•   When: Friday, March 30, 2018 from 10:00 AM to 11:00 AM
•   Speakers: Ari Juels, Jacobs Technion-Cornell Institute, Cornell Tech
•   Location: Research Hall 163
•   Export to iCal

Abstract:

Vulnerability reward programs, a.k.a. bug bounties, are a near-universal component of major software security programs. Today, though, such programs have three major deficiencies. They fail to provide strong technical (or other) assurances of fair payment for reported bugs, lack rigorous principles for setting bounty amounts, and can only effectively incentivize economically rational hackers to disclose bugs by offering rich bounties. As a result, rather than reporting bugs, hackers often choose to sell or weaponize them.

We offer a novel, principled approach to administering and reasoning about bug bounties that cost-effectively boosts incentives for hackers to report bugs. Our key idea is a concept that we call an *exploit gap*. This is a transformation of program code that prevents a serious bug from being exploited as a security-critical vulnerability. We focus on a broadly applicable realization through a variant of the classic idea of N-version programming. We call the result a *hydra program*.

As our main target application, we explore *smart contracts*, programs that execute on blockchains. Because smart contracts are often financial instruments, they offer a springboard for our rigorous framework to reason about bounty price setting. By modeling an economically rational hacker's bug-exploitation, we show how hydra contracts greatly amplify the power of bounties to financially incentivize disclosure. We also show how smart contracts can separately enforce *fairness* for bug bounties, guaranteeing payment for correctly reported bugs.

We present a survey of well-known exploits to-date against Ethereum smart contracts, showing that multi-language hydra programming would have abated most of them. We also report on implementation of hydra Ethereum contracts.

Bio

Ari Juels is a Professor at Cornell Tech (Jacobs Institute) in New York City, and Computer Science faculty member at Cornell University. He is a Co-Director of the Initiative for CryptoCurrencies and Contracts (IC3).

He was the Chief Scientist of RSA (The Security Division of EMC), Director of RSA Laboratories, and a Distinguished Engineer at EMC, where he worked until 2013. He received his Ph.D. in computer science from U.C. Berkeley in 1996.

His recent areas of interest include blockchains, cryptocurrency, and smart contracts, as well as applied cryptography, cloud security, user authentication, and privacy.

In 2004, MIT’s Technology Review Magazine named Dr. Juels one of the world’s top 100 technology innovators under the age of 35. Computerworld honored him in its “40 Under 40” list of young industry leaders in 2007. He has received other distinctions, but sadly no recent ones acknowledging his youth.