
Characterizing the Cost of Introducing Secure Programming Patterns and Practices in Ethereum

  • Conference paper

Part of the book series: Advances in Intelligent Systems and Computing (AISC, volume 1160)

Abstract

Ethereum is a blockchain-based platform that enables the development and deployment of smart contracts. Smart contracts are computer programs that automate the governance of decentralized autonomous organizations (DAOs). However, while the blockchain technology itself is secure, smart contracts are only as secure as their programmers have designed them to be. Smart contracts therefore expose vulnerabilities that attackers can exploit, threatening the viability of the DAOs. This study presents a case study that investigated how secure programming patterns and practices from other programming languages can be applied in Solidity, the Ethereum programming language, and characterizes the cost of introducing these patterns and practices. We identified 30 secure programming patterns and practices from C++ and Java that can be applied to Solidity and implemented ten of them in a representative smart contract. The results show that applying the ten identified and implemented security patterns and practices increases the cost of the smart contract when compared to the baseline. Furthermore, we argue that this difference is not significant and should not deter programmers from introducing the security patterns and practices into their smart contracts.



Corresponding author

Correspondence to Aboua Ange Kevin N’Da.


Copyright information

© 2020 The Editor(s) (if applicable) and The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Cite this paper

N’Da, A.A.K., Matalonga, S., Dahal, K. (2020). Characterizing the Cost of Introducing Secure Programming Patterns and Practices in Ethereum. In: Rocha, Á., Adeli, H., Reis, L., Costanzo, S., Orovic, I., Moreira, F. (eds) Trends and Innovations in Information Systems and Technologies. WorldCIST 2020. Advances in Intelligent Systems and Computing, vol 1160. Springer, Cham. https://doi.org/10.1007/978-3-030-45691-7_3
