Eliminating Triage Intermediaries for Zero-day Exploits Using a Decentralised Payout Protocol

Presented at Black Hat USA 2022, Aug. 11, 2022, 2:30 p.m. (30 minutes)

We present a protocol that collectivises security bounties for deterministically verifiable zero-day exploits. It enables companies to show customers how secure their software is, in terms of dollars staked on their open-source software stack. It also lets ethical hackers collect their bounties without ambiguity. For these exploits, the subjectivity and manual labour of triage processes are eliminated.

The protocol enables companies and users (stakeholders) to pool bounties on open-source security stacks in decentralised virtual machines (DVMs) containing read and/or write secrets. Stakeholders specify a minimum responsible-disclosure duration and a public key. Ethical hackers can then submit an attack to such a DVM by storing it in a decentralised encrypted locker (DEL) and notifying the DVM of its presence. Once the stakeholders (along with the rest of the world) see this notification, they can use their private key to retrieve the attack from the DEL before anyone else can. For each bounty placed on the DVM, a call is made to the DEL just before the end of that bounty's responsible-disclosure period; this call verifies that the attack is still encrypted. After the respective responsible-disclosure periods have passed, the DEL is decrypted and the attack is executed. A successful attack compromises the DVM's read/write secret, which triggers the bounty hunter's payout.

This protocol lets ethical hackers know, before starting work on an exploit, when they will receive a payout for publishing it and how large that payout will be, in a winner-take-all market. At the same time, it allows small companies to stake money on open-source security alongside industry giants. This gives transparent insight into economically rational hackers in the open-source zero-day exploit segment of the cyber-security market. The accompanying whitepaper presents more details: https://github.com/trusec
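To make the staking, sealing and settlement timeline concrete, here is an added toy model of the flow described above. It is example code written for this page, not TruCol's implementation: the DVM's read secret, its deliberately unchecked `read` call, the JSON attack format, the SHA-256 commitment standing in for the locker's encryption, and the stakeholder names, amounts and disclosure windows are all assumptions made for the demo.

```python
"""Toy model of the bounty / locker / disclosure flow sketched in the abstract.

Added illustration, not TruCol's code. The DVM secret, the planted
out-of-bounds read, the JSON attack format and the SHA-256 commitment that
stands in for the locker's encryption are assumptions for this demo.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass


@dataclass
class Bounty:
    stakeholder: str
    amount: int
    disclosure_seconds: int   # minimum responsible-disclosure period chosen by the staker
    settled: bool = False     # winner-take-all: each bounty is paid at most once


class DVM:
    """Decentralised VM holding a read secret behind a deliberately vulnerable API."""

    def __init__(self, secret: bytes):
        self.public = b"public-data-0123"   # 16 bytes anyone may read
        self._secret = secret               # leaking this is the payout condition
        self.bounties: list[Bounty] = []

    def stake(self, stakeholder: str, amount: int, disclosure_seconds: int) -> None:
        self.bounties.append(Bounty(stakeholder, amount, disclosure_seconds))

    def total_staked(self) -> int:
        return sum(b.amount for b in self.bounties)

    def read(self, offset: int, length: int) -> bytes:
        # The planted bug: no bounds check, so a read past the public buffer leaks the secret.
        return (self.public + self._secret)[offset:offset + length]

    def execute(self, payload: bytes) -> bytes:
        op = json.loads(payload)
        if op.get("op") != "read":
            raise ValueError("unsupported operation")
        return self.read(int(op["offset"]), int(op["length"]))

    def is_compromised(self, output: bytes) -> bool:
        # Deterministic verification: did the attack's output contain the secret?
        return self._secret in output


class DEL:
    """Decentralised encrypted locker for one submitted attack.

    Stakeholders may open it at any time; everyone else only once the unlock
    time of the bounty being settled has passed. The SHA-256 commitment is what
    the DVM is 'notified' of, so the payload cannot be swapped after submission.
    """

    def __init__(self, payload: bytes, submitted_at: int, stakeholders: set[str]):
        self._payload = payload
        self.submitted_at = submitted_at
        self._stakeholders = frozenset(stakeholders)
        self.commitment = hashlib.sha256(payload).hexdigest()

    def still_sealed(self, now: int, unlock_at: int) -> bool:
        # The check made just before each bounty's disclosure period ends.
        return now < unlock_at

    def open(self, now: int, caller: str, unlock_at: int) -> bytes:
        if caller in self._stakeholders or now >= unlock_at:
            return self._payload
        raise PermissionError("locker is sealed until the disclosure period passes")


def settle(dvm: DVM, locker: DEL, hunter: str, now: int) -> dict[str, int]:
    """Pay every bounty whose disclosure period has elapsed and whose attack succeeds."""
    payouts: dict[str, int] = {}
    for b in dvm.bounties:
        unlock_at = locker.submitted_at + b.disclosure_seconds
        if b.settled or locker.still_sealed(now, unlock_at):
            continue
        payload = locker.open(now, "public", unlock_at)
        if hashlib.sha256(payload).hexdigest() != locker.commitment:
            raise RuntimeError("payload does not match the notified commitment")
        if dvm.is_compromised(dvm.execute(payload)):
            b.settled = True
            payouts[hunter] = payouts.get(hunter, 0) + b.amount
    return payouts


def demo() -> dict[str, int]:
    """Two stakers with different windows, one winning hunter, one late hunter."""
    dvm = DVM(secret=b"s3cr3t-read-key!")
    dvm.stake("BigCorp", 50_000, disclosure_seconds=90 * 86_400)   # 90-day window
    dvm.stake("SmallCo", 2_000, disclosure_seconds=30 * 86_400)    # 30-day window
    stakeholders = {b.stakeholder for b in dvm.bounties}

    t0 = 1_700_000_000
    exploit = json.dumps({"op": "read", "offset": 16, "length": 16}).encode()
    locker = DEL(exploit, submitted_at=t0, stakeholders=stakeholders)

    total: dict[str, int] = {}
    for now in (t0 + 30 * 86_400, t0 + 90 * 86_400):   # each deadline in turn
        for k, v in settle(dvm, locker, "hunter-A", now).items():
            total[k] = total.get(k, 0) + v
    # A second locker arriving after both deadlines finds every bounty spent.
    late = DEL(exploit, submitted_at=t0 + 1, stakeholders=stakeholders)
    total.update(settle(dvm, late, "hunter-B", t0 + 200 * 86_400))
    return total
```

Running `demo()` pays hunter-A the 30-day bounty at the first deadline and the 90-day bounty at the second, for 52,000 in total, while hunter-B, whose locker lands after both periods, receives nothing because the pool is already spent. A stakeholder can call `open` on the locker from the moment of notification, the public cannot, which is the asymmetry the disclosure period creates. In a real deployment the sealing is cryptographic and the timing is enforced by the chain rather than a Python object; the "still encrypted" check before each deadline exists precisely because the protocol cannot rely on the locker being honest.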

Presenters:

  • Subhechha Subudhi - Developer, TruCol
    Subhechha Subudhi is a Developer at TruCol.
  • Victoria Bosch - Master Student, TruCol
    Victoria Bosch is a motivated student of computational neuroscience and artificial intelligence. She holds an interdisciplinary bachelor's degree in artificial intelligence and philosophy from the Liberal Arts & Sciences faculty of Utrecht University. Victoria is currently finalising a master's in Artificial Intelligence with a specialisation in Cognitive Computing at Radboud University, and will commence a PhD in computational neuroscience in the coming year. She has a passion for making science accessible and works on science outreach. Besides her studies, she worked on and presented the TruCol protocol at the Ethereum conference (EthCC) in Paris last summer. Additionally, she co-authored the 2021 publication titled "Implementation of a distributed minimum dominating set approximation algorithm in a spiking neural network".
  • Akke Toeter - Co-Founder, TruCol
    Akke Toeter is a Co-founder of TruCol.
  • Clara Maine - Developer, TruCol
    Clara Maine has recently completed her bachelor's degree in Artificial Intelligence at Radboud University and wrote a thesis relating to the societal impacts and ethics of recommender systems. She plans to spend the future finding ways to synthesize her technical knowledge with her artistic passions and to contribute meaningfully to her local communities in Nijmegen and the USA. In addition to her continuing pursuit of knowledge, she hopes to spend time on projects which recognize and foster humanity's great potential for collaboration.