FrameProv wins the Cambridge Blockchain Prize!

The Cambridge Blockchain Prize was a 6-month long competition organised by the Cambridge Blockchain Society and the Cambridge Blockchain Hub. Participants were asked to submit business ideas utilising blockchains in a novel manner.

I submitted FrameProv, my video integrity solution. FrameProv allows viewers to get verifiable information about the edits performed to the video they are watching. In this way, viewers can make up their own mind whether a video has been edited maliciously or not. The goals is to do away for the need for fact checkers and let viewers make up their own mind.

FrameProv had stiff competition: the runner-ups were an AI startup, Deepverse and a platform for managing IP rights, ALPS. I would like to thank the judges for validating this passion project of mine and I look forward to working with the mentors in taking FrameProv to the next stage of development.

You can find the detailed system design for FrameProv here and I have previously written a popular science article about it for OpenDemocracy here.

Visualising the Diffusion of Stolen Bitcoins

In previous work, colleagues from Cambridge and I have shown how stolen bitcoins can be traced if we simply apply existing law. If bitcoins are “mixed”, that is to say if multiple actors pool together their coins in one transaction to obfuscate which coins belong to whom, then the precedent in Clayton’s Case says that FIFO ordering must be used to track which fragments of coin are tainted. If the first input satoshi (atomic unit of Bitcoin) was stolen then the first output satoshi should be marked stolen, and so on.

This led us to design Taintchain, a system for tracing stolen coins through the Bitcoin network. However, we quickly discovered a problem: while it was now possible to trace coins, it was harder to spot patterns. A decent way of visualizing the data is important to make sense of the patterns of splits and joins that are used to obfuscate bitcoin transactions. We therefore designed a visualization tool that interactively expands the taint graph based on user input. We first came up with a way to represent transactions and their associated taints in a temporal graph. After realizing the sheer number of hops that some satoshis go through and the high outdegree of some transactions, we came up with a way to do graph generation on-the-fly while assuming some restrictions on maximum hop length and outdegree.

Using this tool, we were able to spot many of the common tricks used by bitcoin launderers. A summary of our findings can be found in the short paper here.

What’s Intel SGX Good For?

(This was originally posted to the Cambridge security blog here.)

Software Guard eXtensions (SGX) represents Intel’s latest foray into trusted computing. Initially intended as a means to secure cloud computation, it has since been employed for DRM and secure key storage in production systems. SGX differs from its competitors such as TrustZone in its focus on reducing the volume of trusted code in its “secure world”. These secure worlds are called enclaves in SGX parlance and are protected from untrusted code by a combination of a memory encryption engine and a set of new CPU instructions to enforce separation.

SGX has been available on almost every Intel processor since the sixth generation of Intel Core (Skylake). It has had a bit of a rocky journey since. Upon its release, there were concerns expressed about SGX being used as a medium for malware dissemination. A proof of concept demonstrating the effectiveness of this was also published. Then there were concerns about the mandatory agreements required to publish enclave code in production. In order to use Intel’s attestation service, a key enabler for any remote application built on SGX, developers have to obtain a commercial license from Intel. This lock-in raised a fair bit of consternation and to date hasn’t been fully addressed by Intel. Then came the vulnerabilities. SGX was found to be vulnerable to cache timing attacks speculative execution vulnerabilities and to Load Value Injection attacks. This has further eroded the credibility of the platform.

That said, there have been a fair few projects that have utilized SGX either to harden existing solutions or to come up with hitherto unseen applications. In this post, we’ll look at three such proposals to see how they utilize SGX despite its concerning attributes. Where applicable, we will also talk about how the discovered vulnerabilities have affected their viability.

Continue reading “What’s Intel SGX Good For?”