sizes of the underlying primitives. We further implement SAFE with ButterKnife to show that it achieves an encryption performance of 1.18 c/B for long messages on Skylake, which is 24% faster than the comparable Crypto’17 TBC-based ZAE DAE. Our second candidate ZAFE, which uses the same authentication pass as ZAE, offers a similar level of speedup. Besides, we show that ButterKnife, when used in Counter Mode, is slightly faster than AES (0.55 c/B vs 0.63 c/B on Skylake).
  • Musketeer: Incentive-Compatible Rebalancing for Payment Channel Networks
    Avarikioti, Z., Schmid, S., & Tiwari, S. (2024). Musketeer: Incentive-Compatible Rebalancing for Payment Channel Networks. In R. Böhme & L. Kiffer (Eds.), 6th Conference on Advances in Financial Technologies (AFT 2024) (pp. 1–22).
    DOI: 10.4230/LIPIcs.AFT.2024.13 Metadata
    Abstract
    In this work, we revisit the severely limited throughput problem of cryptocurrencies and propose a novel rebalancing approach for Payment Channel Networks (PCNs). PCNs are a popular solution for increasing the blockchain throughput, however, their benefit depends on the overall users’ liquidity. Rebalancing mechanisms are the state-of-the-art approach to maintaining high liquidity in PCNs. However, existing opt-in rebalancing mechanisms exclude users that may assist in rebalancing for small service fees, leading to suboptimal solutions and under-utilization of the PCNs’ bounded liquidity. We introduce the first rebalancing approach for PCNs that includes all users, following a “all for one and one for all” design philosophy that yields optimal throughput. The proposed approach introduces a double-auction rebalancing problem, which we term Musketeer, where users can participate as buyers (paying fees to rebalance) or sellers (charging fees to route transactions). The desired properties tailored to the unique characteristics of PCNs are formally defined, including the novel game-theoretic property of cyclic budget balance that is a stronger variation of strong budget balance. Basic results derived from auction theory, including an impossibility and multiple mechanisms that either achieve all desiderata under a relaxed model or sacrifice one of the properties, are presented. We also propose a novel mechanism that leverages time delays as an additional cost to users. This mechanism is provably truthful, cyclic budget balanced, individually rational and economic efficient but only with respect to liquidity.
  • On Efficient and Secure Compression Functions for Arithmetization-Oriented Hashing
    Andreeva, E., Bhattacharyya, R., Roy, A., & Trevisani, S. (2024). On Efficient and Secure Compression Functions for Arithmetization-Oriented Hashing. In 2024 IEEE 37th Computer Security Foundations Symposium (CSF) (pp. 1–16).
    DOI: 10.1109/CSF61375.2024.00045 Metadata
    Abstract
    ZK-SNARKs, a fundamental component of privacyoriented payment systems, identity protocols, or anonymous voting systems, are advanced cryptographic protocols for verifiable computation: modern SNARKs allow to encode the invariants of a program, expressed as an arithmetic circuit, in an appropriate constraint language from which short, zero-knowledge proofs for correct computations can be constructed. One of the most important computations that is run through SNARK systems is the verification of Merkle tree (MT) opening proofs, which relies on the evaluation of a fixed-input-length (FIL) cryptographic compression function over binary MTs. As classical, bit-oriented hash functions like SHA-2 are not compactly representable in SNARK frameworks, Arithmetization-Oriented (AO) cryptographic designs have emerged as an alternative, efficient solution. Today, the majority of AO compression functions are built from permutation-based hashing modes, such as Sponge. While this approach allows cost savings, compared to blockcipher-based modes, as it does not require key-scheduling, AO blockcipher schedulers are often cheap to compute. Furthermore, classical bitoriented cryptography has long studied how to construct provably secure compression functions from blockciphers, following the Preneel-Govaerts-Vandewalle (PGV) framework. The potential efficiency gains together with the strong provable security foundations in the classic setting, motivate the study of AO blockcipher-based compression functions. In this work, we propose AO PGV-LC and PGV-ELC, two AO blockcipher-based FIL compression modes inspired by and extending the classical PGV approach, offering flexible input and output sizes and coming with provable security guarantees in the AO setting. We prove the collision and preimage resistance in the ideal cipher model, and give bounds for collision and opening resistance over MTs of arbitrary arity. We compare experimentally the AO PGV-ELC mode over the HADES blockcipher with its popular and widely adopted Sponge instantiation, POSEIDON, and its improved variant POSEIDON2. Our resulting constructions are up to 3× faster than POSEIDONAND 2× faster than POSEIDON2 in native x86 execution, and up to 50% faster in the Groth16 SNARK framework. Finally, we study the benefits of using MTs of arity wider than two, proposing a new strategy to obtain a compact R1CS constraint system in such case. In fact, by combining an efficient parametrization of the HADES blockcipher over the PGV-ELC mode, together with an optimal choice of the MT arity, we measured an improvement of up to 9× in native MT construction time, and up to 2.5× in proof generation time, compared to POSEIDON over binary MTs.
  • On Proving Equivalence Class Signatures Secure from Non-interactive Assumptions
    Bauer, B., Fuchsbauer, G., & Regen, F. (2024). On Proving Equivalence Class Signatures Secure from Non-interactive Assumptions. In Public-Key Cryptography – PKC 2024 (pp. 3–36).
    DOI: 10.1007/978-3-031-57718-5_1 Metadata
    Abstract
    Equivalence class signatures (EQS), introduced by Hanser and Slamanig (AC’14, J. Crypto’19), sign vectors of elements from a bilinear group. Their main feature is “adaptivity”: given a signature on a vector, anyone can transform it to a (uniformly random) signature on any multiple of the vector. A signature thus authenticates equivalence classes and unforgeability is defined accordingly. EQS have been used to improve the efficiency of many cryptographic applications, notably (delegatable) anonymous credentials, (round-optimal) blind signatures, group signatures and anonymous tokens. EQS security implies strong anonymity (or blindness) guarantees for these schemes which holds against malicious signers without trust assumptions. Unforgeability of the original EQS construction is proven directly in the generic group model. While there are constructions from standard assumptions, these either achieve prohibitively weak security notions (PKC’18) or they require a common reference string (AC’19, PKC’22), which reintroduces trust assumptions avoided by EQS. In this work we ask whether EQS schemes that satisfy the original security model can be proved secure under standard (or even non-interactive) assumptions with standard techniques. Our answer is negative: assuming a reduction that, after running once an adversary breaking unforgeability, breaks a non-interactive computational assumption, we construct efficient meta-reductions that either break the assumption or break class-hiding, another security requirement for EQS.
  • Optimizing Virtual Payment Channel Establishment in the Face of On-Path Adversaries
    Aumayr, L., Ceylan, E., Kopyciok, Y., Maffei, M., Moreno-Sanchez, P., Salem, I., & Schmid, S. (2024). Optimizing Virtual Payment Channel Establishment in the Face of On-Path Adversaries. In Proceedings 2024 IFIP Networking Conference (IFIP Networking) (pp. 1–10).
    DOI: 10.23919/IFIPNetworking62109.2024.10619889 Metadata
    Abstract
    Payment channel networks (PCNs) are among the most promising solutions to the scalability issues in permissionless blockchains, by allowing parties to pay each other off-chain through a path of payment channels (PCs). However, routing transactions comes at a cost which is proportional to the number of intermediaries, since each charges a fee for the routing service. Furthermore, analogous to other networks, malicious intermediaries in the payment path can lead to security and privacy threats. Virtual channels (VCs), i.e., bridges over PC paths, mitigate the above PCN issues, as an intermediary participates only once to set up the VC and is then excluded from every future VC transaction. However, similar to PCs, creating a VC has a cost that must be paid out of the bridged PCs' balance. Currently, we are missing guidelines to where and how many VCs to set up. Ideally, VCs should minimize transaction costs while mitigating security and privacy threats from on-path adversaries. In this work, we address for the first time the VC setup problem, formalizing it as an optimization problem. We present an integer linear program (ILP) to compute the globally optimal VC setup strategy in terms of transaction costs, security, and privacy. We then accompany the computationally heavy ILP with a fast local greedy algorithm. Our model and algorithms can be used with any on-path adversary, given that its strategy can be expressed as a set of corrupted nodes that is estimated by the honest nodes. We conduct an evaluation of the greedy algorithm over a snapshot of the Lightning Network (LN), the largest Bitcoin-based PCN. Our results confirm on real-world data that our greedy strategy minimizes costs while protecting against security and privacy threats of on-path adversaries. These findings may serve the LN community as guidelines for the deployment of VCs.
  • Skye: An Expanding PRF based Fast KDF and its Applications
    Bhati, A. S., Dufka, A., Andreeva, E., Roy, A., & Preneel, B. (2024). Skye: An Expanding PRF based Fast KDF and its Applications. In ASIA CCS ’24: Proceedings of the 19th ACM Asia Conference on Computer and Communications Security (pp. 1082–1098).
    DOI: 10.1145/3634737.3637673 Metadata
    Abstract
    A Key Derivation Function (KDF) generates a uniform and highly random key-stream from weakly random key material. KDFs are broadly used in various security protocols such as digital signatures and key exchange protocols. HKDF, the most deployed KDF in practice, is based on the extract-then-expand paradigm. It is presently used, among others, in the Signal Protocol for end-to-end encrypted messaging. HKDF is a generic KDF for general input sources and thus is not optimized for source-specific use cases such as key derivation from Diffie-Hellman (DH) sources (i.e. DH shared secrets as key material). Furthermore, the sequential HKDF design is unnecessarily slow on some general-purpose platforms that can benefit from parallelization. In this work, we propose a novel, efficient and secure KDF called Skye. Skye follows the extract-then-expand paradigm and consists of two algorithms: efficient deterministic randomness extractor and expander functions. Instantiating our extractor for dedicated source-specific (e.g. DH sources) inputs leads to a significant efficiency gain over HKDF while maintaining its security level. We provide concrete security analysis of Skye and both its underlying algorithms in the standard model. We provide a software performance comparison of Skye with the AES-based expanding PRF ButterKnife and HKDF with SHA-256 (as used in practice). Our results show that in isolation Skye performs from 4x to 47x faster than HKDF, depending on the availability of AES or SHA instruction support. We further demonstrate that with such a performance gain, when Skye is integrated within the current Signal implementation, we can achieve significant overall improvements ranging from 38% to 64% relative speedup in unidirectional messaging. Even in bidirectional messaging, that includes DH computation with dominating computational cost, Skye still contributes to 12-36% relative speedup when just 10 messages are sent and received at once.
  • Updatable Public-Key Encryption, Revisited
    Alwen, J., Fuchsbauer, G., & Mularczyk, M. (2024). Updatable Public-Key Encryption, Revisited. In Advances in Cryptology – EUROCRYPT 2024 (pp. 346–376).
    DOI: 10.1007/978-3-031-58754-2_13 Metadata
    Abstract
    We revisit Updatable Public-Key Encryption (UPKE), which was introduced as a practical mechanism for building forward-secure cryptographic protocols. We begin by observing that all UPKE notions to date are neither syntactically flexible nor secure enough for the most important multi-party protocols motivating UPKE. We provide an intuitive taxonomy of UPKE properties – some partially or completely overlooked in the past – along with an overview of known (explicit and implicit) UPKE constructions. We then introduce a formal UPKE definition capturing all intuitive properties needed for multi-party protocols. Next, we provide a practical pairing-based construction for which we provide concrete bounds under a standard assumption in the random oracle and the algebraic group model. The efficiency profile of the scheme compares very favorably with existing UPKE constructions (despite the added flexibility and stronger security). For example, when used to improve the forward security of the Messaging Layer Security protocol [RFC9420], our new UPKE construction requires less than 1.5% of the bandwidth of the next-most efficient UPKE construction satisfying the strongest UPKE notion considered so far.
  • Verifying Global Two-Safety Properties in Neural Networks with Confidence
    Athavale, A., Bartocci, E., Christakis, M., Maffei, M., Ničković, D., & Weissenbacher, G. (2024). Verifying Global Two-Safety Properties in Neural Networks with Confidence. In A. Gurfinkel & V. Ganesh (Eds.), Computer Aided Verification (pp. 329–351). Springer.
    DOI: 10.1007/978-3-031-65630-9_17 Metadata
    Abstract
    We present the first automated verification technique for confidence-based 2-safety properties, such as global robustness and global fairness, in deep neural networks (DNNs). Our approach combines self-composition to leverage existing reachability analysis techniques and a novel abstraction of the softmax function, which is amenable to automated verification. We characterize and prove the soundness of our static analysis technique. Furthermore, we implement it on top of Marabou, a safety analysis tool for neural networks, conducting a performance evaluation on several publicly available benchmarks for DNN verification.
  • Wappler: Sound Reachability Analysis for WebAssembly
    Scherer, M., Blaabjerg, J. F., Sjösten, A., Solitro, M. M., & Maffei, M. (2024). Wappler: Sound Reachability Analysis for WebAssembly. In L. O’Conner & P. Kellenberger (Eds.), 2024 IEEE 37th Computer Security Foundations Symposium (CSF) (pp. 249–264).
    DOI: 10.1109/CSF61375.2024.00025 Metadata
    Abstract
    WebAssembly (Wasm) is an increasingly deployed low-level language providing near-native performance to security-critical domains such as web browsers, smart contracts, and edge computing. In all of these domains, establishing the absence of bugs and security vulnerabilities is of utmost importance, which motivates the development of sound and automated static analysis techniques. This is, however, a challenging task since the Wasm formal semantics is not directly amenable to efficient static analysis, Wasm code is typically embedded in statically unknown and possibly malicious contexts, and the low-level nature of the language makes it hard to precisely and yet soundly capture memory management and other core features. In this work, we present Wappler, the first sound and automated static analysis technique for WebAssembly. The core idea is to encode the semantics into Horn clauses so as to make it accessible to automated theorem provers, such as z3. The realization of this approach, however, requires to tackle several challenges. We address the fact that the Wasm semantics is not directly amenable to automation of security proofs by introducing annotations that enable a precise, practical, and yet sound encoding. Furthermore, we devise a formalism to specify embedder behavior and introduce a sound yet precise memory abstraction. We demonstrate the expressiveness of our logical formalism by encoding several general as well as Wasm-specific security properties. Finally, we implement our static analysis technique and conduct an experimental evaluation over the official Wasm test suite to demonstrate its performance.

SPFBT

Security and Privacy Foundations of Blockchain Technologies

2020 – 2025 •  SBA Research gemeinnützige GmbH  •  PI Matteo Maffei
Abstract

Blockchains are emerging as a disruptive technology for securing transactions and computations across mutually distrustful peers. The security and privacy of blockchains, however, depends on a complicated combination of cryptography, programming languages, game theory, distributed systems, and network concepts, which is not well understood. The goal of this project is to lay sound foundations for blockchain technologies, devising techniques for their provable analysis and design.

CDL-BOT

Blockchain Technologies for the Internet of Things

2020 – 2025 •  Christian Doppler Research Association (CDG)  •  PI Matteo Maffei
Abstract

In recent years, Distributed Ledger Technologies (DLTs) like blockchains have gained much popularity both within industry and research. Today, DLTs are not only perceived as the underlying technology for cryptocurrencies like Bitcoin, but have also been identified as a potential disruptive technology in many different fields, e.g., supply chain tracking and healthcare. In a lot of these fields, blockchains are combined with Internet of Things (|oT) technologies in order to store data from real-world objects in a tamper-proof way, to process this data, and to share the results.

The widespread attention for DLTs has led to manifold research and development activities. These focus either on the application of blockchains in novel use cases, theenhancement of already existing technologies, or the development of completely new DLTs. As a result, today's DLT landscape is heavily fragmented, with different, incompatible technologies being available to potential users. Since interoperability between different blockchains is usually not foreseen in existing protocols and standards, functionalities like sending tokens from one participant to another, invoking and executing smart contracts, or guaranteeing validity of data stored in a blockchain can only be carried out within a single blockchain. This incompatibility contradicts the open nature of |oT- based systems, where heterogeneous technologies interact with each other, and therefore prevents the uptake of blockchains by the industry.

Therefore, the Christian Doppler Laboratory for Blockchain Technologies for the Internet of Things (CDL-BOT) will contribute to the foundations of blockchain interoperability by providing fundamental research results in the areas of cross-blockchain token transfers, cross-blockchain smart contract invocation and interaction, the integration of blockchains with further DLTs and other systems, and by providing client-side blockchain interoperability through developer support. In addition, research in the area of lightweight DLTs for the loT is conducted. While the focus of CDL-BOT is on the application of blockchain technologies in the |oT, other DLTs are also regarded. Furthermore, the research results from the laboratory are not only applicable to the |oT field, but also important for non-|oT-based systems where interoperability between different DLTs is necessary. By doing so, CDL-BOT stimulates a paradigm shift from todays closed blockchains to an open system where devices and users can interact with each other across the boundaries of DLTs.

