Enterprise Blockchain Security 2020-6

February 5, 2021 | Mina Hao

Regulatory Policies

After years of development, the blockchain industry has taken shape, but enterprise blockchain applications are still at an exploratory stage. The blockchain ecosystem contains SPs, application vendors, and users. SPs in this context provide blockchain information services, whose compliance requirements are surely different from those for other information services (such as cloud services) due to the blockchain technology's unique characteristics of non-deletability and support for post-event forensics.

Data Governance

With the promulgation of laws and regulations, such as GDPR, data security is becoming increasingly important. Collection, management, and exchange of personal data are all subject to compliance requirements.

Some statutes stipulate that blockchain information providers, as a type of network SP, should provide the data deletion capability. However, one of the most distinctive features that differentiate blockchain technology from other technologies is the non-deletability of data, which poses the greatest risk to compliance.

Malicious actors leverage this feature of blockchains to upload illegitimate information, creating an adverse impact, or upload malicious code or C&C addresses to achieve persistence. In this context, data governance is an important indicator to measure whether data in the blockchain system is operable. In traditional public blockchains, it is almost impossible to delete incorrect or malicious information. The only exception is the DAO event, in which Ethereum prevented malicious on-chain transactions by means of hard forks. Despite this, there are still political data and suspicious business data stored in Ethereum. In contrast, data governance for consortium blockchains is possible.

This is because a consortium blockchain has a limited number of nodes that have been validated by each other. Besides the online consensus mechanism, it is possible to negotiate offline. When consensus is reached about deletion of a block, all nodes (nodes storing this block and orderer nodes) will be rolled back to the previous height. For example, in Hyperledger Fabric, we can run the rollback command to roll back the current peer to the previous block height.

USU, a digital asset transaction platform built on the EOS ecosystem, has a mirroring mechanism to implement fast synchronization of node data and regular creation of images of local ledgers. With a convenient rollback mechanism, the platform allows users to specify an image label for rollback when consensus is reached.

The nature of blockchains makes it possible to manipulate data. The problem is that the cost of doing so increases with the number of nodes on a blockchain system. This explains why there are not so many attacks against blockchains. When it comes to data governance, it is necessary to find a balance between technologies and compliance by acquiring the capability of controlling data at some cost (communication cost of all involved organizations, potential system downtime cost, and so on).
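The coordinated rollback described above for consortium blockchains can be seen in a toy hash-chain model. This is an added example, not code from Hyperledger Fabric, USU or the original article; the node names, payloads and function names are hypothetical. It shows that deleting one block in place breaks the chain, that a rollback by a single organization leaves nodes inconsistent, and that the ledger is consistent again only when every node rolls back to the agreed height.

```python
import hashlib
import json

GENESIS_PREV = "0" * 64  # constructed placeholder: "previous hash" of the first block

def block_hash(prev_hash, payload):
    """Hash of a block: binds the payload to the hash of its predecessor."""
    body = json.dumps({"prev": prev_hash, "data": payload}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()

def append(ledger, payload):
    prev = ledger[-1]["hash"] if ledger else GENESIS_PREV
    ledger.append({"prev": prev, "data": payload, "hash": block_hash(prev, payload)})

def verify(ledger):
    """Return True if every block links to its predecessor and its hash matches."""
    prev = GENESIS_PREV
    for blk in ledger:
        if blk["prev"] != prev or blk["hash"] != block_hash(prev, blk["data"]):
            return False
        prev = blk["hash"]
    return True

def rollback(ledger, height):
    """Truncate the ledger to the agreed height (blocks 0..height-1 remain)."""
    del ledger[height:]

def tips_agree(nodes):
    """Nodes are consistent when they all hold the same height and tip hash."""
    return len({(len(n), n[-1]["hash"]) for n in nodes.values()}) == 1

def demo():
    payloads = ["tx-a", "tx-b", "ILLEGITIMATE-CONTENT", "tx-c"]  # constructed data
    nodes = {name: [] for name in ("org1-peer", "org2-peer", "orderer")}  # hypothetical
    for ledger in nodes.values():
        for p in payloads:
            append(ledger, p)
    # Attempt 1: delete only the offending block (index 2) on a copy of one ledger.
    cut = [dict(b) for b in nodes["org1-peer"]]
    del cut[2]
    cut_ok = verify(cut)            # False: tx-c still points at the deleted block
    # Attempt 2: only one organization rolls back to height 2.
    rollback(nodes["org1-peer"], 2)
    partial_ok = tips_agree(nodes)  # False: heights and tip hashes now differ
    # Attempt 3: the remaining nodes roll back as agreed offline.
    for name in ("org2-peer", "orderer"):
        rollback(nodes[name], 2)
    full_ok = tips_agree(nodes) and all(verify(l) for l in nodes.values())
    return cut_ok, partial_ok, full_ok
```

In this model the legitimate block `tx-c` is discarded together with the offending one and would have to be resubmitted, which is part of the cost of acquiring control over on-chain data.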

Smart Contract Governance

A smart contract is executable code that all endorsers acknowledge. Consistent code and identical input enable all endorsers within the global scope to reach consensus on the transaction result, thus saving the costs of labor and time otherwise incurred by manual checks and execution for traditional contracts.

On the other hand, smart contracts need to be deployed on all endorsers of a decentralized blockchain system. Even in a consortium blockchain, it is impossible to update contracts on all nodes simultaneously, which exposes blockchain applications to a great security risk: when a vulnerability is found in a smart contract mechanism, it may be rather costly to fix the code and update contracts.

The security of smart contracts is extremely important. When a vulnerability or error is found, it is impossible to shut down the system and fix it by means of a centralized upgrade, as we usually do for a centralized system. Smart contracts have direct control of money or critical transaction data. A vulnerability in the mechanism could cause direct financial losses. In this sense, it is very important to enhance their security measures.

Current research in this area is focused on how to apply formal verification methods, which are usually used in chip design or military control systems, to smart contracts in order to minimize human errors by means of mathematical proofs. For example, the automatic formal verification tool from Beosin (also known as Chengdu LianAn Technology Co., Ltd.) can effectively detect common vulnerabilities in the chaincode of Hyperledger Fabric and provide users with repair suggestions.

To be continued.