Ethan Cecchetti

June 11, 2021 at 11:00 AM on Zoom

Compositional Security for Reentrant Applications

Abstract: The disastrous vulnerabilities in smart contracts sharply remind us of our ignorance: we do not know how to write code that is secure in composition with malicious code. Information flow control has long been proposed as a way to achieve compositional security, offering strong guarantees even when combining software from different trust domains. Unfortunately, this appealing story breaks down in the presence of reentrancy attacks. In this talk I will present a highly general definition of reentrancy and reentrancy security that allows software modules like smart contracts to protect their key invariants while retaining the expressive power of safe forms of reentrancy. I will describe how we can combine a type system and run-time mechanism to enforce this new notion of security even in the presence of unknown code. This work recently received a best paper award at IEEE S&P '21. The paper is available here.

Bio: Ethan is a final-year PhD student at Cornell University working with Andrew Myers and Ari Juels, and he will be a post-doc with the cybersecurity group at the University of Maryland, College Park starting in the fall. His research focuses broadly on designing secure systems and building tools to ease their development. More specifically, Ethan uses cryptography and language-based tools to secure decentralized applications composed of mutually distrusting subsystems. More information is available at his website.

Security Lab