msc brainstorm: hardening the root-of-trust in EBSI

[synctext]

brainstorm Not afraid of assembly! Defend: July 2025. Phd ambition!!!
GPA could use some boosting.

First, describe the scope and past occurrences of node hijacks.
From Solarwinds to the recent 1.3 million Android TVs in a botnet. Do you aim to protect from unzip fail of firmware update?

Security frameworks. sandbox where you can run anything. IoT device, build Raspberry pi with TinyML as exemplary use-case?

ToDo

• read Zero-Trust architecture
• Enhancing TinyML Security: Study of Adversarial Attack

Other ideas:

• byzantine faults; Engraft: Enclave-guarded Raft on Byzantine Faulty Nodes
• DNA passport
• Low-level PUF
• Open HSM
• IoT devices, etc.

https://www.enisa.europa.eu/publications/eidas-compliant-eid-solutions/@@download/fullReport

Zero-Trust Architecture for Legal Entities

update: Cars now have firmware and secure boot. In-line with your 'hacking' passion. Toyota cars get stolen using CANbus attack. There is a Tesla bug hunting bounty. Smartphone app opens your car, passport-grade authentication. Link to insurance and question who was driving the car when damage occurred?? 🤔 (more US thing versus EU where things are decently organised). The science: protecting high-value 'portable' computers and firmware {zero-trust}.

update2: V2X tech for "car wifi" in 5.9 GHz band. Police remotely stopping a car is no longer the realm of Sci-Fi movies. See the trail of a "remote car stopping" from the Czech Technical University in Prague and the BUT in Brno and PR stuff from the USA.

• Towards zero trust security in connected vehicles: A comprehensive survey
• A Zero Trust Architecture for Connected and Autonomous Vehicles
• A curated list of awesome resources, books, hardware, software, applications, people to follow, and more cool stuff about vehicle security, car hacking, and tinkering with the functionality of your car.
• HOW TO BEGIN V2X DEVELOPMENT ON LINUX

ToDo: a draft 1-page research proposal (e.g. the science focus side)

[Kheoss]

Proposal: A Privacy-Preserving Digital Identity System Using DNA Passports and Physical Unclonable Functions (PUFs)
Background and Motivation
As digital identity systems become integral to secure IoT and automotive environments, the need for robust, privacy-preserving authentication has never been greater. Traditional biometric and hardware-based authentication methods present vulnerabilities, either through centralized storage or susceptibility to cloning and tampering. This proposal explores a hybrid identity model combining DNA-based identifiers and Physical Unclonable Functions (PUFs), leveraging the unique properties of both biological and hardware-based identifiers for a decentralized, multi-factor authentication system that is resistant to forgery and highly secure.

Objectives
Develop a Secure DNA-PUF System Architecture: Design an identity framework that binds DNA-based identifiers with PUFs, creating a unique, privacy-preserving multi-factor identity verification system.
Implement Privacy-Preserving DNA Hashing: Ensure DNA information is encoded and stored securely, protecting user privacy while enabling strong, unique identity verification.
Prototype and Evaluate the System: Build a prototype and evaluate the system’s effectiveness in providing secure, decentralized authentication, focusing on IoT and automotive applications.

Possible Methodology
DNA-Based Identifier Generation: Select privacy-friendly DNA markers, create a hashed digital representation, and store this locally on the device, ensuring user privacy.
Device-Based PUF Authentication: Equip devices with PUFs (or simulate PUFs? ) to generate unique, hardware-rooted responses. Each device’s PUF response serves as an unforgeable, repeatable key.
Combined DNA-PUF Authentication: Bind the DNA hash with the PUF response to form a multi-factor identifier. Authentication involves the device presenting both the DNA-based user identity and PUF-derived device identity, ensuring that only authorized users and devices gain access.
Testing and Validation: Develop a prototype for evaluation within a simulated IoT or automotive environment, analyzing performance metrics, security resilience, and privacy preservation (how?).

Expected Outcomes ???

