US20210334363A1 - Secure authentication server for smart contract - Google Patents
Secure authentication server for smart contract Download PDFInfo
- Publication number
- US20210334363A1 US20210334363A1 US16/468,279 US201916468279A US2021334363A1 US 20210334363 A1 US20210334363 A1 US 20210334363A1 US 201916468279 A US201916468279 A US 201916468279A US 2021334363 A1 US2021334363 A1 US 2021334363A1
- Authority
- US
- United States
- Prior art keywords
- certificate
- vulnerability
- source code
- checking
- smart contract
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
- G06F21/54—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by adding security routines or objects to programs
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/577—Assessing vulnerabilities and evaluating computer system security
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
- G06F21/33—User authentication using certificates
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/51—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/562—Static detection
- G06F21/563—Static detection by source code analysis
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/38—Payment protocols; Details thereof
- G06Q20/382—Payment protocols; Details thereof insuring higher security of transaction
- G06Q20/3821—Electronic credentials
- G06Q20/38215—Use of certificates or encrypted proofs of transaction rights
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/38—Payment protocols; Details thereof
- G06Q20/382—Payment protocols; Details thereof insuring higher security of transaction
- G06Q20/3827—Use of message hashing
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/38—Payment protocols; Details thereof
- G06Q20/385—Payment protocols; Details thereof using an alias or single-use codes
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/38—Payment protocols; Details thereof
- G06Q20/40—Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
- G06Q20/401—Transaction verification
- G06Q20/4014—Identity check for transactions
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3236—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3263—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
- H04L9/3268—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/03—Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
- G06F2221/033—Test or assess software
Definitions
- the present invention relates to a secure authentication server for smart contracts. More particularly, the present invention relates to a server performing secure authentication by determining whether there exists vulnerability to the threat such as a hacking attack to an app or web which performs a smart contract and issuing a certificate to a smart contract source code free from the vulnerability.
- Smart contact refers to a method of the decentralized ledger technology, which is used to conclude a transaction automatically between parties if specific conditions for the transaction are satisfied.
- transaction conditions and content are registered in a smart contract system, relevant laws and procedures corresponding to the contract are applied automatically, and a result of the contract is notified to the transaction parties.
- the smart contract provides an advantage that transaction procedures are simplified, and costs associated with contracting are reduced.
- the present invention has been made to solve the problem above and is intended to analyze security vulnerability in smart contracts, establish specific security criteria, and verify security according to the criteria.
- the present invention is intended to construct a reliable smart contract environment by issuing a certificate to a smart contract the security stability of which passes the criteria.
- a server which performs secure authentication on a source code for smart contract may comprise a communication unit receiving a smart contract source code from the server requesting secure authentication; and a controller checking security vulnerability based on the received smart contract source code, wherein the controller comprises a source code vulnerability checking unit reading a source code of a smart contract and checking vulnerability in the source code; a communication interval checking unit checking a communication interval for execution of the source code; an execution vulnerability checking unit checking app and web vulnerability on a browser in which the source code is executed; and in response to determining the security level satisfied with the required criterion as a result of checking by the source code vulnerability checking unit, communication interval checking unit, and execution vulnerability checking unit, a certificate issuing unit issuing a certificate and storing the certificate together with the source code in a blockchain block where the source code of the smart contract is stored.
- a contract program may be developed according to a stricter security criterion when a source code of the smart contract is designed.
- various embodiments of the present invention perform a smart contract only when a certificate is validated, thereby providing a smart transaction environment secure from hacking threats.
- FIG. 1 is a block diagram illustrating a structure of a secure authentication server for smart contracts according to an embodiment of the present invention.
- FIGS. 2 a and 2 b illustrate an example of an authentication operation of a secure authentication server for smart contracts according to an embodiment of the present invention.
- FIG. 3 is a flow diagram illustrating a procedure for issuing a security certificate of a smart contract according to an embodiment of the present invention.
- FIG. 4 is a flow diagram illustrating the order of operations for checking a certificate according to an embodiment of the present invention.
- a server which performs secure authentication on a source code for a smart contract may comprise a communication unit receiving a smart contract source code from the server requesting secure authentication; and a controller checking security vulnerability based on the received smart contract source code, wherein the controller comprises a source code vulnerability checking unit reading a source code of a smart contract and checking vulnerability in the source code; a communication interval checking unit checking a communication interval for execution of the source code; an execution vulnerability checking unit checking app and web vulnerability on a browser in which the source code is executed; and in response to determining the security level satisfied with the required condition as a result of checking by the source code vulnerability checking unit, communication interval checking unit, and execution vulnerability checking unit, a certificate issuing unit issuing a certificate and storing the certificate together with the source code in a blockchain block where the source code of the smart contract is stored.
- a constituting element is said to be ‘connected’ or ‘attached’ to other constituting element, the former may be connected or attached directly to the other constituting element, but there may be a case in which another constituting element is present between the two constituting elements.
- a constituting element is said to be ‘directly connected’ or ‘directly attached’ to other constituting element, it should be understood that there is no other constituting element between the two constituting elements.
- FIG. 1 is a block diagram illustrating a structure of a secure authentication server for smart contracts according to an embodiment of the present invention.
- FIGS. 2 a and 2 b illustrate an example of an authentication operation of a secure authentication server for smart contracts according to an embodiment of the present invention.
- the secure authentication server 100 may include a communication unit 110 , storage unit 120 , and controller 130 .
- the controller 130 may include a source code vulnerability checking unit 131 , communication interval checking unit 132 , execution vulnerability checking unit 133 , and certificate issuing unit 134 .
- the communication unit 110 may utilize a network for transmitting and receiving data between a user device and a server, where the type of the network is not limited to a particular one.
- the network may be an Internet Protocol (IP) network which provides a service of transmitting and receiving a large amount of data or an All IP network which integrates different IP networks.
- IP Internet Protocol
- the network may be one of a wired network, Wireless Broadband (Wibro) network, mobile communication network including WCDMA, mobile communication network including a High Speed Downlink Packet Access (HSDPA) network and Long Term Evolution (LTE) network, mobile communication network including LTE advanced (LTE-A) and Five Generation (5G) network, satellite network, and Wi-Fi network; or a combination of at least one or more of the networks above.
- WCDMA Wireless Broadband
- HSDPA High Speed Downlink Packet Access
- LTE Long Term Evolution
- 5G Five Generation
- the communication network 110 may receive a smart contract source code from a server requesting secure authentication. Also, the communication network 110 may perform a data transmission operation for storing a certificate on the blockchain in which the smart contract source code is stored, the certificate indicating completion of secure authentication of the corresponding source code.
- the blockchain may refer to a blockchain (for example, Ethereum) which supports smart contracts. And according to various embodiments, the blockchain may include a private blockchain managed by a government organization or corporate company as well as a public blockchain such as Ethereum.
- the communication unit 110 may collect information about a target company of secure authentication and clients according to various embodiments of the present invention.
- the server 100 may analyze vulnerability of the web and apps in which a smart contract source code is implemented. For example, the server 100 may collect information about major hacking methods for each field, collect information about classification of a company providing a smart contract which is a target of security checking, calculates a hacking technique used primarily for classification of a company providing the smart contract which is a target of security checking, and writes a list of simulated hacking requests based on the calculated hacking technique.
- An operator of the server 100 may directly participate in part of the security checking process and manually perform simulated hacking, where the operator may perform simulated hacking based on the list of simulated hacking requests.
- the server 100 may control a certificate to be issued only when the smart contract passes hacking techniques on the list of simulated hacking requests.
- the communication unit 110 may receive not only a smart contract source code but also a certificate stored previously on the block body of a blockchain. Accordingly, the server 100 may determine validity of the corresponding certificate based on the code information and hash value of the received certificate; and only when the certificate is determined to be valid, the server 100 may approve smart contract operations.
- the storage unit 120 may include an internal or external memory.
- an internal memory may include at least one of a volatile memory (for example, dynamic RAM (DRAM), static RAM (SRAM), or synchronous dynamic RAM (SDRAM)), non-volatile memory (for example, one-time programmable ROM (OTPROM), programmable ROM (PROM), erasable and programmable ROM (EPROM), electrically erasable and programmable ROM (EEPROM), mask ROM, flash ROM, flash memory (for example, NAND flash or NOR flash memory), hard drive, or solid state drive (SDD).
