►
Description
Ethereum and other smart contract platforms currently use identity-based access control, but this security architecture is known to create specific vulnerabilities. Is there a better security architecture for smart contracts?
San Francisco Blockchain Week: https://sfblockchainweek.io/
A
A
So
you
know
we're
nothing
if
not
ambitious.
We
obviously
can't
do
that
ourselves.
We
can't
do
it
even
with
the
people
in
this
room
or
in
this
conference
or
with
this
button.
Oh
should
I
point
at
you
or
what's
the
there,
we
go
all
right
now,
we'll
point
you
okay!
So
yes,
it's
too
big.
We
need
the
tens
of
millions
of
programmers
in
the
world
that
currently
wake
up
and
go
and
solve
some
problem.
A
If
we
want
to
decentralize
the
economy,
we
need
them
to
be
using
that
technology
successfully
right
and
right
now
they
can't
do
that.
There
are
a
couple
of
obstacles.
The
first
is
hard
and
long-term
and
interesting.
I,
don't
know
if
you
remember
10-15
years
ago,
when
people
made
web
applications
they
had
HTML,
they
had
early
versions
of
JavaScript,
they
had
CSS
and
you'd
kind
of
glue
them
together,
and
you
could
get
some
amount
of
event
reaction
and
a
little
bit
of
responsiveness
and
some
a
bit
of
smarts,
but
the
really
slick,
really
secure,
really
expressive.
A
Responsive
reactive
applications
that
were
used
to
now
on
the
web
are
all
built
with
frameworks.
That's
what
we
mean
by
frameworks
is
the
difference
between
the
you
is
you
had
15
years
ago,
and
you
know
air
B&B,
and
you
know
those
kinds
of
things
now
where
they're
built
using
react,
angular
view
that
has
direct
support
for
the
activities
that
they
engage
in.
It
directly
supports
menus
and
data
feeds
from
their
system,
databases.
A
We
also
need
to
solve
the
security
model
problem.
It's
clear
that
even
now
that
now
on
current
smart
contracting
platforms,
even
experts
can't
get
the
security
right.
They
end
up
with
breaches
that
lose
tens
of
millions
of
dollars
in
minutes
with
no
recourse,
so
the
the
environment
in
which
smart
contracts
run.
A
The
definition
we've
worked
with
for
10
years
or
more,
a
contract
like
arrangement
expressed
in
source
code,
where
the
behavior
of
the
program
enforces
the
terms
of
the
contract
right
so
Bitcoin,
that's
really
enforcing
the
arrangement
of
transfer
and
so
forth
in
the
code
of
Bitcoin.
So
that
is
an
example
of
of
a
smart
contract,
but
obviously
we've
gotten
much
richer.
Aetherium
has
opened
up
a
whole
new
realm
where
people
can
do
programming
of
arbitrary
programmers
use
cases
instead
of
just
the
one
that's
built
into
the
system.
A
You
know
that
kind
of
comes
from
our
use
of
Windows
and
UNIX
and
so
forth.
But
what
it
means
is
if
I
gave
you
a
ticket
and
you
wanted
to
sell
it
to
a
friend
of
yours
or
give
it
to
a
buddy
or
what
have
you?
You
would
need
permission
to
change.
The
contents
of
that
smart
contract
to
replace
your
name
with
theirs
your
identity
with
their,
if
your
address
with
theirs
on
aetherium
and
that's
hard,
that
requires
it
for
me
to
provide
you
a
ticket
that
can
do
that.
A
I
have
to
do
a
lot
more
implementation
right.
I
have
to
support
that
behavior
on
your
part
and
that's
more
code,
more
opportunity
for
bugs,
and
in
particular
it's
code
that
is
security,
sensitive.
It's
about
the
security
of
the
system
and
bugs
they're
the
things
that
result
in
losses.
Let's
go
to
the
next
slide.
That
model
would
we
call
the
acts,
identity,
based
access,
control,.
A
The
identity
based
access
control
model
baek's
the
notion
of
owner
into
the
contract,
impedes
transfer,
even
if
it's
possible
after
adding
enough
epicycles
to
do
that
and
prevents
dynamic
exchange
of
right.
It
prevents
me
from
selling
it
to
you
you
from
turning
around
and
selling
it
to
a
friend,
a
friend,
from
building
a
smart
contract
that
will
sell
it
for
a
fixed
price
up
up
until
next
Saturday,
which
is
effectively
right
a
covered
call.
But
it's
a
new,
interesting,
smart
contract.
That's
going
to
engage
an
interesting
market
behavior!