Partners
  • IOTA Foundation, Berlin, Germany
  • Pantos GmbH, Wien, Austria
Publications
  • A blockchain-based IoT data marketplace
    Sober, M., Scaffino, G., Schulte, S., & Kanhere, S. S. (2023). A blockchain-based IoT data marketplace. CLUSTER COMPUTING-THE JOURNAL OF NETWORKS SOFTWARE TOOLS AND APPLICATIONS, 26(6), 3523–3545.
    DOI: 10.1007/s10586-022-03745-6 Metadata
    Abstract
    The (IoT) is growing steadily, and so is the number of data that is generated by (IoT) devices. This makes it difficult to find and leverage relevant data (and data sources) without a data marketplace. Such a marketplace provides a platform to enable different parties, e.g., sensor operators and service providers, to trade their data. Today, most data marketplaces are based on centralized solutions, which may become a single point of failure and come with expensive infrastructure, trust problems, and privacy issues. Therefore, we propose the application of blockchain technology to implement a data marketplace for the IoT. Within the proposed marketplace, smart contracts are used to implement various functionalities and enforce the rules of the data exchange. The marketplace also includes a proxy, a broker, and (GUIs) to enable data trading. To show the applicability of the proposed data marketplace, we analyze the costs arising from the utilization of smart contracts.
  • Breaking and Fixing Virtual Channels: Domino Attack and Donner
    Aumayr, L., Moreno-Sanchez, P., Kate, A., & Maffei, M. (2023). Breaking and Fixing Virtual Channels: Domino Attack and Donner. In Proceedings Network and Distributed System Security Symposium 2023. 30th Annual Network and Distributed System Security Symposium (NDSS) 2023, San Diego, United States of America (the).
    DOI: 10.14722/ndss.2023.24370 Metadata
    Abstract
    Payment channel networks (PCNs) mitigate the scalability issues of current decentralized cryptocurrencies. They allow for arbitrarily many payments between users connected through a path of intermediate payment channels, while requiring interacting with the blockchain only to open and close the channels. Unfortunately, PCNs are (i) tailored to payments, excluding more complex smart contract functionalities, such as the oracle-enabling Discreet Log Contracts and (ii) their need for active participation from intermediaries may make payments unreliable, slower, expensive, and privacy-invasive. Virtual channels are among the most promising techniques to mitigate these issues, allowing two endpoints of a path to create a direct channel over the intermediaries without any interaction with the blockchain. After such a virtual channel is constructed, (i) the endpoints can use this direct channel for applications other than payments and (ii) the intermediaries are no longer involved in updates. In this work, we first introduce the Domino attack, a new DoS/griefing style attack that leverages virtual channels to destruct the PCN itself and is inherent to the design adopted by the existing Bitcoin-compatible virtual channels. We then demonstrate its severity by a quantitative analysis on a snapshot of the Lightning Network (LN), the most widely deployed PCN at present. We finally discuss other serious drawbacks of existing virtual channel designs, such as the support for only a single intermediary, a latency and blockchain overhead linear in the path length, or a non-constant storage overhead per user. We then present Donner, the first virtual channel construction that overcomes the shortcomings above, by relying on a novel design paradigm. We formally define and prove security and privacy properties in the Universal Composability framework. Our evaluation shows that Donner is efficient, reduces the on-chain number of transactions for disputes from linear in the path length to a single one, which is the key to prevent Domino attacks, and reduces the storage overhead from logarithmic in the path length to constant. Donner is Bitcoin-compatible and can be easily integrated in the LN.
  • Breaking and Fixing Virtual Channels: Domino Attack and Donner
    Aumayr, L., Moreno-Sanchez, P., Kate, A., & Maffei, M. (2023, September 6). Breaking and Fixing Virtual Channels: Domino Attack and Donner [Presentation]. VISA Research - external research talks, Palo Alto, United States of America (the).
    Metadata
  • Chrisimos: A useful Proof-of-Work for finding Minimal Dominating Set of a graph
    Chatterjee, D., Banerjee, P., & Mazumdar, S. (2023). Chrisimos: A useful Proof-of-Work for finding Minimal Dominating Set of a graph. arXiv.
    DOI: 10.34726/5301 Metadata
    Abstract
    Hash-based Proof-of-Work (PoW) used in the Bitcoin Blockchain leads to high energy consumption and resource wastage. In this paper, we aim to re-purpose the energy by replacing the hash function with real-life problems having commercial utility. We propose Chrisimos, a useful Proof-of-Work where miners are required to find a minimal dominating set for real-life graph instances. A miner who is able to output the smallest dominating set for the given graph within the block interval time wins the mining game. We also propose a new chain selection rule that ensures the security of the scheme. Thus our protocol also realizes a decentralized minimal dominating set solver for any graph instance. We provide formal proof of correctness and show via experimental results that the block interval time is within feasible bounds of hash-based PoW.
  • Context-Aware Routing in Fog Computing Systems
    Karagiannis, V., Frangoudis, P., Dustdar, S., & Schulte, S. (2023). Context-Aware Routing in Fog Computing Systems. IEEE Transactions on Cloud Computing, 11(1), 532–549.
    DOI: 10.1109/TCC.2021.3102996 Metadata
    Abstract
    Fog computing enables the execution of IoT applications on compute nodes which reside both in the cloud and at the edge of the network. To achieve this, most fog computing systems route the IoT data on a path which starts at the data source, and goes through various edge and cloud nodes. Each node on this path may accept the data if there are available resources to process this data locally. Otherwise, the data is forwarded to the next node on path. Notably, when the data is forwarded (rather than accepted), the communication latency increases by the delay to reach the next node. To avoid this, we propose a routing mechanism which maintains a history of all nodes that have accepted data of each context in the past. By processing this history, our mechanism sends the data directly to the closest node that tends to accept data of the same context. This lowers the forwarding by nodes on path, and can reduce the communication latency. We evaluate this approach using both prototype- and simulation-based experiments which show reduced communication latency (by up to 23%) and lower number of hops traveled (by up to 73%), compared to a state-of-the-art method.
  • CryptoVampire: Automated Reasoning for the Complete Symbolic Attacker Cryptographic Model
    Jeanteur, S., Kovács, L., Maffei, M., & Rawson, M. (2024). CryptoVampire: Automated Reasoning for the Complete Symbolic Attacker Cryptographic Model. In 2024 IEEE Symposium on Security and Privacy (SP) (pp. 3165–3183). IEEE.
    DOI: 10.1109/SP54263.2024.00246 Metadata
    Abstract
    Cryptographic protocols are hard to design and prove correct, as witnessed by the ever-growing list of attacks even on protocol standards. Symbolic models of cryptography enable automated formal security proofs of such protocols against an idealized cryptographic model, which abstracts away from the algebraic properties of cryptographic schemes and thus misses attacks. Computational models of cryptography yield rigorous guarantees but support at present only interactive proofs and/or restricted classes of protocols (e.g., stateless ones). A promising approach is given by the computationally complete symbolic attacker (CCSA) model, formalized in the BC Logic, which aims at bridging and getting the best of the two worlds, obtaining cryptographic guarantees by symbolic protocol analysis. The BC Logic is supported by a recently developed interactive theorem prover, namely Squirrel, which enables machine-checked interactive security proofs, as opposed to automated ones, thus requiring expert knowledge both in the cryptographic space as well as on the reasoning side.In this paper, we introduce the CryptoVampire cryptographic protocol verifier, which for the first time fully automates proofs of trace properties in the BC Logic. The key technical contribution is a first-order formalization of protocol properties with tailored handling of subterm relations. As such, we overcome the burden of interactive proving in higher-order logic and automatically establish soundness of cryptographic protocols using only first-order reasoning. Our first-order encoding of cryptographic protocols is challenging for various reasons. On the theoretical side, we restrict full first-order logic with cryptographic axioms to ensure that, by losing the expressivity of the higher-order BC Logic, we do not lose soundness of cryptographic protocols in our first-order encoding. On the practical side, CryptoVampire integrates dedicated proof techniques using first-order saturation algorithms and heuristics, which all together enable leveraging the state-of-the-art Vampire first-order automated theorem prover as the underlying proving engine of CryptoVampire. Our experimental results showcase the effectiveness of CryptoVampire as a standalone verifier as well as in terms of automation support for Squirrel.
  • Foundations of Coin Mixing Services
    Glaeser, N., Maffei, M., Malavolta, G., Moreno-Sanchez, P., Tairi, E., & Thyagarajan, S. A. (2022). Foundations of Coin Mixing Services. In CCS ’22: Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security (pp. 1259–1273). Association for Computing Machinery.
    DOI: 10.34726/3601 Metadata
    Abstract
    Coin mixing services allow users to mix their cryptocurrency coins and thus enable unlinkable payments in a way that prevents tracking of honest users' coins by both the service provider and the users themselves. The easy bootstrapping of new users and backwards compatibility with cryptocurrencies (such as Bitcoin) with limited support for scripts are attractive features of this architecture, which has recently gained considerable attention in both academia and industry. A recent work of Tairi et al. [IEEE S&P 2021] formalizes the notion of a coin mixing service and proposes A2L, a new cryptographic protocol that simultaneously achieves high efficiency and interoperability. In this work, we identify a gap in their formal model and substantiate the issue by showing two concrete counterexamples: we show how to construct two encryption schemes that satisfy their definitions but lead to a completely insecure system. To amend this situation, we investigate secure constructions of coin mixing services. First, we develop the notion of blind conditional signatures (BCS), which acts as the cryptographic core for coin mixing services. We propose game-based security definitions for BCS and propose A2L+, a modified version of the protocol by Tairi et al. that satisfies our security definitions. Our analysis is in an idealized model (akin to the algebraic group model) and assumes the hardness of the one-more discrete logarithm problem. Finally, we propose A2L-UC, another construction of BCS that achieves the stronger notion of UC-security (in the standard model), albeit with a significant increase in computation cost. This suggests that constructing a coin mixing service protocol secure under composition requires more complex cryptographic machinery than initially thought.
  • Glimpse: On-Demand PoW Light Client with Constant-Size Storage for DeFi
    Scaffino, G., Aumayr, L., Avarikioti, G., & Maffei, M. (2023). Glimpse: On-Demand PoW Light Client with Constant-Size Storage for DeFi. In Proceedings of the 32nd USENIX Security Symposium (pp. 733–750).
    Metadata
    Abstract
    Cross-chain communication is instrumental in unleashing the full potential of blockchain technologies, as it allows users and developers to exploit the unique design features and the profit opportunities of different existing blockchains. The majority of interoperability solutions are provided by centralized exchanges and bridge protocols based on a trusted majority, both introducing undesirable trust assumptions compared to native blockchain assets. Hence, increasing attention has been given to decentralized solutions: Light and super-light clients paved the way for chain relays, which allow verifying on a blockchain the state of another blockchain by respectively verifying and storing a linear and logarithmic amount of data. Unfortunately, relays turn out to be inefficient in terms of computational costs, storage, or compatibility. We introduce Glimpse, an on-demand bridge that leverages a novel on-demand light client construction with only constant on-chain storage, cost, and computational overhead. Glimpse is expressive, enabling a plethora of DeFi and off-chain applications such as lending, pegs, proofs of oracle attestations, and betting hubs. Glimpse also remains compatible with blockchains featuring a limited scripting language such as the Liquid Network (a pegged sidechain of Bitcoin), for which we present a concrete instantiation. We prove Glimpse security in the Universal Composability (UC) framework and further conduct an economic analysis. We evaluate the cost of Glimpse for Bitcoin-like chains: verifying a simple transaction has at most 700 bytes of on-chain overhead, resulting in a one-time fee of $3, only twice as much as a standard Bitcoin transaction.
  • LightSwap: An Atomic Swap Does Not Require Timeouts at both Blockchains
    Hoenisch, P., Mazumdar, S., Moreno-Sanchez, P., & Ruj, S. (2023). LightSwap: An Atomic Swap Does Not Require Timeouts at both Blockchains. In J. Garcia-Alfaro, G. Navarro-Arribas, & N. Dragoni (Eds.), Data Privacy Management, Cryptocurrencies and Blockchain Technology (pp. 219–235). Springer Cham.
    DOI: 10.1007/978-3-031-25734-6_14 Metadata
    Abstract
    ecurity and privacy issues with centralized exchange services have motivated the design of atomic swap protocols for decentralized trading across currencies. These protocols follow a standard blueprint similar to the 2-phase commit in databases: (i) both users first lock their coins under a certain (cryptographic) condition and a timeout; (ii-a) the coins are swapped if the condition is fulfilled; or (ii-b) coins are released after the timeout. The quest for these protocols is to minimize the requirements from the scripting language supported by the swapped coins, thereby supporting a larger range of cryptocurrencies. The recently proposed universal atomic swap protocol [IEEE S&P’22] demonstrates how to swap coins whose scripting language only supports the verification of a digital signature on a transaction. However, the timeout functionality is cryptographically simulated with verifiable timelock puzzles, a computationally expensive primitive that hinders its use in battery-constrained devices such as mobile phones. In this state of affairs, we question whether the 2-phase commit paradigm is necessary for atomic swaps in the first place. In other words, is it possible to design a secure atomic swap protocol where the timeout is not used by (at least one of the two) users? In this work, we present LightSwap, the first secure atomic swap protocol that does not require the timeout functionality (not even in the form of a cryptographic puzzle) by one of the two users. LightSwap is thus better suited for scenarios where a user, running an instance of LightSwap on her mobile phone, wants to exchange coins with an online exchange service running an instance of LightSwap on a computer. We show how LightSwap can be used to swap Bitcoin and Monero, an interesting use case since Monero does not provide any scripting functionality support other than linkable ring signature verification.
  • LightSwap: An Atomic Swap Does Not Require Timeouts At Both Blockchains
    Hoenisch, P., Mazumdar, S., Moreno-Sanchez, P., & Ruj, S. (2022). LightSwap: An Atomic Swap Does Not Require Timeouts At Both Blockchains. Cryptology ePrint Archive.
    DOI: 10.34726/3662 Metadata
    Abstract
    Security and privacy issues with centralized exchange services have motivated the design of atomic swap protocols for decentralized trading across currencies. These protocols follow a standard blueprint similar to the 2-phase commit in databases: (i) both users first lock their coins under a certain (cryptographic) condition and a timeout; (ii-a) the coins are swapped if the condition is fulfilled; or (ii-b) coins are released after the timeout. The quest for these protocols is to minimize the requirements from the scripting language supported by the swapped coins, thereby supporting a larger range of cryptocurrencies. The recently proposed universal atomic swap protocol [IEEE S&P’22] demonstrates how to swap coins whose scripting language only supports the verification of a digital signature on a transaction. However, the timeout functionality is cryptographically simulated with verifiable timelock puzzles, a computationally expensive primitive that hinders its use in battery-constrained devices such as mobile phones. In this state of affairs, we question whether the 2-phase commit paradigm is necessary for atomic swaps in the first place. In other words, is it possible to design a secure atomic swap protocol where the timeout is not used by (at least one of the two) users? In this work, we present LightSwap, the first secure atomic swap protocol that does not require the timeout functionality (not even in the form of a cryptographic puzzle) by one of the two users. LightSwap is thus better suited for scenarios where a user, running an instance of LightSwap on her mobile phone, wants to exchange coins with an online exchange service running an instance of LightSwap on a computer. We show how LightSwap can be used to swap Bitcoin and Monero, an interesting use case since Monero does not provide any scripting functionality support other than linkable ring signature verification.
  • Optimizing Virtual Payment Channel Establishment in the Face of On-Path Adversaries
    Aumayr, L., Ceylan, E., Kopyciok, Y., Maffei, M., Moreno-Sanchez, P., Salem, I., & Schmid, S. (2024). Optimizing Virtual Payment Channel Establishment in the Face of On-Path Adversaries. In Proceedings 2024 IFIP Networking Conference (IFIP Networking) (pp. 1–10).
    DOI: 10.23919/IFIPNetworking62109.2024.10619889 Metadata
    Abstract
    Payment channel networks (PCNs) are among the most promising solutions to the scalability issues in permissionless blockchains, by allowing parties to pay each other off-chain through a path of payment channels (PCs). However, routing transactions comes at a cost which is proportional to the number of intermediaries, since each charges a fee for the routing service. Furthermore, analogous to other networks, malicious intermediaries in the payment path can lead to security and privacy threats. Virtual channels (VCs), i.e., bridges over PC paths, mitigate the above PCN issues, as an intermediary participates only once to set up the VC and is then excluded from every future VC transaction. However, similar to PCs, creating a VC has a cost that must be paid out of the bridged PCs' balance. Currently, we are missing guidelines to where and how many VCs to set up. Ideally, VCs should minimize transaction costs while mitigating security and privacy threats from on-path adversaries. In this work, we address for the first time the VC setup problem, formalizing it as an optimization problem. We present an integer linear program (ILP) to compute the globally optimal VC setup strategy in terms of transaction costs, security, and privacy. We then accompany the computationally heavy ILP with a fast local greedy algorithm. Our model and algorithms can be used with any on-path adversary, given that its strategy can be expressed as a set of corrupted nodes that is estimated by the honest nodes. We conduct an evaluation of the greedy algorithm over a snapshot of the Lightning Network (LN), the largest Bitcoin-based PCN. Our results confirm on real-world data that our greedy strategy minimizes costs while protecting against security and privacy threats of on-path adversaries. These findings may serve the LN community as guidelines for the deployment of VCs.
  • Sleepy Channels: Bi-directional Payment Channels without Watchtowers
    Aumayr, L., Thyagarajan, S. A., Malavolta, G., Moreno-Sanchez, P., & Maffei, M. (2022). Sleepy Channels: Bi-directional Payment Channels without Watchtowers. In CCS ’22: Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security (pp. 179–192). Association for Computing Machinery.
    DOI: 10.1145/3548606.3559370 Metadata
    Abstract
    Payment channels (PC) are a promising solution to the scalability issue of cryptocurrencies, allowing users to perform the bulk of the transactions off-chain without needing to post everything on the blockchain. Many PC proposals however, suffer from a severe limitation: Both parties need to constantly monitor the blockchain to ensure that the other party did not post an outdated transaction. If this event happens, the honest party needs to react promptly and engage in a punishment procedure. This means that prolonged absence periods (e.g., a power outage) may be exploited by malicious users. As a mitigation, the community has introduced watchtowers, a third-party monitoring the blockchain on behalf of off-line users. Unfortunately, watchtowers are either trusted, which is critical from a security perspective, or they have to lock a certain amount of coins, called collateral, for each monitored PC in order to be held accountable, which is financially infeasible for a large network. We present Sleepy Channels, the first bi-directional PC protocol without watchtowers (or any other third party) that supports an unbounded number of payments and does not require parties to be persistently online. The key idea is to confine the period in which PC updates can be validated on-chain to a short, pre-determined time window, which is when the PC parties have to be online. This behavior is incentivized by letting the parties lock a collateral in the PC, which can be adjusted depending on their mutual trust and which they get back much sooner if they are online during this time window. Our protocol is compatible with any blockchain that is capable of verifying digital signatures (e.g., Bitcoin), as shown by our proof of concept. Moreover, our experimental results show that Sleepy Channels impose a communication and computation overhead similar to state-of-the-art PC protocols while removing watchtower's collateral and fees for the monitoring service.
  • Sleepy Channels: Bi-directional Payment Channels without Watchtowers
    Aumayr, L., Sri AravindaKrishnan Thyagarajan, Giulio Malavolta, Moreno-Sanchez, P., & Maffei, M. (2022, October 31). Sleepy Channels: Bi-directional Payment Channels without Watchtowers [Poster Presentation]. Crypto Economics Security Conference, Berkeley, United States of America (the).
    Metadata
  • Sleepy Channels: Bi-directional Payment Channels without Watchtowers
    Aumayr, L., Sri AravindaKrishnan Thyagarajan, Giulio Malavolta, Moreno-Sanchez, P., & Maffei, M. (2023, February 28). Sleepy Channels: Bi-directional Payment Channels without Watchtowers [Poster Presentation]. Network and Distributed System Security Symposium (NDSS) 2023, United States of America (the).
    Metadata
  • Sleepy Channels: Bitcoin-Compatible Bi-directional Payment Channels without Watchtowers
    Aumayr, L., Sri AravindaKrishnan Thyagarajan, Giulio Malavolta, Moreno-Sanchez, P., & Maffei, M. (2023, August 30). Sleepy Channels: Bitcoin-Compatible Bi-directional Payment Channels without Watchtowers [Conference Presentation]. The Science of Blockchain Conference 2023, Stanford, United States of America (the).
    Metadata
  • Strategic Analysis of Griefing Attack in Lightning Network
    Mazumdar, S., Banerjee, P., Sinha, A., Ruj, S., & Roy, B. (2022). Strategic Analysis of Griefing Attack in Lightning Network. IEEE Transactions on Network and Service Management.
    DOI: 10.34726/3581 Metadata
    Abstract
    Hashed Timelock Contract (HTLC) in Lightning Network is susceptible to a griefing attack. An attacker can block several channels and stall payments by mounting this attack. A state-of-the-art countermeasure, Hashed Timelock Contract with Griefing-Penalty (HTLC-GP) is found to work under the classical assumption of participants being either honest or malicious but fails for rational participants. To address the gap, we introduce a game-theoretic model for analyzing griefing attacks in HTLC. We use this model to analyze griefing attacks in HTLC-GP and conjecture that it is impossible to design an efficient protocol that will penalize a malicious participant with the current Bitcoin scripting system. We study the impact of the penalty on the cost of mounting the attack and observe that HTLC-GP is weakly effective in disincentivizing the attacker in certain conditions. To further increase the cost of attack, we introduce the concept of guaranteed minimum compensation, denoted as ζ, and modify HTLC-GP into HTLC-GPζ. By experimenting on several instances of Lightning Network, we observe that the total coins locked in the network drops to 28% for HTLC-GPζ, unlike in HTLC-GP where total coins locked does not drop below 40%. These results justify that HTLC-GPζ is better than HTLC-GP to counter griefing attacks.
  • Thora: Atomic and Privacy-Preserving Multi-Channel Updates
    Aumayr, L., Abbaszadeh, K., & Maffei, M. (2022). Thora: Atomic and Privacy-Preserving Multi-Channel Updates. In CCS ’22: Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security (pp. 165–178). Association for Computing Machinery.
    DOI: 10.1145/3548606.3560556 Metadata
    Abstract
    Most blockchain-based cryptocurrencies suffer from a heavily limited transaction throughput, which is a barrier to their growing adoption. Payment channel networks (PCNs) are one of the promising solutions to this problem. PCNs reduce the on-chain load of transactions and increase the throughput by processing many payments off-chain. In fact, any two users connected via a path of payment channels (i.e., joint addresses between the two channel end-points) can perform payments, and the underlying blockchain is used only when there is a dispute between users. Unfortunately, payments in PCNs can only be conducted securely along a path, which prevents the design of many interesting applications. Moreover, the most widely used implementation, the Lightning Network in Bitcoin, suffers from a collateral lock time linear in the path length, it is affected by security issues, and it relies on specific scripting features called Hash Timelock Contracts that hinders the applicability of the underlying protocol in other blockchains. In this work, we present Thora, the first Bitcoin-compatible off-chain protocol that enables the atomic update of arbitrary channels (i.e., not necessarily forming a path). This enables the design of a number of new off-chain applications, such as payments across different PCNs sharing the same blockchain, secure and trustless crowdfunding, and channel rebalancing. Our construction requires no specific scripting functionalities other than digital signatures and timelocks, thereby being applicable to a wider range of blockchains. We formally define security and privacy in the Universal Composability framework and show that our cryptographic protocol is a realization thereof. In our performance evaluation, we show that our construction requires only constant collateral, independently from the number of channels, and has only a moderate off-chain communication as well as computation overhead.
  • Thora: Atomic and Privacy-Preserving Multi-Channel Updates
    Aumayr, L., Abbaszadeh, K., & Maffei, M. (2023, February 28). Thora: Atomic and Privacy-Preserving Multi-Channel Updates [Poster Presentation]. Network and Distributed System Security Symposium (NDSS) 2023, San Diego, United States of America (the).
    Metadata
    Abstract
    Most blockchain-based cryptocurrencies suffer from a heavily limited transaction throughput, which is a barrier to their growing adoption. Payment channel networks (PCNs) are one of the promising solutions to this problem. PCNs reduce the on-chain load of transactions and increase the throughput by processing many payments off-chain. In fact, any two users connected via a path of payment channels (i.e., joint addresses between the two channel end-points) can perform payments, and the underlying blockchain is used only when there is a dispute between users. Unfortunately, payments in PCNs can only be conducted securely along a path, which prevents the design of many interesting applications. Moreover, the most widely used implementation, the Lightning Network in Bitcoin, suffers from a collateral lock time linear in the path length, it is affected by security issues, and it relies on specific scripting features called Hash Timelock Contracts that hinders the applicability of the underlying protocol in other blockchains. In this work, we present Thora, the first Bitcoin-compatible off-chain protocol that enables the atomic update of arbitrary channels (i.e., not necessarily forming a path). This enables the design of a number of new off-chain applications, such as payments across different PCNs sharing the same blockchain, secure and trustless crowdfunding, and channel rebalancing. Our construction requires no specific scripting functionalities other than digital signatures and timelocks, thereby being applicable to a wider range of blockchains. We formally define security and privacy in the Universal Composability framework and show that our cryptographic protocol is a realization thereof. In our performance evaluation, we show that our construction requires only constant collateral, independently from the number of channels, and has only a moderate off-chain communication as well as computation overhead.
  • Thora: Atomic and Privacy-Preserving Multi-Channel Updates
    Aumayr, L., Abbaszadeh, K., & Maffei, M. (2023, August 30). Thora: Atomic and Privacy-Preserving Multi-Channel Updates [Conference Presentation]. The Science of Blockchain Conference 2023 (SBC’23), Stanford University, United States of America (the).
    Metadata
  • Thora: Atomic And Privacy-Preserving Multi-Channel Updates
    Aumayr, L., Kasra Abbaszadeh, & Maffei, M. (2022, October 31). Thora: Atomic And Privacy-Preserving Multi-Channel Updates [Poster Presentation]. Crypto Economics Security Conference, Berkeley, United States of America (the).
    Metadata
  • Towards a Game-Theoretic Security Analysis of Off-Chain Protocols
    Rain, S., Avarikioti, G., Kovacs, L., & Maffei, M. (2023). Towards a Game-Theoretic Security Analysis of Off-Chain Protocols. In 2023 IEEE 36th Computer Security Foundations Symposium (CSF) (pp. 107–122). IEEE.
    DOI: 10.1109/CSF57540.2023.00003 Metadata
    Abstract
    Off-chain protocols constitute one of the most promising approaches to solve the inherent scalability issue of blockchain technologies. The core idea is to let parties transact on-chain only once to establish a channel between them, leveraging later on the resulting channel paths to perform arbitrarily many peer-to-peer transactions off-chain. While significant progress has been made in terms of proof techniques for off-chain protocols, existing approaches do not capture the game-theoretic incentives at the core of their design, which led to overlooking significant attack vectors like the Wormhole attack in the past. In this work we take a first step towards a principled game-theoretic security analysis of off-chain protocols by introducing the first game-theoretic model that is expressive enough to reason about their security. We advocate the use of Extensive Form Games (EFGs) and introduce two instances of EFGs to capture security properties of the closing and the routing of the Lightning Network. Specifically, we model the closing protocol, which relies on punishment mechanisms to disincentivize parties to upload old channel states on-chain. Moreover, we model the routing protocol, thereby formally characterizing the Wormhole attack, a vulnerability that undermines the fee-based incentive mechanism underlying the Lightning Network.
  • Towards faster settlement in HTLC-based Cross-Chain Atomic Swaps
    Mazumdar, S. (2022). Towards faster settlement in HTLC-based Cross-Chain Atomic Swaps. arXiv.
    DOI: 10.34726/3805 Metadata
    Abstract
    Hashed Timelock (HTLC)-based atomic swap protocols enable the exchange of coins between two or more parties without relying on a trusted entity. This protocol is like the American call option without premium. It allows the finalization of a deal within a certain period. This puts the swap initiator at liberty to delay before deciding to proceed with the deal. If she finds the deal unprofitable, she just waits for the time-period of the contract to elapse. However, the counterparty is at a loss since his assets remain locked in the contract. The best he can do is to predict the initiator's behavior based on the asset's price fluctuation in the future. But it is difficult to predict as cryptocurrencies are quite volatile, and their price fluctuates abruptly. We perform a game theoretic analysis of HTLC-based atomic cross-chain swap to predict whether a swap will succeed or not. From the strategic behavior of the players, we infer that this model lacks fairness. We propose Quick Swap, a two-party protocol based on hashlock and timelock that fosters faster settlement of the swap. The parties are required to lock griefing-premium along with the principal amount. If the party griefs, he ends up paying the griefing-premium. If a party finds a deal unfavorable, he has the provision to cancel the swap. We prove that Quick Swap is more participant-friendly than HTLC-based atomic swap. Our work is the first to propose a protocol to ensure fairness of atomic-swap in a cyclic multi-party setting.
  • Wappler: Sound Reachability Analysis for WebAssembly
    Scherer, M., Blaabjerg, J. F., Sjösten, A., Solitro, M. M., & Maffei, M. (2024). Wappler: Sound Reachability Analysis for WebAssembly. In L. O’Conner & P. Kellenberger (Eds.), 2024 IEEE 37th Computer Security Foundations Symposium (CSF) (pp. 249–264).
    DOI: 10.1109/CSF61375.2024.00025 Metadata
    Abstract
    WebAssembly (Wasm) is an increasingly deployed low-level language providing near-native performance to security-critical domains such as web browsers, smart contracts, and edge computing. In all of these domains, establishing the absence of bugs and security vulnerabilities is of utmost importance, which motivates the development of sound and automated static analysis techniques. This is, however, a challenging task since the Wasm formal semantics is not directly amenable to efficient static analysis, Wasm code is typically embedded in statically unknown and possibly malicious contexts, and the low-level nature of the language makes it hard to precisely and yet soundly capture memory management and other core features. In this work, we present Wappler, the first sound and automated static analysis technique for WebAssembly. The core idea is to encode the semantics into Horn clauses so as to make it accessible to automated theorem provers, such as z3. The realization of this approach, however, requires to tackle several challenges. We address the fact that the Wasm semantics is not directly amenable to automation of security proofs by introducing annotations that enable a precise, practical, and yet sound encoding. Furthermore, we devise a formalism to specify embedder behavior and introduce a sound yet precise memory abstraction. We demonstrate the expressiveness of our logical formalism by encoding several general as well as Wasm-specific security properties. Finally, we implement our static analysis technique and conduct an experimental evaluation over the official Wasm test suite to demonstrate its performance.