Secure, Decentralized Identity System: A privacy-centric identity model that binds user DNA with device-specific PUF authentication, creating a robust, decentralized system for IoT security.
Enhanced Privacy and Security: Privacy-preserving techniques for DNA data storage and processing, with a multi-factor approach that combines user and device authentication without relying on centralized databases.
A working prototype with results demonstrating its feasibility and effectiveness in environments where strong, privacy-respecting authentication is essential.

To explore: Multi-layered/fine-grain hierarchies may be a nice addition as many authentication systems work more like "I am this device" instead of "I owe this device".

Potential Impact
This DNA-PUF hybrid system for secure digital identity merges advanced biometrics with unique hardware-based identifiers. Its decentralized design makes it suitable for applications in IoT, connected vehicles, and other fields where secure, user-controlled identity management is critical. This research will contribute to the fields of digital identity and privacy, addressing current limitations and setting a foundation for further innovations in secure authentication.

• Unclonable functions based on DNA tools.

• Cancellable / theft locking/ lost device

• Chemical unclonable functions based on operable random DNA pools

[synctext]

Very scary 😨 😮 😨 Solid science for "identity of the future" in a world that is slowly collapsing into chaos.

Passport 2050

Advise: re-write. example:
The world is slowly descending into less democracy, more wars, and increased suffering. Establishing the correctness of information, validity of electronic signatures, owners of object, and identity of humans is becoming a cardinal requirement for global safety. This thesis is exploring identity solutions for the worst-case scenario. Our adversary model is that multiple state-actors will re-organise their economy for sustained attacking of the integrity of liberal democracies. Our requirement is that by 2050 our system could still serve as the foundation for identity and integrity of all our socio-economic systems. By being isolated from most plausible technological breakthrough. This means our solution consists of combining traditional hardware-based PUFs and the frontier of science and unique identification: DNA.

• PUF: eIDAS extreme
• PUF+DNA+openness and accountability: eIDAS Ultra
• FastDNA for eIDAS Ultra authentication

[Kheoss]

13/11/2024: A bit of literature review

Lots of DNA is no-coding DNA ( does not encode protein sequences ), however the 1% that does is interesting.

Concept: Protein-Based DNA Signature Generator

• simulate the process of protein formation from specific DNA segments to create a unique, verifiable signature
• use DNA as input to model protein structure or sequence => complex and biologically authentic way to generate signatures tied to an individual’s DNA ( bio-PUF ? )
• ZKP by simulating the protein/structure formation [transcription] for a challange

Problems:

• how to revoke such identity?
• many papers that might be usefull are new and did not find them (yet) to read in full [ examples:
  Synthesizing DNA molecules with identity-based digital signatures to prevent malicious tampering and enabling source attribution]

DNA encoding schemes herald a new age in cybersecurity for safeguarding digital assets

Cyber Attacks on Power System Automation and Protection and Impact Analysis

A hybrid logistic DNA-based encryption system for securing the Internet of Things patient monitoring systems

A novel DNA-based key scrambling technique for image encryption

[synctext]

Thesis Brainstorm III

"Purple teaming of the upcoming EU EBSI passport-grade digital identity"
EBSI and Europeum are establishing a state-of-the-art identity system to provide an alternative to Big Tech identity systems and traditional paper-based passports. Instead of the usual secrecy the EU has decided on an transparent, open source, and accountable system. The core of the system is formed by Hyperledger Besu. We created a state-of-the-art SIEM tooling for this server. We present a systematic study consisting of running numerous pentests against an actual pre-production EBSI server, configuring SIEM tooling to report these attacks, and devise new attacks. {speculation!} The result is successful resource exhaustion attack against the default Hyperledger configuration used. Due to the complexity and fragility of the smart contract system we successfully made the server unreachable.

SIEM tools provide forensics, not just a intrusion detection system. This project uses a "capture the flag" experience. This angle uses the hard work of building tooling, new defences, reference architecture, security audit, and possibly new attacks. Security audit should not be in the old format of this vunerability, this config detail. This project will provide a state-of-the-art security audit with risk assessment. For instance, in the scenario that EBSI provides foundation for the digital Euro it impacts risk tolerance. Each deployment level will be analysed, including facilitating tokanization. (blue teaming stuff). Your thesis does not critically depend on successfully breaking EBSI security, but you meticulously create the ecosystem for breaking it. Then you can also propose a security fix. Little investigation shows three unresolved active vulnerabilities to hyperledger Besu ecosystem 😱 Client has incorrect conversion. server side has critical error in 32 bit signed and unsigned types in the calculation of available gas.
Danger is that throwing a bunch of open source tools together is not science for a Delft Master thesis. But with unpatched critical server errors for multiple months, there is low-hanging fruit.

