QUICK REVIEW

[Paper Review] Prisma: A Tierless Language for Enforcing Contract-Client Protocols in Decentralized Applications (Extended Abstract)

David Richter, David Kretzler | arXiv (Cornell University) | Jan 1, 2022
Blockchain Technology Applications and Security | Cited by 1
One-sentence summary

Prisma is a tierless domain-specific language that unifies smart-contract and client logic in a single program and enforces the correct communication protocol through control flow, using direct-style send-and-receive operations. By encoding the protocol directly in the program structure it eliminates interface mismatches and communication errors, and its compiler is formally proven to preserve program behaviour even when an attacker controls the client.

ABSTRACT

Decentralized applications (dApps) consist of smart contracts that run on blockchains and clients that model collaborating parties. dApps are used to model financial and legal business functionality. Today, contracts and clients are written as separate programs, in different programming languages, communicating via send and receive operations. This makes distributed program flow awkward to express and reason about, increasing the potential for mismatches in the client-contract interface, which can be exploited by malicious clients, potentially leading to huge financial losses. In this paper, we present Prisma, a language for tierless decentralized applications, where the contract and its clients are defined in one unit. Pairs of send and receive actions that "belong together" are encapsulated into a single direct-style operation, which is executed differently by sending and receiving parties. This enables expressing distributed program flow via standard control flow and renders mismatching communication impossible. We prove formally that our compiler preserves program behavior in the presence of an attacker controlling the client code. We systematically compare Prisma with mainstream and advanced programming models for dApps and provide empirical evidence for its expressiveness and performance.

The design space of dApp programming and other multi-party languages depends on one major choice: a local model versus a global model. In a local model, parties are defined in separate programs and their interactions are encoded via send and receive effects. In a global language, parties are defined within one shared program and interactions are encoded via combined send-and-receive operations with no effects visible to the outside world.
The global model is followed by tierless [Christian Queinnec, 2000; Cooper et al., 2007; Choi and Chang, 2019; Fowler et al., 2019; Serrano et al., 2006; Serrano and Prunet, 2016; Radanne et al., 2016; Weisenburger et al., 2018] and choreographic [Kohei Honda et al., 2011; Fabrizio Montesi et al., 2014; Saverio Giallorenzo et al., 2020] languages. However, known approaches to dApp programming follow the local model and thus rely on explicitly specifying the client-contract interaction protocol. Moreover, the contract and clients are implemented in different languages; hence, developers have to master two technology stacks. The dominating approach in industry is Solidity [Mix, 2019] for the contract and JavaScript for clients. Solidity relies on expressing the protocol using assertions in the contract code, which are checked at run time [Solidity documentation - common patterns, 2020]. Failing to insert the correct assertions may give parties illegal access to monetary values to the detriment of others [Nikolić et al., 2018; Luu et al., 2016]. In research, contract languages [Ankush Das et al., 2019; Michael J. Coblenz, 2017; Franklin Schrans et al., 2018; Franklin Schrans et al., 2019; Michael J. Coblenz et al., 2019; Michael J. Coblenz et al., 2019; Reed Oei et al., 2020; Sam Blackshear et al., 2019] have been proposed that rely on advanced type systems such as session types, type states, and linear types. The global model has not been explored for dApp programming. This is unfortunate given the potential to get by with a standard typing discipline and to avoid the intricacies and potential mismatches of a two-language stack. Our work fills this gap by proposing Prisma, the first language that features a global programming model for Ethereum dApps. While we focus on the Ethereum blockchain, we believe our techniques to be applicable to other smart contract platforms.
Prisma enables interleaving contract and client logic within the same program and adopts a direct style (DS) notation for encoding send-and-receive operations (with our awaitCl language construct) akin to languages with async/await [Gavin M. Bierman et al., 2012; Scala async rfc]. DS addresses shortcomings of the currently dominant encoding of the protocol's finite state machines (FSM) [Mix, 2019; Michael J. Coblenz, 2017; Franklin Schrans et al., 2018; Franklin Schrans et al., 2019; Michael J. Coblenz et al., 2019; Michael J. Coblenz et al., 2019]. We argue that writing in FSM style corresponds to writing a control-flow graph of basic blocks, which is low-level and better suited to be written by a compiler than by a human. In FSM style, the contract is a passive entity whose execution is driven by clients, whereas the DS encoding allows the contract to actively ask clients for input, fitting dApp execution where a dominant contract controls execution and diverts control to other parties when their input is needed. In the following Prisma snippet, the payout function is invoked by the contract when it is time to pay money to a client. In Prisma, variables, methods and classes are separated into two namespaces, one for the contract and one for the clients. The payout method is located on the contract via the annotation @co. The body of the method diverts control to the client using awaitCl(...) { ... }, hence the contained readLine call is executed on the client. Note that no explicit send/receive operations are needed: the communication protocol is expressed through the program control flow. Only after the check client == toBePayed confirms that the correct client replied is the current contract balance balance() transferred to the client via transfer.

    @co def payout(toBePayed: Arr[Address]): Unit = {
      awaitCl(client => client == toBePayed) {   // control is diverted to the selected client
        readLine("Press enter for payout")       // executed on the client, not on the contract
      }
      toBePayed.transfer(balance())              // resumed on the contract once the reply arrives
    }

Overall, Prisma relieves the developer from the responsibility of correctly managing distributed, asynchronous program flows and the heterogeneous technology stack. Instead, the burden is put on the compiler, which distributes the program flow by means of selective continuation-passing-style (CPS) translation and defunctionalisation and inserts guards against malicious client interactions. We needed to develop a CPS translation for the code that runs on the Ethereum Virtual Machine (EVM), since the EVM has no built-in support for concurrency primitives that could be used for asynchronous communication. While CPS translations are well known, we cannot use them out of the box because in our case the control flow is interwoven with distribution. A CPS translation that does not take distribution into account would allow malicious clients to force the contract to deviate from the intended control flow by sending a spoofed continuation. Thus, it was imperative to prove the correctness of our distributed CPS translation to ensure control-flow integrity of the contract.
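The following toy model (added here for illustration; it is not Prisma's compiler output nor code from the paper) shows the contract side of the payout snippet after defunctionalisation: the suspended continuation is a tag kept in contract storage, and two on-chain guards reject a spoofed continuation, a reply from a client other than toBePayed, and a replay after the protocol has finished. Class, tag and address names are constructed for this model.

```python
from dataclasses import dataclass, field

# Continuation tags produced by defunctionalising the contract's control flow.
# (Tag names are constructed for this model, not Prisma's actual encoding.)
AWAIT_PAYOUT_ACK = "k_payout_ack"   # suspended inside awaitCl(...) of payout
DONE = "k_done"                     # payout finished; nothing left to resume


@dataclass
class PayoutContract:
    """Contract-side state of the payout example after CPS + defunctionalisation."""
    to_be_payed: str                 # the single client allowed to answer
    balance: int                     # contract balance() to be transferred
    ledger: dict = field(default_factory=dict)
    k: str = AWAIT_PAYOUT_ACK        # continuation tag kept in *contract* storage
    rejected: list = field(default_factory=list)

    def resume(self, sender: str, claimed_k: str) -> bool:
        """Process one client transaction; True if the contract advanced."""
        # Guard 1: the continuation that runs is the one the contract stored,
        # never the one the client names. A mismatch is a spoofed continuation.
        if claimed_k != self.k:
            self.rejected.append((sender, "spoofed continuation"))
            return False
        # Guard 2: the awaitCl predicate `client == toBePayed` is re-checked
        # on chain, so only the selected client can supply the reply.
        if sender != self.to_be_payed:
            self.rejected.append((sender, "not the awaited client"))
            return False
        if self.k == AWAIT_PAYOUT_ACK:
            # Code after the awaitCl block: toBePayed.transfer(balance())
            self.ledger[sender] = self.ledger.get(sender, 0) + self.balance
            self.balance = 0
            self.k = DONE
            return True
        # Nothing to resume at DONE: a replayed reply is ignored.
        self.rejected.append((sender, "protocol already finished"))
        return False


def run_scenario() -> PayoutContract:
    """Constructed sequence of transactions against one contract instance."""
    c = PayoutContract(to_be_payed="0xAlice", balance=100)
    c.resume("0xMallory", DONE)              # spoofed continuation, rejected
    c.resume("0xMallory", AWAIT_PAYOUT_ACK)  # correct tag, wrong client
    c.resume("0xAlice", AWAIT_PAYOUT_ACK)    # the awaited reply, payout runs
    c.resume("0xAlice", DONE)                # replay after completion
    return c
```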

Motivation and goals

  • Address the security and correctness challenges in decentralized application (dApp) development that arise from separating smart-contract and client logic.
  • Eliminate the financial losses caused by interface mismatches between smart contracts and clients, as illustrated by incidents such as the DAO attack.
  • Provide a unified programming model in which smart-contract and client logic are written in the same language and program unit, reducing complexity and boilerplate.
  • Enforce the correct interaction protocol by encoding it directly in control flow, so that protocol violations become impossible at compile time.
  • Show that a simple type system suffices for security, avoiding complex type disciplines such as session types while still providing strong guarantees.

Proposed approach

  • Prisma uses a global, tierless programming model in which smart-contract and client logic are defined in a single program unit.
  • It introduces direct-style communication operations that act as a send when executed by one party and as a receive when executed by the other.
  • Communication is embedded in control flow, so the order of operations naturally defines the protocol; no explicit protocol specification is needed.
  • The language uses a standard System F-style type system, avoiding complex disciplines such as session types or linear logic.
  • A formal semantics and a behaviour-preserving compiler are defined, guaranteeing that program behaviour is preserved even when an attacker controls the client.
  • The compiler generates efficient, low-overhead blockchain code, minimising transaction fees by avoiding redundant or expensive operations.

Experimental results

Research questions

  • RQ1: Can a unified programming model for dApps eliminate interface mismatches between smart contracts and clients?
  • RQ2: Can direct-style communication operations enforce the correct protocol flow without relying on a complex type system?
  • RQ3: Can a tierless language combined with control-flow-based protocols prevent the protocol violations and attacks caused by communication mismatches?
  • RQ4: Can the model achieve strong security guarantees with a simple type system rather than an advanced type discipline?
  • RQ5: Is the compiler efficient enough for practical deployment of real-world dApps?

Main findings

  • Prisma unifies smart-contract and client logic in one program, removing the need for separate language stacks and reducing development complexity.
  • The direct-style communication model ensures protocol correctness by encoding the protocol in control flow, making run-time mismatches and protocol violations impossible.
  • The compiler is formally proven to preserve program behaviour even when the client is controlled by an attacker, providing secure-by-construction guarantees.
  • Empirical evaluation shows that the code Prisma generates executes efficiently on the blockchain at low cost, outperforming approaches that generate expensive or redundant operations.
  • Prisma's approach can be generalised to other distributed systems that need strong communication guarantees, beyond smart contracts.
  • Case studies show that Prisma is expressive enough for real-world dApp patterns, including financial and crowdfunding workloads, while preserving security and correctness.


This review was generated by AI and checked by a human editor.