Modeling Vulnerability Discovery Process in Major Cryptocurrencies

  • Joh, HyunChul (School of Smart Industry, Kyungil University);
  • Lee, JooYoung (School of K-Culture Entertainment, Kyungil University)
  • Received : 2022.08.17
  • Accepted : 2022.09.09
  • Published : 2022.09.30

Abstract

These days, businesses both online and offline have started accepting cryptocurrencies as payment methods, and in countries such as El Salvador cryptocurrencies are even recognized as fiat currencies. Meanwhile, publicly known but unpatched software vulnerabilities are security threats not only to software users but to our society in general. As the status of cryptocurrencies has gradually increased, the impact of cryptocurrency-related security vulnerabilities on our society has increased as well. In this paper, we first analyze vulnerabilities from the two major cryptocurrency vendors, Bitcoin and Ethereum, quantitatively with respect to the CVSS, to see how the vulnerabilities in those systems are roughly structured. We then introduce a modified AML vulnerability discovery model for the vulnerability datasets of the two vendors, after showing that the original AML model does not accurately represent the vulnerability discovery trends in those datasets. The analysis shows that the modified model fits the vulnerability datasets from the major cryptocurrencies better than the original AML model.
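
As an added worked example, not part of the paper (which gives neither its model equations nor its data on this page), the Python below fits the original AML (Alhazmi-Malaiya Logistic) model, Ω(t) = B / (B·C·e^(−A·B·t) + 1), to a cumulative vulnerability count series and reports the goodness of fit, which is the kind of check the abstract describes for the Bitcoin and Ethereum datasets. The fitting routine (a linearisation that yields A and C for a fixed B, combined with a grid search over B), the parameter values and the monthly count series are assumptions constructed for this example; the paper's modified model is not reproduced because its form is not given here.

```python
import math

# Alhazmi-Malaiya Logistic (AML) vulnerability discovery model:
#   Omega(t) = B / (B * C * exp(-A * B * t) + 1)
# B is the total number of vulnerabilities eventually discovered, A controls
# the discovery rate and C sets the starting level. The model form is the
# published AML model; the fitting routine and the data below are assumptions
# of this example, not the paper's own code or datasets.

def aml(t, A, B, C):
    """Cumulative vulnerabilities expected by time t under the AML model."""
    return B / (B * C * math.exp(-A * B * t) + 1.0)

def _linear_fit(xs, zs):
    """Ordinary least squares line z = slope * x + intercept."""
    n = len(xs)
    mx = sum(xs) / n
    mz = sum(zs) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    sxz = sum((x - mx) * (z - mz) for x, z in zip(xs, zs))
    slope = sxz / sxx
    return slope, mz - slope * mx

def fit_aml(times, counts, b_steps=400):
    """Least-squares fit of (A, B, C) to observed cumulative counts.

    For a fixed B the model linearises: ln((B - y) / y) = ln(B*C) - A*B*t,
    so A and C follow from a straight-line fit. B itself is found by a grid
    search over values above the largest observed count, keeping the
    candidate with the smallest squared error in the original count space.
    Returns (A, B, C, sse).
    """
    ymax = max(counts)
    best = None
    for k in range(1, b_steps + 1):
        B = ymax * (1.0 + k / 100.0)          # candidates from 1.01*ymax to 5*ymax
        pts = [(t, math.log((B - y) / y)) for t, y in zip(times, counts) if y > 0]
        slope, intercept = _linear_fit([p[0] for p in pts], [p[1] for p in pts])
        A = -slope / B
        C = math.exp(intercept) / B
        if A <= 0 or C <= 0:                  # not a rising S-curve, skip
            continue
        sse = sum((aml(t, A, B, C) - y) ** 2 for t, y in zip(times, counts))
        if best is None or sse < best[3]:
            best = (A, B, C, sse)
    return best

def r_squared(times, counts, A, B, C):
    """Coefficient of determination of the fitted curve against the data."""
    mean = sum(counts) / len(counts)
    ss_tot = sum((y - mean) ** 2 for y in counts)
    ss_res = sum((aml(t, A, B, C) - y) ** 2 for t, y in zip(times, counts))
    return 1.0 - ss_res / ss_tot

# Constructed dataset (not from the paper): 61 monthly cumulative counts
# generated from a known AML curve (A=0.002, B=60, C=0.5) and rounded to whole
# vulnerabilities, so the recovered parameters can be checked against the truth.
MONTHS = list(range(61))
CUMULATIVE = [round(aml(t, 0.002, 60.0, 0.5)) for t in MONTHS]

if __name__ == "__main__":
    A, B, C, sse = fit_aml(MONTHS, CUMULATIVE)
    r2 = r_squared(MONTHS, CUMULATIVE, A, B, C)
    print(f"A={A:.4f} B={B:.1f} C={C:.3f} SSE={sse:.2f} R2={r2:.4f}")
```

Replacing `CUMULATIVE` with a real vendor series (cumulative CVE counts per month) and inspecting the residuals is the step at which a poor AML fit, of the kind the abstract reports for the cryptocurrency datasets, becomes visible; a systematic pattern in the residuals rather than a low R² alone is the usual signal that a different model shape is needed.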

Acknowledgement

This research was supported by the intramural research program in Kyungil University.
