BitShares Forum

Other => Random Discussion => Topic started by: kenCode on May 10, 2015, 04:23:13 pm

Title: An "arbitrary data" bug in the blockchain?
Post by: kenCode on May 10, 2015, 04:23:13 pm
fyrstikken has an interesting 6min post up- any validity to this?
 
URGENT! Bitcoin Flaws Malware & Viruses #Bitcoinbleed
https://www.youtube.com/watch?v=1XfXYiQQSlE
Title: Re: An "arbitrary data" bug in the blockchain?
Post by: xeroc on May 10, 2015, 07:50:07 pm
Whats the tl;dl; version of the "bug"?
Title: Re: An 'arbitrary data' bug in the blockchain?
Post by: kenCode on May 10, 2015, 07:55:00 pm
Whats the tl;dl; version of the "bug"?

I'm not sure, but fyrstikken is a smart guy and he doesn't put out bs. His quatloo trader is how I first discovered him.
Do you think that bug is legit? Does the BTS blockchain have this same 80bytes hole?
We need to code in a trap, or "sql-injection" style Else condition or something if what he says is legit.
Please advise, thanx-
 ken
Title: Re: An "arbitrary data" bug in the blockchain?
Post by: toast on May 10, 2015, 07:56:54 pm
He describes how to put executable code into the blockchain but not how to execute it. In other news, you can send viruses over email..
Title: Re: An "arbitrary data" bug in the blockchain?
Post by: kenCode on May 10, 2015, 08:12:32 pm
He describes how to put executable code into the blockchain but not how to execute it. In other news, you can send viruses over email..

The wallet or downloadable app can be instructed to execute anything.
So, let's assume worst case scenario, someone downloads an infected BTS wallet from somewhere.
It executes the rpc (or whatever) and BAMM! -there goes your BTS.
 
FOUND IT: http://bitcoinist.net/kaspersky-labs-interpol-blockchain-vulnerable/
 
He mentions that as a proof of concept, they injected the code, ran it, and just had it open up Notepad. But, they could have done something much more sinister.
 
Do we have the same 80byte hole?
Can we trap for malicious injections into it?
Title: Re: An "arbitrary data" bug in the blockchain?
Post by: xeroc on May 10, 2015, 08:17:23 pm
You can write arbitrary text and base64 encoded binary blobs on every account wall ..

If you have a client that executes that code you can do whatever you want .. i acctually sounds like a nice "feature" too
Title: Re: An "arbitrary data" bug in the blockchain?
Post by: xeroc on May 10, 2015, 08:18:41 pm
.. this leads to the old issue: can you trust the source that delivers software to not deliver malware instead ..
Title: Re: An "arbitrary data" bug in the blockchain?
Post by: toast on May 10, 2015, 08:28:02 pm
So, let's assume worst case scenario, someone downloads an infected BTS wallet from somewhere.

Assume someone downloads a virus. They could then use that to download a different virus and run it (this one happened to be stored on a blockchain instead of dropbox)
Title: Re: An "arbitrary data" bug in the blockchain?
Post by: Akado on May 10, 2015, 08:29:01 pm
I think that can be compared to catching a virus over mail. In the past ou could be infected just by opening mails since javascript would execute automatically.

But now it doesn't so you don't get. It's the same thing. The malicious thing could be there, but doesn't execute so it shouldn't be a problem.
Title: Re: An "arbitrary data" bug in the blockchain?
Post by: kenCode on May 10, 2015, 08:55:35 pm
Ok, so just to make my paranoid ass feel better..
Can we at least add a simple trap for a few characters that all executables would require to be run?
 
We used to trap for slashes (\), quotes (" and ') and certain sql stmnts (INSERT INTO, DROP TABLE, etc) back in the day. Just disallow the few characters that all scripts would require if someone was to try the injection.
 
Governments and other malicious types would just love to snag our coin.
 
I take this stuff VERY seriously. Our hard earned money is at stake here. No matter how small it may seem, it never hurts to code another trap.
FAILsafe.
 