IoTIO

IoTIO: Analyzing and Understanding the Internet of Insecure Things

2020 – 2025 •  Vienna Science and Technology Fund (WWTF)  •  PI Martina Lindorfer
Abstract

Consumer devices, from door locks to light bulbs, are becoming increasingly smart. They are linked with other devices as part of smart homes and offices, usually Internet-connected, and may be publicly accessible through misconfiguration or IPv6.

The corresponding security and privacy implications have yet to be explored in depth, and their analysis is complicated by device type and architecture diversity. Prior work focused on case studies of specific device types, or analyzed devices' firmware in isolation, requiring substantial manual effort. In contrast, the automatic analysis of devices' interaction with their environment and other devices could uncover new vulnerability types and privacy violations.

In this project, we will propose scalable techniques to analyze smart devices for potential vulnerabilities based on how they are collecting, processing, and sharing data by interacting with their mobile companion app or smart hubs. We will provide a proof-of-concept tool to show our research's practicality.

The basis of our project are novel software and network analyses of companion apps and hub integration to synthesize protocols, discover commands to exercise device functionality, and identify information flows ‒ without requiring access to the smart devices themselves.

The project is a multi-disciplinary research effort enabling security and privacy analyses. It has also societal impact by enabling informed decision making by manufactures, lawmakers, and users.

