Klevoya: A Cybersecurity solution for WebAssembly based distributed ledgers

Klevoya：基于 WebAssembly 的分布式账本的网络安全解决方案

• 批准号: 73073
• 金额: $ 12万
• 依托单位: BARRACUDA SYSTEMS LIMITED
• 依托单位国家: 英国
• 项目类别: Study
• 财政年份: 2020
• 资助国家: 英国
• 起止时间: 2020 至 无数据
• 项目状态: 已结题
• 来源: https://gtr.ukri.org/projects?ref=73073
• 关键词: Klevoya; Cybersecurity; solution; WebAssembly; based

Over the last several years there has been a growing interest in distributed ledger technologies (DLTs - which include blockchains such as Ethereum and EOS). One powerful aspect of DLTs that is fueling this interest is that of smart contracts, which are software programs that execute on distributed ledgers. Smart contracts are used to i) control the flow of digital rights (e.g. funds and assets) between several parties and, ii) encapsulate the business logic (i.e. the rules for how a business operates; e.g. a bank policy limiting how much can be transferred in one transaction) for modifying a record in a distributed ledger. The transactions that a smart contract controls are stored in an immutable fashion on the distributed ledger without requiring a central authority to validate them. Ensuring that smart contracts are free of business logic errors and vulnerabilities is extremely difficult as they have open and exposed APIs and are immutable once deployed. This results in an exponential number of scenarios to be tested, making it difficult to verify their correct operation.The growth in DLTs and difficulties in testing them has brought about an attendant interest from bad actors in exploiting - for financial gain - applications deployed on DLT platforms. These bad actors actively seek out new vulnerabilities that are unknown to DLT application developers and use that knowledge to attack and exploit DLT applications. (Such newly discovered vulnerabilities are termed "zero-day" vulnerabilities, as the exploit of the vulnerability takes place before or on the first (or "zeroth") day of a developer's awareness of the exploit.)Klevoya is developing a new cybersecurity solution that will enable developers of DLT applications to ensure that their applications are free from vulnerabilities prior to being deployed on a public distributed ledger application platform that uses the WebAssembly (WASM) virtual machine (e.g. EOS, or Ethereum version 2's Ethereum WASM - eWASM).This project aims to conduct applied research into techniques to perform fuzzing of DLT applications to uncover zero-day vulnerabilities and bugs in their implementation.Securing applications deployed on DLT platforms will be critical to the UK's success in positioning itself as a leader in the DLT sector. The UK is well known for its cybersecurity expertise. Through this project, we will be able to leverage those skills; applying cutting edge cybersecurity technology to DLTs and enabling the UK to become a world-leading global provider of secure DLT applications.

在过去的几年里，人们对分布式账本技术（DLT-包括以太坊和EOS等区块链）的兴趣越来越大。DLT的一个强大方面是智能合约，它是在分布式账本上执行的软件程序。智能合约用于i）控制多方之间的数字权利（例如资金和资产）的流动，ii）封装业务逻辑（即业务如何运作的规则;例如限制一笔交易中可以转移多少的银行政策）以修改分布式分类账中的记录。智能合约控制的交易以不可变的方式存储在分布式账本上，而不需要中央机构对其进行验证。确保智能合约没有业务逻辑错误和漏洞是非常困难的，因为它们具有开放和公开的API，并且一旦部署就不可变。这导致需要测试的场景数量呈指数级增长，因此很难验证它们是否正确运行。DLT的增长和测试困难带来了不良行为者的兴趣，他们为了经济利益而利用部署在DLT平台上的应用程序。这些不良行为者积极寻找DLT应用程序开发人员未知的新漏洞，并利用这些知识攻击和利用DLT应用程序。(Such新发现的漏洞被称为“零日”漏洞，因为漏洞的利用发生在开发人员意识到漏洞利用的第一天（或“零日”）之前或当天。Klevoya正在开发一种新的网络安全解决方案，该解决方案将使DLT应用程序的开发人员能够确保其应用程序在部署到使用WebAssembly（WASM）虚拟机的公共分布式账本应用程序平台之前没有漏洞（例如EOS，或以太坊版本2的以太坊WASM - eWASM）该项目旨在对DLT应用程序进行模糊技术的应用研究，以发现零-确保部署在DLT平台上的应用程序的安全对于英国成功将自己定位为DLT领域的领导者至关重要。英国以其网络安全专业知识而闻名。通过这个项目，我们将能够利用这些技能;将尖端的网络安全技术应用于DLT，并使英国成为世界领先的安全DLT应用程序的全球提供商。