Story

CS Prof Tackles Cyberfinance Security

by Jackie Swift

When currencies were invented, they ushered in a new age of human innovation and advancement. Moving from the barter system to a system dependent on the mutual agreement of accepting currency as payment for goods and services made trade between societies much easier.

Now the invention of digital financial vehicles such as cryptocurrencies and distributed ledgers are spawning yet another new age in finance. These technologies bring the potential to change the way we do business, even as they introduce new problems in reliability and security. Indeed, cyberfinance is vulnerable to hacking just as other electronic data systems are, which puts security at the forefront in optimizing these technologies.

Cryptocurrencies

“The core idea at the heart of these approaches is consensus—getting multiple mutually distrusting parties to come to an agreement and to make a decision,” says Emin Gün Sirer, Computer Science. “The new emerging technologies allow us to do this at scale across highly distrusting parties that may be actively trying to attack each other. Yet the algorithms are robust enough to constrain what they can and cannot do, thus bringing predictability to their interaction.”

Sirer’s cybertechnology research covers distributed systems and secure operating systems. In particular, he works with cryptocurrencies—virtual currencies that use cryptography for security, such as Bitcoin and Ethereum—and distributed ledgers—digital data that is replicated, shared, and synchronized across multiple sites.

“These technologies are widely regarded as destructive,” Sirer says. “Many people see them as changing the game, where new emerging companies will be big winners, and ossified old technology companies are due for extinction. They have the potential to revolutionize cyberspace the same way the internet revolutionized communication technology.”

Falcon—Fast and Fierce

Sirer is concerned with secure data management. His research group has developed a relay network called Falcon for processing Bitcoin blockchains, distributed transaction ledgers that store unchangeable, digitally recorded Bitcoin transactions in a linear chain. Falcon increases the speed at which Bitcoin’s blockchains are shared among users, called miners. “Thanks to our software, every single Bitcoin blockchain goes through a set of nodes operated by Cornell and gets to miners that are part of the Bitcoin ecosystem in an incredibly fast manner,” Sirer says.

This is important because cryptocurrencies like Bitcoin are valuable to the extent that they are decentralized. “The faster the blockchains can be disseminated around the globe, the more decentralized the Bitcoin marketplace becomes,” Sirer explains. “People depend on seeing their transaction in this giant blockchain, this ledger. That’s how they know their transaction was recorded, and then they know they can ship their goods or consider their payment paid.”

Before Sirer and his colleagues created Falcon, the dissemination of blockchains was done by the Bitcoin protocol, which was much slower. It took the old protocol about a minute to disseminate a blockchain to 95 percent of the nodes on the Bitcoin network. Falcon can disseminate the same amount of data in a couple of seconds. “We’re quite proud of this technology,” Sirer says. “We were the first to come up with using this particular technique called application-level cut-through routing. We called it falcon because, like the bird, it is very fast and fierce.”

Teechan, Preventing Computer Users from Stealing Movies and Music—and Money

In another project centered on security and speed, Sirer and his colleagues created a system, called Teechan (Trusted Execution Environment Channel), for quickly transferring value across the globe. Teechan is built on top of a special security feature for digital rights management (DRM), which is part of every Intel processor made today. While DRM exists to prevent people from using their computer to steal movies and music, Sirer saw another use for it.  “It can be incredibly powerful if used correctly,” he says. “It allowed us to build a class of systems we didn’t know how to build before.”

Intel’s core idea allows users to run their code unmolested in a secure enclave. That means both ends of a transaction have the same constraints.

“Normally you don’t know what the computer on the other end of the relationship is going to do,” Sirer says. “You have no idea what code they’re running or what kind of adversarial behavior they could engage in, so you have to write your protocols in the most conservative manner possible. But with this technology, you know exactly what code the other side has, and you’re assured the person cannot change or violate the integrity of that code. This allows us to build mechanisms on top that are much more efficient.”

In a test, Sirer and his colleagues set up a Teechan channel between Imperial College in London and Cornell University and sent transactions across the Atlantic at the blistering fast speed of one-one-hundred-thousandth of a second. By comparison an electronic transaction using the more familiar ACH (Automated Clearing House) network typically takes a couple of days. A Bitcoin transmission can take 10 minutes to an hour to complete. “We’ve seen a lot of excitement around Teechan,” Sirer says. “There are lots of different applications for it in traditional financial institutions, and there are many applications for it on top of cryptocurrencies.”

The Initiative for Cryptocurrencies and Contracts, a Global Player

Sirer is the codirector of the Initiative for Cryptocurrencies and Contracts (IC3), an initiative of faculty members at Cornell University, Cornell Tech, University of California Berkeley, University of Illinois Urbana-Champaign, and the Technion-Israel Institute of Technology. IC3 connects Cornell globally to the cutting-edge of research regarding cryptocurrencies, distributive systems, and blockchains. Sponsors of IC3 range from big players such as IBM and Intel to small startups working on blockchains.

“This sort of initiative is new to us at Cornell,” Sirer says. “It’s been revolutionary for an isolated institution in Upstate New York to reach out and be tightly coupled with industry across the globe.” IC3 has garnered more than the usual share of press coverage. In the initiative’s first 270 days of existence, it was featured in 220 news articles. “We play a crucial role in the evolution of cryptocurrencies and blockchains,” Sirer explains. “And we’re quite well recognized as a result.”

The DAO Incident

In 2016, Sirer and IC3 were instrumental in pointing out vulnerabilities in the code of one of the largest digital smart contracts at the time, the Digital Autonomous Organization (DAO), a form of decentralized, investor-directed venture capital fund. The DAO attracted investments of more than $220 million in ether, the digital value token of the Ethereum cryptocurrency. Sirer and his colleagues identified nine different exploitable problems with the DAO’s code in May 2016. “Shortly after I published my findings, somebody used another exploit, plus one of the exploits we identified,” Sirer says. “With those two tricks, they were able to attack the DAO and steal $52 million worth of digital assets.”

By comparison, the largest bank heist of actual currency in history happened in 1997 when thieves stole approximately $38 million. “The hacker who broke into the DAO stole much more than that,” Sirer says. “And they did it from the comfort of their home, without having to get up, put a stocking over their faces, and carry a gun.” Sirer worked with the FBI and other law enforcement to try to track down the perpetrator, who remains unknown. However, Sirer and his colleagues took steps to ensure this sort of thing doesn’t happen again by educating the cybercommunity on how to write secure contracts and by creating new security techniques to counter an attack.

Despite some security issues, distributive systems are worth studying because they have huge potential to help advance civilization, Sirer says. “We don’t know how to build large systems that can achieve agreement among participants. This is a longstanding problem historically. We’ve seen civilizations jump ahead just by virtue of technology that allowed them to achieve agreement among more participants. Contracts, legal entities, and the like, these are all agreement mechanisms that are social and very powerful. Their equivalents in the digital space are just as powerful, much faster, and much more efficient. They have the ability to transform society.”