A
So
all
of
that
difficulty
makes
it
makes
it
hard
to
grow
an
economy
of
smart
contracts
working
to
each
other
working
with
each
other,
and
we
can
see
where
this
came
from
right.
Our
legacy
security
systems
are
really
around
human
to
computer
interface,
where
I'm
using
the
computer
I
come
to
a
job.
I
get
access
to
some
resources,
maybe
in
six
months
I
get
promoted
and
and
I
get
a
few
more
resources.
But
things
don't
change
very
much.
A
But
goods
and
services
are
moving
back
and
forth
dynamically
as
a
result
of
the
behavior
of
the
contract
and
the
identity
based
access
control
model
is
well
known,
that
it
doesn't
support
that
really
well.
It's
maybe
supports
that
static
arrangement
I
have
with
my
employer,
but
it
doesn't
support
dynamically.
Changing
on
a
second-by-second
basis
who
has
access
to
what
parts
of
what
parts
of
the
computer
or
what
kinds
of
data
or
what
kinds
of
digital
assets,
so
we
have
a
different
model.
A
Now
you
only
need
that
formal
definition,
if
you
are,
if
you
are
building
a
crypto
arrangement
to
have
the
same
properties
or
architecting
an
operating
system
that
needs
to
have
those
properties
so
that
you
can
tap
into
the
long
history
of
analysis
of
security
properties
of
this
and
how
to
build
composable
systems
in
the
abstraction.
But
in
a
programming
language,
which
is
where
most
of
us
will
encounter
this
model
and
most
of
us
will
be
building
smart
contracts.
A
It's
just
strongly
encapsulated
object,
so
an
au
cap
system,
an
object
capability
system
is
a
system
where
we
start
with
objects.
We
start
with
objects
like
c-sharp,
like
Java,
like
JavaScript,
and
we
build
up
abstractions
for
doing
security
on
the
one
hand
or
market
cooperation
market
activity
on
the
other,
and
so
here,
I'm
gonna
focus
on
the
market
activity,
but
indeed
secure
operating
systems
and
secure
systems
out
there
have
been
built
with
this
model
multiple
times.
So,
let's
talk
about.
A
Let's
look
at
a
simple:
okay,
simple
object
capability,
so
here
this
is
JavaScript,
but
again
it
could
be
any
of
several
languages.
We
have
a
make
entry
and
exit
counter
for
that
concert.
I
had
write.
I
want
to
be
able
to
count
the
number
of
people
inside
the
venue,
so
it's
got
a
count
and
entry,
I
can
say,
who's
come
in
and
I
can
click
another
ticker
to
say
who's
gone
out
and
on
the
right
is
using
it.
A
Where
I
make
a
counter
for
my
concert
and
if
you're
familiar
with
JavaScript
this
pattern
of
counter
count
entry,
it's
pulling
off
the
method
as
a
new
object,
that's
just
a
shortcut
in
JavaScript,
but
think
of
it
as
just
another
object,
and
so
the
model
of
provisioning
rights
and
authority
in
the
oke
app
model
is
ya.
Entry
guard
the
guy
who
I
hire
there.
You
are,
you
know,
or
the
contract
the
system,
the
front
end,
gatekeeper,
I'm,
just
gonna,
say
here,
use
this
object
to
count
entry
and
now
I
have
given
him
access.
A
I
have
authorized
him
and
the
only
thing
he
can
do
on
my
entry
system
here
is
increment.
The
number
of
people
that
came
in
and
similarly
I
give
to
the
exit
guard
the
count
exit.
So
he
can
decrement
the
number
of
people
that
are
still
in
the
venue
and
never
the
twain
shall
meet
if
the
guy
who's
managing
the
entry
gate
leaves
and
hands
it
off
to
jane,
jane,
picks
up
that
capability.
Now,
she's,
the
one:
that's
good,
that's
able
to
click
that
ticker,
and
so
the
authority
is
vested
in
a
bearer
instrument.
A
So
that's
a
simple
example:
what
does
this
look
like
when
you're
doing
a
mechanism
for
market
cooperation
write
a
simple
ledger?
We
have
four
simple
ledger
kind
of
function.
We
have
what
are
called
mints
that
make
currency
that
make
new
currencies
and
they
produce
a
purse
full
of
that
currency
right.
So
those
are
the
operations.
I
can
make
a
mint
with
a
given
name.
A
A
Can
deposit
one
purse
full
of
cur
of
that
currency
into
another
purse
of
the
same
currency,
and
this
is
important
deposit
will
only
work,
and
this
is
just
a
straightforward
object
pattern
written
in
JavaScript.