- DRAM dynamic RAM
- SRAM static RAM
- SDRAM synchronous dynamic RAM
- non-volatile memory for example, one-time programmable ROM (OTPROM), programmable ROM (PROM), erasable and programmable ROM (EPROM), electrically erasable and programmable ROM (EEPROM), mask ROM, flash ROM, flash memory (for example, NAND flash or NOR flash memory
- An external memory may further include a flash drive, for example, compact flash (CF), secure digital (SD), micro secure digital (Micro-SD), mini secure digital (Mini SD), extreme digital (xD), multi-media card (MMC), or memory stick.
- CF compact flash
- SD secure digital
- Micro-SD micro secure digital
- Mini SD mini secure digital
- xD extreme digital
- MMC multi-media card
- An external memory may be connected functionally and/or physically to an electronic device through various interfaces.
- the storage unit 120 may store information about an automation tool for detecting vulnerability within the source code itself and vulnerability in a communication interval. Also, the storage unit 120 may store information about the minimum criterion required for issuing a certificate. For example, the storage unit 120 may further include information about a method for scoring each vulnerability item. And if a vulnerability discovery score exceeds the minimum criterion, the server 100 may stop the operation of issuing a certificate.
- the storage unit 120 may store a classification criterion for each company requesting vulnerability analysis of a smart contract. Also, the storage unit 120 may store information about major attack methods for each company classification, history of past hacking occurrences, and information of hacking techniques. Also, the storage unit 120 may store a hash function for calculating a hash value to be included in a certificate at the time of issuing the certificate. At this time, the hash function may include, for example, MD4 function, SHA-0 function, SHA-1 function, SHA-256 function, SHA-384 function, and SHA-512 function, which is not limited to the hash functions mentioned above.
- the storage unit 120 may store a vulnerability list to be checked.
- the vulnerability lists are shown in the following tables.
- Insufficient user authentication Medium Vulnerability that may be exploited when user authentication is insufficient (for example, authentication is performed based on user ID) in a personal information update page or single sign-on (SSO) session, allowing attackers to modify the value passed to a parameter and thereby to assume the user identity and leak personal information
- Weak password recovery High Vulnerability that may be exploited if user authentication is insufficient or password is displayed right on the screen when a function for recovering a password stored in a web application or a temporary password is issued by an administrator, allowing attackers to obtain, modify, or recover the password of other user Session prediction High Vulnerability that may be exploited by attackers to intercept a specific session by predicting the weak ID of the session such as one using a simple increasing ID
- Insufficient access control High Vulnerability that does not limit access rights to sensitive data or functions
- Insufficient session completion Medium Vulnerability that may be exploited when the same session ID is issued for each authentication or session timeout is set too long, thereby
- Table 1 above shows a list of vulnerabilities that may be checked on a smart contract source code
- Table 2 above shows a list of vulnerabilities that may be checked on a web/app.
- Table 1 may include a list of vulnerabilities checked by the source code vulnerability checking unit 131 described later
- Table 2 may include a list of vulnerabilities checked by the communication interval checking unit and execution vulnerability checking unit 133 .
- the controller 130 may also be called a processor, controller, microcontroller, microprocessor, or microcomputer. Meanwhile, the controller may be implemented by hardware, firmware, software, or a combination thereof.
- one embodiment of the present invention may be implemented in the form of modules, procedures, functions, and the like which perform the functions or operations described above.
- Software codes may be stored in the memory and activated by the controller.
- the memory may be located inside or outside of the user terminal and server and may exchange data with the controller by using various well-known means.
- the controller 130 may comprise a source code vulnerability checking unit 131 , communication interval checking unit 132 , execution vulnerability checking unit 133 , and certificate issuing unit 134 .
- FIG. 2 a illustrates an operation of checking source code vulnerabilities performed by the source code vulnerability checking unit 131 on the smart contract source code stored on the blockchain 240 in the form of transactions.
- the contract code written in Solidity may be converted to byte codes by compiling the contract code by Solc.
- the smart contract information converted to byte codes may be stored on the block body of the blockchain.
- the source code vulnerability checking unit 131 may perform vulnerability checking on a source code written in Solidity before the content of a smart contract is converted to byte codes.
- Solidity is a java-based language for implementing smart contracts, and according to various embodiments of the present invention, a source code to be analyzed may be implemented by a programming language in addition to java-based Solidity.
- the source code vulnerability checking unit 131 may perform an operation of recording detected vulnerability and providing the detected vulnerability as feedback to a provider which has provided the source code to be analyzed. Also, when the examined source code is similar to the source code previously checked for vulnerability by more than a prescribed percentage, the examined source code may be determined as a modified version of the same source code. The source code vulnerability checking unit 131 may determine through various other methods whether an examined source code is the source code previously checked for vulnerability, and if the examined source code is determined as the source code in which vulnerability has been found from the previous source code checking, a vulnerability determining criterion performed in the subsequent step (communication interval checking step and web/app vulnerability checking step) may be changed.
- the source code vulnerability checking unit 131 may increase a required reference value for passing a simulated hacking attack or increase the number of simulated hacking techniques that have to be overcome with respect to a smart contract in which vulnerability has been detection and which thereby has a history of modification of the source code.
- the communication interval checking unit 132 and the execution vulnerability checking unit 133 may perform checking operations. The checking operations will be described with reference to FIG. 2 b.
- the content of a smart contract in the form of byte codes recoded on the blockchain 240 may be implemented on a decentralized network such as the Ethereum client 230 .
- the platform on a decentralized network in which a smart contract in the form of byte codes is implemented may be Ethereum Virtual Machine (EVM), where the EVM may be used for other virtual currencies (for example, quantum) or DApp that comply with the Ethereum and the standard code Ethereum Request for Commnet (ERC) 20 of the Ethereum.
- EVM Ethereum Virtual Machine
- EVM Ethereum Virtual Machine
- the EVM may be used for other virtual currencies (for example, quantum) or DApp that comply with the Ethereum and the standard code Ethereum Request for Commnet (ERC) 20 of the Ethereum.
- a smart contract in the form of byte codes may be executed on the EVM, which immediately provides the user with the corresponding content of the smart contract through the browser 260 .
- the communication interval checking unit 132 and the execution vulnerability checking unit 133 may check vulnerabilities on the browser 260 at the step of providing an operation for implementing the smart contract.
- ‘web3.ja’ shown within the browser 260 may indicate an Ethereum javascript API which implements the JSON Remote Procedure Call (RPC) specification.
- RPC Java Remote Procedure Call
- web3.js is a front-end concept for implementing smart contracts; and the communication interval checking unit 130 and the execution vulnerability checking unit 133 may check vulnerabilities with respect to a smart contract app (or web) implemented through web3.js performing the role of the front end.
- the source code communication interval checking operation may be performed by the communication interval checking unit 132 and may perform the role of assessing vulnerabilities in a communication interval.
- the web/app vulnerability checking operation may be performed by the execution vulnerability checking unit 133 , which may include a manual checking operation by the operator of the server 100 .
- the execution vulnerability checking unit 133 may adopt a new checking reference value set according to a determination result by the source code vulnerability checking unit 131 about whether there exists an error correction history or a vulnerability detection history.
- the source code vulnerability checking unit 131 may strengthen the execution vulnerability checking criterion as used in a simulated hacking attack for a source code of a smart contract with an error correction history or a vulnerability detection history.
- the execution vulnerability checking unit 133 may request the operator to perform vulnerability checking (for example, simulated hacking attack) of an app (or web) implemented by the corresponding smart contract source code according to the strengthened criterion.
- the certificate issuing unit 134 may issue a certificate.
- the certificate issuing unit 134 issues a certificate when it is determined from a checking result by the source code vulnerability checking unit, communication interval checking unit, and execution vulnerability checking unit that the security level satisfies a required criterion; and the certificate issuing unit 134 may control the issued certificate to be stored together with the source code in the blockchain block to which the source code of the smart contract is stored.
- the certificate issuing unit 134 issues a certificate by including code information and a hash value indicating the certificate, where the hash value may be calculated based on the certificate code information and content of the smart contract source code.
- the certificate code information may include, for example, information about an authentication subject, information about an authentication date, and information about an authentication validation criterion.
- the hash value may prevent a code indicating the certificate from being copied irrespective of the source code. Even if the certificate code is the same, the hash value may have a different value when the source code of a smart contract is different; therefore, if a different certificate copy is used, the hash value is not validated since the hash value included in the certificate is not the one issued for the corresponding source code.
- the certificate issuing unit 134 may calculate a hash value after adding various elements for preventing a certificate from being copied.