ToDo:

• find 20-ish papers of state-of-the-art literature around described draft thesis direction.
• Explore if this is "industry-driven" and thus lacks the transparency, paper publishing, open innovation processes that academics prefer
• Install local hyperledger Besu and reproduce critical vulnerabilities, investigate how EBSI might be impacted.
  • are there Besu smart contracts in EBSI?

[Kheoss]

https://www.geeksforgeeks.org/hyperledger-besu-in-blockchain/#limitations-of-hyperledger-besu
https://dltgroup.it/DLTWorkshop/slides2023/Sestili_Session_5.pdf
https://www.mdpi.com/2504-2289/7/2/79 [pay to win jurnal]

Brainstorm:

1. Post-Quantum Security for apps based on Besu Hyperledger

Quantum Threats:
Shor's Algorithm: A quantum algorithm that can efficiently factorize large integers, breaking RSA and ECC-based systems.
Grover's Algorithm: Reduces the time required to brute-force symmetric encryption keys, necessitating larger key sizes for symmetric encryption algorithms.

Many blockchain systems (Besu too) use cryptographic algorithms/signatures that will eventually become obsolete in a post-quantum world.
Post-quantum algorithms are needed to ensure future-proofing.

Post-Quantum Cryptographic Algorithms:

Lattice-Based Cryptography
Merkle tree-based signatures (hash based)
Isogeny-Based Cryptography ( mayben not )

Besu platform's ( base platform for EBSI, "The first public sector blockchain infrastructure in Europe") number 1 contributor works at Consensys ( company which also own Metamask and a asteroid mining company ? )

Resolution: too speculative and the threat model a little questionable as current crypto is STILL STRONG and there is a high chance it will work in the future as public/private key is tested for 50+ years AND... we still have today's problems that need to be taken care of ( identity issues, threat actors tracking, etc)

2.Interoperability and Cross-System Security

How to make besu hyperledger be interoperable with other blockchains?

3. Incident Response and Resilience: "Hardening the root of trust in Europe"

Traditional SIEMs: Tools like Splunk, Elastic Stack (ELK), and Graylog are adapted for blockchain monitoring by applying custom rules.

Let's try to make something for blockchain specific such as logs, event correlation, not AI preferably.

Try to protect the root of trust of europe from vulnerable base platform (Besu). Detach from the untrustworthy platform and create a layer of security.

Sprint focus:

• Exploit existing vulnerabilities in Besu.
• Check if we can capture the current exploits before the threat actually affects us ( anomaly vs signature detection)
• Can other more formal threat detection models capture that from trafic?

URGENCY MODE ON: Time to focus as the graduation deadline is around July 2025!

[synctext]

Quite a discovery, Hyperledge Besu is captured by Consensys, all top-4 devs. This is an aggressive company, loaded with cash and history of various borderline illegal behaviours. Solid thesis material, turning the Besu untrustworthy platform into the EU EBSI root-of-trust for passport-grade identities. 😨

[Kheoss]

Sprint update:

• "Gas allocation error in CALL operations in Besu EVM" patched in 22.7.1 but still, maybe nodes run in vulnerable versions ( further study might be interesting).

Blockcain IOT SIEM tool

Lab setup - (I hope soon to be) similar to EBSI

• BESU
• minimum 4 validators
• QBFT
• smart contracts
• Docker ( my appologies for this one )

Besu Hyperledger versions in use:

• 22.4.2 as a vulnerable version
• 22.7.1 as a patched version [benchmark]

On going: replicate attacks (including CVE-2022-36025, resource exhaustion, etc)

Some ideas from this sprint:

• Besu is harder to setup than expected
• Existing logs could vaguely detect unexpected gas fees (ex: CVE-2022-36025 ), however, how to intervine? Quarantine nodes? Demolish transactions based on statistics? Do we want an overlay or an underlay ?
  Combining Besu Logs with Network and maybe OS logs could be the way to go.
• Should also investigate the Execution Layer (EVM) as here seems the place where bugs and vulnerabilities are most present. (Pre-Deployment Contract Complexity Assessment/Run-time Monitoring of Contract Calls).
  Quarantine a whole contract?

