Ensuring Resource Trust and Integrity in Web Browsers Using Blockchain Technology

Conference paper
Part of the Lecture Notes in Business Information Processing book series (LNBIP, volume 316)

Abstract

Current web technology allows the use of cryptographic primitives as part of server-provided JavaScript. This may result in security problems with web-based services. We provide an example of an attack on the WhisperKey service. We present a solution which is based on human code reviewing and on CVE (Common Vulnerabilities and Exposures) databases. In our approach, existing code audits and known vulnerabilities are tied to the JavaScript file by a tamper-proof Blockchain approach and are signaled to the user by a browser extension. The contribution explains our concept and its workflow; it may be extended to all situations with modular, mobile code. Finally, we propose an amendment to the W3C subresource recommendation.

Keywords

Browser resource integrity, Code poisoning, Software delivery, Blockchain, Code review

Acknowledgments

The authors would like to thank Craig Calcaterra for providing feedback, valuable insights into reputation and incentive mechanisms, as well as thoughts on a review DAO.

Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  1. Department of Computer Science, University of Rostock, Rostock, Germany
  2. Institute of Computer Science, University of Göttingen, Göttingen, Germany