- the certificate issuing unit 134 may control a certificate issued through the communication unit 110 to be transmitted to the block body of the blockchain as transaction data and to be stored therein.
- the certificate issuing unit 134 may issue a certificate including a validation criterion.
- the certificate issuing unit 134 may issue a certificate by including information about a valid period since it is possible that an authentication criterion is changed from since the certificate is issued, and a new threatening element is added.
- the certificate issuing unit 134 may distinguish a certificate issued for a public blockchain database (which transmits a certificate as transaction data to the block body of the blockchain and stores the certificate therein) from a certificate issued for a private blockchain database.
- a public blockchain database which transmits a certificate as transaction data to the block body of the blockchain and stores the certificate therein
- the public blockchain may be characterized that everyone is given a read permission, anyone may generate transactions, and anyone who has participated in a network may verify and authorize transactions. Meanwhile, the public blockchain is further characterized that it is difficult to be modified.
- the certificate for the public blockchain may be issued by including a validation criterion such as a validation period at the time the certificate is created instead of being modified at a later time to be revoked, and accordingly, a smart contract provider may have to re-issue the certificate periodically.
- a private blockchain adopts the advantage of reliability assurance inherent to blockchain while maintaining the conventional centralized method.
- a private blockchain allows each node to be privileged differently by a central entity, which indicates that centralized control is possible for the private blockchain. Accordingly, a certificate, even if it is stored in a private blockchain, may be modified and discarded at a later time.
- the certificate issuing unit 134 may issue a certificate so that it may be discarded and modified at a later time, where, for example, the certificate may be issued by including information about the number of validations. For example, when the number of validations is set to 100, the certificate issuing unit 134 may issue a certificate that is invalidated when certificate reading and authentication is performed 100 times.
- the certificate issuing unit 134 may modify the content of a certificate by newly transmitting a code which sets the initial value of a certificate to 100 and decreases the initial value by one each time authentication is completed and a transaction is performed. If the initial number of validations is counted down to zero according to the method above, the certificate may be regarded as being invalid.
- the certificate issuing unit 134 may issue the certificate by including therein a valid period of the certificate while, when a certificate is recorded in a private blockchain, the certificate issuing unit 134 may issue the certificate by including therein the number of validations of the certificate.
- the certificate issuing unit 134 may provide a notification for renewal of the certificate.
- FIG. 3 is a flow diagram illustrating a procedure for issuing a security certificate of a smart contract according to an embodiment of the present invention.
- the server 100 may perform the operation of receiving the content of a source code 305 . Afterwards, the controller 130 of the server 100 may perform the operation of checking vulnerability of the received source code 310 . At this time, the controller 130 may determine whether vulnerability has been found in the source code, and the source has been modified. For a source code revealing vulnerability and having a history of modification, the controller 130 may request to increase the reference value used for checking vulnerability of a web/app to be performed subsequently.
- the controller 130 may perform the operation of executing the source code on a browser 315 . Afterwards, the controller 130 may perform the operation of checking vulnerability in a communication interval of the source code 320 . Afterwards, the controller 130 may perform the operation of checking vulnerability of an app and a web in which the corresponding source code has been implemented 325 .
- the controller 130 may perform the operation of determining whether vulnerability is found through vulnerability checking 330 and if vulnerability is found, may perform the operation of recording vulnerability type and stopping issuing of a certificate 340 .
- the operation 340 may include the operation of recording the vulnerability type and providing the recorded vulnerability type to a source code provider as feedback information.
- the controller 130 may perform the operation of issuing a certificate and registering the issued certificate on the blockchain as transaction data 335 .
- the controller may determine whether vulnerability is found in the respective steps 310 , 320 , and 325 ; and perform the operation 340 if vulnerability is found in each step.
- the controller 130 may increase the reference value of a vulnerability criterion for the operation 325 ; and accordingly, perform the vulnerability checking operation 325 according to the changed reference value.
- the certificate issuing unit 134 of the controller 130 is employed, where the certificate issuing unit 134 is characterized that it issues a certificate by including code information and a hash value therein and generates the hash value based on the certificate code information and the content of a smart contract source code. Also, when issuing a certificate by configuring a validation criterion, the certificate issuing unit 134 may include a preconfigured number of certifications and a preconfigured period in the validation criterion.
- the certificate issuing unit 134 may configure a valid period for authentication to be shorter than a preconfigured default value and calculate a hash value of the certificate by including information about the shortened valid period. Also, when a certificate is recorded in a public blockchain, the certificate issuing unit 134 may issue the certificate by including a valid period of the certificate while, when a certificate is recorded in a private blockchain, the certificate may be issued by including therein the number of validations of the certificate.
- FIG. 4 is a flow diagram illustrating the order of operations for checking a certificate according to an embodiment of the present invention.
- the controller 130 may perform the operation of searching the transaction recording history of the corresponding block for a certificate corresponding to the smart contract 410 . At this time, the controller 130 may search for the certificate by referring to the certificate storage location information for each smart contract stored previously in the server 100 .
- the controller 130 may perform the operation of determining whether a certificate exists 415 and if it is determined that the certificate does not exist, may perform the operation of requesting stopping the smart contract operation 425 .
- the controller 130 may perform the operation of determining validity by reading the corresponding certificate 420 . At this time, to determine validity of the certificate, the controller 130 may assess a validation criterion such as a valid period included in the certificate. Also, the controller 130 may determine whether the corresponding certificate has been forged by comparing the hash value included in the certificate.
- the controller 130 may perform the operation of approving a smart contract operation 430 .
- the controller may request stopping the corresponding smart contract operation.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Theoretical Computer Science (AREA)
- Software Systems (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Business, Economics & Management (AREA)
- Accounting & Taxation (AREA)
- Finance (AREA)
- Strategic Management (AREA)
- General Business, Economics & Management (AREA)
- Computing Systems (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Health & Medical Sciences (AREA)
- General Health & Medical Sciences (AREA)
- Virology (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
- Storage Device Security (AREA)
Abstract
A server which performs secure authentication on a source code for smart contract may comprise a communication unit receiving a smart contract source code from the server requesting secure authentication; and a controller checking security vulnerability based on the received smart contract source code, wherein the controller comprises a source code vulnerability checking unit reading a source code of a smart contract and checking vulnerability in the source code; a communication interval checking unit checking a communication interval for execution of the source code; an execution vulnerability checking unit checking app and web vulnerability on a browser in which the source code is executed; a certificate issuing unit issuing a certificate if it is found from a checking result that a security level satisfies a required criterion and storing the certificate together with the source code in a blockchain block where the source code of the smart contract is stored.
Description
- The present invention relates to a secure authentication server for smart contracts. More particularly, the present invention relates to a server performing secure authentication by determining whether there exists vulnerability to the threat such as a hacking attack to an app or web which performs a smart contract and issuing a certificate to a smart contract source code free from the vulnerability.
- Smart contact refers to a method of the decentralized ledger technology, which is used to conclude a transaction automatically between parties if specific conditions for the transaction are satisfied. When transaction conditions and content are registered in a smart contract system, relevant laws and procedures corresponding to the contract are applied automatically, and a result of the contract is notified to the transaction parties. The smart contract provides an advantage that transaction procedures are simplified, and costs associated with contracting are reduced.
- Meanwhile, smart contract may be prone to bugs due to errors in the ‘source code’ written in a programming language. According to a recent paper investigating bugs of Ethereum smart contracts, there are three types of bugs in smart contracts: bugs locking up money, bugs causing leakage of money, and bugs causing cancellation of a contract. In fact, among approximately one million smart contracts, 35,200 cases have been found to have potential security vulnerability, and 2365 cases have been found to definitely have bugs. In fact, there was an occasion where Parity, an Ethereum wallet, has been locked up due to a bug, which has locked up a fund of about 150 million USDs. As described above, a security problem in the smart contract may cause serious loss of money, and countermeasures against the problem is required; however, much effort still has to be done to authenticate security for smart contracts.
- The present invention has been made to solve the problem above and is intended to analyze security vulnerability in smart contracts, establish specific security criteria, and verify security according to the criteria.
- Also, the present invention is intended to construct a reliable smart contract environment by issuing a certificate to a smart contract the security stability of which passes the criteria.