"Dynamic runtime complexity throttling in a permissioned Besu-based network" related tools and papers:

Slither - solidity contract static analyzer (loops, re-entrancy paterns, etc)
Mythril - symbolic framework for EVM bytecode (can detect integer overflow, etc)
Manticore - another symbolic execution tool
MadMax: surviving out of gas - vulnerabilities related to gas consumption
Securify: Practical Security Analysis of Smart Contracts - security scanner for ETH smart contracts
Making a smart contract smarter

Random ideas:
What about forensics ? immutable / tamper-evident logs?

• Cryptographic logging:
• Secure Storage of logs
• teal-time integrity checks

General opinion after 1-2 weeks of working with it: Not too bad, even decent tool, backed up by lots of money. Complicated to setup and a little too "large" in features but overall a decent, enterprise level tool.

I do not think there is enough evidence to focus on Besu's infrastructure/ vulnerability finding in a master's thesis as it is enterprise level. Doing SIEM Tooling seems the best way for "hardening the root of trust".

Next sprint: SimTools for blockchain on the setup

• YARA Rules
• zeek...

[synctext]

For next sprint. Get Top-3 SIEM tools running. ELk stack, Prometheus, greylog, splunk, etc?
Identify the top-3. Get going with Besu. Future sprint: identify what to fix, improve, standardize.

[Kheoss]

It's time to dig deeper into lower levels of blockchain/BESU

• I think is time to focus my thesis to one direction , here's some research gaps I've found while playing with logging tools in BESU.
  1.Lack of Granular Gas-Monitoring Tools
  Problem: Most existing log analyzers or SIEM tools for Ethereum clients do not provide sufficiently granular gas usage details at each CALL or sub-call. Hence the difficulty to detect the vulnerability we've addressed so far.
  Opportunity: Implement or integrate fine-grained gas tracing and incorporate it into SIEM pipelines.

  2.Limited Real-Time Visibility ( ⚠️ this is a side effect of 1 and 3 as I see it⚠️ )
  Problem: Many solutions focus on post-event analysis/forensics, not on detecting suspicious gas anomalies in real-time.
  Opportunity: Develop near real-time dashboards and alerting specifically for gas anomalies that can catch potential exploits before they propagate.

  3.Sparse or Inconsistent EVM-Level Logging
  Problem: Current logs may lack enough fields or standardized formats for capturing sub-call gas usage, negative gas values, or integer overflow warnings.
  Opportunity: Enhance Besu’s built-in logging or build a lightweight “instrumentation layer” to capture relevant gas details.

  I feel like a combination of 1 and 3 is a winner combination, not only focusing on the network events but the actual logics executet in the network.

• Besu supports a plugin interface

• Execution Traces vs. Event Logs (texecution traces might be able to detect anomalies that never appear in traditional logs)

• Novel? as I know there isn’t a well-known, off-the-shelf SIEM solution that provides real-time, in-depth EVM trace data

Detect EVM-layer attacks.

Progress:

• Add logstash, filebeat, elasticsearch and kibana to the network in order to get logs ( both on vulnerable version and latest)
• Refine log inputs using filebeat
• Create transactions and monitor the network to get a feel of what blue teaming would be in this scenario

Proposal for next sprint:

• Play more with smart contracts and how we can detect events related to smart contracts ( access, deployment ).
• Get more insidefull logs ( smart contract calls, subcalls, values used in the calls, etc ) by adding custom logs from EVM layer ( create a BESU custom plugin ).
• Compare the two traces ( with plugin vs without plugin ) and see what happens

What it seems to be the case so far: We cannot detect CVE-2022-36025 using Kibana traces but we could detect it using DETERMINISTIC (NO AI) rules with the new logs.

