Abstract
We address the problem of a mutual agreement between a bug bounty issuer and a bounty hunter in blockchain smart contracts. Our framework is VeriOSS, where a Proof of Knowledge protocol is used. Through it, the hunter communicates in clear increasingly large portions of the detected bug and gets back increasingly ample portions of the reward, provided that the issuer considers the received information plausible. The process is iterated until the entire bug is revealed and the entire reward given. We formalize this protocol using the Applied Pi-calculus and we apply ProVerif to it so as to verify its correctness, i.e., that only the relevant information and the corresponding reward are exchanged and that the integrity and the authenticity of the communications is granted.
This work has been partially supported by IMT PAI Project VeriOSS, and by the MIUR project PRIN 2017FTXR7S IT MATTERS (Methods and Tools for Trustworthy Smart Systems).
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsNotes
- 1.
The activities occurring on gray and black markets are hard to document, however, some leaked emails give a glimpse on these markets. See https://tsyrklevich.net/2015/07/22/hacking-team-0day-market/.
- 2.
- 3.
- 4.
- 5.
References
Cpsa: Crptographic protocol shapes analyzer. https://github.com/mitre/cpsa, Accessed May 2021
Abadi, M., Blanchet, B., Fournet, C.: The applied pi calculus: mobile values, new names, and secure communication. J. ACM 65(1), 1:1–1:41 (2018)
Adão, P., Focardi, R., Guttman, J.D., Luccio, F.L.: Localizing firewall security policies. In: IEEE 29th Computer Security Foundations Symposium, CSF 2016, Lisbon, Portugal, 27 June–1 July 2016, pp. 194–209. IEEE Computer Society (2016). https://doi.org/10.1109/CSF.2016.21
Blanchet, B.: An efficient cryptographic protocol verifier based on prolog rules. In: 14th IEEE Computer Security Foundations Workshop (CSFW-14 2001), pp. 82–96. IEEE Computer Society (2001)
Blanchet, B.: Modeling and verifying security protocols with the applied pi calculus and proverif. Found. Trends Priv. Secur. 1(1–2), 1–135 (2016)
Canidio, A., Costa, G., Galletta, L.: VeriOSS: using the blockchain to foster bug bounty programs. In: Anceaume, E., Bisière, C., Bouvard, M., Bramas, Q., Casamatta, C. (eds.) 2nd International Conference on Blockchain Economics, Security and Protocols, Tokenomics 2020. OASIcs, vol. 82, pp. 6:1–6:14. Schloss Dagstuhl - Leibniz-Zentrum für Informatik (2020)
Cortier, V., Kremer, S.: Formal models and techniques for analyzing security protocols: a tutorial. Found. Trends Program. Lang. 1(3), 151–267 (2014)
Dijkstra, E.W.: A Discipline of Programming, vol. 613924118. Prentice-hall, Englewood Cliffs (1976)
Franklin, M., Tsudik, G.: Secure group barter: multi-party fair exchange with semi-trusted neutral parties. In: Hirchfeld, R. (ed.) FC 1998. LNCS, vol. 1465, pp. 90–102. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0055475
Guttman, J.D.: A new column: information security. Bull. EATCS 82, 242–252 (2004)
Guttman, J.D., Herzog, A.L., Ramsdell, J.D., Skorupka, C.W.: Verifying information flow goals in security-enhanced linux. J. Comput. Secur. 13(1), 115–134 (2005). http://content.iospress.com/articles/journal-of-computer-security/jcs230
Hazay, C., Lindell, Y.: Efficient Secure Two-Party Protocols: Techniques and Constructions, 1st edn. Springer-Verlag, Heidelberg (2010)
Mukhamedov, A., Kremer, S., Ritter, E.: Analysis of a multi-party fair exchange protocol and formal proof of correctness in the strand space model. In: Patrick, A.S., Yung, M. (eds.) FC 2005. LNCS, vol. 3570, pp. 255–269. Springer, Heidelberg (2005). https://doi.org/10.1007/11507840_23
Papadimitriou, C.: Computational Complexity, 1st edn. Pearson, Boston (1993)
Thayer, F.J., Herzog, J.C., Guttman, J.D.: Strand spaces: why is a security protocol correct? In: Security and Privacy - 1998 IEEE Symposium on Security and Privacy, Oakland, CA, USA, 3–6 May 1998, Proceedings, pp. 160–171. IEEE Computer Society (1998). https://doi.org/10.1109/SECPRI.1998.674832
Thayer, F.J., Herzog, J.C., Guttman, J.D.: Strand spaces: Proving security protocols correct. J. Comput. Secur. 7(1), 191–230 (1999). http://content.iospress.com/articles/journal-of-computer-security/jcs117
Woo, T.Y., Lam, S.S.: A semantic model for authentication protocols. In: Proceedings 1993 IEEE Computer Society Symposium on Research in Security and Privacy, pp. 178–194. IEEE (1993)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2021 Springer Nature Switzerland AG
About this chapter
Cite this chapter
Degano, P., Galletta, L., Gerali, S. (2021). Verifying a Blockchain-Based Remote Debugging Protocol for Bug Bounty. In: Dougherty, D., Meseguer, J., Mödersheim, S.A., Rowe, P. (eds) Protocols, Strands, and Logic. Lecture Notes in Computer Science(), vol 13066. Springer, Cham. https://doi.org/10.1007/978-3-030-91631-2_7
Download citation
DOI: https://doi.org/10.1007/978-3-030-91631-2_7
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-91630-5
Online ISBN: 978-3-030-91631-2
eBook Packages: Computer ScienceComputer Science (R0)