- A server which performs secure authentication on a source code for smart contract may comprise a communication unit receiving a smart contract source code from the server requesting secure authentication; and a controller checking security vulnerability based on the received smart contract source code, wherein the controller comprises a source code vulnerability checking unit reading a source code of a smart contract and checking vulnerability in the source code; a communication interval checking unit checking a communication interval for execution of the source code; an execution vulnerability checking unit checking app and web vulnerability on a browser in which the source code is executed; and in response to determining the security level satisfied with the required criterion as a result of checking by the source code vulnerability checking unit, communication interval checking unit, and execution vulnerability checking unit, a certificate issuing unit issuing a certificate and storing the certificate together with the source code in a blockchain block where the source code of the smart contract is stored.
- Since various embodiments of the present invention assess security vulnerability of smart contract performed through blockchain and issue a certificate only for the smart contract which does not reveal security vulnerability, a contract program may be developed according to a stricter security criterion when a source code of the smart contract is designed.
- Also, various embodiments of the present invention perform a smart contract only when a certificate is validated, thereby providing a smart transaction environment secure from hacking threats.
-
FIG. 1 is a block diagram illustrating a structure of a secure authentication server for smart contracts according to an embodiment of the present invention. -
FIGS. 2a and 2b illustrate an example of an authentication operation of a secure authentication server for smart contracts according to an embodiment of the present invention. -
FIG. 3 is a flow diagram illustrating a procedure for issuing a security certificate of a smart contract according to an embodiment of the present invention. -
FIG. 4 is a flow diagram illustrating the order of operations for checking a certificate according to an embodiment of the present invention. - A server which performs secure authentication on a source code for a smart contract may comprise a communication unit receiving a smart contract source code from the server requesting secure authentication; and a controller checking security vulnerability based on the received smart contract source code, wherein the controller comprises a source code vulnerability checking unit reading a source code of a smart contract and checking vulnerability in the source code; a communication interval checking unit checking a communication interval for execution of the source code; an execution vulnerability checking unit checking app and web vulnerability on a browser in which the source code is executed; and in response to determining the security level satisfied with the required condition as a result of checking by the source code vulnerability checking unit, communication interval checking unit, and execution vulnerability checking unit, a certificate issuing unit issuing a certificate and storing the certificate together with the source code in a blockchain block where the source code of the smart contract is stored.
- Since the present invention may be modified in various ways and may provide various embodiments, specific embodiments will be depicted in the appended drawings and described in detail with reference to the drawings.
- However, it should be understood that the specific embodiments are not intended to restrict the gist of the present invention to the specific embodiments; rather, it should be understood that the specific embodiments include all of the modifications, equivalents or substitutes described by the technical principles and belonging to the technical scope of the present invention. To describe the respective drawings, similar reference symbol numbers are given to similar elements.
- If a constituting element is said to be ‘connected’ or ‘attached’ to other constituting element, the former may be connected or attached directly to the other constituting element, but there may be a case in which another constituting element is present between the two constituting elements. On the other hand, if a constituting element is said to be ‘directly connected’ or ‘directly attached’ to other constituting element, it should be understood that there is no other constituting element between the two constituting elements.
- Terms used in this document are intended only for describing a specific embodiment and are not intended to limit the technical scope of the present invention. A singular expression should be understood to indicate a plural expression unless otherwise explicitly stated. The term of ‘include’ or ‘have’ is used to indicate existence of an embodied feature, number, step, operation, element, component, or a combination thereof; and should not be understood to preclude the existence or possibility of adding one or more other features, numbers, steps, operations, elements, components, or a combination thereof.
- In what follows, with reference to
FIGS. 1 to 2 b, a secure authentication operation for a smart contract according to an embodiment of the present invention will be described. -
FIG. 1 is a block diagram illustrating a structure of a secure authentication server for smart contracts according to an embodiment of the present invention. -
FIGS. 2a and 2b illustrate an example of an authentication operation of a secure authentication server for smart contracts according to an embodiment of the present invention. - The
secure authentication server 100 according to an embodiment of the present invention may include acommunication unit 110,storage unit 120, andcontroller 130. Thecontroller 130 may include a source codevulnerability checking unit 131, communicationinterval checking unit 132, executionvulnerability checking unit 133, andcertificate issuing unit 134. - The
communication unit 110 may utilize a network for transmitting and receiving data between a user device and a server, where the type of the network is not limited to a particular one. For example, the network may be an Internet Protocol (IP) network which provides a service of transmitting and receiving a large amount of data or an All IP network which integrates different IP networks. Also, the network may be one of a wired network, Wireless Broadband (Wibro) network, mobile communication network including WCDMA, mobile communication network including a High Speed Downlink Packet Access (HSDPA) network and Long Term Evolution (LTE) network, mobile communication network including LTE advanced (LTE-A) and Five Generation (5G) network, satellite network, and Wi-Fi network; or a combination of at least one or more of the networks above. - The
communication network 110 according to an embodiment of the present invention may receive a smart contract source code from a server requesting secure authentication. Also, thecommunication network 110 may perform a data transmission operation for storing a certificate on the blockchain in which the smart contract source code is stored, the certificate indicating completion of secure authentication of the corresponding source code. At this time, the blockchain may refer to a blockchain (for example, Ethereum) which supports smart contracts. And according to various embodiments, the blockchain may include a private blockchain managed by a government organization or corporate company as well as a public blockchain such as Ethereum. - Also, the
communication unit 110 may collect information about a target company of secure authentication and clients according to various embodiments of the present invention. Referring to the collected data, theserver 100 may analyze vulnerability of the web and apps in which a smart contract source code is implemented. For example, theserver 100 may collect information about major hacking methods for each field, collect information about classification of a company providing a smart contract which is a target of security checking, calculates a hacking technique used primarily for classification of a company providing the smart contract which is a target of security checking, and writes a list of simulated hacking requests based on the calculated hacking technique. An operator of theserver 100 may directly participate in part of the security checking process and manually perform simulated hacking, where the operator may perform simulated hacking based on the list of simulated hacking requests. And theserver 100 may control a certificate to be issued only when the smart contract passes hacking techniques on the list of simulated hacking requests. - The
communication unit 110 may receive not only a smart contract source code but also a certificate stored previously on the block body of a blockchain. Accordingly, theserver 100 may determine validity of the corresponding certificate based on the code information and hash value of the received certificate; and only when the certificate is determined to be valid, theserver 100 may approve smart contract operations. - The
storage unit 120, for example, may include an internal or external memory. For example, an internal memory may include at least one of a volatile memory (for example, dynamic RAM (DRAM), static RAM (SRAM), or synchronous dynamic RAM (SDRAM)), non-volatile memory (for example, one-time programmable ROM (OTPROM), programmable ROM (PROM), erasable and programmable ROM (EPROM), electrically erasable and programmable ROM (EEPROM), mask ROM, flash ROM, flash memory (for example, NAND flash or NOR flash memory), hard drive, or solid state drive (SDD). - An external memory may further include a flash drive, for example, compact flash (CF), secure digital (SD), micro secure digital (Micro-SD), mini secure digital (Mini SD), extreme digital (xD), multi-media card (MMC), or memory stick. An external memory may be connected functionally and/or physically to an electronic device through various interfaces.
- The
storage unit 120 according to an embodiment of the present invention may store information about an automation tool for detecting vulnerability within the source code itself and vulnerability in a communication interval. Also, thestorage unit 120 may store information about the minimum criterion required for issuing a certificate. For example, thestorage unit 120 may further include information about a method for scoring each vulnerability item. And if a vulnerability discovery score exceeds the minimum criterion, theserver 100 may stop the operation of issuing a certificate. - According to various embodiments, the
storage unit 120 may store a classification criterion for each company requesting vulnerability analysis of a smart contract. Also, thestorage unit 120 may store information about major attack methods for each company classification, history of past hacking occurrences, and information of hacking techniques. Also, thestorage unit 120 may store a hash function for calculating a hash value to be included in a certificate at the time of issuing the certificate. At this time, the hash function may include, for example, MD4 function, SHA-0 function, SHA-1 function, SHA-256 function, SHA-384 function, and SHA-512 function, which is not limited to the hash functions mentioned above. - Also, the
storage unit 120 may store a vulnerability list to be checked. The vulnerability lists are shown in the following tables. -
TABLE 1 Vulnerability name Severity level Description Weak Credentials High Vulnerability that may be exploited when a predictable password is used Use Equals To Compare Strings Medium Vulnerability that may be exploited when a comparison operator such as == or != is used for comparison of strings Method Argument Could Be Medium Vulnerability that may be exploited when reassignment is not Final defined after a transfer argument is passed (after an argument is passed, the corresponding argument needs to be reassigned, or final declaration is required) Use of non-cryptographic Medium Vulnerability that may be exploited when a non-cryptographic PRNG pseudo-random number generator is used Duplicate If Low Vulnerability that may be exploited when duplicate expressions are used Weak Random Low Vulnerability that may be exploited when a weak random number generator is used Constant Memory Allocation Low Vulnerability that may be exploited when a memory allocation function does not return the size of a data type (result of sizeof operator) (which may cause buffer overflow vulnerability) Unused Function Low Vulnerability that may be exploited when a declared function is not used Possible Off By One Error in High Vulnerability due to possibility of an infinite loop when the size of For Loop an array is not specified Null Pointer High Vulnerability due to absence of a routine for checking the null value Memleak High Vulnerability due to memory leak Resource Leak High Vulnerability due to resource leak Denial of Service Low Vulnerability to DoS attack due to the use of BufferedReader.readLine( ) function Unused Allocated Memory Low Vulnerability that may be exploited when unused memory is allocated Unread Variable Low Vulnerability that may be exploited when an unread value is allocated to a variable -
TABLE 2 Vulnerability name Severity level Description Weak Credentials High Vulnerability that may be exploited when a predictable password is used Use Equals To Compare Strings Medium Vulnerability that may be exploited when a comparison operator such as == or != is used for comparison of strings Method Argument Could Be Medium Vulnerability that may be exploited when reassignment is not Final defined after a transfer argument is passed (after an argument is passed, the corresponding argument needs to be reassigned, or final declaration is required) Use of non-cryptographic PRNG Medium Vulnerability that may be exploited when a non-cryptographic pseudo-random number generator is used Duplicate If Low Vulnerability that may be exploited when duplicate expressions are used Weak Random Low Vulnerability that may be exploited when a weak random number generator is used Constant Memory Allocation Low Vulnerability that may be exploited when a memory allocation function does not return the size of a data type (result of sizeof operator) (which may cause buffer overflow vulnerability) Unused Function Low Vulnerability that may be exploited when a declared function is not used External Links Low Vulnerability that may be exploited when an URL is included in a source code (an inappropriate link has to be reviewed) Cross Site Scripting High Vulnerability that may be exploited when data received from a user is not filtered in a webpage but is retransmitted to the user by being included in a dynamically created webpage SQL injection High Vulnerability due to reading or manipulating information of DB by injecting SQL statements to the input form or URL input field Debug Parameter High Vulnerability due to existence of a debug-related parameter within a source code Cryptography High Vulnerability due to existence of hard-coded cryptographic key within a source code No Html Comments High Vulnerability due to existence of unnecessary URLs within HTML comments Jsp Encoding Medium Vulnerability due to absence of encoding type Potentially Sensitive Data Medium Vulnerability due to existence of a temporary file Visible Process Control Low Vulnerability due to existence of an external program execution command (linux, cmd, and the like) within a source code Poor Logging Practice Low Vulnerability that may be exploited when logs are output by using a function such as System.out.print (In) or System.err.print(In) (where the logging function may be used through an application) Buffer overflow High Vulnerability causing a defect by putting more data than the block size of a memory or a buffer Format string High Vulnerability due to the problem that a string-processing part may access the memory space Injection High Vulnerability allowing access to a database by injecting an input that may be interpreted as an SQL statement Operating system command High Vulnerability that may allow attackers to call an operating system execution command and to attempt to install a backdoor or take over administrator rights when filtering of user input values is not conducted properly Directory indexing Medium Vulnerability that displays the whole list of files within a directory and exposes important files such as a web server structure, backup files, or source files when directory indexing is enabled but an index file does not exist in the directory when the corresponding directory is requested Excessive exposure of error Medium Vulnerability that exposes important information when the attacker page causes an error while error handling (e.g., redirecting to a separate error page) is not defined at the occurrence of the error Plain text exposure of sensitive High Vulnerability that exposes important information such as account information information (ID and password) and personal information (resident registration number or card number) as plain text within a source of a web application Security misconfiguration High Vulnerability allowing attackers to access a web server for which security is not configured properly Plain text transmission of Medium Vulnerability allowing information to be captured and stolen through sensitive information eavesdropping when sensitive information such as login authentication information is transmitted as plain text without using an encryption method Malicious content High Vulnerability having a malicious influence on the user as malicious content is injected to a web application instead of normal content Cross-site scripting (XSS) Medium Vulnerability that may be exploited when filtering of user input values is not conducted properly in a web application, allowing attackers to insert a malicious script into an enterable form and thereby to steal a user session and distribute a malicious code. Password complexity High Vulnerability that may be exploited when a weak password is allowed for membership subscription, allowing attackers to attempt password entering by guessing and password entering by using a dictionary file constructed by collecting surrounding information Argument modification High Vulnerability that may be exploited when access control is not fully examined for all possible execution paths or performed insufficiently, allowing attackers to leak user information through an accessible execution path or to elevate administrative rights temporarily Client-based authentication High Vulnerability that may be exploited when authentication is client- based, allowing attackers to bypass authentication through modification of the code such as javascript, VBscript, or Java Applet. Insufficient user authentication Medium Vulnerability that may be exploited when user authentication is insufficient (for example, authentication is performed based on user ID) in a personal information update page or single sign-on (SSO) session, allowing attackers to modify the value passed to a parameter and thereby to assume the user identity and leak personal information Weak password recovery High Vulnerability that may be exploited if user authentication is insufficient or password is displayed right on the screen when a function for recovering a password stored in a web application or a temporary password is issued by an administrator, allowing attackers to obtain, modify, or recover the password of other user Session prediction High Vulnerability that may be exploited by attackers to intercept a specific session by predicting the weak ID of the session such as one using a simple increasing ID Insufficient access control High Vulnerability that does not limit access rights to sensitive data or functions Insufficient session completion Medium Vulnerability that may be exploited when the same session ID is issued for each authentication or session timeout is set too long, thereby allowing attackers to reuse the session Session fixation High Vulnerability allowing user authentication information to be reused by or retransmitted to other terminal Automation attack High Vulnerability that may be exploited when the number of attempts to access a specific process is not limited, allowing attackers to perform the specific process repeatedly by using an automation tool and bot and thereby to initiate a large number of processes, eventually exerting an influence on the system performance Process verification missing High Vulnerability allowing attackers to upload a web program capable of directly accessing a web server and executing system commands by using a file upload function File upload High Vulnerability allowing attackers to upload a web program capable of directly accessing a web server and executing system commands by using a file upload function File download High Vulnerability allowing attackers to download attached key files by manipulating a file download path Administrator page exposure Medium Vulnerability that may be exploited when the administrator page is composed in a predictable form, allowing attackers to easily access the administrator page and to obtain administrator rights through brute-force attack Elevation of rights through High Vulnerability allowing attackers to modify the cookie value, which is modification of cookie values one of user authentication methods, and thereby to switch to a different user or elevate administrative rights Unnecessary file exposure Medium Vulnerability that may be exploited when a predictable directory or file name is used and the corresponding location thereof is easily exposed, allowing attackers to exploit the exposed location to access information about a target object and data containing sensitive information Use of predictable password High Vulnerability that may be exploited when a default account and password are used after a web service is installed, allowing attackers to use the web service by exploiting the corresponding right Exposure of system operation High Vulnerability allowing important information of a web service and information by an external site content of the web page to be collected through a search engine and thereby to be exposed to an external unauthorized person Phishing attack using a redirect High Vulnerability that may be exploited when a redirect function exists, function allowing a current page to be redirected to an arbitrary page due to lack of verification of URL arguments Allowing unnecessary web Low Vulnerability that may be exploited when unnecessary methods are method allowed in addition to one commonly used in a web application, such as GET or POST method, allowing attackers to generate, delete, or modify a file in a web server by using the unnecessary method - Table 1 above shows a list of vulnerabilities that may be checked on a smart contract source code, and Table 2 above shows a list of vulnerabilities that may be checked on a web/app. In other words, Table 1 may include a list of vulnerabilities checked by the source code
vulnerability checking unit 131 described later, and Table 2 may include a list of vulnerabilities checked by the communication interval checking unit and executionvulnerability checking unit 133. Thecontroller 130 may also be called a processor, controller, microcontroller, microprocessor, or microcomputer. Meanwhile, the controller may be implemented by hardware, firmware, software, or a combination thereof. - In the case of implementation by firmware or software, one embodiment of the present invention may be implemented in the form of modules, procedures, functions, and the like which perform the functions or operations described above. Software codes may be stored in the memory and activated by the controller. The memory may be located inside or outside of the user terminal and server and may exchange data with the controller by using various well-known means.