Partners
  • Ruhr-Universität Bochum, Bochum, Germany
Publications
  • A Comparative Analysis of Certificate Pinning in Android & iOS
    Pradeep, A., Paracha, M. T., Bhowmick, P., Davanian, A., Razaghpanah, A., Chung, T., Lindorfer, M., Vallina-Rodriguez, N., Levin, D., & Choffnes, D. (2022). A Comparative Analysis of Certificate Pinning in Android & iOS. In Proceedings of the 22nd ACM Internet Measurement Conference (pp. 605–618). ACM.
    DOI: 10.34726/3505 Metadata
    Abstract
    TLS certificate pinning is a security mechanism used by applications (apps) to protect their network traffic against malicious certificate authorities (CAs), in-path monitoring, and other methods of TLS tampering. Pinning can provide enhanced security to defend against malicious third-party access to sensitive data in transit (e.g., to protect sensitive banking and health care information), but can also hide an app’s personal data collection from users and auditors. Prior studies found pinning was rarely used in the Android ecosystem, except in high-profile, security-sensitive apps; and, little is known about its usage on iOS and across mobile platforms. In this paper, we thoroughly investigate the use of certificate pinning on Android and iOS. We collect 5,079 unique apps from the two official app stores: 575 common apps, 1,000 popular apps each, and 1,000 randomly selected apps each. We develop novel, cross-platform, static and dynamic analysis techniques to detect the usage of certificate pinning. Thus, our study offers a more comprehensive understanding of certificate pinning than previous studies. We find certificate pinning as much as 4 times more widely adopted than reported in recent studies. More specifically, we find that 0.9% to 8% of Android apps and 2.5% to 11% of iOS apps use certificate pinning at run time (depending on the aforementioned sets of apps). We then investigate which categories of apps most frequently use pinning (e.g., apps in the “finance” category), which destinations are typically pinned (e.g., first-party destinations vs those used by third-party libraries), which certificates are pinned and how these are pinned (e.g., CA vs leaf certificates), and the connection security for pinned connections vs unpinned ones (e.g., the use of weak ciphers or improper certificate validation). Lastly, we investigate how many pinned connections are amenable to binary instrumentation to reveal the contents of their connections; for those that are, we analyze the data sent over pinned connections to understand what is protected by pinning.
  • ADAPT it! Automating APT Campaign and Group Attribution by Leveraging and Linking Heterogeneous Files
    Saha, A., Blasco, J., Cavallaro, L., & Lindorfer, M. (2024). ADAPT it! Automating APT Campaign and Group Attribution by Leveraging and Linking Heterogeneous Files. In RAID ’24: Proceedings of the 27th International Symposium on Research in Attacks, Intrusions and Defenses (pp. 114–129). Association for Computing Machinery.
    DOI: 10.1145/3678890.3678909 Metadata
    Abstract
    Recent years have witnessed a surge in the growth of Advanced Persistent Threats (APTs), with significant challenges to the security landscape, affecting industry, governance, and democracy. The ever- growing number of actors and the complexity of their campaigns have made it difficult for defenders to track and attribute these malicious activities effectively. Traditionally, researchers relied on threat intelligence to track APTs. However, this often led to fragmented information, delays in connecting campaigns with specific threat groups, and misattribution. In response to these challenges, we introduce ADAPT, a ma- chine learning-based approach for automatically attributing APTs at two levels: (1) the threat campaign level, to identify samples with similar objectives and (2) the threat group level, to identify samples operated by the same entity. ADAPT supports a variety of heterogeneous file types targeting different platforms, includ- ing executables and documents, and uses linking features to find connections between them. We evaluate ADAPT on a reference dataset from MITRE as well as a comprehensive, label-standardized dataset of 6,134 APT samples belonging to 92 threat groups. Using real-world case studies, we demonstrate that ADAPT effectively identifies clusters representing threat campaigns and associates them with their respective groups.
  • Are You Sure You Want To Do Coordinated Vulnerability Disclosure?
    Chen, T.-H., Tagliaro, C., Lindorfer, M., Borgolte, K., & van der Ham-de Vos, J. (2024). Are You Sure You Want To Do Coordinated Vulnerability Disclosure? In 2024 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW) (pp. 307–314).
    DOI: 10.1109/EuroSPW61312.2024.00039 Metadata
    Abstract
    The rising numbers of vulnerabilities and security issues stemming from the rapid iteration and development of the Internet of Things (IoT) have introduced new challenges for the involved stakeholders to mitigate them in time. To effectively bring researchers, vendors, and end-users together to address such problems, Coordinated Vulnerability Disclosure (CVD) has become standard practice. Although general CVD procedures for practitioners to follow exist, adapting them to the specific circumstances has proven to be complicated in practice. In this paper, we document our experience of reporting various security vulnerabilities for 15,820 IoT backends. The discovery and scanning have been part of a separate research project, in this contribution we focus on the disclosure to the backends' operators in a large-scale coordinated vulnerability disclosure effort, following the latest disclosure guidelines. We discuss what we have learned to inform others who want to engage in large-scale CVD, we compare the steps and tradeoffs of our effort with current CVD suggestions, based on our measurement before and after the disclosure, and we describe how adapting our approach can improve CVD best practices.
  • ART-assisted App Diffing: Defeating Dalvik Bytecode Shrinking, Obfuscation, and Optimization with Android's OAT Compiler
    Bleier, J., & Lindorfer, M. (2022, May 23). ART-assisted App Diffing: Defeating Dalvik Bytecode Shrinking, Obfuscation, and Optimization with Android’s OAT Compiler [Poster Presentation]. 43rd IEEE Symposium on Security and Privacy, San Francisco, United States of America (the).
    Metadata
    Abstract
    Android aims to provide a secure and feature-rich, yet resource-saving platform for its applications (apps). To achieve these goals, the compilation to distributable packages shrinks, obfuscates, and optimizes the code by default. As an additional optimization, the Android Runtime (ART) nowadays compiles the app’s bytecode to native code on the device instead of executing it in the Dalvik VM. We study the effects of these changes in the Android build and runtime environment on the problem of calculating app similarity. We compare existing bytecode-based tools to our novel approach of using the recompiled (and optimized) binary form. We propose OATMEAL, an extensible framework to generate reliable ground truth for evaluating app similarity approaches and provide a benchmark dataset to the community. We built this dataset from open-source apps available on F-Droid in various configurations that optimize and obfuscate the bytecode. Using this dataset, we show the limitations of existing Android-specific bytecode analysis approaches when faced with the new optimizing R8 bytecode compiler. We further demonstrate how well BinDiff, a state-of-the-art binary-based alternative, works in scoring the similarity of apps. With OATMEAL, we provide the foundation for integrating and benchmarking further approaches, both for calculating the similarity between apps (based on bytecode or binary code), and for evaluating their robustness to evolving optimization and obfuscation techniques.
  • C2Miner: Tricking IoT Malware into Revealing Live Command & Control Servers
    Davanian, A., Faloutsos, M., & Lindorfer, M. (2024). C2Miner: Tricking IoT Malware into Revealing Live Command & Control Servers. In ASIA CCS ’24: Proceedings of the 19th ACM Asia Conference on Computer and Communications Security (pp. 112–127).
    DOI: 10.1145/3634737.3644992 Metadata
    Abstract
    How can we identify live Command & Control (C2) servers for a given IoT malware binary? An effective solution to this problem constitutes a significant capability towards detecting and containing botnets. This task is not trivial because C2 servers are short-lived, and they use sophisticated and proprietary communication protocols. We propose C2Miner, a novel approach to trick IoT malware binaries into revealing their currently live C2 servers. Our approach weaponizes old disposable IoT malware binaries and uses them to probe active servers. We provide novel solutions to overcome the following challenges: (a) disambiguating the C2-bound traffic generated by the malware and (b) determining if a target IP:port is indeed a C2 server as opposed to a benign server. In our evaluation, based on 3M distinct exploration attempts over 150K distinct IP addresses, we show that we can identify C2 servers within a given IP:port space with an F1 score of 86%. In addition, we show how our approach can be used in practice and at scale. Conducting a large-scale probing campaign has scalability issues given that the number of probes is proportional to the IP addresses, the number of ports, and the number of binaries from distinct families which we want to explore. To address this challenge, we propose a grammar-based method to fingerprint and cluster C2 communications which, among other applications, allows us to select malware binaries for weaponization efficiently. Additionally, we use spatio-temporal features of C2 servers to narrow down our search in the entire IP space. An optimistic observation from our study is that using only 2 (more than 6 months) old IoT malware binaries, we scan 18K IP:port pairs daily for 6 days and find 6 new live C2 servers.
  • Comparing Apples to Androids: Discovery, Retrieval, and Matching of iOS and Android Apps for Cross-Platform Analyses
    Steinböck, M., Bleier, J., Rainer, M., Urban, T., Utz, C., & Lindorfer, M. (2024). Comparing Apples to Androids: Discovery, Retrieval, and Matching of iOS and Android Apps for Cross-Platform Analyses. In MSR ’24: Proceedings of the 21st International Conference on Mining Software Repositories (pp. 348–360).
    DOI: 10.1145/3643991.3644896 Metadata
    Abstract
    For years, researchers have been analyzing mobile Android apps to investigate diverse properties such as software engineering practices, business models, security, privacy, or usability, as well as differences between marketplaces. While similar studies on iOS have been limited, recent work has started to analyze and compare Android apps with those for iOS. To obtain the most representative analysis results across platforms, the ideal approach is to compare their characteristics and behavior for the same set of apps, e. g., to study a set of apps for iOS and their respective counterparts for Android. Previous work has only attempted to identify and evaluate such cross-platform apps to a limited degree, mostly comparing sets of apps independently drawn from app stores, manually matching small sets of apps, or relying on brittle matches based on app and developer names. This results in (1) comparing apps whose behavior and properties significantly differ, (2) limited scalability, and (3) the risk of matching only a small fraction of apps. In this work, we propose a novel approach to create an extensive dataset of cross-platform apps for the iOS and Android ecosystems. We describe an analysis pipeline for discovering, retrieving, and matching apps from the Apple App Store and Google Play Store that we used to create a set of 3,322 cross-platform apps out of 10,000 popular apps for iOS and Android, respectively. We evaluate existing and new approaches for cross-platform app matching against a set of reference pairs that we obtained from Google's data migration service. We identify a combination of seven features from app store metadata and the apps themselves to match iOS and Android apps with high confidence (95.82 %). Compared to previous attempts that identified 14 % of apps as cross-platform, we are able to match 34 % of apps in our dataset. To foster future research in the cross-platform analysis of mobile apps, we make our pipeline available to the community.
  • Comparing User Perceptions of Anti-Stalkerware Apps with the Technical Reality
    Fassl, M., Anell, S., Houy, S., Lindorfer, M., & Krombholz, K. (2022). Comparing User Perceptions of Anti-Stalkerware Apps with the Technical Reality. In Proceedings of the Eighteenth Symposium on Usable Privacy and Security (SOUPS 2022) (pp. 135–154). USENIX Association.
    DOI: 10.34726/3902 Metadata
    Abstract
    Every year an increasing number of users face stalkerware on their phones. Many of them are victims of intimate partner surveillance (IPS) who are unsure how to identify or remove stalkerware from their phones. An intuitive approach would be to choose anti-stalkerware from the app store. However, a mismatch between user expectations and the technical capabilities can produce an illusion of security and risk compensation behavior (i.e., the Peltzmann effect). We compare users’ perceptions of anti-stalkerware with the technical reality. First, we applied thematic analysis to app reviews to analyze user perceptions. Then, we performed a cognitive walkthrough of two prominent anti-stalkerware apps available on the Google Play Store and reverse-engineered them to understand their detection features. Our results suggest that users base their trust on the look and feel of the app, the number and type of alerts, and the apps’ affordances. We also found that app capabilities do not correspond to the users’ perceptions and expectations, impacting their practical effectiveness. We discuss different stakeholders’ options to remedy these challenges and better align user perceptions with the technical reality.
  • Connecting the .dotfiles: Checked-In Secret Exposure with Extra (Lateral Movement) Steps
    Jungwirth, G., Saha, A., Schröder, M., Fiebig, T., Lindorfer, M., & Cito, J. (2023). Connecting the .dotfiles: Checked-In Secret Exposure with Extra (Lateral Movement) Steps. In IEEE/ACM 20th International Conference on Mining Software Repositories (MSR) (pp. 322–333).
    DOI: 10.1109/MSR59073.2023.00051 Metadata
    Abstract
    Personal software configurations, known as dotfiles, are increasingly being shared in public repositories. To understand the security and privacy implications of this phenomenon, we conducted a large-scale analysis of dotfiles repositories on GitHub. Furthermore, we surveyed repository owners to understand their motivations for sharing dotfiles, and their awareness of the security implications. Our mixed-method approach consisted of two parts: (1) We mined 124,230 public dotfiles repositories and inductively searched them for security and privacy flaws. (2) We then conducted a survey of repository owners (n=1,650) to disclose our findings and learn more about the problems and implications. We found that 73.6 % of repositories leak potentially sensitive information, most commonly email addresses (of which we found 1.2 million), but also RSA private keys, API keys, installed software versions, browsing history, and even mail client inboxes. In addition, we found that sharing is mainly ideological (an end in itself) and to show off ("ricing"), in addition to easing machine setup. Most users are confident about the contents of their files and claim to understand the security implications. In response to our disclosures, a small minority (2.2%) will make their repositories private or delete them, but the majority of respondents will continue sharing their dotfiles after taking appropriate actions. Dotfiles repositories are a great tool for developers to share knowledge and communicate - if done correctly. We provide recommendations for users and platforms to make them more secure. Specifically, tools should be used to manage dotfiles. In addition, platforms should work on more sophisticated tests, to find weaknesses automatically and inform the users or control the damage.
  • I Still Know What You Watched Last Sunday: Privacy of the HbbTV Protocol in the European Smart TV Landscape
    Tagliaro, C., Hahn, F., Sepe, R., Aceti, A., & Lindorfer, M. (2023). I Still Know What You Watched Last Sunday: Privacy of the HbbTV Protocol in the European Smart TV Landscape. In Proceedings Network and Distributed System Security (NDSS) Symposium 2023. 30th Annual Network and Distributed System Security Symposium (NDSS) 2023, San Diego, United States of America (the).
    DOI: 10.14722/ndss.2023.24102 Metadata
    Abstract
    The ever-increasing popularity of Smart TVs and support for the Hybrid Broadcast Broadband TV (HbbTV) standard allow broadcasters to enrich content offered to users via the standard broadcast signal with Internet-delivered apps, e.g., ranging from quizzes during a TV show to targeted advertisement. HbbTV works using standard web technologies as transparent overlays over a TV channel. Despite the number of HbbTV-enabled devices rapidly growing, studies on the protocol’s security and privacy aspects are scarce, and no standard protective measure is in place. We fill this gap by investigating the current state of HbbTV in the European landscape and assessing its implications for users’ privacy. We shift the focus from the Smart TV’s firmware and app security, already studied in-depth in related work, to the content transmission protocol itself. Contrary to traditional “linear TV” signals, HbbTV allows for bi-directional communication: in addition to receiving TV content, it also allows for transmitting data back to the broadcaster. We describe techniques broadcasters use to measure users’ (viewing) preferences and show how the protocol’s implementation can cause severe privacy risks by studying its deployment by 36 TV channels in five European countries (Italy, Germany, France, Austria, and Finland). We also survey users’ awareness of Smart TV and HbbTV-related risks. Our results show little understanding of the possible threats users are exposed to. Finally, we present a denylist-based mechanism to ensure a safe experience for users when watching TV and to reduce the privacy issues that HbbTV may pose.
  • Investigating HbbTV Privacy Invasiveness Across European Countries
    Tagliaro, C., Hahn, F., Sepe, R., Aceti, A., & Lindorfer, M. (2023). Investigating HbbTV Privacy Invasiveness Across European Countries. In Learning from Authoritative Security Experiment Results (LASER) 2023. Workshop on Learning from Authoritative Security Experiment Results (LASER 2023), San Diego, United States of America (the).
    DOI: 10.14722/laser-ndss.2023.24102 Metadata
    Abstract
    Smart TVs enable the integration of the traditional broadcast signal with services offered by the Internet. Specifically, the Hybrid Broadcast Broadband TV (HbbTV) protocol allows broadcasters to offer consumers additional features via the Internet (e.g., quizzes and the ability to restart programs), enriching their viewing experience. For broadcasters its bi-directional nature also enables them to measure viewing preferences and provide targeted advertisements (marketed as “Addressable TV”). HbbTV works using standard web technologies as transparent overlays over a TV channel, thus, porting web security and privacy concerns to the Smart TV. However, despite the increasing adoption of HbbTV worldwide, studies on security and privacy issues in its deployments are scarce. In this paper, we discuss how we tested a range of 36 channels across five European countries and which challenges we faced; Specifically, every country adopts different ways of delivering the broadcast signal to the TVs. Thus, we provide a common experiment setup and detailed instructions on how we assess the TV channels’ privacy level in each country. We also show how the URLs pointing to the HbbTV applications we extracted can foster further replicability and studies. Finally, to complement our technical experiments we also measured Italian users’ awareness (N=174) of the security and privacy risks HbbTV introduces and we discuss our methodology to do so.
  • IoTFlow: Inferring IoT Device Behavior at Scale through Static Mobile Companion App Analysis
    Schmidt, D., Tagliaro, C., Borgolte, K., & Lindorfer, M. (2023). IoTFlow: Inferring IoT Device Behavior at Scale through Static Mobile Companion App Analysis. In CCS ’23: Proceedings of the ACM SIGSAC Conference on Computer and Communications Security (pp. 681–695). Association for Computing Machinery.
    DOI: 10.1145/3576915.3623211 Metadata
    Abstract
    The number of “smart” devices, that is, devices making up the Internet of Things (IoT), is steadily growing. They suffer from vulnerabilities just as other software and hardware. Automated analysis techniques can detect and address weaknesses before attackers can misuse them. Applying existing techniques or developing new approaches that are sufficiently general is challenging though. Contrary to other platforms, the IoT ecosystem features various software and hardware architectures. We introduce IoTFlow, a new static analysis approach for IoT devices that leverages their mobile companion apps to address the diversity and scalability challenges. IoTFlow combines Value Set Analysis (VSA) with more general data-flow analysis to automatically reconstruct and derive how companion apps communicate with IoT devices and remote cloud-based backends, what data they receive or send, and with whom they share it. To foster future work and reproducibility, our IoTFlow implementation is open source. We analyze 9,889 manually verified companion apps with IoTFlow to understand and characterize the current state of security and privacy in the IoT ecosystem, which also demonstrates the utility of IoTFlow. We compare how these IoT apps differ from 947 popular general-purpose apps in their local network commu- nication, the protocols they use, and who they communicate with. Moreover, we investigate how the results of IoTFlow compare to dynamic analysis, with manual and automated interaction, of 13 IoT devices when paired and used with their companion apps. Overall, utilizing IoTFlow, we discover various IoT security and privacy issues, such as abandoned domains, hard-coded credentials, expired certificates, and sensitive personal information being shared.
  • Large-Scale Security Analysis of Real-World Backend Deployments Speaking IoT-Focused Protocols
    Tagliaro, C., Komsic, M., Continella, A., Borgolte, K., & Lindorfer, M. (2024). Large-Scale Security Analysis of Real-World Backend Deployments Speaking IoT-Focused Protocols. In RAID ’24: Proceedings of the 27th International Symposium on Research in Attacks, Intrusions and Defenses (pp. 561–578).
    DOI: 10.1145/3678890.3678899 Metadata
    Abstract
    Internet-of-Things (IoT) devices, ranging from smart home assistants to health devices, are pervasive: Forecasts estimate their number to reach 29 billion by 2030. Understanding the security of their machine-to-machine communication is crucial. Prior work focused on identifying devices’ vulnerabilities or proposed protocol-specific solutions. Instead, we investigate the security of backends speaking IoT protocols, that is, the backbone of the IoT ecosystem. We focus on three real-world protocols for our large-scale analysis: MQTT, CoAP, and XMPP. We gather a dataset of over 337,000 backends, augment it with geographical and provider data, and perform non-invasive active measurements to investigate three major security threats: information leakage, weak authentication, and denial of service. Our results provide quantitative evidence of a problematic immaturity in the IoT ecosystem. Among other issues, we find that 9.44% backends expose information, 30.38% CoAP-speaking backends are vulnerable to denial of service attacks, and 99.84% of MQTT- and XMPP-speaking backends use insecure transport protocols (only 0.16% adopt TLS, of which 70.93% adopt a vulnerable version).
  • Mixed Signals: Analyzing Software Attribution Challenges in the Android Ecosystem
    Hageman, K., Feal, A., Gamba, J., Girish, A., Bleier, J., Lindorfer, M., Tapiador, J., & Vallina-Rodriguez, N. (2023). Mixed Signals: Analyzing Software Attribution Challenges in the Android Ecosystem. IEEE Transactions on Software Engineering, 49(4), 2964–2979.
    DOI: 10.34726/5296 Metadata
    Abstract
    The ability to identify the author responsible for a given software object is critical for many research studies and for enhancing software transparency and accountability. However, as opposed to other application markets like Apple's iOS App Store, attribution in the Android ecosystem is known to be hard. Prior research has leveraged market metadata and signing certificates to identify software authors without questioning the validity and accuracy of these attribution signals. However, Android application (app) authors can, either intentionally or by mistake, hide their true identity due to: (1) the lack of policy enforcement by markets to ensure the accuracy and correctness of the information disclosed by developers in their market profiles during the app release process, and (2) the use of self-signed certificates for signing apps instead of certificates issued by trusted CAs. In this paper, we perform the first empirical analysis of the availability, volatility and overall aptness of publicly available market and app metadata for author attribution in Android markets. To that end, we analyze a dataset of over 2.5 million market entries and apps extracted from five Android markets for over two years. Our results show that widely used attribution signals are often missing from market profiles and that they change over time. We also invalidate the general belief about the validity of signing certificates for author attribution. For instance, we find that apps from different authors share signing certificates due to the proliferation of app building frameworks and software factories. Finally, we introduce the concept of an attribution graph and we apply it to evaluate the validity of existing attribution signals on the Google Play Store. Our results confirm that the lack of control over publicly available signals can confuse automatic attribution processes.
  • No Spring Chicken: Quantifying the Lifespan of Exploits in IoT Malware Using Static and Dynamic Analysis
    Al Alsadi, A. A., Sameshima, K., Bleier, J., Yoshioka, K., Lindorfer, M., van Eeten, M., & Hernández Gañán, C. (2022). No Spring Chicken: Quantifying the Lifespan of Exploits in IoT Malware Using Static and Dynamic Analysis. In Yuji Suga, Kouichi Sakurai, Xuhua Ding, & Kazue Sako (Eds.), ASIA CCS ’22: Proceedings of the 2022 ACM on Asia Conference on Computer and Communications Security (pp. 309–321). Association for Computing Machinery.
    DOI: 10.1145/3488932.3517408 Metadata
    Abstract
    The Internet of things (IoT) is composed by a wide variety of software and hardware components that inherently contain vulnerabilities. Previous research has shown that it takes only a few minutes from the moment an IoT device is connected to the Internet to the first infection attempts. Still, we know little about the evolution of exploit vectors: Which vulnerabilities are being targeted in the wild, how has the functionality changed over time, and for how long are vulnerabilities being targeted? Understanding these questions can help in the secure development, and deployment of IoT networks. We present the first longitudinal study of IoT malware exploits by analyzing 17,720 samples collected from three different sources from 2015 to 2020. Leveraging static and dynamic analysis, we extract exploits from these binaries to then analyze them along the following four dimensions: (1) evolution of infection vectors over the years, (2) exploit lifespan, vulnerability age, and the time-to-exploit of vulnerabilities, (3) functionality of exploits, and (4) targeted IoT devices and manufacturers. Our descriptive analysis uncovers several patterns: IoT malware keeps evolving, shifting from simply leveraging brute force attacks to including dozens of device-specific exploits. Once exploits are developed, they are rarely abandoned. The most recent binaries still target (very) old vulnerabilities. In some cases, new exploits are developed for a vulnerability that has been known for years. We find that the mean time-to-exploit after vulnerability disclosure is around 29 months, much longer than for malware targeting other environments.
  • Not that Simple: Email Delivery in the 21st Century
    Holzbauer, F., Ullrich, J., Lindorfer, M., & Fiebig, T. (2022). Not that Simple: Email Delivery in the 21st Century. In Proceedings of the 2022 USENIX Annual Technical Conference (pp. 295–308). USENIX Association.
    DOI: 10.34726/4024 Metadata
    Abstract
    Over the past two decades, the number of RFCs related to email and its security has exploded from below 100 to nearly 500. This embedded the Simple Mail Transfer Protocol (SMTP) into a tree of interdependent and delivery-relevant standards. In this paper, we investigate how far real-world deployments keep up with this increasing complexity of delivery- and security options. To gain an in-depth picture of email delivery apart from the giants in the ecosystem (Gmail, Outlook, etc.), we engage people to send emails to eleven differently configured target domains. Our measurements allow us to evaluate core aspects of email delivery, including security features, DNS configuration, and IP version support on the sending side across different types of providers. We find that novel technologies are often insufficiently supported, even by large providers. For example, while 65.4% of email providers can resolve hosts via IPv6, only 44.3% can also deliver emails via IPv6. Concerning security features, we observe that less than half (41.5%) of all providers rely on DNSSEC validating resolvers, and encryption is mostly opportunistic, with 89.7% of providers accepting invalid certificates. TLSA, as a DNS-based certificate verification method, is only used by 31.7% of the providers in our study. Finally, we turned our eye to the impact modern standards have on unsolicited bulk email (SPAM). We found that greylisting is effective, reducing the SPAM volume by roughly half while not impacting regular delivery. However, and interestingly, SPAM delivery currently seems to focus on plaintext IPv4 connections, making IPv6-only, TLS-enforcing inbound email servers a more effective anti-SPAM measure—even though it also means rejecting a major portion of legitimate emails.
  • Not Your Average App: A Large-scale Privacy Analysis of Android Browsers
    Pradeep, A., Feal, Á., Gamba, J., Rao, A., Lindorfer, M., Vallina-Rodriguez, N., & Choffnes, D. (2023). Not Your Average App: A Large-scale Privacy Analysis of Android Browsers. In M. L. Mazurek & M. Sherr (Eds.), Proceedings on Privacy Enhancing Technologies Symposium 2023 (pp. 29–46).
    DOI: 10.56553/popets-2023-0003 Metadata
    Abstract
    The privacy-related behavior of mobile browsers has remained widely unexplored by the research community. In fact, as opposed to regular Android apps, mobile browsers may present contradicting privacy behaviors. On the one hand, they can have access to (and can expose) a unique combination of sensitive user data, from users’ browsing history to permission-protected personally identifiable information (PII) such as unique identifiers and geolocation. On the other hand, they are in a unique position to protect users’ privacy by limiting data sharing with other parties by implementing ad- blocking features. In this paper, we perform a comparative and empirical analysis on how hundreds of Android web browsers protect or expose user data during browsing sessions. To this end, we collect the largest dataset of Android browsers to date, from the Google Play Store and four Chinese app stores. Then, we develop a novel analysis pipeline that combines static and dynamic analysis methods to find a wide range of privacy-enhancing (e.g., ad-blocking) and privacy-harming behaviors (e.g., sending browsing histories to third parties, not validating TLS certificates, and exposing PII—including non-resettable identifiers—to third parties) across browsers. We find that various popular apps on both Google Play and Chinese stores have these privacy-harming behaviors, including apps that claim to be privacy-enhancing in their descriptions. Overall, our study not only provides new insights into important yet overlooked considerations for browsers’ adoption and transparency, but also that automatic app analysis systems (e.g., sandboxes) need context-specific analysis to reveal such privacy behaviors.
  • Of Ahead Time: Evaluating Disassembly of Android Apps Compiled to Binary OATs Through the ART
    Bleier, J., & Lindorfer, M. (2023). Of Ahead Time: Evaluating Disassembly of Android Apps Compiled to Binary OATs Through the ART. In J. Polakis & E. van der Kouwe (Eds.), EUROSEC ’23: Proceedings of the 16th European Workshop on System Security (pp. 21–29).
    DOI: 10.1145/3578357.3591219 Metadata
    Abstract
    The Android operating system has evolved significantly since its initial release in 2008. Most importantly, in a continuing effort to increase the run-time performance of mobile applications (apps) and to reduce resource requirements, the way code is executed has transformed from being bytecode-based to a binary-based approach: Apps are still mainly distributed as Dalvik bytecode, but the Android Runtime (ART) uses an optimizing compiler to create binary code ahead-of-time (AOT), just-in-time (JIT), or as a combination of both. These changes in the build pipeline, including increasing obfuscation and optimization of the Dalvik bytecode, invalidate assumptions of bytecode-based static code analysis approaches through identifier renaming and code shrinking. Furthermore, customized apps can be distributed pre-compiled with devices’ firmware, sidestepping the bytecode altogether. Finally, Android apps have always relied on native binary code libraries for performance-critical tasks. We propose to narrow the gap between bytecode and binary code by leveraging the ART compiler’s capability to create well-formed ELF binaries, called OATs, as the basis for further static code analysis. To this end, we created a pipeline to automatically and efficiently compile APKs to OATs into a benchmark dataset of 1,339 apps. We then evaluate five popular disassemblers based on how well they can analyze these OATs based on how well they can detect function boundaries. Our results, in particular, compared to the success rate of two bytecode-based analyzers, demonstrate that our OAT-based approach can help to bring a wider set of code analysis tools and techniques to the area of Android app analysis.
  • Tabbed Out: Subverting the Android Custom Tab Security Model
    Beer, P., Squarcina, M., Veronese, L., & Lindorfer, M. (2024). Tabbed Out: Subverting the Android Custom Tab Security Model. In 2024 IEEE Symposium on Security and Privacy (SP) (pp. 4591–4609).
    DOI: 10.1109/SP54263.2024.00105 Metadata
    Abstract
    Mobile operating systems provide developers with various mobile-to-Web bridges to display Web pages inside native applications. A recently introduced component called Custom Tab (CT) provides an outstanding feature to overcome the usability limitations of traditional WebViews: it shares the state with the underlying browser. Similar to traditional WebViews, it can also keep the host application informed about ongoing Web navigations. In this paper, we perform the first systematic security evaluation of the CT component and show how the design of its security model did not consider cross- context state inference attacks when the feature was introduced. Additionally, we show how CTs can be exploited for fine-grained exfiltration of sensitive user browsing data, violation of Web session integrity by circumventing SameSite cookies, and how UI customization of the CT component can lead to phishing and information leakage. To assess the prevalence of CTs in the wild and the practicality of the mitigation strategies we propose, we carry out the first large-scale analysis of CT usage on over 50K Android applications. Our analysis reveals that their usage is widespread, with 83% of applications embedding CTs either directly or as part of a library. We have responsibly disclosed all our findings to Google, which has already taken steps to apply targeted mitigations, assigned three CVEs for the discovered vulnerabilities, and awarded us $10,000 in bounties. Our interaction with Google led to clarifications of the CT security model in the new Chrome Custom Tabs Security FAQ document.
  • Tarnhelm: Isolated, Transparent & Confidential Execution of Arbitrary Code in ARM's TrustZone
    Quarta, D., Ianni, M., Machiry, A., Fratantonio, Y., Gustafson, E., Balzarotti, D., Lindorfer, M., Vigna, G., & Kruegel, C. (2021). Tarnhelm: Isolated, Transparent & Confidential Execution of Arbitrary Code in ARM’s TrustZone. In Proceedings of the 2021 Research on offensive and defensive techniques in the Context of Man At The End (MATE) Attacks. ACM, Austria. ACM.
    DOI: 10.1145/3465413.3488571 Metadata ⯈Fulltext (preprint)
    Abstract
    Protecting the confidentiality of applications on commodity operating systems, both on desktop and mobile devices, is challenging: attackers have unrestricted control over an application´s processes and thus direct access to any of the application´s assets. However, the application´s code itself can be of great commercial value, for example in the case of proprietary code or additional functionality obtained as downloadable content and via in-app purchases, which are widely used to monetize free applications through premium content. Developers still rely heavily on obfuscation to protect their own code from unauthorized tampering or copying, providing an obstacle for an attacker, but not preventing compromise. In this paper, we present Tarnhelm, an approach to offer a practical and transparent primitive to implement code confidentiality by extending ARM´s TrustZone, a TEE that so far provides limited functionality to application developers. Tarnhelm allows develop- ers to easily designate part of their code as confidential through source code annotations. At compile time, Tarnhelm automatically partitions the application into regular application code, executed in the "normal world," and the invisible code, transparently executed in the "secure world." Tarnhelm tightly couples and secures the execution in both worlds without exposing any additional attack surface by combining a number of different techniques, such as secure code loading, system call forwarding, transparent world switching, and the enforcement of inter-world control-flow integrity. We implemented a proof of concept of Tarnhelm and demonstrate its feasibility in a mobile computing setting.