⚠️ This thesis needs to be accelerated, however, I feel finally we're on the right track and with clear targets ⚠️
GitHub Repo

Nice resource:
Learn EVM Attacks

'Sciencify' the project:
Problem: Detect EMV-Attacks

• Almost a whole class of attacks go undetected. A little bit more granular monitoring would help. ( Ex: Running a SUBCAL with negative gas, why not monitor gas changes along traces)
• Agent modeling (threat modeling).
• Realtime alerting

Existing RPC traces: debug_traceTransaction

[synctext]

• good topic for a master thesis
• Good to keep the science at the centre. No solution, sell the problem!
• SIEM Open Source Solutions: A Comparative Study {non-english, chatGPT advised}
• https://github.com/coinspect/learn-evm-attacks dataset of logs
• You selected ELK stack 👍

Next sprint: write Problem Description chapter of thesis. Seek Harm approval later.

[Kheoss]

Vlad_Constantinescu_Thesis_Proposal.pdf

the Root of Trust of Europe

Problem description:
On 3 June 2021, the European Commission took a bold step toward revolutionizing digital identity by proposing
a regulation to update the European digital identity framework. Central to this vision is the introduction of the
European digital identity wallet—a cutting-edge solution building upon the foundations laid by the 2024 Regulation
on European electronic identification and trust services (eIDAS). This legislative momentum paves the way for
a robust, cross-border electronic trust layer across the European Union, where EBSI (the European Blockchain
Services Infrastructure) serves as the root-of-trust architecture in each Member State.
EBSI’s decentralized structure mitigates single-point-of-failure risks and ensures passport-grade security for
critical transactions, empowering EU citizens through verifiable and tamper-resistant digital credentials. However,
this trust framework hinges on vigilant, real-time monitoring to safeguard integrity and availability. Security Information and Event Management (SIEM) solutions are essential in detecting, analyzing, and responding to incidents.
Yet traditional SIEM tools rarely delve into the low-level Ethereum Virtual Machine (EVM) behaviors—such as
detailed gas consumption and smart contract execution traces—needed to uncover subtle vulnerabilities like gas
miscalculation (e.g., GHSA-4456-w38r-m53x). This master thesis aims to strengthen the very core of Europe’s
emerging digital trust fabric by designing and integrating advanced SIEM tooling optimized for EBSI’s Hyperledger
Besu environment, ensuring that threats are promptly identified and the European trust layer remains secure and
resilient.
Hyperledger Besu, a widely-used Ethereum client, also the root technology chosen by EBSI, shows restrictions
in its out-of-the-box logging capabilities, providing only coarse-grained events and high-level metrics.
The lack of fine-grained, EVM-level logging limits the ability to detect subtle gas-related vulnerabilities, as
current logging mechanisms fail to capture detailed gas flows, sub-call gas allocations, or integer overflow errors in
real time. This oversight makes it difficult for SIEM systems to identify attacks that exploit these vulnerabilities.
Additionally, the absence of detailed execution traces delays obstructs analysis, preventing investigators from
reconstructing the exact sequence of operations leading to an anomaly. Moreover, in networks with multiple
validators, inconsistent or sparse logs obstruct the correlation of events and consensus anomalies, which are crucial
for detecting coordinated or network-wide attacks.
These issues present a gap in the current state-of-the-art SIEM tooling for blockchain networks, where there is
a need for a methodology that integrates granular EVM-level data into SIEM workflow.
Such methodology would provide continuous, detailed logs of EVM execution, including sub-call level and gas
usage per opcode.
Additionally, it would enhance anomaly detection capabilities by correlating fine-grained gas metrics with higherlevel network events, improving incident response capabilities and forensic investigations by allowing detailed analysis
of malicious transactions or unexpected behavior.
This paper aims to address the identified gap by developing a novel methodology for granular EVM-level gas
monitoring and logging in Hyperledger Besu.
By integrating deep EVM instrumentation with traditional SIEM tools (e.g., ELK stack), this research aims to
demonstrate that more detailed EMV-level logging and analysis can lead to earlier detection of vulnerabilities, a
reduction in false positives, and a stronger security posture for blockchain networks. The approach will be validated
through controlled experiments, comparative analysis with existing solutions, and performance benchmarking under
various network conditions and attack scenarios.