- The
controller 130 according to an embodiment of the present invention may comprise a source codevulnerability checking unit 131, communicationinterval checking unit 132, executionvulnerability checking unit 133, andcertificate issuing unit 134. - Operation of the source code
vulnerability checking unit 131 will be described with reference toFIG. 2a .FIG. 2a illustrates an operation of checking source code vulnerabilities performed by the source codevulnerability checking unit 131 on the smart contract source code stored on theblockchain 240 in the form of transactions. - As shown in
FIG. 2a , in theDevelopment step 220, the contract code written in Solidity may be converted to byte codes by compiling the contract code by Solc. The smart contract information converted to byte codes may be stored on the block body of the blockchain. The source codevulnerability checking unit 131 may perform vulnerability checking on a source code written in Solidity before the content of a smart contract is converted to byte codes. Here, Solidity is a java-based language for implementing smart contracts, and according to various embodiments of the present invention, a source code to be analyzed may be implemented by a programming language in addition to java-based Solidity. - Depending on various embodiments, while performing source code vulnerability checking 210, the source code
vulnerability checking unit 131 may perform an operation of recording detected vulnerability and providing the detected vulnerability as feedback to a provider which has provided the source code to be analyzed. Also, when the examined source code is similar to the source code previously checked for vulnerability by more than a prescribed percentage, the examined source code may be determined as a modified version of the same source code. The source codevulnerability checking unit 131 may determine through various other methods whether an examined source code is the source code previously checked for vulnerability, and if the examined source code is determined as the source code in which vulnerability has been found from the previous source code checking, a vulnerability determining criterion performed in the subsequent step (communication interval checking step and web/app vulnerability checking step) may be changed. For example, the source codevulnerability checking unit 131 may increase a required reference value for passing a simulated hacking attack or increase the number of simulated hacking techniques that have to be overcome with respect to a smart contract in which vulnerability has been detection and which thereby has a history of modification of the source code. - After the source code
vulnerability checking unit 131 checks vulnerabilities of a source code, the communicationinterval checking unit 132 and the executionvulnerability checking unit 133 may perform checking operations. The checking operations will be described with reference toFIG. 2 b. - As shown in
FIG. 2b , the content of a smart contract in the form of byte codes recoded on theblockchain 240 may be implemented on a decentralized network such as theEthereum client 230. The platform on a decentralized network in which a smart contract in the form of byte codes is implemented may be Ethereum Virtual Machine (EVM), where the EVM may be used for other virtual currencies (for example, quantum) or DApp that comply with the Ethereum and the standard code Ethereum Request for Commnet (ERC) 20 of the Ethereum. - A smart contract in the form of byte codes may be executed on the EVM, which immediately provides the user with the corresponding content of the smart contract through the
browser 260. The communicationinterval checking unit 132 and the executionvulnerability checking unit 133 may check vulnerabilities on thebrowser 260 at the step of providing an operation for implementing the smart contract. - ‘web3.ja’ shown within the
browser 260 may indicate an Ethereum javascript API which implements the JSON Remote Procedure Call (RPC) specification. In other words, while the EVM for implementing smart contracts is a back-end concept, web3.js is a front-end concept for implementing smart contracts; and the communicationinterval checking unit 130 and the executionvulnerability checking unit 133 may check vulnerabilities with respect to a smart contract app (or web) implemented through web3.js performing the role of the front end. - Referring to 250 of
FIG. 2b , the source code communication interval checking operation may be performed by the communicationinterval checking unit 132 and may perform the role of assessing vulnerabilities in a communication interval. And the web/app vulnerability checking operation may be performed by the executionvulnerability checking unit 133, which may include a manual checking operation by the operator of theserver 100. According to various embodiments, the executionvulnerability checking unit 133 may adopt a new checking reference value set according to a determination result by the source codevulnerability checking unit 131 about whether there exists an error correction history or a vulnerability detection history. For example, the source codevulnerability checking unit 131 may strengthen the execution vulnerability checking criterion as used in a simulated hacking attack for a source code of a smart contract with an error correction history or a vulnerability detection history. In response to the operation above, the executionvulnerability checking unit 133 may request the operator to perform vulnerability checking (for example, simulated hacking attack) of an app (or web) implemented by the corresponding smart contract source code according to the strengthened criterion. - For a smart contract for which vulnerability checking has been completed by the source code
vulnerability checking unit 131, communicationinterval checking unit 132, and executionvulnerability checking unit 133; and which has satisfied the vulnerability checking criterion, thecertificate issuing unit 134 may issue a certificate. - The
certificate issuing unit 134 issues a certificate when it is determined from a checking result by the source code vulnerability checking unit, communication interval checking unit, and execution vulnerability checking unit that the security level satisfies a required criterion; and thecertificate issuing unit 134 may control the issued certificate to be stored together with the source code in the blockchain block to which the source code of the smart contract is stored. - Also, the
certificate issuing unit 134 issues a certificate by including code information and a hash value indicating the certificate, where the hash value may be calculated based on the certificate code information and content of the smart contract source code. The certificate code information may include, for example, information about an authentication subject, information about an authentication date, and information about an authentication validation criterion. The hash value may prevent a code indicating the certificate from being copied irrespective of the source code. Even if the certificate code is the same, the hash value may have a different value when the source code of a smart contract is different; therefore, if a different certificate copy is used, the hash value is not validated since the hash value included in the certificate is not the one issued for the corresponding source code. - In addition, according to various embodiments, the
certificate issuing unit 134 may calculate a hash value after adding various elements for preventing a certificate from being copied. - The
certificate issuing unit 134 may control a certificate issued through thecommunication unit 110 to be transmitted to the block body of the blockchain as transaction data and to be stored therein. - According to various embodiments, the
certificate issuing unit 134 may issue a certificate including a validation criterion. For example, thecertificate issuing unit 134 may issue a certificate by including information about a valid period since it is possible that an authentication criterion is changed from since the certificate is issued, and a new threatening element is added. - Also, according to various embodiments, the
certificate issuing unit 134 may distinguish a certificate issued for a public blockchain database (which transmits a certificate as transaction data to the block body of the blockchain and stores the certificate therein) from a certificate issued for a private blockchain database. This distinction results from a structural difference between a public blockchain database and a private blockchain database, where the public blockchain may be characterized that everyone is given a read permission, anyone may generate transactions, and anyone who has participated in a network may verify and authorize transactions. Meanwhile, the public blockchain is further characterized that it is difficult to be modified. Since the content of a certificate recorded in the public blockchain may not be modified, the certificate for the public blockchain may be issued by including a validation criterion such as a validation period at the time the certificate is created instead of being modified at a later time to be revoked, and accordingly, a smart contract provider may have to re-issue the certificate periodically. - Meanwhile, a private blockchain adopts the advantage of reliability assurance inherent to blockchain while maintaining the conventional centralized method. A private blockchain allows each node to be privileged differently by a central entity, which indicates that centralized control is possible for the private blockchain. Accordingly, a certificate, even if it is stored in a private blockchain, may be modified and discarded at a later time. In other words, the
certificate issuing unit 134 may issue a certificate so that it may be discarded and modified at a later time, where, for example, the certificate may be issued by including information about the number of validations. For example, when the number of validations is set to 100, thecertificate issuing unit 134 may issue a certificate that is invalidated when certificate reading and authentication is performed 100 times. To this purpose, thecertificate issuing unit 134 may modify the content of a certificate by newly transmitting a code which sets the initial value of a certificate to 100 and decreases the initial value by one each time authentication is completed and a transaction is performed. If the initial number of validations is counted down to zero according to the method above, the certificate may be regarded as being invalid. - According to various embodiments, when recording a certificate in a public blockchain, the
