Skip to main content
SpringerLink
Log in
Book cover

Protocols, Strands, and Logic pp 124–138Cite as

Verifying a Blockchain-Based Remote Debugging Protocol for Bug Bounty

  • Chapter
  • First Online:

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 13066))

Abstract

We address the problem of a mutual agreement between a bug bounty issuer and a bounty hunter in blockchain smart contracts. Our framework is VeriOSS, where a Proof of Knowledge protocol is used. Through it, the hunter communicates in clear increasingly large portions of the detected bug and gets back increasingly ample portions of the reward, provided that the issuer considers the received information plausible. The process is iterated until the entire bug is revealed and the entire reward given. We formalize this protocol using the Applied Pi-calculus and we apply ProVerif to it so as to verify its correctness, i.e., that only the relevant information and the corresponding reward are exchanged and that the integrity and the authenticity of the communications is granted.

This work has been partially supported by IMT PAI Project VeriOSS, and by the MIUR project PRIN 2017FTXR7S IT MATTERS (Methods and Tools for Trustworthy Smart Systems).

This is a preview of subscription content, log in via an institution.

Chapter
USD   29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD   59.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD   79.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Learn about institutional subscriptions

Notes

  1. 1.

    The activities occurring on gray and black markets are hard to document, however, some leaked emails give a glimpse on these markets. See https://tsyrklevich.net/2015/07/22/hacking-team-0day-market/.

  2. 2.

    https://sites.google.com/site/bughunteruniversity/behind-the-scenes/charts/2016.

  3. 3.

    https://www.first.org/cvss/specification-document.

  4. 4.

    https://cwe.mitre.org/cwss/cwss_v1.0.1.html.

  5. 5.

    https://github.com/Selene15/P2K_ProVerif.

References

  1. Cpsa: Crptographic protocol shapes analyzer. https://github.com/mitre/cpsa, Accessed May 2021

  2. Abadi, M., Blanchet, B., Fournet, C.: The applied pi calculus: mobile values, new names, and secure communication. J. ACM 65(1), 1:1–1:41 (2018)

    Google Scholar 

  3. Adão, P., Focardi, R., Guttman, J.D., Luccio, F.L.: Localizing firewall security policies. In: IEEE 29th Computer Security Foundations Symposium, CSF 2016, Lisbon, Portugal, 27 June–1 July 2016, pp. 194–209. IEEE Computer Society (2016). https://doi.org/10.1109/CSF.2016.21

  4. Blanchet, B.: An efficient cryptographic protocol verifier based on prolog rules. In: 14th IEEE Computer Security Foundations Workshop (CSFW-14 2001), pp. 82–96. IEEE Computer Society (2001)

    Google Scholar 

  5. Blanchet, B.: Modeling and verifying security protocols with the applied pi calculus and proverif. Found. Trends Priv. Secur. 1(1–2), 1–135 (2016)

    Google Scholar 

  6. Canidio, A., Costa, G., Galletta, L.: VeriOSS: using the blockchain to foster bug bounty programs. In: Anceaume, E., Bisière, C., Bouvard, M., Bramas, Q., Casamatta, C. (eds.) 2nd International Conference on Blockchain Economics, Security and Protocols, Tokenomics 2020. OASIcs, vol. 82, pp. 6:1–6:14. Schloss Dagstuhl - Leibniz-Zentrum für Informatik (2020)

    Google Scholar 

  7. Cortier, V., Kremer, S.: Formal models and techniques for analyzing security protocols: a tutorial. Found. Trends Program. Lang. 1(3), 151–267 (2014)

    Article  Google Scholar 

  8. Dijkstra, E.W.: A Discipline of Programming, vol. 613924118. Prentice-hall, Englewood Cliffs (1976)

    MATH  Google Scholar 

  9. Franklin, M., Tsudik, G.: Secure group barter: multi-party fair exchange with semi-trusted neutral parties. In: Hirchfeld, R. (ed.) FC 1998. LNCS, vol. 1465, pp. 90–102. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0055475

    Chapter  Google Scholar 

  10. Guttman, J.D.: A new column: information security. Bull. EATCS 82, 242–252 (2004)

    Google Scholar 

  11. Guttman, J.D., Herzog, A.L., Ramsdell, J.D., Skorupka, C.W.: Verifying information flow goals in security-enhanced linux. J. Comput. Secur. 13(1), 115–134 (2005). http://content.iospress.com/articles/journal-of-computer-security/jcs230

  12. Hazay, C., Lindell, Y.: Efficient Secure Two-Party Protocols: Techniques and Constructions, 1st edn. Springer-Verlag, Heidelberg (2010)

    Book  Google Scholar 

  13. Mukhamedov, A., Kremer, S., Ritter, E.: Analysis of a multi-party fair exchange protocol and formal proof of correctness in the strand space model. In: Patrick, A.S., Yung, M. (eds.) FC 2005. LNCS, vol. 3570, pp. 255–269. Springer, Heidelberg (2005). https://doi.org/10.1007/11507840_23

    Chapter  MATH  Google Scholar 

  14. Papadimitriou, C.: Computational Complexity, 1st edn. Pearson, Boston (1993)

    MATH  Google Scholar 

  15. Thayer, F.J., Herzog, J.C., Guttman, J.D.: Strand spaces: why is a security protocol correct? In: Security and Privacy - 1998 IEEE Symposium on Security and Privacy, Oakland, CA, USA, 3–6 May 1998, Proceedings, pp. 160–171. IEEE Computer Society (1998). https://doi.org/10.1109/SECPRI.1998.674832

  16. Thayer, F.J., Herzog, J.C., Guttman, J.D.: Strand spaces: Proving security protocols correct. J. Comput. Secur. 7(1), 191–230 (1999). http://content.iospress.com/articles/journal-of-computer-security/jcs117

  17. Woo, T.Y., Lam, S.S.: A semantic model for authentication protocols. In: Proceedings 1993 IEEE Computer Society Symposium on Research in Security and Privacy, pp. 178–194. IEEE (1993)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Dipartimento di Informatica, Università di Pisa, Pisa, Italy

    Pierpaolo Degano & Selene Gerali

  2. IMT School for Advanced Studies, Lucca, Italy

    Pierpaolo Degano, Letterio Galletta & Selene Gerali

Authors
  1. Pierpaolo Degano
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Letterio Galletta
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Selene Gerali
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Pierpaolo Degano .

Editor information

Editors and Affiliations

  1. Department of Computer Science, Worcester Polytechnic Institute, Worcester, MA, USA

    Daniel Dougherty

  2. Th.M. Siebel Center for Computer Science, University of Illinois Urbana-Champaign, Urbana, IL, USA

    José Meseguer

  3. Institute of Mathematics and Computer Science, Technical University of Denmark, Kongens Lyngby, Denmark

    Sebastian Alexander Mödersheim

  4. J83K, The MITRE Corporation, Bedford, MA, USA

    Paul Rowe

Rights and permissions

Reprints and permissions

Copyright information

© 2021 Springer Nature Switzerland AG

About this chapter

Check for updates. Verify currency and authenticity via CrossMark

Cite this chapter

Degano, P., Galletta, L., Gerali, S. (2021). Verifying a Blockchain-Based Remote Debugging Protocol for Bug Bounty. In: Dougherty, D., Meseguer, J., Mödersheim, S.A., Rowe, P. (eds) Protocols, Strands, and Logic. Lecture Notes in Computer Science(), vol 13066. Springer, Cham. https://doi.org/10.1007/978-3-030-91631-2_7

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-91631-2_7

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-91630-5

  • Online ISBN: 978-3-030-91631-2

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation