Security Analysis in the Blockchain Agnostic Framework Prototype

This thesis is related to the BC4CC project [1], in which a Policy-based Blockchain Agnostic Framework was proposed [2] and a prototype implemented. The prototype is composed, at the moment, of the Bifrost Application Programming Interface (API) [3], Policy-based Blockchain Selection Framework, and a Flask-based front-end, which provides user access control and entry-points for the API. These components are currently deployed in a centralized server and implement basic security features, e.g., requests limiters and basic HTTP authentication. However, these features alone do not provide the security of the whole framework. Thus, other attack vectors that might exist should be know and mitigated. In this sense, the work to be performed in this thesis is to conduct a security analysis on the framework components and server, document vulnerabilities and attack vectors, and propose mitigation techniques for these. For example, assessment of which of the top 10 web application security risks [4] are present in the prototype. The student should also research other risks in the literature to further complement the analysis. Depending on time constraints, the student can implement security mechanisms to mitigate attack vectors and vulnerabilities encountered during the conducted analysis.

[1] Communication Systems Group (CSG). Blockchain Based Temperature Monitoring for Cold Chains in Medical Drug Distribution (BC4CC). 2019. [Online] https://www.csg.uzh.ch/csg/en/research/BC4CC.html Last access July 19, 2019.

[2] Eder J. Scheid, Bruno Rodrigues, Burkhard Stiller. Toward a Policy-based Blockchain Agnostic Framework. 16th IFIP/IEEE International Symposium on Integrated Network Management (IM 2019). 8-12 April. Washington DC, USA.

[3] Eder J. Scheid, Timo Hegnauer, Bruno Rodrigues, Burkhard Stiller. Bifröst: a Modular Blockchain Interoperability API. 44th IEEE Conference on Local Computer Networks (LCN 2019). 14-17 October. 2019. Osnabrück, Germany. [to appear]

[4] Synopsys Editorial Team. OWASP Top 10 web application security risks. 2019. [Online]. https://www.synopsys.com/blogs/software-security/owasp-top-10-application-security-risks/ Last access July 19, 2019