Date Posted: 7/16/2021

At the 42nd IEEE Symposium on Security and PrivacyEthan Cecchetti, Siqiu Yao, Haobin Ni, and Andrew Myers won the Best Paper Award for "Compositional Security for Reentrant Applications." The conference is sponsored by the Institute of Electrical and Electronics Engineers (IEEE) Computer Society Technical Committee on Security and Privacy in cooperation with the International Association for Cryptologic Research.

All at Cornell, Cecchetti, Yao, and Ni are Ph.D. candidates. In their doctoral research, Cecchetti and Yao are advised by Myers, while Ni is co-advised by Greg Morrisett and Robbert van Renesse.

In their joint work on "Compositional Security for Reentrant Applications," the authors explain the motivation for their research and their responses to it: "The disastrous vulnerabilities in smart contracts sharply remind us of our ignorance: we do not know how to write code that is secure in composition with malicious code. Information flow control has long been proposed as a way to achieve compositional security, offering strong guarantees even when combining software from different trust domains. Unfortunately, this appealing story breaks down in the presence of reentrancy attacks. We formalize a general definition of reentrancy and introduce a security condition that allows software modules like smart contracts to protect their key invariants while retaining the expressive power of safe forms of reentrancy. We present a security type system that provably enforces secure information flow; in conjunction with run-time mechanisms, it enforces secure reentrancy even in the presence of unknown code; and it helps locate and correct recent high-profile vulnerabilities."