CoRaF

A Composable Rational Framework for Blockchain Systems

2022 – 2025 •  Austrian Science Fund (FWF)  •  PI Georgia Avarikioti
Abstract

Bitcoin marked the beginning of a new era in digital finance; the data structure known as the blockchain enabled financial transactions to be executed in a secure decentralized manner, therefore revolutionizing the financial landscape. Blockchains naturally form environments where the participants act for profit (i.e., participants are rational). Nevertheless, current works typically analyze the security of blockchain protocols in the traditional setting where some of the participants are malicious and the rest are honest as there is no general framework to analyze blockchains from a rational perspective. Furthermore, blockchain systems are complex and consist of several components that handle different performance aspects, such as the network layer or Layer 0, the consensus layer or Layer 1, and the off-chain network or Layer 2. All these layers interact with each other and the security of each layer depends on the security of its substrate layer and vice versa. Therefore, the composition of protocols in the blockchain setting is vital for the security guarantees and the correct operation of cryptocurrencies. The goal of this project is to introduce a composable framework for the security analysis of blockchain protocols under a hybrid model of both rational and malicious participants. This is a significant yet currently missing tool with impact across multiple disciplines such as computer science and economics.

Browsec

Foundations and Tools for Client-Side Web Security

2018 – 2024 •  European Research Council (ERC)  •  PI Matteo Maffei
Abstract

The constantly increasing number of attacks on web applications shows how their rapid development has not been accompanied by adequate security foundations and demonstrates the lack of solid security enforcement tools. Indeed, web applications expose a gigantic attack surface, which hinders a rigorous understanding and enforcement of security properties. Hence, despite the worthwhile efforts to design secure web applications, users for a while will be confronted with vulnerable, or maliciously crafted, code. Unfortunately, end users have no way at present to reliably protect themselves from malicious applications. BROWSEC will develop a holistic approach to client-side web security, laying its theoretical foundations and developing innovative security enforcement technologies. In particular, BROWSEC will deliver the first client-side tool to secure web applications that is practical, in that it is implemented as an efficient and easily deployable browser extension, and also provably sound, i.e., backed up by machine-checked proofs that the tool provides end users with the required security guarantees. At the core of the proposal lies a novel monitoring technique, which treats the browser as a blackbox and intercepts its inputs and outputs in order to prevent dangerous information flows. With this lightweight monitoring approach, we aim at enforcing strong security properties without requiring any expensive and, given the dynamic nature of web applications, statically infeasible program analysis.

BROWSEC is thus a multidisciplinary research effort, promising practical impact and delivering breakthrough advancements in various disciplines, such as web security, JavaScript semantics, software engineering, and program verification.

