Author Topic: An "arbitrary data" bug in the blockchain?  (Read 5777 times)

0 Members and 1 Guest are viewing this topic.

Offline kenCode

  • Hero Member
  • *****
  • Posts: 2283
    • View Profile
    • Agorise
Thank you everyone for chiming in on this subject, I do feel much better now. Other than DDNS, I saw this one as a potential attack point for us. If it's not, it's not. Mike Ward from the CoinTelegraph is in our DDNS thread right now:
https://bitsharestalk.org/index.php/topic,15461.msg207790.html#msg207790
kenCode - Decentraliser @ Agorise
Matrix/Keybase/Hive/Commun/Github: @Agorise
www.PalmPay.chat

Offline toast

  • Hero Member
  • *****
  • Posts: 4001
    • View Profile
  • BitShares: nikolai
i dont understand.

you're saying that code can be run from a blockchain just by downloading it from a legit client?

if it's not a legit client, then whats to stop it from being a bitcoin wallet or a paypal phish site or something?

it seems like a general computing problem thats been known for decades...

The issue is if you write a client which parses unstructured data from the blockchain and interprets it in then you can exploit bugs in the software interpreting it.

but thats already a malicious client to begin with, right?

Exactly.
Do not use this post as information for making any important decisions. The only agreements I ever make are informal and non-binding. Take the same precautions as when dealing with a compromised account, scammer, sockpuppet, etc.

merockstar

  • Guest
i dont understand.

you're saying that code can be run from a blockchain just by downloading it from a legit client?

if it's not a legit client, then whats to stop it from being a bitcoin wallet or a paypal phish site or something?

it seems like a general computing problem thats been known for decades...

The issue is if you write a client which parses unstructured data from the blockchain and interprets it in then you can exploit bugs in the software interpreting it.

but thats already a malicious client to begin with, right?

TurkeyLeg

  • Guest

I think you people are missing the point...

This post contains a destructive virus.  You can execute it by following these malicious instructions:

Code: [Select]
Smash your computer with a hammer.
I could also burn these instructions onto a wall in the BitShares blockchain, but that wouldn't give me any way to make people execute it.

Hahaha! Made my day.


Sent from my iPhone using Tapatalk

Offline bytemaster

it is very difficult to exploit bugs to execute arbitrary code.

Can we make it impossible to inject such code? Or even more difficult than it already is?
Does the BitShares blockchain have the same 80byte hole?

We don't mark any memory as executable.  You can already embed arbitrary data in the public data fields and memos.  It is not a security concern and will be present in EVERY blockchain upon which addresses or public keys are used.  In other words: a Bitcoin address is ARBITRARY DATA.   
For the latest updates checkout my blog: http://bytemaster.bitshares.org
Anything said on these forums does not constitute an intent to create a legal obligation or contract between myself and anyone else.   These are merely my opinions and I reserve the right to change them at any time.

Offline speedy

  • Hero Member
  • *****
  • Posts: 1160
    • View Profile
  • BitShares: speedy
Your web browser downloads arbitrary data with every page you visit.  If you visit certain websites they will download mind viruses that convince you that mining is good.

Haha +5%

Offline xeroc

  • Board Moderator
  • Hero Member
  • *****
  • Posts: 12922
  • ChainSquad GmbH
    • View Profile
    • ChainSquad GmbH
  • BitShares: xeroc
  • GitHub: xeroc
it is very difficult to exploit bugs to execute arbitrary code.

Can we make it impossible to inject such code? Or even more difficult than it already is?
Does the BitShares blockchain have the same 80byte hole?
It is a FEATURE to be able to put arbitrary data ON THE BLOCKCHAIN ..
and you should ALWAYS trust those that deliver software to you .. not just in crypto, same thing holds true for your home banking, browser, messenger, video game!

This is not an issue of crypto in general nor is it an issue for bitshares in particular
« Last Edit: May 11, 2015, 01:53:34 pm by xeroc ¯\_(ツ)_/¯ »

Offline kenCode

  • Hero Member
  • *****
  • Posts: 2283
    • View Profile
    • Agorise
it is very difficult to exploit bugs to execute arbitrary code.