This
is
all
implemented
and
running
in
our
in
our
playground,
VAT
our
proof
of
concept
system,
but
that
deposit
takes
if
it
gets
a
purse
that
is
not
in
the
same
currency.
A
The
deposit
fails
because,
of
course,
you
can't
deposit
apples
into
a
purse
full
of
oranges
right
so
it
so
it
only
succeeds
if
you
actually
gave
me
a
purse
of
the
currency
I'm
expecting.
So
how
does
that
get
used?
Well,
for
my
concert
that
I'm
putting
on
I
meant
a
new
currency
which
is
tickets
to
the
concert.
A
Poof
I
got
a
new
currency
right
now,
when
I
want
to
when,
when
in
some
operation
in
my
smart
contract
for
managing
that
manage
in
this
contract,
this
this
concert
I'm
requested
a
ticket
I
mint
one
token
one
unit
of
this
currency
and
I
return
it,
and
now
they
have
a
purse
with
one
concert
ticket
in
it.
Obviously,
if
they
were
doing
bulk
orders,
I
could
return
them
for
tickets,
but
that's
not
what
we're
doing
here.
Okay,
so
I
could
also
just
mint
a
ticket
and
send
it
to
Carol
right.
A
So
I've
got
some
API
some
economic
arrangement,
so
I
invoke
her
receive
ticket
function
and
now
Carol
receives
as
an
argument,
simple
argument,
passing
in
your
object-oriented
programming
language
receives
a
ticket
okay.
Well,
this
isn't
quite
what
you
need
for
a
smart
contract
and
for
cooperation
here,
because
remember,
these
are
simple
objects
right,
there's,
nothing
magic!
Here!
A
It's
something
that
again,
tens
of
millions
of
programmers
in
the
world
could
trivially
use
this
kind
of
library
and
do
this
sort
of
thing
all
the
time,
but
what
happens
with
objects
when
I
pass
them
is
I
share
them.
So
now
carol
has
the
ticket,
but
so
do
I
all
right.
So
what
do
we
do
so
now?
Where
we
get
to
that
issuer?
That
I
mentioned
an
issuer
on
a
mint
is
effectively
like
a
brand
that
I
can
use
to
verify
that
a
given
purse
is
indeed
part
of
you
know.
A
A
In
my
particular
example,
here
I
sent
a
message
to
the
venue.
You
know
to
publish
my
new
concert
event
and
here's
the
the
the
issuer
that
will
validate
people's
tickets
for
entry
right,
and
so
now
anyone
can
tell
whether
they
got
a
valid
ticket
for
that
concert.
So
Carol
who's,
the
one
who
received
the
ticket
I,
sent
her.
What
she's
gonna
do
when
she
gets
that
ticket
in
her
received
ticket
call,
is
she's
going
to
go
to
that
concert,
issuer
and
say
great
I've
got
something
that
claims
to
be
a
ticket.
A
Let
me
claim
it
right
and
it's
you
know
it's
not
claiming
it's
still
a
ticket.
She
could
go
use
it,
but
it's
only
alleged
I
might
have
sent
her
anything
and
so
by
doing
the
get
exclusive
from
the
issuer,
she
knows
that
the
venue's
validator
of
tickets
for
the
venue
will
confirm
if
that's
a
real
ticket,
and
so
what
she
gets
out
in
ticket
is
not
just
confirmation
that
it
is
a
real
ticket
for
the
actual
concert.
But
now
she
also
knows
that
she's,
the
older
whole
only
holder
of
it
right.
A
She
gets
a
purse
where
the
original
ticket
that
might
have
had
many
people
accessing
it.
Many
people
sharing
it
now.
All
of
the
contents
have
been
transferred
to
this
newly
created
purse,
and
so
she
has
exclusive
access
to
those
rights,
and
so
she
has
exclusive
access
to
the
ticket
for
the
concert
right
and
she
has
that
by
construction.
She
just
did
now.
She
knows
that
that's
the
property
that
she
has
and
then,
given
that
she
succeeded
at
that
she
will
return
the
payment.
A
A
Her
response
is
the
payment
I
then
go
and
deposit
that
into
my
account
that
gets
the
same
kind
of
thing
as
get
exclusive
which
the
deposit
succeeds.
If
and
only
if,
it's
it's
in
the
currency,
I
was
expecting
it's
in
the
currency
of
my
account
and
it
will
deposit
that
and
transfer
that
into
my
account.
So
now
I
know
I
have
all
the
money
and
she
succeeded
at
paying
me.
Okay.
Now,
that's
clearly
got
some
problems.
What
if
she
doesn't
pay
me?