Partners
  • Wolfgang Pauli Institute, Wien, Austria
Publications
  • Blitz: Secure Multi-Hop Payments Without Two-Phase Commits
    Aumayr, L., Moreno-Sanchez, P., Kate, A., & Maffei, M. (2022, August 31). Blitz: Secure Multi-Hop Payments Without Two-Phase Commits [Conference Presentation]. The Science of Blockchain Conference 2022, Stanford, United States of America (the).
    Metadata
  • Breaking and Fixing Virtual Channels: Domino Attack and Donner
    Aumayr, L., Moreno-Sanchez, P., Kate, A., & Maffei, M. (2023). Breaking and Fixing Virtual Channels: Domino Attack and Donner. In Proceedings Network and Distributed System Security Symposium 2023. 30th Annual Network and Distributed System Security Symposium (NDSS) 2023, San Diego, United States of America (the).
    DOI: 10.14722/ndss.2023.24370 Metadata
    Abstract
    Payment channel networks (PCNs) mitigate the scalability issues of current decentralized cryptocurrencies. They allow for arbitrarily many payments between users connected through a path of intermediate payment channels, while requiring interacting with the blockchain only to open and close the channels. Unfortunately, PCNs are (i) tailored to payments, excluding more complex smart contract functionalities, such as the oracle-enabling Discreet Log Contracts and (ii) their need for active participation from intermediaries may make payments unreliable, slower, expensive, and privacy-invasive. Virtual channels are among the most promising techniques to mitigate these issues, allowing two endpoints of a path to create a direct channel over the intermediaries without any interaction with the blockchain. After such a virtual channel is constructed, (i) the endpoints can use this direct channel for applications other than payments and (ii) the intermediaries are no longer involved in updates. In this work, we first introduce the Domino attack, a new DoS/griefing style attack that leverages virtual channels to destruct the PCN itself and is inherent to the design adopted by the existing Bitcoin-compatible virtual channels. We then demonstrate its severity by a quantitative analysis on a snapshot of the Lightning Network (LN), the most widely deployed PCN at present. We finally discuss other serious drawbacks of existing virtual channel designs, such as the support for only a single intermediary, a latency and blockchain overhead linear in the path length, or a non-constant storage overhead per user. We then present Donner, the first virtual channel construction that overcomes the shortcomings above, by relying on a novel design paradigm. We formally define and prove security and privacy properties in the Universal Composability framework. Our evaluation shows that Donner is efficient, reduces the on-chain number of transactions for disputes from linear in the path length to a single one, which is the key to prevent Domino attacks, and reduces the storage overhead from logarithmic in the path length to constant. Donner is Bitcoin-compatible and can be easily integrated in the LN.
  • Breaking and Fixing Virtual Channels: Domino Attack and Donner
    Aumayr, L., Moreno-Sanchez, P., Kate, A., & Maffei, M. (2023, September 6). Breaking and Fixing Virtual Channels: Domino Attack and Donner [Presentation]. VISA Research - external research talks, Palo Alto, United States of America (the).
    Metadata
  • Chrisimos: A useful Proof-of-Work for finding Minimal Dominating Set of a graph
    Chatterjee, D., Banerjee, P., & Mazumdar, S. (2023). Chrisimos: A useful Proof-of-Work for finding Minimal Dominating Set of a graph. arXiv.
    DOI: 10.34726/5301 Metadata
    Abstract
    Hash-based Proof-of-Work (PoW) used in the Bitcoin Blockchain leads to high energy consumption and resource wastage. In this paper, we aim to re-purpose the energy by replacing the hash function with real-life problems having commercial utility. We propose Chrisimos, a useful Proof-of-Work where miners are required to find a minimal dominating set for real-life graph instances. A miner who is able to output the smallest dominating set for the given graph within the block interval time wins the mining game. We also propose a new chain selection rule that ensures the security of the scheme. Thus our protocol also realizes a decentralized minimal dominating set solver for any graph instance. We provide formal proof of correctness and show via experimental results that the block interval time is within feasible bounds of hash-based PoW.
  • Cookie Crumbles: Breaking and Fixing Web Session Integrity
    Squarcina, M., Adão, P., Lorenzo Veronese, & Matteo Maffei. (2023). Cookie Crumbles: Breaking and Fixing Web Session Integrity. In J. Calandrino & C. Troncoso (Eds.), SEC ’23: Proceedings of the 32nd USENIX Conference on Security Symposium (pp. 5539–5556). USENIX Association.
    DOI: 10.34726/5329 Metadata
    Abstract
    Cookies have a long history of vulnerabilities targeting their confidentiality and integrity. To address these issues, new mechanisms have been proposed and implemented in browsers and server-side applications. Notably, improvements to the Secure attribute and cookie prefixes aim to strengthen cookie integrity against network and same-site attackers, whereas SameSite cookies have been touted as the solution to CSRF. On the server, token-based protections are considered an effective defense for CSRF in the synchronizer token pattern variant. In this paper, we question the effectiveness of these protections and study the real-world security implications of cookie integrity issues, showing how security mechanisms previously considered robust can be bypassed, exposing Web applications to session integrity attacks such as session fixation and cross-origin request forgery (CORF). These flaws are not only implementation-specific bugs but are also caused by compositionality issues of security mechanisms or vulnerabilities in the standard. Our research contributed to 12 CVEs, 27 vulnerability disclosures, and updates to the cookie standard. It comprises (i) a thorough cross-browser evaluation of cookie integrity issues, that results in new attacks originating from implementation or specification inconsistencies, and (ii) a security analysis of the top 13 Web frameworks, exposing session integrity vulnerabilities in 9 of them. We discuss our responsible disclosure and propose practical mitigations.
  • CryptoVampire: Automated Reasoning for the Complete Symbolic Attacker Cryptographic Model
    Jeanteur, S., Kovács, L., Maffei, M., & Rawson, M. (2024). CryptoVampire: Automated Reasoning for the Complete Symbolic Attacker Cryptographic Model. In 2024 IEEE Symposium on Security and Privacy (SP) (pp. 3165–3183). IEEE.
    DOI: 10.1109/SP54263.2024.00246 Metadata
    Abstract
    Cryptographic protocols are hard to design and prove correct, as witnessed by the ever-growing list of attacks even on protocol standards. Symbolic models of cryptography enable automated formal security proofs of such protocols against an idealized cryptographic model, which abstracts away from the algebraic properties of cryptographic schemes and thus misses attacks. Computational models of cryptography yield rigorous guarantees but support at present only interactive proofs and/or restricted classes of protocols (e.g., stateless ones). A promising approach is given by the computationally complete symbolic attacker (CCSA) model, formalized in the BC Logic, which aims at bridging and getting the best of the two worlds, obtaining cryptographic guarantees by symbolic protocol analysis. The BC Logic is supported by a recently developed interactive theorem prover, namely Squirrel, which enables machine-checked interactive security proofs, as opposed to automated ones, thus requiring expert knowledge both in the cryptographic space as well as on the reasoning side.In this paper, we introduce the CryptoVampire cryptographic protocol verifier, which for the first time fully automates proofs of trace properties in the BC Logic. The key technical contribution is a first-order formalization of protocol properties with tailored handling of subterm relations. As such, we overcome the burden of interactive proving in higher-order logic and automatically establish soundness of cryptographic protocols using only first-order reasoning. Our first-order encoding of cryptographic protocols is challenging for various reasons. On the theoretical side, we restrict full first-order logic with cryptographic axioms to ensure that, by losing the expressivity of the higher-order BC Logic, we do not lose soundness of cryptographic protocols in our first-order encoding. On the practical side, CryptoVampire integrates dedicated proof techniques using first-order saturation algorithms and heuristics, which all together enable leveraging the state-of-the-art Vampire first-order automated theorem prover as the underlying proving engine of CryptoVampire. Our experimental results showcase the effectiveness of CryptoVampire as a standalone verifier as well as in terms of automation support for Squirrel.
  • Foundations of Coin Mixing Services
    Glaeser, N., Maffei, M., Malavolta, G., Moreno-Sanchez, P., Tairi, E., & Thyagarajan, S. A. (2022). Foundations of Coin Mixing Services. In CCS ’22: Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security (pp. 1259–1273). Association for Computing Machinery.
    DOI: 10.34726/3601 Metadata
    Abstract
    Coin mixing services allow users to mix their cryptocurrency coins and thus enable unlinkable payments in a way that prevents tracking of honest users' coins by both the service provider and the users themselves. The easy bootstrapping of new users and backwards compatibility with cryptocurrencies (such as Bitcoin) with limited support for scripts are attractive features of this architecture, which has recently gained considerable attention in both academia and industry. A recent work of Tairi et al. [IEEE S&P 2021] formalizes the notion of a coin mixing service and proposes A2L, a new cryptographic protocol that simultaneously achieves high efficiency and interoperability. In this work, we identify a gap in their formal model and substantiate the issue by showing two concrete counterexamples: we show how to construct two encryption schemes that satisfy their definitions but lead to a completely insecure system. To amend this situation, we investigate secure constructions of coin mixing services. First, we develop the notion of blind conditional signatures (BCS), which acts as the cryptographic core for coin mixing services. We propose game-based security definitions for BCS and propose A2L+, a modified version of the protocol by Tairi et al. that satisfies our security definitions. Our analysis is in an idealized model (akin to the algebraic group model) and assumes the hardness of the one-more discrete logarithm problem. Finally, we propose A2L-UC, another construction of BCS that achieves the stronger notion of UC-security (in the standard model), albeit with a significant increase in computation cost. This suggests that constructing a coin mixing service protocol secure under composition requires more complex cryptographic machinery than initially thought.
  • Generalized Channels from Limited Blockchain Scripts and Adaptor Signatures
    Aumayr, L., Oguzhan Ersoy, Erwig, A., Faust, S., Hostáková, K., Maffei, M., Moreno-Sanchez, P., & Riahi, S. (2022, August 30). Generalized Channels from Limited Blockchain Scripts and Adaptor Signatures [Conference Presentation]. The Science of Blockchain Conference 2022, Stanford, United States of America (the).
    Metadata
  • Glimpse: On-Demand PoW Light Client with Constant-Size Storage for DeFi
    Scaffino, G., Aumayr, L., Avarikioti, G., & Maffei, M. (2023). Glimpse: On-Demand PoW Light Client with Constant-Size Storage for DeFi. In Proceedings of the 32nd USENIX Security Symposium (pp. 733–750).
    Metadata
    Abstract
    Cross-chain communication is instrumental in unleashing the full potential of blockchain technologies, as it allows users and developers to exploit the unique design features and the profit opportunities of different existing blockchains. The majority of interoperability solutions are provided by centralized exchanges and bridge protocols based on a trusted majority, both introducing undesirable trust assumptions compared to native blockchain assets. Hence, increasing attention has been given to decentralized solutions: Light and super-light clients paved the way for chain relays, which allow verifying on a blockchain the state of another blockchain by respectively verifying and storing a linear and logarithmic amount of data. Unfortunately, relays turn out to be inefficient in terms of computational costs, storage, or compatibility. We introduce Glimpse, an on-demand bridge that leverages a novel on-demand light client construction with only constant on-chain storage, cost, and computational overhead. Glimpse is expressive, enabling a plethora of DeFi and off-chain applications such as lending, pegs, proofs of oracle attestations, and betting hubs. Glimpse also remains compatible with blockchains featuring a limited scripting language such as the Liquid Network (a pegged sidechain of Bitcoin), for which we present a concrete instantiation. We prove Glimpse security in the Universal Composability (UC) framework and further conduct an economic analysis. We evaluate the cost of Glimpse for Bitcoin-like chains: verifying a simple transaction has at most 700 bytes of on-chain overhead, resulting in a one-time fee of $3, only twice as much as a standard Bitcoin transaction.
  • LightSwap: An Atomic Swap Does Not Require Timeouts At Both Blockchains
    Hoenisch, P., Mazumdar, S., Moreno-Sanchez, P., & Ruj, S. (2022). LightSwap: An Atomic Swap Does Not Require Timeouts At Both Blockchains. Cryptology ePrint Archive.
    DOI: 10.34726/3662 Metadata
    Abstract
    Security and privacy issues with centralized exchange services have motivated the design of atomic swap protocols for decentralized trading across currencies. These protocols follow a standard blueprint similar to the 2-phase commit in databases: (i) both users first lock their coins under a certain (cryptographic) condition and a timeout; (ii-a) the coins are swapped if the condition is fulfilled; or (ii-b) coins are released after the timeout. The quest for these protocols is to minimize the requirements from the scripting language supported by the swapped coins, thereby supporting a larger range of cryptocurrencies. The recently proposed universal atomic swap protocol [IEEE S&P’22] demonstrates how to swap coins whose scripting language only supports the verification of a digital signature on a transaction. However, the timeout functionality is cryptographically simulated with verifiable timelock puzzles, a computationally expensive primitive that hinders its use in battery-constrained devices such as mobile phones. In this state of affairs, we question whether the 2-phase commit paradigm is necessary for atomic swaps in the first place. In other words, is it possible to design a secure atomic swap protocol where the timeout is not used by (at least one of the two) users? In this work, we present LightSwap, the first secure atomic swap protocol that does not require the timeout functionality (not even in the form of a cryptographic puzzle) by one of the two users. LightSwap is thus better suited for scenarios where a user, running an instance of LightSwap on her mobile phone, wants to exchange coins with an online exchange service running an instance of LightSwap on a computer. We show how LightSwap can be used to swap Bitcoin and Monero, an interesting use case since Monero does not provide any scripting functionality support other than linkable ring signature verification.
  • Optimizing Virtual Payment Channel Establishment in the Face of On-Path Adversaries
    Aumayr, L., Ceylan, E., Kopyciok, Y., Maffei, M., Moreno-Sanchez, P., Salem, I., & Schmid, S. (2024). Optimizing Virtual Payment Channel Establishment in the Face of On-Path Adversaries. In Proceedings 2024 IFIP Networking Conference (IFIP Networking) (pp. 1–10).
    DOI: 10.23919/IFIPNetworking62109.2024.10619889 Metadata
    Abstract
    Payment channel networks (PCNs) are among the most promising solutions to the scalability issues in permissionless blockchains, by allowing parties to pay each other off-chain through a path of payment channels (PCs). However, routing transactions comes at a cost which is proportional to the number of intermediaries, since each charges a fee for the routing service. Furthermore, analogous to other networks, malicious intermediaries in the payment path can lead to security and privacy threats. Virtual channels (VCs), i.e., bridges over PC paths, mitigate the above PCN issues, as an intermediary participates only once to set up the VC and is then excluded from every future VC transaction. However, similar to PCs, creating a VC has a cost that must be paid out of the bridged PCs' balance. Currently, we are missing guidelines to where and how many VCs to set up. Ideally, VCs should minimize transaction costs while mitigating security and privacy threats from on-path adversaries. In this work, we address for the first time the VC setup problem, formalizing it as an optimization problem. We present an integer linear program (ILP) to compute the globally optimal VC setup strategy in terms of transaction costs, security, and privacy. We then accompany the computationally heavy ILP with a fast local greedy algorithm. Our model and algorithms can be used with any on-path adversary, given that its strategy can be expressed as a set of corrupted nodes that is estimated by the honest nodes. We conduct an evaluation of the greedy algorithm over a snapshot of the Lightning Network (LN), the largest Bitcoin-based PCN. Our results confirm on real-world data that our greedy strategy minimizes costs while protecting against security and privacy threats of on-path adversaries. These findings may serve the LN community as guidelines for the deployment of VCs.
  • Rigorous Methods for Smart Contracts
    Bjørner, N., Christakis, M., Maffei, M., & Rosu, G. (Eds.). (2022). Rigorous Methods for Smart Contracts (Dagstuhl Seminar 21431). Schloss Dagstuhl – Leibniz-Zentrum für Informatik GmbH, Dagstuhl Publishing.
    DOI: 10.4230/DagRep.11.9.80 Metadata
    Abstract
    This report documents the program and the outcomes of Dagstuhl Seminar 21431 “Rigorous Methods for Smart Contracts”. Blockchain technologies have emerged as an exciting field for both researchers and practitioners focusing on formal guarantees for software. It is arguably a “once in a lifetime” opportunity for rigorous methods to be integrated in audit processes for parties deploying smart contracts, whether for fund raising, securities trading, or supply-chain management. Smart contracts are programs managing cryptocurrency accounts on a blockchain. Research in the area of smart contracts includes a fascinating combination of formal methods, programming-language semantics, and cryptography. First, there is vibrant development of verification and program-analysis techniques that check the correctness of smart-contract code. Second, there are emerging designs of programming languages and methodologies for writing smart contracts such that they are more robust by construction or more amenable to analysis and verification. Programming-language abstraction layers expose low-level cryptographic primitives enabling developers to design high-level cryptographic protocols. Automated-reasoning mechanisms present a common underlying enabler; and the specific needs of the smart-contract world offer new challenges. This workshop brought together stakeholders in the aforementioned areas related to advancing reliable smart-contract technologies.
  • SecWasm: Information Flow Control for WebAssembly
    Bastys, I., Algehed, M., Sjösten, A., & Sabelfeld, A. (2022). SecWasm: Information Flow Control for WebAssembly. In Static Analysis (pp. 74–103). Springer Nature Switzerland AG.
    DOI: 10.1007/978-3-031-22308-2_5 Metadata
    Abstract
    We introduce SecWasm, the first general purpose information-flow control system for WebAssembly (Wasm), thus extending the safety guarantees offered by Wasm with guarantees that applications manipulate sensitive data in a secure way. SecWasm is a hybrid system enforcing termination-insensitive noninterference which overcomes the challenges posed by the uncommon characteristics for machine languages of Wasm in an elegant and thorough way.
  • Sleepy Channels: Bi-directional Payment Channels without Watchtowers
    Aumayr, L., Thyagarajan, S. A., Malavolta, G., Moreno-Sanchez, P., & Maffei, M. (2022). Sleepy Channels: Bi-directional Payment Channels without Watchtowers. In CCS ’22: Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security (pp. 179–192). Association for Computing Machinery.
    DOI: 10.1145/3548606.3559370 Metadata
    Abstract
    Payment channels (PC) are a promising solution to the scalability issue of cryptocurrencies, allowing users to perform the bulk of the transactions off-chain without needing to post everything on the blockchain. Many PC proposals however, suffer from a severe limitation: Both parties need to constantly monitor the blockchain to ensure that the other party did not post an outdated transaction. If this event happens, the honest party needs to react promptly and engage in a punishment procedure. This means that prolonged absence periods (e.g., a power outage) may be exploited by malicious users. As a mitigation, the community has introduced watchtowers, a third-party monitoring the blockchain on behalf of off-line users. Unfortunately, watchtowers are either trusted, which is critical from a security perspective, or they have to lock a certain amount of coins, called collateral, for each monitored PC in order to be held accountable, which is financially infeasible for a large network. We present Sleepy Channels, the first bi-directional PC protocol without watchtowers (or any other third party) that supports an unbounded number of payments and does not require parties to be persistently online. The key idea is to confine the period in which PC updates can be validated on-chain to a short, pre-determined time window, which is when the PC parties have to be online. This behavior is incentivized by letting the parties lock a collateral in the PC, which can be adjusted depending on their mutual trust and which they get back much sooner if they are online during this time window. Our protocol is compatible with any blockchain that is capable of verifying digital signatures (e.g., Bitcoin), as shown by our proof of concept. Moreover, our experimental results show that Sleepy Channels impose a communication and computation overhead similar to state-of-the-art PC protocols while removing watchtower's collateral and fees for the monitoring service.
  • Sleepy Channels: Bi-directional Payment Channels without Watchtowers
    Aumayr, L., Sri AravindaKrishnan Thyagarajan, Giulio Malavolta, Moreno-Sanchez, P., & Maffei, M. (2022, October 31). Sleepy Channels: Bi-directional Payment Channels without Watchtowers [Poster Presentation]. Crypto Economics Security Conference, Berkeley, United States of America (the).
    Metadata
  • Sleepy Channels: Bi-directional Payment Channels without Watchtowers
    Aumayr, L., Sri AravindaKrishnan Thyagarajan, Giulio Malavolta, Moreno-Sanchez, P., & Maffei, M. (2023, February 28). Sleepy Channels: Bi-directional Payment Channels without Watchtowers [Poster Presentation]. Network and Distributed System Security Symposium (NDSS) 2023, United States of America (the).
    Metadata
  • Sleepy Channels: Bitcoin-Compatible Bi-directional Payment Channels without Watchtowers
    Aumayr, L., Sri AravindaKrishnan Thyagarajan, Giulio Malavolta, Moreno-Sanchez, P., & Maffei, M. (2023, August 30). Sleepy Channels: Bitcoin-Compatible Bi-directional Payment Channels without Watchtowers [Conference Presentation]. The Science of Blockchain Conference 2023, Stanford, United States of America (the).
    Metadata
  • Strategic Analysis of Griefing Attack in Lightning Network
    Mazumdar, S., Banerjee, P., Sinha, A., Ruj, S., & Roy, B. (2022). Strategic Analysis of Griefing Attack in Lightning Network. IEEE Transactions on Network and Service Management.
    DOI: 10.34726/3581 Metadata
    Abstract
    Hashed Timelock Contract (HTLC) in Lightning Network is susceptible to a griefing attack. An attacker can block several channels and stall payments by mounting this attack. A state-of-the-art countermeasure, Hashed Timelock Contract with Griefing-Penalty (HTLC-GP) is found to work under the classical assumption of participants being either honest or malicious but fails for rational participants. To address the gap, we introduce a game-theoretic model for analyzing griefing attacks in HTLC. We use this model to analyze griefing attacks in HTLC-GP and conjecture that it is impossible to design an efficient protocol that will penalize a malicious participant with the current Bitcoin scripting system. We study the impact of the penalty on the cost of mounting the attack and observe that HTLC-GP is weakly effective in disincentivizing the attacker in certain conditions. To further increase the cost of attack, we introduce the concept of guaranteed minimum compensation, denoted as ζ, and modify HTLC-GP into HTLC-GPζ. By experimenting on several instances of Lightning Network, we observe that the total coins locked in the network drops to 28% for HTLC-GPζ, unlike in HTLC-GP where total coins locked does not drop below 40%. These results justify that HTLC-GPζ is better than HTLC-GP to counter griefing attacks.
  • Tabbed Out: Subverting the Android Custom Tab Security Model
    Beer, P., Squarcina, M., Veronese, L., & Lindorfer, M. (2024). Tabbed Out: Subverting the Android Custom Tab Security Model. In 2024 IEEE Symposium on Security and Privacy (SP) (pp. 4591–4609).
    DOI: 10.1109/SP54263.2024.00105 Metadata
    Abstract
    Mobile operating systems provide developers with various mobile-to-Web bridges to display Web pages inside native applications. A recently introduced component called Custom Tab (CT) provides an outstanding feature to overcome the usability limitations of traditional WebViews: it shares the state with the underlying browser. Similar to traditional WebViews, it can also keep the host application informed about ongoing Web navigations. In this paper, we perform the first systematic security evaluation of the CT component and show how the design of its security model did not consider cross- context state inference attacks when the feature was introduced. Additionally, we show how CTs can be exploited for fine-grained exfiltration of sensitive user browsing data, violation of Web session integrity by circumventing SameSite cookies, and how UI customization of the CT component can lead to phishing and information leakage. To assess the prevalence of CTs in the wild and the practicality of the mitigation strategies we propose, we carry out the first large-scale analysis of CT usage on over 50K Android applications. Our analysis reveals that their usage is widespread, with 83% of applications embedding CTs either directly or as part of a library. We have responsibly disclosed all our findings to Google, which has already taken steps to apply targeted mitigations, assigned three CVEs for the discovered vulnerabilities, and awarded us $10,000 in bounties. Our interaction with Google led to clarifications of the CT security model in the new Chrome Custom Tabs Security FAQ document.
  • Thora: Atomic and Privacy-Preserving Multi-Channel Updates
    Aumayr, L., Abbaszadeh, K., & Maffei, M. (2022). Thora: Atomic and Privacy-Preserving Multi-Channel Updates. In CCS ’22: Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security (pp. 165–178). Association for Computing Machinery.
    DOI: 10.1145/3548606.3560556 Metadata
    Abstract
    Most blockchain-based cryptocurrencies suffer from a heavily limited transaction throughput, which is a barrier to their growing adoption. Payment channel networks (PCNs) are one of the promising solutions to this problem. PCNs reduce the on-chain load of transactions and increase the throughput by processing many payments off-chain. In fact, any two users connected via a path of payment channels (i.e., joint addresses between the two channel end-points) can perform payments, and the underlying blockchain is used only when there is a dispute between users. Unfortunately, payments in PCNs can only be conducted securely along a path, which prevents the design of many interesting applications. Moreover, the most widely used implementation, the Lightning Network in Bitcoin, suffers from a collateral lock time linear in the path length, it is affected by security issues, and it relies on specific scripting features called Hash Timelock Contracts that hinders the applicability of the underlying protocol in other blockchains. In this work, we present Thora, the first Bitcoin-compatible off-chain protocol that enables the atomic update of arbitrary channels (i.e., not necessarily forming a path). This enables the design of a number of new off-chain applications, such as payments across different PCNs sharing the same blockchain, secure and trustless crowdfunding, and channel rebalancing. Our construction requires no specific scripting functionalities other than digital signatures and timelocks, thereby being applicable to a wider range of blockchains. We formally define security and privacy in the Universal Composability framework and show that our cryptographic protocol is a realization thereof. In our performance evaluation, we show that our construction requires only constant collateral, independently from the number of channels, and has only a moderate off-chain communication as well as computation overhead.
  • Thora: Atomic and Privacy-Preserving Multi-Channel Updates
    Aumayr, L., Abbaszadeh, K., & Maffei, M. (2023, February 28). Thora: Atomic and Privacy-Preserving Multi-Channel Updates [Poster Presentation]. Network and Distributed System Security Symposium (NDSS) 2023, San Diego, United States of America (the).
    Metadata
    Abstract
    Most blockchain-based cryptocurrencies suffer from a heavily limited transaction throughput, which is a barrier to their growing adoption. Payment channel networks (PCNs) are one of the promising solutions to this problem. PCNs reduce the on-chain load of transactions and increase the throughput by processing many payments off-chain. In fact, any two users connected via a path of payment channels (i.e., joint addresses between the two channel end-points) can perform payments, and the underlying blockchain is used only when there is a dispute between users. Unfortunately, payments in PCNs can only be conducted securely along a path, which prevents the design of many interesting applications. Moreover, the most widely used implementation, the Lightning Network in Bitcoin, suffers from a collateral lock time linear in the path length, it is affected by security issues, and it relies on specific scripting features called Hash Timelock Contracts that hinders the applicability of the underlying protocol in other blockchains. In this work, we present Thora, the first Bitcoin-compatible off-chain protocol that enables the atomic update of arbitrary channels (i.e., not necessarily forming a path). This enables the design of a number of new off-chain applications, such as payments across different PCNs sharing the same blockchain, secure and trustless crowdfunding, and channel rebalancing. Our construction requires no specific scripting functionalities other than digital signatures and timelocks, thereby being applicable to a wider range of blockchains. We formally define security and privacy in the Universal Composability framework and show that our cryptographic protocol is a realization thereof. In our performance evaluation, we show that our construction requires only constant collateral, independently from the number of channels, and has only a moderate off-chain communication as well as computation overhead.
  • Thora: Atomic and Privacy-Preserving Multi-Channel Updates
    Aumayr, L., Abbaszadeh, K., & Maffei, M. (2023, August 30). Thora: Atomic and Privacy-Preserving Multi-Channel Updates [Conference Presentation]. The Science of Blockchain Conference 2023 (SBC’23), Stanford University, United States of America (the).
    Metadata
  • Thora: Atomic And Privacy-Preserving Multi-Channel Updates
    Aumayr, L., Kasra Abbaszadeh, & Maffei, M. (2022, October 31). Thora: Atomic And Privacy-Preserving Multi-Channel Updates [Poster Presentation]. Crypto Economics Security Conference, Berkeley, United States of America (the).
    Metadata
  • Towards a Game-Theoretic Security Analysis of Off-Chain Protocols
    Rain, S., Avarikioti, G., Kovacs, L., & Maffei, M. (2023). Towards a Game-Theoretic Security Analysis of Off-Chain Protocols. In 2023 IEEE 36th Computer Security Foundations Symposium (CSF) (pp. 107–122). IEEE.
    DOI: 10.1109/CSF57540.2023.00003 Metadata
    Abstract
    Off-chain protocols constitute one of the most promising approaches to solve the inherent scalability issue of blockchain technologies. The core idea is to let parties transact on-chain only once to establish a channel between them, leveraging later on the resulting channel paths to perform arbitrarily many peer-to-peer transactions off-chain. While significant progress has been made in terms of proof techniques for off-chain protocols, existing approaches do not capture the game-theoretic incentives at the core of their design, which led to overlooking significant attack vectors like the Wormhole attack in the past. In this work we take a first step towards a principled game-theoretic security analysis of off-chain protocols by introducing the first game-theoretic model that is expressive enough to reason about their security. We advocate the use of Extensive Form Games (EFGs) and introduce two instances of EFGs to capture security properties of the closing and the routing of the Lightning Network. Specifically, we model the closing protocol, which relies on punishment mechanisms to disincentivize parties to upload old channel states on-chain. Moreover, we model the routing protocol, thereby formally characterizing the Wormhole attack, a vulnerability that undermines the fee-based incentive mechanism underlying the Lightning Network.
  • Towards faster settlement in HTLC-based Cross-Chain Atomic Swaps
    Mazumdar, S. (2022). Towards faster settlement in HTLC-based Cross-Chain Atomic Swaps. arXiv.
    DOI: 10.34726/3805 Metadata
    Abstract
    Hashed Timelock (HTLC)-based atomic swap protocols enable the exchange of coins between two or more parties without relying on a trusted entity. This protocol is like the American call option without premium. It allows the finalization of a deal within a certain period. This puts the swap initiator at liberty to delay before deciding to proceed with the deal. If she finds the deal unprofitable, she just waits for the time-period of the contract to elapse. However, the counterparty is at a loss since his assets remain locked in the contract. The best he can do is to predict the initiator's behavior based on the asset's price fluctuation in the future. But it is difficult to predict as cryptocurrencies are quite volatile, and their price fluctuates abruptly. We perform a game theoretic analysis of HTLC-based atomic cross-chain swap to predict whether a swap will succeed or not. From the strategic behavior of the players, we infer that this model lacks fairness. We propose Quick Swap, a two-party protocol based on hashlock and timelock that fosters faster settlement of the swap. The parties are required to lock griefing-premium along with the principal amount. If the party griefs, he ends up paying the griefing-premium. If a party finds a deal unfavorable, he has the provision to cancel the swap. We prove that Quick Swap is more participant-friendly than HTLC-based atomic swap. Our work is the first to propose a protocol to ensure fairness of atomic-swap in a cyclic multi-party setting.
  • Verifying Global Two-Safety Properties in Neural Networks with Confidence
    Athavale, A., Bartocci, E., Christakis, M., Maffei, M., Ničković, D., & Weissenbacher, G. (2024). Verifying Global Two-Safety Properties in Neural Networks with Confidence. In A. Gurfinkel & V. Ganesh (Eds.), Computer Aided Verification (pp. 329–351). Springer.
    DOI: 10.1007/978-3-031-65630-9_17 Metadata
    Abstract
    We present the first automated verification technique for confidence-based 2-safety properties, such as global robustness and global fairness, in deep neural networks (DNNs). Our approach combines self-composition to leverage existing reachability analysis techniques and a novel abstraction of the softmax function, which is amenable to automated verification. We characterize and prove the soundness of our static analysis technique. Furthermore, we implement it on top of Marabou, a safety analysis tool for neural networks, conducting a performance evaluation on several publicly available benchmarks for DNN verification.
  • Wappler: Sound Reachability Analysis for WebAssembly
    Scherer, M., Blaabjerg, J. F., Sjösten, A., Solitro, M. M., & Maffei, M. (2024). Wappler: Sound Reachability Analysis for WebAssembly. In L. O’Conner & P. Kellenberger (Eds.), 2024 IEEE 37th Computer Security Foundations Symposium (CSF) (pp. 249–264).
    DOI: 10.1109/CSF61375.2024.00025 Metadata
    Abstract
    WebAssembly (Wasm) is an increasingly deployed low-level language providing near-native performance to security-critical domains such as web browsers, smart contracts, and edge computing. In all of these domains, establishing the absence of bugs and security vulnerabilities is of utmost importance, which motivates the development of sound and automated static analysis techniques. This is, however, a challenging task since the Wasm formal semantics is not directly amenable to efficient static analysis, Wasm code is typically embedded in statically unknown and possibly malicious contexts, and the low-level nature of the language makes it hard to precisely and yet soundly capture memory management and other core features. In this work, we present Wappler, the first sound and automated static analysis technique for WebAssembly. The core idea is to encode the semantics into Horn clauses so as to make it accessible to automated theorem provers, such as z3. The realization of this approach, however, requires to tackle several challenges. We address the fact that the Wasm semantics is not directly amenable to automation of security proofs by introducing annotations that enable a precise, practical, and yet sound encoding. Furthermore, we devise a formalism to specify embedder behavior and introduce a sound yet precise memory abstraction. We demonstrate the expressiveness of our logical formalism by encoding several general as well as Wasm-specific security properties. Finally, we implement our static analysis technique and conduct an experimental evaluation over the official Wasm test suite to demonstrate its performance.
  • Web Platform Threats: Automated Detection of Web Security Issues With WPT
    Bernardo, P., Veronese, L., DALLA VALLE, V., Calzavara, S., Squarcina, M., Adão, P., & Maffei, M. (2024). Web Platform Threats: Automated Detection of Web Security Issues With WPT. In Proceedings of the 33rd USENIX Security Symposium (pp. 757–774).
    Metadata
    Abstract
    Client-side security mechanisms implemented by Web browsers, such as cookie security attributes and the Mixed Content policy, are of paramount importance to protect Web applications. Unfortunately, the design and implementation of such mechanisms are complicated and error-prone, potentially exposing Web applications to security vulnerabilities. In this paper, we present a practical framework to formally and automatically detect security flaws in client-side security mechanisms. In particular, we leverage Web Platform Tests (WPT), a popular cross-browser test suite, to automatically collect browser execution traces and match them against Web invariants, i.e., intended security properties of Web mechanisms expressed in first-order logic. We demonstrate the effectiveness of our approach by validating 9 invariants against the WPT test suite, discovering violations with clear security implications in 104 tests for Firefox, Chromium and Safari. We disclosed the root causes of these violations to browser vendors and standard bodies, which resulted in 8 individual reports and one CVE on Safari.
  • WebSpec: Towards Machine-Checked Analysis of Browser Security Mechanisms
    Veronese, L., Farinier, B., Bernardo, P., Tempesta, M., Squarcina, M., & Maffei, M. (2023). WebSpec: Towards Machine-Checked Analysis of Browser Security Mechanisms. In 2023 IEEE Symposium on Security and Privacy (SP) (pp. 2761–2779). IEEE.
    DOI: 10.1109/SP46215.2023.10179465 Metadata
    Abstract
    The complexity of browsers has steadily increased over the years, driven by the continuous introduction and update of Web platform components, such as novel Web APIs and security mechanisms. Their specifications are manually reviewed by experts to identify potential security issues. However, this process has proved to be error-prone due to the extensiveness of modern browser specifications and the interplay between new and existing Web platform components. To tackle this problem, we developed WebSpec, the first formal security framework for the analysis of browser security mechanisms, which enables both the automatic discovery of logical flaws and the development of machine-checked security proofs. WebSpec, in particular, includes a comprehensive semantic model of the browser in the Coq proof assistant, a formalization in this model of ten Web security invariants, and a toolchain turning the Coq model and the Web invariants into SMT-lib formulas to enable model checking with the Z3 theorem prover. If a violation is found, the toolchain automatically generates executable tests corresponding to the discovered attack trace, which is validated across major browsers.We showcase the effectiveness of WebSpec by discovering two new logical flaws caused by the interaction of different browser mechanisms and by identifying three previously discovered logical flaws in the current Web platform, as well as five in old versions. Finally, we show how WebSpec can aid the verification of our proposed changes to amend the reported inconsistencies affecting the current Web platform.