Can we make it impossible to inject such code? Or even more difficult than it already is?
Does the BitShares blockchain have the same 80byte hole?
kenCode - Decentraliser @ Agorise
Matrix/Keybase/Hive/Commun/Github: @Agorise
www.PalmPay.chat

Offline bytemaster

Your web browser downloads arbitrary data with every page you visit.  If you visit certain websites they will download mind viruses that convince you that mining is good.

Downloading and storing data is not a vulnerability.    Furthermore, almost every OS out there requires executable instructions to be located in specially flagged memory.  Coders have to go to great lengths to write code that can programmatically generate instructions that can then be executed in the same process.    It happens every day with Just in Time compiling in Java Script in your Browser, but it still requires significant level of intentional steps and thus is highly unlikely to occur as a result of a programming bug.   

In modern Operating Systems with Address Space randomization and a million other techniques in place it is very difficult to exploit bugs to execute arbitrary code. 
For the latest updates checkout my blog: http://bytemaster.bitshares.org
Anything said on these forums does not constitute an intent to create a legal obligation or contract between myself and anyone else.   These are merely my opinions and I reserve the right to change them at any time.

Offline kenCode

  • Hero Member
  • *****
  • Posts: 2283
    • View Profile
    • Agorise
Maybe not, but we can stop insertions of executable code into our blockchain, no?
 
The Devs could even write a small batch file then to scramble any executable code that it finds in there too.
 
The client can't rewrite our blockchain, but we can, and we can trap for any condition, even with a disguised payload.
 
Until I hear from one of the core devs on this, I cannot let this go. Our money is on the line here. You may have never been hurt in your life, but I sure have,  I know what it's like to live on the streets and have to start all over again from zero. I'm working way too hard to have to lose everything once again. I have 3 other mouths to feed here too, please understand my concerns.
 
Sorry guys, security just means way too much to me, I can't let this one go.
kenCode - Decentraliser @ Agorise
Matrix/Keybase/Hive/Commun/Github: @Agorise
www.PalmPay.chat

Offline Troglodactyl

  • Hero Member
  • *****
  • Posts: 960
    • View Profile
Does anyone here know how to code a simple trap for this? There's now a 40,000 BTS bounty for you. ::)
this shouldn't be an issue.

For me, that's not good enough. If someone downloads a client that WILL, then we all have a big big problem. We do not want to be on the end of that stick.
 
Does anyone here know how to code a simple trap for this? There's now a 40,000 BTS bounty for you. ::)

If someone writes a malicious client that executes arbitrary data from the blockchain, they might as well include malicious code in the client itself.  Our blockchain cannot protect people from downloading malicious software.

EDIT: If for some strange reason the attacker was determined to get the destructive payload from the blockchain, any traps could be avoided by disguising the payload and adding code to the client to convert it back into executable form.
« Last Edit: May 11, 2015, 12:46:26 pm by Troglodactyl »

Offline kenCode

  • Hero Member
  • *****
  • Posts: 2283
    • View Profile
    • Agorise
Does anyone here know how to code a simple trap for this? There's now a 40,000 BTS bounty for you. ::)
this shouldn't be an issue.

For me, that's not good enough. If someone downloads a client that WILL, then we all have a big big problem. We do not want to be on the end of that stick.
 
Does anyone here know how to code a simple trap for this? There's now a 40,000 BTS bounty for you. ::)
kenCode - Decentraliser @ Agorise
Matrix/Keybase/Hive/Commun/Github: @Agorise
www.PalmPay.chat

Offline Troglodactyl

  • Hero Member
  • *****
  • Posts: 960
    • View Profile
Does anyone here know how to code a simple trap for this? There's now a 40,000 BTS bounty for you. ::)

A trap in what exactly?  The client should not attempt to execute arbitrary data from the blockchain anyway, so this shouldn't be an issue.

Offline kenCode

  • Hero Member
  • *****
  • Posts: 2283
    • View Profile
    • Agorise
Does anyone here know how to code a simple trap for this? There's now a 40,000 BTS bounty for you. ::)
kenCode - Decentraliser @ Agorise
Matrix/Keybase/Hive/Commun/Github: @Agorise
www.PalmPay.chat

Tuck Fheman

  • Guest