She's
got
the
ticket
right,
I'm
out
the
ticket.
A
You
know
she's
able
to
go
to
the
concert
and
might
not
pay
me
or
might
not
pay
me
enough
for
what
happe.
Well,
that's
where
remember
I
said
this
is
low
level,
programming
using
objects
and
just
starting
to
build
up
to
market
abstractions
that
we
can
use
to
put
together
smart
contracts.
What
we
really
all
want
is
these
are
the
tools
to
go
into
building
a
framework,
and
so
what
are
the
elements
of
a
framework
right?
A
Similarly,
I
could
start
an
auction,
and
now
the
seat
on
the
auction
is
a
brand
new
right
that
didn't
exist
before
that
I
can
now
buy
and
sell
and
trade,
and
what
you
want
is
for
that
to
be
a
bearer
right,
that
I
can
buy
and
sell
and
trade
and
and
and
use
another
market
institutions,
but
to
solve
my
problem
with
sending
Carol
this
ticket
and
not
getting
paid
instead.
I
want
a
contract
that
allows
an
arrangement
over
existing
rights,
so
I
already
have
the
ticket
right.
I
want
to
win.
A
A
A
Another
kind
of
contract
that
manipulates
existing
rights
is
I
writing
a
smart
contract
that
will
sell
it
that
will
sell
whatever
the
underlying
right
is
for
a
fixed
price
over
a
period
of
time
and
neck,
and
now
you
know
one
time,
I
write
it
one
time,
I,
sort
out
all
the
cancellation
and
timing
and
and
those
sorts
of
things,
and
now
again
going
back
to
the
difference
of
this
security
architecture
versus
an
identity
based
access
control,
architecture.
I,
don't
have
to
put
your
name
in
the
covered.
A
Call
it's
just
a
thing
and
I
can
sell
it
to
you.
I
can
send
it
to
you.
I
can
sell
it
to
you
through
an
escrow
exchange
agent.
I
can
post
it
on
a
new
auction
that
someone
built
etc.
So
I've
got
this
ability
to
build
these
market
abstractions
and
then
reuse
them
to
build
yet
more
sophisticated
market
abstractions
okay.
So
what
we've
seen
is
an
example
of
how
one
could
potentially
manipulate
rights
easily
right,
Minuten
move
them
around
share
them
with
each
other,
make
them
exclusive
transfer
them
and
so
forth.
A
A
One
of
the
cool
things
about
blockchain
the
way
we
think
about
we
originally
I
was
just
saying
we
did
smart
contract
technology
before
blockchain,
and
that
was
cryptographic
protocols
between
machines,
where
I
could
then
find
a
cluster
of
machines.
That
I
was
willing
to
rely
on
mutually
with
you.
We
could
deploy
our
contract
to
there
and
engage
in
in
escrow
exchange
and
all
that
sort
of
stuff.
A
What
blockchains
brought
is
essentially
now
they
can
manufacture
new
machines
out
of
agreement
rather
than
out
of
silicon,
and
so,
from
our
perspective,
a
blockchain
kind
of
looks
like
a
machine
that
just
has
an
incredibly
high
integrity
and
and
so
on
that
environment.
We
would
be
running
that
kind
of
these
kinds
of
transactions
deployed
where
it's
running,
replicated
computation
with
consensus,
verification
that
all
of
those
machines
in
a
distributed
fashion
are
doing
the
same
contract,
execution
and
I.
Think
I'm.
It
forgot
a
part
of
your
question.
Could
you
react?
It.
A
A
So
our
semantics
are
in
JavaScript,
and
so
we
just
completed
a
collaboration
with
Salesforce
to
do
the
production
security
kernel,
that's
now
deployed
and
under
it's
underneath
the
Salesforce
lightning
platform
and
it's
the
kernel
of
our
system
to
provide
essentially
feather
weight
compartments
where
we
can
launch
programs,
give
them
very
limited
authority
and
allow
them
to
communicate
through
that,
but
strictly
according
to
the
object
capability
principles,
and
so
that's
called
SES.
It's
on
our
site.
A
It's
open
source
and
Salesforce
is
just
one
of
the
companies
are
starting
to
pick
it
up
to
use
it
and
web
to
properties
for
security.
But
it
is,
it
is
underpinning
our
model
for
executing
this
kind
of
technology
on
on
in
a
smart
contract
platform,
and
so
that
runtime
would
be
running
on
each
of
the
validators
or
each
of
the
miners
in
order
to
compute
the
smart
contract
result
and
there's
a
subset
of
JavaScript
that
we
can
compile
called
called
Jesse
that
we
can
run
on
other
platforms.