certificate issuing unit 134 may issue the certificate by including therein a valid period of the certificate while, when a certificate is recorded in a private blockchain, thecertificate issuing unit 134 may issue the certificate by including therein the number of validations of the certificate. - Also, if the certificate expiration date is reached, or the number of validations becomes smaller than a prescribed number, the
certificate issuing unit 134 may provide a notification for renewal of the certificate. -
FIG. 3 is a flow diagram illustrating a procedure for issuing a security certificate of a smart contract according to an embodiment of the present invention. - The server 100 (communication unit 110) may perform the operation of receiving the content of a
source code 305. Afterwards, thecontroller 130 of theserver 100 may perform the operation of checking vulnerability of the receivedsource code 310. At this time, thecontroller 130 may determine whether vulnerability has been found in the source code, and the source has been modified. For a source code revealing vulnerability and having a history of modification, thecontroller 130 may request to increase the reference value used for checking vulnerability of a web/app to be performed subsequently. - After the operation of checking vulnerability of a
source code 310, thecontroller 130 may perform the operation of executing the source code on abrowser 315. Afterwards, thecontroller 130 may perform the operation of checking vulnerability in a communication interval of thesource code 320. Afterwards, thecontroller 130 may perform the operation of checking vulnerability of an app and a web in which the corresponding source code has been implemented 325. - Afterwards, the
controller 130 may perform the operation of determining whether vulnerability is found through vulnerability checking 330 and if vulnerability is found, may perform the operation of recording vulnerability type and stopping issuing of acertificate 340. Theoperation 340 may include the operation of recording the vulnerability type and providing the recorded vulnerability type to a source code provider as feedback information. - Meanwhile, if no vulnerability is found, the
controller 130 may perform the operation of issuing a certificate and registering the issued certificate on the blockchain as transaction data 335. - According to various embodiments, the controller may determine whether vulnerability is found in the
respective steps operation 340 if vulnerability is found in each step. - Also, if vulnerability is found by applying at least one of the
operations controller 130 may increase the reference value of a vulnerability criterion for theoperation 325; and accordingly, perform thevulnerability checking operation 325 according to the changed reference value. - And when the
controller 130 issues a certificate, thecertificate issuing unit 134 of thecontroller 130 is employed, where thecertificate issuing unit 134 is characterized that it issues a certificate by including code information and a hash value therein and generates the hash value based on the certificate code information and the content of a smart contract source code. Also, when issuing a certificate by configuring a validation criterion, thecertificate issuing unit 134 may include a preconfigured number of certifications and a preconfigured period in the validation criterion. Also, when a certificate is issued for a smart contract in which security vulnerability has been found and which thereby has a history of modifications, thecertificate issuing unit 134 may configure a valid period for authentication to be shorter than a preconfigured default value and calculate a hash value of the certificate by including information about the shortened valid period. Also, when a certificate is recorded in a public blockchain, thecertificate issuing unit 134 may issue the certificate by including a valid period of the certificate while, when a certificate is recorded in a private blockchain, the certificate may be issued by including therein the number of validations of the certificate. -
FIG. 4 is a flow diagram illustrating the order of operations for checking a certificate according to an embodiment of the present invention. - If performing the operation of receiving a smart
contract request signal 405, thecontroller 130 may perform the operation of searching the transaction recording history of the corresponding block for a certificate corresponding to thesmart contract 410. At this time, thecontroller 130 may search for the certificate by referring to the certificate storage location information for each smart contract stored previously in theserver 100. - Afterwards, the
controller 130 may perform the operation of determining whether a certificate exists 415 and if it is determined that the certificate does not exist, may perform the operation of requesting stopping thesmart contract operation 425. - Meanwhile, if it is found that a certificate exists, the
controller 130 may perform the operation of determining validity by reading thecorresponding certificate 420. At this time, to determine validity of the certificate, thecontroller 130 may assess a validation criterion such as a valid period included in the certificate. Also, thecontroller 130 may determine whether the corresponding certificate has been forged by comparing the hash value included in the certificate. - Afterwards, if it is determined that the corresponding certificate is valid, the
controller 130 may perform the operation of approving asmart contract operation 430. On the other hand, if it is determined that the corresponding certificate is invalid, the controller may request stopping the corresponding smart contract operation. - The present invention has been described in detail with reference to the embodiments above; however, it should be understood by those skilled in the art that alteration, modification, and variation of the present embodiments may be made without departing from the technical scope of the present invention. In other words, to achieve the intended effect of the present invention, all of the functional blocks shown in the drawings do not necessarily have to be included separately nor do all of the steps in the drawings necessarily have to be followed as they appear therein; even if not so operated, it should be noted that as much deviation as possible from the embodiments still belong to the technical scope of the present invention defined in the appended claims.
Claims (8)
1. A server which performs secure authentication on a source code for smart contract, comprising:
a communication unit receiving a smart contract source code from the server requesting secure authentication; and
a controller checking security vulnerability based on the received smart contract source code,
wherein the controller comprises:
a source code vulnerability checking unit reading a source code of a smart contract and checking vulnerability in the source code;
a communication interval checking unit checking a communication interval for execution of the source code;
an execution vulnerability checking unit checking app and web vulnerability on a browser in which the source code is executed; and
in response to determining a security level satisfied with a required criterion as a result of checking by the source code vulnerability checking unit, communication interval checking unit, and execution vulnerability checking unit, a certificate issuing unit issuing a certificate and storing the certificate together with the source code in a blockchain block where the source code of the smart contract is stored.
2. The server of claim 1 , wherein the certificate issuing unit issues the certificate by including therein code information and a hash value; and
generates the hash value based on certificate code information and content of a smart contract source code.
3. The server of claim 1 , wherein, when the certificate issuing unit issues the certificate by configuring a validation criterion, the validation criterion includes a preconfigured number of certifications and a preconfigured period.
4. The server of claim 1 , wherein the execution vulnerability checking unit performs vulnerability checking by increasing a required reference value for passing a simulated hacking attack with respect to a smart contract in which vulnerability has been detected by at least one of the source code vulnerability checking unit and the communication interval checking unit and which thereby has a history of modification of a source code.
5. The server of claim 1 , wherein, when a certificate is issued for a smart contract in which security vulnerability has been found and which thereby has a history of modifications, the certificate issuing unit configures a valid period for authentication to be shorter than a preconfigured default value and calculates a hash value of the certificate by including information about the shortened valid period.
6. The server of claim 1 , wherein the controller performs certificate checking to perform an operation of the smart contract, wherein existence of the certificate is determined based on transaction location information; in the presence of the certificate, determines validity of the certificate by receiving a code and hash value of the certificate; and if it is determined to be a valid certificate, approves to perform the corresponding smart contract operation.
7. The server of claim 1 , wherein, if vulnerability is detected in a source code under analysis, the source code vulnerability checking unit stops subsequent operations for issuing a certificate and reports a list of detected vulnerabilities and modifications.
8. The server of claim 1 , wherein, when recording a certificate in a public blockchain, the certificate issuing unit issues the certificate by including therein a valid period of the certificate while, when a certificate is recorded in a private blockchain, the certificate issuing unit issues the certificate by including therein a number of validations of the certificate.