DLDaI

Distributed Ledger Development and Implementation

2022 – 2024 •  ABC Research GmbH  •  PI Matteo Maffei

PROFET

Cryptographic Foundations for Future-proof Internet Security

2019 – 2023 •  Austrian Science Fund (FWF)  •  PI Matteo Maffei
Abstract

Today, much of our personal freedom and the power to guarantee and maintain a free society depends on cryptographic primitives (e.g., digital signatures and encryption) incorporated in the security protocols of today's Internet used for securing many daily tasks such as messaging, online banking or sending e-mails. While anticipated regulations like the upcoming EU General Data Protection Regulation (GDPR) promote the usage of cryptography to protect sensitive data, revelations about activities of governmental agencies have revealed worryingly information. Examples include subverting cryptographic software products, subverting certification authorities, backdooring cryptographic schemes, or influencing and weakening cryptographic standardization processes. Besides providing governmental institutions means to spy on citizens, such practices are highly vulnerable to also be exploited by non-governmental attackers.

Many of the public-key cryptographic schemes used to secure today's Internet were not designed with the functionality and the security requirements in mind that come along with tomorrow's envisioned use-cases on the Internet. This requires novel and typically more advanced cryptographic schemes that consider aspects that were not known or of interest in the early days of the Internet. Cryptography for a future-proof Internet needs to consider a potentially huge number of devices to which data is communicated simultaneously and shared selectively and needs to be flexible enough to work on both ends of the spectrum, i.e., resource constrained IoT devices as well as cloud-powered services. What is more, new security aspects such as readiness for a post-quantum era as well as the increasing importance of cryptographic schemes which are resilient against threats due to subversion as well as surveillance (as mentioned before) are of high relevance.

PROFET targets at designing public-key cryptography capable to secure tomorrow's Internet which will encompass paradigms such as cloud computing, the IoT and distributed ledgers as essential ingredients. We thereby want to specifically put our focus on two highly important issues for the future: (1) designing security models and cryptographic schemes that are surveillance and subversion resilient by design, e.g., provide strong notions such as forward security and post-compromise security, and (2) designing cryptographic schemes that remain secure in the presence of powerful quantum computers, i.e., schemes that provide post-quantum security. We will on the one hand work on foundational aspects, but also investigate the application of our techniques to certain problems encountered in the IoT and cloud application scenarios.

ViSP

Vienna Cybersecurity and Privacy Research Center

2019 – 2023 •  Vienna Business Agency (WAW)  •  PI Matteo Maffei
Abstract

The aim of ViSP is to break down the silos and boost the existing research synergies among the partner institutions, to establish a graduate educational program in cybersecurity and privacy, and to create all together an internationally leading research and educational brand for cybersecurity and privacy in Vienna.

While the primary goals are research excellence and education, ViSP will have a significant impact on industry and regional development. Cybersecurity and privacy expertise is extremely required by enterprises, which open branches and labs in close proximity to research centers and universities leading in this field, due to the availability of the required know-how, possibilities of technology transfer, and access to specialized students. Cybersecurity and privacy are also a flourishing field worldwide for startups created by students during or at the end of their studies, which will be promoted and mentored in the incubation phase by ViSP.

The ultimate goal is to establish Vienna as the place to be for cybersecurity and privacy research in Europe. Besides the central location and the excellent quality of life, the unique selling point of the Viennese landscape in the cybersecurity and privacy domain is the unmatchable concentration of research excellence (as witnessed, e.g., by the 6 ERC grants in this field, all joining ViSP, which has no equal in Europe) and the number of universities and research centers active in this field, which however requires a consolidation effort to emerge internationally as a leading location.