[synctext]

With Honor example, dramatic buzz-bingo of high-end master thesis: #8062 (comment)
another one: TrustZero master thesis example, about annulled electrons 😬
Unique angle: access to real EBSI server, live reporting!!

Opening wording should more grander. Sell your problem, then present solution. True PR.

On 3 June 2021 the European Commission put forward a proposal for a regulation updating the European digital identity framework. The regulation's main innovation is the introduction of the European digital identity wallet. The Commission's initiative builds on the 2024 Regulation on European electronic identification and trust services.

This master thesis strengthens the root of trust that is at the technological core of this European-wide trust. The above legislation creates an cross-border electronic trust layer for Europe, based on a digital identity wallet. It is the first ecosystem in which multiple governments use a unified way of expressing trust relationships and accreditations in a digital and machine-readable form. This digital trust layer for Europe is based on passport-grade security and holder binding. The core technology is called EBSI, an architecture for decentralised trust, making information verifiable and empowering EU citizens.
EBSI is the root-of-trust service operating in each member state. This decentralisation across member state reduces single-point-of-failure risks. The integrity of the platform itself depend on incident monitoring, the focus of this thesis.

Security Information and Event Management (SIEM) systems are critical for monitoring, detecting, and responding to security incidents in real time. However, traditional SIEM solutions often lack the granularity required to analyze low-level Ethereum Virtual Machine (EVM) behavior, specifically, detailed gas consumption and execution traces of smart contract operations, which represents an important piece in the identification of subtle vulnerabilities such as those related to gas miscalculations (e.g., GHSA-4456-w38r-m53x).

[Kheoss]

Putting science at the core

How to validate the work? How to prove our work is better?

• We cannot build our own dataset / lunch attacks manualy over a network as created attack patterns can be questionable.
• Access to EBSI architecture collect a dataset?
• Online dataset? ( lacks the fine grained data the new system is based )

Advice: make the problem more broad: Why use ELK stack for both centralized and blockchain?

Progress:

Custom Client Modifications: For research purposes, I’m modifying Besu’s source to add more granular logging. Instrument the EVM loop to log selected opcodes and the gas remaining. Although this would slow down the node significantly in production, it can be useful on a private node to capture complete execution traces for every transaction without relying on the JSON-RPC (which might miss transactions not yet mined, etc.).

Besu’s open-source nature lets you insert detectors for known attack patterns – e.g., count the number of EXTCODECOPY or BALANCE opcodes (which were vectors in past attacks​ ethos.dev) during each transaction and log if it exceeds a threshold.

What can we inspect further:

Call Graphs: For analyzing a specific suspicious transaction or contract, visualizing the call graph is very insightful.
Tools like the Origin Tracer or even custom scripts can take the call trace (with its tree of calls) and display it hierarchically.

We might see a pattern where a contract A calls B, which calls A again, and so on – forming a deep recursion. A call graph diagram with nodes (contracts) and edges (calls, labeled with gas) can make these complex interactions easier to understand at a glance.

This call graph combined with granular logs might reveal interesting information:

For example:

User S calls contract A with an input and contract A subcalls contract B with an input and gas price computed using user’s input.
We can raise a flag and be careful because that subcall might be executed with user inputs.

Alternative: Turn it into Red teaming approach?
Externally fingerprint nodes and patterns
Insiders attack vs outsider attack

Resources red:

Detecting Insider Attacks in Blockchain Networks

https://www.vldb.org/pvldb/vol12/p975-ruan.pdf

https://www.spiedigitallibrary.org/conference-proceedings-of-spie/13184/131846V/Advanced-detection-of-malicious-transactions-in-ethereum-unraveling-complex-asset/10.1117/12.3033033.short

Dataset: https://www.kaggle.com/datasets/bigquery/ethereum-blockchain

Dataset with potential :https://github.com/salam-ammari/Labeled-Transactions-based-Dataset-of-Ethereum-Network