Edit: I'll throw in another 10,000 BTS bounty to have that trap coded in.
Get it done (and provable) within v0.10.0 and I'll make it a 30,000 BTS bounty. Anybody else wanna pitch in?
Title: Re: An "arbitrary data" bug in the blockchain?
Post by: merockstar on May 10, 2015, 09:24:26 pm
i dont understand.

you're saying that code can be run from a blockchain just by downloading it from a legit client?

if it's not a legit client, then whats to stop it from being a bitcoin wallet or a paypal phish site or something?

it seems like a general computing problem thats been known for decades...
Title: An "arbitrary data" bug in the blockchain?
Post by: emailtooaj on May 10, 2015, 09:32:56 pm
Yes I'll throw in 10,000 BTS towards bounty. This is an issue that should be taken care of, if not already addressed....and not taken lightly. If we are going to ask people to put in their hard earned money and wealth into this system, it better be damn well secured from something as trivial as this. Obviously the wallet/client is the weak link, not something embedded in the block chain.


Sent from my iPhone using Tapatalk
Title: Re: An "arbitrary data" bug in the blockchain?
Post by: toast on May 10, 2015, 10:27:39 pm
i dont understand.

you're saying that code can be run from a blockchain just by downloading it from a legit client?

if it's not a legit client, then whats to stop it from being a bitcoin wallet or a paypal phish site or something?

it seems like a general computing problem thats been known for decades...

The issue is if you write a client which parses unstructured data from the blockchain and interprets it in then you can exploit bugs in the software interpreting it.
Title: Re: An "arbitrary data" bug in the blockchain?
Post by: Troglodactyl on May 10, 2015, 10:31:36 pm
I think you people are missing the point...

This post contains a destructive virus.  You can execute it by following these malicious instructions:

Code: [Select]
Smash your computer with a hammer.
I could also burn these instructions onto a wall in the BitShares blockchain, but that wouldn't give me any way to make people execute it.
Title: Re: An "arbitrary data" bug in the blockchain?
Post by: Tuck Fheman on May 10, 2015, 11:15:18 pm
FUD
Title: Re: An "arbitrary data" bug in the blockchain?
Post by: kenCode on May 11, 2015, 12:12:46 pm
Does anyone here know how to code a simple trap for this? There's now a 40,000 BTS bounty for you. ::)
Title: Re: An "arbitrary data" bug in the blockchain?
Post by: Troglodactyl on May 11, 2015, 12:29:15 pm
Does anyone here know how to code a simple trap for this? There's now a 40,000 BTS bounty for you. ::)

A trap in what exactly?  The client should not attempt to execute arbitrary data from the blockchain anyway, so this shouldn't be an issue.
Title: Re: An "arbitrary data" bug in the blockchain?
Post by: kenCode on May 11, 2015, 12:33:37 pm
Does anyone here know how to code a simple trap for this? There's now a 40,000 BTS bounty for you. ::)
this shouldn't be an issue.

For me, that's not good enough. If someone downloads a client that WILL, then we all have a big big problem. We do not want to be on the end of that stick.
 
Does anyone here know how to code a simple trap for this? There's now a 40,000 BTS bounty for you. ::)
Title: Re: An "arbitrary data" bug in the blockchain?
Post by: Troglodactyl on May 11, 2015, 12:38:15 pm
Does anyone here know how to code a simple trap for this? There's now a 40,000 BTS bounty for you. ::)
this shouldn't be an issue.

For me, that's not good enough. If someone downloads a client that WILL, then we all have a big big problem. We do not want to be on the end of that stick.
 
Does anyone here know how to code a simple trap for this? There's now a 40,000 BTS bounty for you. ::)

If someone writes a malicious client that executes arbitrary data from the blockchain, they might as well include malicious code in the client itself.  Our blockchain cannot protect people from downloading malicious software.

EDIT: If for some strange reason the attacker was determined to get the destructive payload from the blockchain, any traps could be avoided by disguising the payload and adding code to the client to convert it back into executable form.
Title: Re: An "arbitrary data" bug in the blockchain?
Post by: kenCode on May 11, 2015, 01:01:32 pm
Maybe not, but we can stop insertions of executable code into our blockchain, no?
 
The Devs could even write a small batch file then to scramble any executable code that it finds in there too.
 
The client can't rewrite our blockchain, but we can, and we can trap for any condition, even with a disguised payload.
 
Until I hear from one of the core devs on this, I cannot let this go. Our money is on the line here. You may have never been hurt in your life, but I sure have,  I know what it's like to live on the streets and have to start all over again from zero. I'm working way too hard to have to lose everything once again. I have 3 other mouths to feed here too, please understand my concerns.
 
