SoK: Evolution, Security, and Fundamental Properties of Transactional Systems

Sky Pelletier Waterpeace, Nikolay Ivanov

TL;DR

A four-generation evolutionary taxonomy of transaction security is developed, exposing a pronounced bias toward DLT security research at the expense of broader transactional security and identifying concrete open problems for the next generation of transaction processing systems.

Abstract

Transaction processing systems underpin modern commerce, finance, and critical infrastructure, yet their security has never been studied across the full evolutionary arc of these systems. Over five decades, transaction processing has progressed through four distinct generations, from centralized databases, to distributed databases, to blockchain and distributed ledger technologies (DLTs), finally to multi-context systems that span cyber-physical components under real-time constraints. Each generation has introduced new transaction types and new classes of vulnerabilities, yet security research remains fragmented by domain, and the foundational ACID transaction model has not been revisited to reflect the demands of contemporary systems. We classify 163 papers on transaction security by evolutionary generation, security focus, and relevant Common Weakness Enumeration (CWE) entries, and distill a curated set of 41 high-impact or seminal papers spanning all four generations. We make three principal contributions. First, we develop a four-generation evolutionary taxonomy that contextualizes each work within the broader trajectory of transaction processing. Second, we map each paper's security focus to CWE identifiers, providing a systems-oriented vocabulary for analyzing transaction-specific threats across otherwise siloed domains. Third, we demonstrate that the classical ACID properties are insufficient for modern transactional systems and introduce RANCID, extending ACID with Real-timeness (R) and N-many Contexts (N), as a property set for reasoning about the security and correctness of systems that must coordinate across heterogeneous contexts under timing constraints. Our systematization exposes a pronounced bias toward DLT security research at the expense of broader transactional security and identifies concrete open problems for the next generation of transaction processing systems.

Paper Structure (39 sections, 4 figures, 2 tables)

Figures (4)

  • Figure 1: Overview of our systematization approach. Each step corresponds to a major section of the paper and produces a reusable analytical artifact (bottom row).
  • Figure 2: Distribution of security-focused papers across evolutionary generations in our survey ($n = 163$). Generation III (DLTs) accounts for 66% of the literature.
  • Figure 3: Process flow for identifying and classifying papers. From an initial pool of 235 papers, 163 were retained after scope filtering and classified along five dimensions; 41 were selected for the curated survey.
  • Figure 4: Primary security focus of the 163 in-scope papers (left) and the 41 curated papers (right). The curated set shifts toward attack-focused works, reflecting the higher novelty threshold of demonstrated exploits.