Partners
  • Ruhr-Universität Bochum, Bochum, Germany
Publications
  • Blitz: Secure Multi-Hop Payments Without Two-Phase Commits
    Aumayr, L., Moreno-Sanchez, P., Kate, A., & Maffei, M. (2022, August 31). Blitz: Secure Multi-Hop Payments Without Two-Phase Commits [Conference Presentation]. The Science of Blockchain Conference 2022, Stanford, United States of America (the).
    Metadata
  • Breaking and Fixing Virtual Channels: Domino Attack and Donner
    Aumayr, L., Moreno-Sanchez, P., Kate, A., & Maffei, M. (2023). Breaking and Fixing Virtual Channels: Domino Attack and Donner. In Proceedings Network and Distributed System Security Symposium 2023. 30th Annual Network and Distributed System Security Symposium (NDSS) 2023, San Diego, United States of America (the).
    DOI: 10.14722/ndss.2023.24370 Metadata
    Abstract
    Payment channel networks (PCNs) mitigate the scalability issues of current decentralized cryptocurrencies. They allow for arbitrarily many payments between users connected through a path of intermediate payment channels, while requiring interacting with the blockchain only to open and close the channels. Unfortunately, PCNs are (i) tailored to payments, excluding more complex smart contract functionalities, such as the oracle-enabling Discreet Log Contracts and (ii) their need for active participation from intermediaries may make payments unreliable, slower, expensive, and privacy-invasive. Virtual channels are among the most promising techniques to mitigate these issues, allowing two endpoints of a path to create a direct channel over the intermediaries without any interaction with the blockchain. After such a virtual channel is constructed, (i) the endpoints can use this direct channel for applications other than payments and (ii) the intermediaries are no longer involved in updates. In this work, we first introduce the Domino attack, a new DoS/griefing style attack that leverages virtual channels to destruct the PCN itself and is inherent to the design adopted by the existing Bitcoin-compatible virtual channels. We then demonstrate its severity by a quantitative analysis on a snapshot of the Lightning Network (LN), the most widely deployed PCN at present. We finally discuss other serious drawbacks of existing virtual channel designs, such as the support for only a single intermediary, a latency and blockchain overhead linear in the path length, or a non-constant storage overhead per user. We then present Donner, the first virtual channel construction that overcomes the shortcomings above, by relying on a novel design paradigm. We formally define and prove security and privacy properties in the Universal Composability framework. Our evaluation shows that Donner is efficient, reduces the on-chain number of transactions for disputes from linear in the path length to a single one, which is the key to prevent Domino attacks, and reduces the storage overhead from logarithmic in the path length to constant. Donner is Bitcoin-compatible and can be easily integrated in the LN.
  • Breaking and Fixing Virtual Channels: Domino Attack and Donner
    Aumayr, L., Moreno-Sanchez, P., Kate, A., & Maffei, M. (2023, September 6). Breaking and Fixing Virtual Channels: Domino Attack and Donner [Presentation]. VISA Research - external research talks, Palo Alto, United States of America (the).
    Metadata
  • Chrisimos: A useful Proof-of-Work for finding Minimal Dominating Set of a graph
    Chatterjee, D., Banerjee, P., & Mazumdar, S. (2023). Chrisimos: A useful Proof-of-Work for finding Minimal Dominating Set of a graph. arXiv.
    DOI: 10.34726/5301 Metadata
    Abstract
    Hash-based Proof-of-Work (PoW) used in the Bitcoin Blockchain leads to high energy consumption and resource wastage. In this paper, we aim to re-purpose the energy by replacing the hash function with real-life problems having commercial utility. We propose Chrisimos, a useful Proof-of-Work where miners are required to find a minimal dominating set for real-life graph instances. A miner who is able to output the smallest dominating set for the given graph within the block interval time wins the mining game. We also propose a new chain selection rule that ensures the security of the scheme. Thus our protocol also realizes a decentralized minimal dominating set solver for any graph instance. We provide formal proof of correctness and show via experimental results that the block interval time is within feasible bounds of hash-based PoW.
  • Cookie Crumbles: Breaking and Fixing Web Session Integrity
    Squarcina, M., Adão, P., Lorenzo Veronese, & Matteo Maffei. (2023). Cookie Crumbles: Breaking and Fixing Web Session Integrity. In J. Calandrino & C. Troncoso (Eds.), SEC ’23: Proceedings of the 32nd USENIX Conference on Security Symposium (pp. 5539–5556). USENIX Association.
    DOI: 10.34726/5329 Metadata
    Abstract
    Cookies have a long history of vulnerabilities targeting their confidentiality and integrity. To address these issues, new mechanisms have been proposed and implemented in browsers and server-side applications. Notably, improvements to the Secure attribute and cookie prefixes aim to strengthen cookie integrity against network and same-site attackers, whereas SameSite cookies have been touted as the solution to CSRF. On the server, token-based protections are considered an effective defense for CSRF in the synchronizer token pattern variant. In this paper, we question the effectiveness of these protections and study the real-world security implications of cookie integrity issues, showing how security mechanisms previously considered robust can be bypassed, exposing Web applications to session integrity attacks such as session fixation and cross-origin request forgery (CORF). These flaws are not only implementation-specific bugs but are also caused by compositionality issues of security mechanisms or vulnerabilities in the standard. Our research contributed to 12 CVEs, 27 vulnerability disclosures, and updates to the cookie standard. It comprises (i) a thorough cross-browser evaluation of cookie integrity issues, that results in new attacks originating from implementation or specification inconsistencies, and (ii) a security analysis of the top 13 Web frameworks, exposing session integrity vulnerabilities in 9 of them. We discuss our responsible disclosure and propose practical mitigations.
  • Generalized Channels from Limited Blockchain Scripts and Adaptor Signatures
    Aumayr, L., Oguzhan Ersoy, Erwig, A., Faust, S., Hostáková, K., Maffei, M., Moreno-Sanchez, P., & Riahi, S. (2022, August 30). Generalized Channels from Limited Blockchain Scripts and Adaptor Signatures [Conference Presentation]. The Science of Blockchain Conference 2022, Stanford, United States of America (the).
    Metadata
  • Hide & Seek: Privacy-Preserving Rebalancing on Payment Channel Networks
    Avarikioti, G., Pietrzak, K., Salem, I., Schmid, S., Tiwari, S., & Yeo, M. (2022). Hide & Seek: Privacy-Preserving Rebalancing on Payment Channel Networks. In I. Eyal & J. Garay (Eds.), Financial Cryptography and Data Security (pp. 358–373). Springer-Verlag.
    DOI: 10.1007/978-3-031-18283-9_17 Metadata
    Abstract
    Payment channels effectively move the transaction load off-chain thereby successfully addressing the inherent scalability problem most cryptocurrencies face. A major drawback of payment channels is the need to “top up” funds on-chain when a channel is depleted. Rebalancing was proposed to alleviate this issue, where parties with depleting channels move their funds along a cycle to replenish their channels off-chain. Protocols for rebalancing so far either introduce local solutions or compromise privacy. In this work, we present an opt-in rebalancing protocol that is both private and globally optimal, meaning our protocol maximizes the total amount of rebalanced funds. We study rebalancing from the framework of linear programming. To obtain full privacy guarantees, we leverage multi-party computation in solving the linear program, which is executed by selected participants to maintain efficiency. Finally, we efficiently decompose the rebalancing solution into incentive-compatible cycles which conserve user balances when executed atomically.
  • LightSwap: An Atomic Swap Does Not Require Timeouts At Both Blockchains
    Hoenisch, P., Mazumdar, S., Moreno-Sanchez, P., & Ruj, S. (2022). LightSwap: An Atomic Swap Does Not Require Timeouts At Both Blockchains. Cryptology ePrint Archive.
    DOI: 10.34726/3662 Metadata
    Abstract
    Security and privacy issues with centralized exchange services have motivated the design of atomic swap protocols for decentralized trading across currencies. These protocols follow a standard blueprint similar to the 2-phase commit in databases: (i) both users first lock their coins under a certain (cryptographic) condition and a timeout; (ii-a) the coins are swapped if the condition is fulfilled; or (ii-b) coins are released after the timeout. The quest for these protocols is to minimize the requirements from the scripting language supported by the swapped coins, thereby supporting a larger range of cryptocurrencies. The recently proposed universal atomic swap protocol [IEEE S&P’22] demonstrates how to swap coins whose scripting language only supports the verification of a digital signature on a transaction. However, the timeout functionality is cryptographically simulated with verifiable timelock puzzles, a computationally expensive primitive that hinders its use in battery-constrained devices such as mobile phones. In this state of affairs, we question whether the 2-phase commit paradigm is necessary for atomic swaps in the first place. In other words, is it possible to design a secure atomic swap protocol where the timeout is not used by (at least one of the two) users? In this work, we present LightSwap, the first secure atomic swap protocol that does not require the timeout functionality (not even in the form of a cryptographic puzzle) by one of the two users. LightSwap is thus better suited for scenarios where a user, running an instance of LightSwap on her mobile phone, wants to exchange coins with an online exchange service running an instance of LightSwap on a computer. We show how LightSwap can be used to swap Bitcoin and Monero, an interesting use case since Monero does not provide any scripting functionality support other than linkable ring signature verification.
  • SecWasm: Information Flow Control for WebAssembly
    Bastys, I., Algehed, M., Sjösten, A., & Sabelfeld, A. (2022). SecWasm: Information Flow Control for WebAssembly. In Static Analysis (pp. 74–103). Springer Nature Switzerland AG.
    DOI: 10.1007/978-3-031-22308-2_5 Metadata
    Abstract
    We introduce SecWasm, the first general purpose information-flow control system for WebAssembly (Wasm), thus extending the safety guarantees offered by Wasm with guarantees that applications manipulate sensitive data in a secure way. SecWasm is a hybrid system enforcing termination-insensitive noninterference which overcomes the challenges posed by the uncommon characteristics for machine languages of Wasm in an elegant and thorough way.
  • Sleepy Channels: Bi-directional Payment Channels without Watchtowers
    Aumayr, L., Thyagarajan, S. A., Malavolta, G., Moreno-Sanchez, P., & Maffei, M. (2022). Sleepy Channels: Bi-directional Payment Channels without Watchtowers. In CCS ’22: Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security (pp. 179–192). Association for Computing Machinery.
    DOI: 10.1145/3548606.3559370 Metadata
    Abstract
    Payment channels (PC) are a promising solution to the scalability issue of cryptocurrencies, allowing users to perform the bulk of the transactions off-chain without needing to post everything on the blockchain. Many PC proposals however, suffer from a severe limitation: Both parties need to constantly monitor the blockchain to ensure that the other party did not post an outdated transaction. If this event happens, the honest party needs to react promptly and engage in a punishment procedure. This means that prolonged absence periods (e.g., a power outage) may be exploited by malicious users. As a mitigation, the community has introduced watchtowers, a third-party monitoring the blockchain on behalf of off-line users. Unfortunately, watchtowers are either trusted, which is critical from a security perspective, or they have to lock a certain amount of coins, called collateral, for each monitored PC in order to be held accountable, which is financially infeasible for a large network. We present Sleepy Channels, the first bi-directional PC protocol without watchtowers (or any other third party) that supports an unbounded number of payments and does not require parties to be persistently online. The key idea is to confine the period in which PC updates can be validated on-chain to a short, pre-determined time window, which is when the PC parties have to be online. This behavior is incentivized by letting the parties lock a collateral in the PC, which can be adjusted depending on their mutual trust and which they get back much sooner if they are online during this time window. Our protocol is compatible with any blockchain that is capable of verifying digital signatures (e.g., Bitcoin), as shown by our proof of concept. Moreover, our experimental results show that Sleepy Channels impose a communication and computation overhead similar to state-of-the-art PC protocols while removing watchtower's collateral and fees for the monitoring service.
  • Sleepy Channels: Bi-directional Payment Channels without Watchtowers
    Aumayr, L., Sri AravindaKrishnan Thyagarajan, Giulio Malavolta, Moreno-Sanchez, P., & Maffei, M. (2022, October 31). Sleepy Channels: Bi-directional Payment Channels without Watchtowers [Poster Presentation]. Crypto Economics Security Conference, Berkeley, United States of America (the).
    Metadata
  • Sleepy Channels: Bi-directional Payment Channels without Watchtowers
    Aumayr, L., Sri AravindaKrishnan Thyagarajan, Giulio Malavolta, Moreno-Sanchez, P., & Maffei, M. (2023, February 28). Sleepy Channels: Bi-directional Payment Channels without Watchtowers [Poster Presentation]. Network and Distributed System Security Symposium (NDSS) 2023, United States of America (the).
    Metadata
  • Sleepy Channels: Bitcoin-Compatible Bi-directional Payment Channels without Watchtowers
    Aumayr, L., Sri AravindaKrishnan Thyagarajan, Giulio Malavolta, Moreno-Sanchez, P., & Maffei, M. (2023, August 30). Sleepy Channels: Bitcoin-Compatible Bi-directional Payment Channels without Watchtowers [Conference Presentation]. The Science of Blockchain Conference 2023, Stanford, United States of America (the).
    Metadata
  • Strategic Analysis of Griefing Attack in Lightning Network
    Mazumdar, S., Banerjee, P., Sinha, A., Ruj, S., & Roy, B. (2022). Strategic Analysis of Griefing Attack in Lightning Network. IEEE Transactions on Network and Service Management.
    DOI: 10.34726/3581 Metadata
    Abstract
    Hashed Timelock Contract (HTLC) in Lightning Network is susceptible to a griefing attack. An attacker can block several channels and stall payments by mounting this attack. A state-of-the-art countermeasure, Hashed Timelock Contract with Griefing-Penalty (HTLC-GP) is found to work under the classical assumption of participants being either honest or malicious but fails for rational participants. To address the gap, we introduce a game-theoretic model for analyzing griefing attacks in HTLC. We use this model to analyze griefing attacks in HTLC-GP and conjecture that it is impossible to design an efficient protocol that will penalize a malicious participant with the current Bitcoin scripting system. We study the impact of the penalty on the cost of mounting the attack and observe that HTLC-GP is weakly effective in disincentivizing the attacker in certain conditions. To further increase the cost of attack, we introduce the concept of guaranteed minimum compensation, denoted as ζ, and modify HTLC-GP into HTLC-GPζ. By experimenting on several instances of Lightning Network, we observe that the total coins locked in the network drops to 28% for HTLC-GPζ, unlike in HTLC-GP where total coins locked does not drop below 40%. These results justify that HTLC-GPζ is better than HTLC-GP to counter griefing attacks.
  • Thora: Atomic and Privacy-Preserving Multi-Channel Updates
    Aumayr, L., Abbaszadeh, K., & Maffei, M. (2022). Thora: Atomic and Privacy-Preserving Multi-Channel Updates. In CCS ’22: Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security (pp. 165–178). Association for Computing Machinery.
    DOI: 10.1145/3548606.3560556 Metadata
    Abstract
    Most blockchain-based cryptocurrencies suffer from a heavily limited transaction throughput, which is a barrier to their growing adoption. Payment channel networks (PCNs) are one of the promising solutions to this problem. PCNs reduce the on-chain load of transactions and increase the throughput by processing many payments off-chain. In fact, any two users connected via a path of payment channels (i.e., joint addresses between the two channel end-points) can perform payments, and the underlying blockchain is used only when there is a dispute between users. Unfortunately, payments in PCNs can only be conducted securely along a path, which prevents the design of many interesting applications. Moreover, the most widely used implementation, the Lightning Network in Bitcoin, suffers from a collateral lock time linear in the path length, it is affected by security issues, and it relies on specific scripting features called Hash Timelock Contracts that hinders the applicability of the underlying protocol in other blockchains. In this work, we present Thora, the first Bitcoin-compatible off-chain protocol that enables the atomic update of arbitrary channels (i.e., not necessarily forming a path). This enables the design of a number of new off-chain applications, such as payments across different PCNs sharing the same blockchain, secure and trustless crowdfunding, and channel rebalancing. Our construction requires no specific scripting functionalities other than digital signatures and timelocks, thereby being applicable to a wider range of blockchains. We formally define security and privacy in the Universal Composability framework and show that our cryptographic protocol is a realization thereof. In our performance evaluation, we show that our construction requires only constant collateral, independently from the number of channels, and has only a moderate off-chain communication as well as computation overhead.
  • Thora: Atomic and Privacy-Preserving Multi-Channel Updates
    Aumayr, L., Abbaszadeh, K., & Maffei, M. (2023, February 28). Thora: Atomic and Privacy-Preserving Multi-Channel Updates [Poster Presentation]. Network and Distributed System Security Symposium (NDSS) 2023, San Diego, United States of America (the).
    Metadata
    Abstract
    Most blockchain-based cryptocurrencies suffer from a heavily limited transaction throughput, which is a barrier to their growing adoption. Payment channel networks (PCNs) are one of the promising solutions to this problem. PCNs reduce the on-chain load of transactions and increase the throughput by processing many payments off-chain. In fact, any two users connected via a path of payment channels (i.e., joint addresses between the two channel end-points) can perform payments, and the underlying blockchain is used only when there is a dispute between users. Unfortunately, payments in PCNs can only be conducted securely along a path, which prevents the design of many interesting applications. Moreover, the most widely used implementation, the Lightning Network in Bitcoin, suffers from a collateral lock time linear in the path length, it is affected by security issues, and it relies on specific scripting features called Hash Timelock Contracts that hinders the applicability of the underlying protocol in other blockchains. In this work, we present Thora, the first Bitcoin-compatible off-chain protocol that enables the atomic update of arbitrary channels (i.e., not necessarily forming a path). This enables the design of a number of new off-chain applications, such as payments across different PCNs sharing the same blockchain, secure and trustless crowdfunding, and channel rebalancing. Our construction requires no specific scripting functionalities other than digital signatures and timelocks, thereby being applicable to a wider range of blockchains. We formally define security and privacy in the Universal Composability framework and show that our cryptographic protocol is a realization thereof. In our performance evaluation, we show that our construction requires only constant collateral, independently from the number of channels, and has only a moderate off-chain communication as well as computation overhead.
  • Thora: Atomic and Privacy-Preserving Multi-Channel Updates
    Aumayr, L., Abbaszadeh, K., & Maffei, M. (2023, August 30). Thora: Atomic and Privacy-Preserving Multi-Channel Updates [Conference Presentation]. The Science of Blockchain Conference 2023 (SBC’23), Stanford University, United States of America (the).
    Metadata
  • Thora: Atomic And Privacy-Preserving Multi-Channel Updates
    Aumayr, L., Kasra Abbaszadeh, & Maffei, M. (2022, October 31). Thora: Atomic And Privacy-Preserving Multi-Channel Updates [Poster Presentation]. Crypto Economics Security Conference, Berkeley, United States of America (the).
    Metadata
  • Towards a Game-Theoretic Security Analysis of Off-Chain Protocols
    Rain, S., Avarikioti, G., Kovacs, L., & Maffei, M. (2023). Towards a Game-Theoretic Security Analysis of Off-Chain Protocols. In 2023 IEEE 36th Computer Security Foundations Symposium (CSF) (pp. 107–122). IEEE.
    DOI: 10.1109/CSF57540.2023.00003 Metadata
    Abstract
    Off-chain protocols constitute one of the most promising approaches to solve the inherent scalability issue of blockchain technologies. The core idea is to let parties transact on-chain only once to establish a channel between them, leveraging later on the resulting channel paths to perform arbitrarily many peer-to-peer transactions off-chain. While significant progress has been made in terms of proof techniques for off-chain protocols, existing approaches do not capture the game-theoretic incentives at the core of their design, which led to overlooking significant attack vectors like the Wormhole attack in the past. In this work we take a first step towards a principled game-theoretic security analysis of off-chain protocols by introducing the first game-theoretic model that is expressive enough to reason about their security. We advocate the use of Extensive Form Games (EFGs) and introduce two instances of EFGs to capture security properties of the closing and the routing of the Lightning Network. Specifically, we model the closing protocol, which relies on punishment mechanisms to disincentivize parties to upload old channel states on-chain. Moreover, we model the routing protocol, thereby formally characterizing the Wormhole attack, a vulnerability that undermines the fee-based incentive mechanism underlying the Lightning Network.
  • Towards faster settlement in HTLC-based Cross-Chain Atomic Swaps
    Mazumdar, S. (2022). Towards faster settlement in HTLC-based Cross-Chain Atomic Swaps. arXiv.
    DOI: 10.34726/3805 Metadata
    Abstract
    Hashed Timelock (HTLC)-based atomic swap protocols enable the exchange of coins between two or more parties without relying on a trusted entity. This protocol is like the American call option without premium. It allows the finalization of a deal within a certain period. This puts the swap initiator at liberty to delay before deciding to proceed with the deal. If she finds the deal unprofitable, she just waits for the time-period of the contract to elapse. However, the counterparty is at a loss since his assets remain locked in the contract. The best he can do is to predict the initiator's behavior based on the asset's price fluctuation in the future. But it is difficult to predict as cryptocurrencies are quite volatile, and their price fluctuates abruptly. We perform a game theoretic analysis of HTLC-based atomic cross-chain swap to predict whether a swap will succeed or not. From the strategic behavior of the players, we infer that this model lacks fairness. We propose Quick Swap, a two-party protocol based on hashlock and timelock that fosters faster settlement of the swap. The parties are required to lock griefing-premium along with the principal amount. If the party griefs, he ends up paying the griefing-premium. If a party finds a deal unfavorable, he has the provision to cancel the swap. We prove that Quick Swap is more participant-friendly than HTLC-based atomic swap. Our work is the first to propose a protocol to ensure fairness of atomic-swap in a cyclic multi-party setting.
  • WebSpec: Towards Machine-Checked Analysis of Browser Security Mechanisms
    Veronese, L., Farinier, B., Bernardo, P., Tempesta, M., Squarcina, M., & Maffei, M. (2023). WebSpec: Towards Machine-Checked Analysis of Browser Security Mechanisms. In 2023 IEEE Symposium on Security and Privacy (SP) (pp. 2761–2779). IEEE.
    DOI: 10.1109/SP46215.2023.10179465 Metadata
    Abstract
    The complexity of browsers has steadily increased over the years, driven by the continuous introduction and update of Web platform components, such as novel Web APIs and security mechanisms. Their specifications are manually reviewed by experts to identify potential security issues. However, this process has proved to be error-prone due to the extensiveness of modern browser specifications and the interplay between new and existing Web platform components. To tackle this problem, we developed WebSpec, the first formal security framework for the analysis of browser security mechanisms, which enables both the automatic discovery of logical flaws and the development of machine-checked security proofs. WebSpec, in particular, includes a comprehensive semantic model of the browser in the Coq proof assistant, a formalization in this model of ten Web security invariants, and a toolchain turning the Coq model and the Web invariants into SMT-lib formulas to enable model checking with the Z3 theorem prover. If a violation is found, the toolchain automatically generates executable tests corresponding to the discovered attack trace, which is validated across major browsers.We showcase the effectiveness of WebSpec by discovering two new logical flaws caused by the interaction of different browser mechanisms and by identifying three previously discovered logical flaws in the current Web platform, as well as five in old versions. Finally, we show how WebSpec can aid the verification of our proposed changes to amend the reported inconsistencies affecting the current Web platform.
  • Wiser: Increasing Throughput in Payment Channel Networks with Transaction Aggregation
    Tiwari, S., Yeo, M., Avarikioti, G., Salem, I., Pietrzak, K., & Schmid, S. (2022). Wiser: Increasing Throughput in Payment Channel Networks with Transaction Aggregation. In AFT ’22: Proceedings of the 4th ACM Conference on Advances in Financial Technologies (pp. 217–231). Association for Computing Machinery.
    DOI: 10.1145/3558535.3559775 Metadata
    Abstract
    Payment channel networks (PCNs) are one of the most prominent solutions to the limited transaction throughput of blockchains. Nevertheless, PCNs suffer themselves from a throughput limitation due to the capital constraints of their channels. A similar dependence on high capital is also found in inter-bank payment settlements, where the so-called netting technique is used to mitigate liquidity demands. In this work, we alleviate this limitation by introducing the notion of transaction aggregation: instead of executing transactions sequentially through a PCN, we enable senders to aggregate multiple transactions and execute them simultaneously to benefit from several amounts that may "cancel out". Two direct advantages of our proposal is the decrease in intermediary fees paid by senders as well as the obfuscation of the transaction data from the intermediaries. We formulate the transaction aggregation as a computational problem, a generalization of the Bank Clearing Problem. We present a generic framework for the transaction aggregation execution, and thereafter we propose Wiser as an implementation of this framework in a specific hub-based setting. To overcome the NP-hardness of the transaction aggregation problem, in Wiser we propose a fixed-parameter linear algorithm for a special case of transaction aggregation as well as the Bank Clearing Problem. Wiser can also be seen as a modern variant of the Hawala money transfer system, as well as a decentralized implementation of the overseas remittance service of Wise.

PR4DLT

Privacy-Preserving Regulatory Technologies for Distributed Ledger Technologies

2018 – 2021 •  Austrian Research Promotion Agency (FFG)  •  PI Matteo Maffei

SP-PCN

Security and Privacy for Payment-Channel Networks

2019 – 2020 •  Austrian Science Fund (FWF)

SLN

Scalability for Lightning Networks

2018 – 2020 •  Chaincode Labs Inc  •  PI Matteo Maffei

Ethertrust

Ethertrust - Trustworthy smart contracts

2018 – 2019 •  netidee.at  •  PI Matteo Maffei