Sorry guys, security just means way too much to me, I can't let this one go.
Title: Re: An "arbitrary data" bug in the blockchain?
Post by: bytemaster on May 11, 2015, 01:17:30 pm
Your web browser downloads arbitrary data with every page you visit.  If you visit certain websites they will download mind viruses that convince you that mining is good.

Downloading and storing data is not a vulnerability.    Furthermore, almost every OS out there requires executable instructions to be located in specially flagged memory.  Coders have to go to great lengths to write code that can programmatically generate instructions that can then be executed in the same process.    It happens every day with Just in Time compiling in Java Script in your Browser, but it still requires significant level of intentional steps and thus is highly unlikely to occur as a result of a programming bug.   

In modern Operating Systems with Address Space randomization and a million other techniques in place it is very difficult to exploit bugs to execute arbitrary code. 
Title: Re: An "arbitrary data" bug in the blockchain?
Post by: kenCode on May 11, 2015, 01:39:57 pm
it is very difficult to exploit bugs to execute arbitrary code.

Can we make it impossible to inject such code? Or even more difficult than it already is?
Does the BitShares blockchain have the same 80byte hole?
Title: Re: An "arbitrary data" bug in the blockchain?
Post by: xeroc on May 11, 2015, 01:50:10 pm
it is very difficult to exploit bugs to execute arbitrary code.

Can we make it impossible to inject such code? Or even more difficult than it already is?
Does the BitShares blockchain have the same 80byte hole?
It is a FEATURE to be able to put arbitrary data ON THE BLOCKCHAIN ..
and you should ALWAYS trust those that deliver software to you .. not just in crypto, same thing holds true for your home banking, browser, messenger, video game!

This is not an issue of crypto in general nor is it an issue for bitshares in particular
Title: Re: An "arbitrary data" bug in the blockchain?
Post by: speedy on May 11, 2015, 01:52:50 pm
Your web browser downloads arbitrary data with every page you visit.  If you visit certain websites they will download mind viruses that convince you that mining is good.

Haha +5%
Title: Re: An "arbitrary data" bug in the blockchain?
Post by: bytemaster on May 11, 2015, 10:10:29 pm
it is very difficult to exploit bugs to execute arbitrary code.

Can we make it impossible to inject such code? Or even more difficult than it already is?
Does the BitShares blockchain have the same 80byte hole?

We don't mark any memory as executable.  You can already embed arbitrary data in the public data fields and memos.  It is not a security concern and will be present in EVERY blockchain upon which addresses or public keys are used.  In other words: a Bitcoin address is ARBITRARY DATA.   
Title: Re: An "arbitrary data" bug in the blockchain?
Post by: TurkeyLeg on May 12, 2015, 12:05:17 am

I think you people are missing the point...

This post contains a destructive virus.  You can execute it by following these malicious instructions:

Code: [Select]
Smash your computer with a hammer.
I could also burn these instructions onto a wall in the BitShares blockchain, but that wouldn't give me any way to make people execute it.

Hahaha! Made my day.


Sent from my iPhone using Tapatalk
Title: Re: An "arbitrary data" bug in the blockchain?
Post by: merockstar on May 12, 2015, 01:13:29 am
i dont understand.

you're saying that code can be run from a blockchain just by downloading it from a legit client?

if it's not a legit client, then whats to stop it from being a bitcoin wallet or a paypal phish site or something?

it seems like a general computing problem thats been known for decades...

The issue is if you write a client which parses unstructured data from the blockchain and interprets it in then you can exploit bugs in the software interpreting it.

but thats already a malicious client to begin with, right?
Title: Re: An "arbitrary data" bug in the blockchain?
Post by: toast on May 12, 2015, 04:08:51 am
i dont understand.

you're saying that code can be run from a blockchain just by downloading it from a legit client?

if it's not a legit client, then whats to stop it from being a bitcoin wallet or a paypal phish site or something?

it seems like a general computing problem thats been known for decades...

The issue is if you write a client which parses unstructured data from the blockchain and interprets it in then you can exploit bugs in the software interpreting it.

but thats already a malicious client to begin with, right?

Exactly.
Title: Re: An "arbitrary data" bug in the blockchain?
Post by: kenCode on May 12, 2015, 08:03:18 am
Thank you everyone for chiming in on this subject, I do feel much better now. Other than DDNS, I saw this one as a potential attack point for us. If it's not, it's not. Mike Ward from the CoinTelegraph is in our DDNS thread right now:
https://bitsharestalk.org/index.php/topic,15461.msg207790.html#msg207790