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR10-2018-0105594 | 2018-09-04 | ||
KR1020180105594A KR101947760B1 (en) | 2018-09-04 | 2018-09-04 | Secure authentication server for smart contract |
PCT/KR2019/006017 WO2020050474A1 (en) | 2018-09-04 | 2019-05-20 | Security certification server for smart contracts |
Publications (2)
Publication Number | Publication Date |
---|---|
US20210334363A1 true US20210334363A1 (en) | 2021-10-28 |
US11170097B1 US11170097B1 (en) | 2021-11-09 |
Family
ID=65366501
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US16/468,279 Active 2040-06-25 US11170097B1 (en) | 2018-09-04 | 2019-05-20 | Secure authentication server for smart contract |
Country Status (3)
Country | Link |
---|---|
US (1) | US11170097B1 (en) |
KR (1) | KR101947760B1 (en) |
WO (1) | WO2020050474A1 (en) |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20210067351A1 (en) * | 2019-09-03 | 2021-03-04 | Fujitsu Limited | Communication apparatus and communication method |
US20220207122A1 (en) * | 2019-09-05 | 2022-06-30 | Open Lens Project Ltd. | System and method for management of digital media content |
CN115391789A (en) * | 2022-09-14 | 2022-11-25 | 杭州安碣信息安全科技有限公司 | Intelligent analysis method and device for Rust intelligent contract |
US20230069078A1 (en) * | 2019-04-12 | 2023-03-02 | Symbiont.Io, Inc. | Systems, devices, and methods for dlt-based data management platforms and data products |
US11817998B2 (en) * | 2019-01-28 | 2023-11-14 | Elisa Oyj | Automated configuration deployment in network operations systems |
Families Citing this family (17)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR102008001B1 (en) * | 2019-02-21 | 2019-08-06 | 주식회사 모파스 | System for generating smart contract using blockchain |
KR102218163B1 (en) * | 2019-02-25 | 2021-02-23 | 이지스체인 주식회사 | Distributed ledger system with enhanced security and service providing method based on the distributed ledger technology using thereof |
CN110033244B (en) * | 2019-03-15 | 2021-10-22 | 创新先进技术有限公司 | Intelligent contract execution method and device based on block chain and electronic equipment |
CN109948345A (en) * | 2019-03-20 | 2019-06-28 | 杭州拜思科技有限公司 | A kind of method, the system of intelligence contract Hole Detection |
CN110059837A (en) * | 2019-04-30 | 2019-07-26 | 安徽德宾信息科技有限公司 | A kind of equipment point-detecting management system |
EP3906488B1 (en) * | 2019-06-12 | 2023-08-02 | Nec Corporation | Method and contract rewriting framework system for supporting smart contracts in a blockchain network |
CN110737899B (en) * | 2019-09-24 | 2022-09-06 | 暨南大学 | Intelligent contract security vulnerability detection method based on machine learning |
KR102163930B1 (en) * | 2019-09-30 | 2020-10-12 | 넷마블 주식회사 | Distributed compile system implementing blockchain rewards |
KR102247233B1 (en) * | 2019-10-28 | 2021-05-03 | 주식회사 린아레나 | Method for auditing smart contract with multi layer and apparatus thereof |
CN111026578B (en) * | 2019-11-15 | 2023-09-29 | 杭州云象网络技术有限公司 | Intelligent contract security detection method based on prophetic machine |
CN111028077B (en) * | 2019-11-20 | 2023-04-11 | 华中科技大学 | Intelligent contract protection method and system based on input filter |
CN111464643B (en) * | 2020-04-01 | 2021-07-09 | 西安交通大学 | Multi-energy trading and management platform based on block chain |
CN111753306B (en) * | 2020-05-29 | 2022-08-05 | 西安深信科创信息技术有限公司 | Intelligent contract vulnerability detection method and device, electronic equipment and storage medium |
CN111898134B (en) * | 2020-08-03 | 2022-11-11 | 北京理工大学 | Intelligent contract vulnerability detection method and device based on LSTM and BiLSTM |
US20230418951A1 (en) * | 2020-11-17 | 2023-12-28 | Sooho.Io Inc. | Apparatus and method for analyzing vulnerabilities of smart contract code |
KR102227403B1 (en) * | 2020-12-09 | 2021-03-12 | 넷마블 주식회사 | Distributed compile system implementing blockchain rewards |
CN112990941B (en) * | 2021-03-10 | 2022-06-07 | 武汉大学 | Vulnerability detection method and system for Pompe frauds in intelligent contracts |
Family Cites Families (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR101810150B1 (en) * | 2015-04-09 | 2018-01-26 | (주)아이씨엔캐스트 | THIRD PARTY'S SECURITY AUTHENTICATION SYSTEM BETWEEN MOBILE DEVICE AND IoT DEVICES AND METHOD THEREOF |
KR101637854B1 (en) * | 2015-10-16 | 2016-07-08 | 주식회사 코인플러그 | Certificate issuance system and method based on block chain, certificate authentication system and method based on block chain |
KR101680260B1 (en) | 2015-12-14 | 2016-11-29 | 주식회사 코인플러그 | Certificate issuance system and method based on block chain |
JP6703918B2 (en) | 2016-08-31 | 2020-06-03 | ヤフー株式会社 | Generation program, generation device, and generation method |
KR20180041055A (en) | 2017-09-06 | 2018-04-23 | 주식회사 코인플러그 | Method for providing certificate service based on smart contract and server using the same |
US11310234B2 (en) * | 2017-11-16 | 2022-04-19 | International Business Machines Corporation | Securing permissioned blockchain network from pseudospoofing network attacks |
US20190306173A1 (en) * | 2018-04-02 | 2019-10-03 | Ca, Inc. | Alert smart contracts configured to manage and respond to alerts related to code |
US20190303623A1 (en) * | 2018-04-02 | 2019-10-03 | Ca, Inc. | Promotion smart contracts for software development processes |
US20190303541A1 (en) * | 2018-04-02 | 2019-10-03 | Ca, Inc. | Auditing smart contracts configured to manage and document software audits |
US10924484B2 (en) * | 2018-04-26 | 2021-02-16 | Radware, Ltd. | Method for determining a cost to allow a blockchain-based admission to a protected entity |
US10769869B2 (en) * | 2018-06-27 | 2020-09-08 | International Business Machines Corporation | Self-driving vehicle integrity management on a blockchain |
US10656936B2 (en) * | 2018-08-30 | 2020-05-19 | Dell Products L.P. | Systems and methods for software integrity validation using blockchain |
-
2018
- 2018-09-04 KR KR1020180105594A patent/KR101947760B1/en active IP Right Grant
-
2019
- 2019-05-20 WO PCT/KR2019/006017 patent/WO2020050474A1/en active Application Filing
- 2019-05-20 US US16/468,279 patent/US11170097B1/en active Active
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US11817998B2 (en) * | 2019-01-28 | 2023-11-14 | Elisa Oyj | Automated configuration deployment in network operations systems |
US20230069078A1 (en) * | 2019-04-12 | 2023-03-02 | Symbiont.Io, Inc. | Systems, devices, and methods for dlt-based data management platforms and data products |
US11869012B2 (en) * | 2019-04-12 | 2024-01-09 | Lm Funding America, Inc | Systems, devices, and methods for DLT-based data management platforms and data products |
US20210067351A1 (en) * | 2019-09-03 | 2021-03-04 | Fujitsu Limited | Communication apparatus and communication method |
US11522722B2 (en) * | 2019-09-03 | 2022-12-06 | Fujitsu Limited | Communication apparatus and communication method |
US20220207122A1 (en) * | 2019-09-05 | 2022-06-30 | Open Lens Project Ltd. | System and method for management of digital media content |
CN115391789A (en) * | 2022-09-14 | 2022-11-25 | 杭州安碣信息安全科技有限公司 | Intelligent analysis method and device for Rust intelligent contract |
Also Published As
Publication number | Publication date |
---|---|
US11170097B1 (en) | 2021-11-09 |
WO2020050474A1 (en) | 2020-03-12 |
KR101947760B1 (en) | 2019-02-13 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11170097B1 (en) | Secure authentication server for smart contract | |
US8572750B2 (en) | Web application exploit mitigation in an information technology environment | |
Yang et al. | Model-based security testing: An empirical study on oauth 2.0 implementations | |
US20150121532A1 (en) | Systems and methods for defending against cyber attacks at the software level | |
US9071600B2 (en) | Phishing and online fraud prevention | |
US10867048B2 (en) | Dynamic security module server device and method of operating same | |
US11562052B2 (en) | Computing system and method for verification of access permissions | |
US11665138B2 (en) | System and method for automatic WAF service configuration | |
RU2634174C1 (en) | System and method of bank transaction execution | |
Calzavara et al. | Testing for integrity flaws in web sessions | |
US8127033B1 (en) | Method and apparatus for accessing local computer system resources from a browser | |
Darvish et al. | Security analysis of mobile money applications on android | |
Rahat et al. | Cerberus: Query-driven scalable vulnerability detection in oauth service provider implementations | |
US20100043059A1 (en) | Trusted Electronic Communication Through Shared Vulnerability | |
Squarcina et al. | Cookie crumbles: breaking and fixing web session integrity | |
KR102143511B1 (en) | Security reliability management server for smart transaction | |
CN112769731B (en) | Process control method, device, server and storage medium | |
Woschek | Owasp cheat sheets | |
Calzavara et al. | Language-based web session integrity | |
Hagar | Security owasp iot information pointer and logging events | |
Razmov et al. | Practical automated filter generation to explicitly enforce implicit input assumptions | |
RU2780029C1 (en) | Method for identification of an online user and his device | |
Kolehmainen | Security of firmware update mechanisms within SOHO routers | |
Stötzner | Design of an Android App2App redirect flow for the FAPI 2.0 standard | |
Venkatakrishnan | Redundancy-Based Detection of Security Anomalies in Web-Server Environments. |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
FEPP | Fee payment procedure |
Free format text: ENTITY STATUS SET TO UNDISCOUNTED (ORIGINAL EVENT CODE: BIG.); ENTITY STATUS OF PATENT OWNER: SMALL ENTITY |
|
FEPP | Fee payment procedure |
Free format text: ENTITY STATUS SET TO SMALL (ORIGINAL EVENT CODE: SMAL); ENTITY STATUS OF PATENT OWNER: SMALL ENTITY |
|
STCF | Information on status: patent grant |
Free format text: PATENTED CASE |