* [Bitcoin-development] Bitcoin Core trial balloon: splitting blockchain engine and wallet @ 2014-02-21 6:09 Jeff Garzik 2014-02-21 6:27 ` Mike Hearn 2014-02-22 1:04 ` Dustin D. Trammell 0 siblings, 2 replies; 13+ messages in thread From: Jeff Garzik @ 2014-02-21 6:09 UTC (permalink / raw) To: Bitcoin Dev [Meta: "Bitcoin Core" is the newfangled branding of bitcoind / Bitcoin-Qt reference implementation, in case you wondering.] Several sites, including BitPay, use bitcoind outside the standard role of wallet software. bitcoind can be used purely for payment network access and management. I call this the "border router" role. Upcoming version 0.9 will feature the ability to disable the bitcoind wallet at compile time or runtime. This permits a more optimized border router profile, reducing process size by 40-200MB according to some reports. Recent IRC discussion have floated a rough proposal for a wallet next-step: Running the Bitcoin Core wallet as a separate process, a separate binary, from the blockchain engine. The wallet process would communicate with the blockchain engine using existing RPC and P2P channels, becoming a real SPV client. This accomplishes a longstanding security goal of sandboxing away wallet keys and sensitive data from the network-exposed P2P engine, in a separate process, among other benefits. Simple forking was explored a bit. I did some hacking in that direction, as it seemed potentially lightweight and somewhat easy to me: https://github.com/jgarzik/bitcoin/tree/fork fork+pipe is fine for Linux and OSX/BSD. However, Windows requires an exec-like solution to create a new process. MSDN does give us a Unix-pipe-like solution: http://msdn.microsoft.com/en-us/library/edze9h7e%28v=vs.80%29.aspx Others pointed to boost interprocess communication APIs, which come with their own set of caveats. Such a solution would involve a brand new IPC protocol, and lots of brand new glue code. Separate programs seems better. Windows forces us to achieve process separation via exec-like method. We already have IPC: RPC + P2P. Modern OS's make localhost sockets just about as fast as other IPCs methods. Linux, at least, employs zero-copy for localhost sockets in many situations, similar to the kernel's pipe tricks. Pieter has been working on headers-first sync: https://github.com/bitcoin/bitcoin/pull/2964 Moving along this wallet/blockchain engine split requires upping the review&test bandwidth on Pieter's PRs, such as https://github.com/bitcoin/bitcoin/pull/3514 Unsure how much of the separate-binary discussion Gavin saw, so cc'd for emphasis. -- Jeff Garzik Bitcoin core developer and open source evangelist BitPay, Inc. https://bitpay.com/ ^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [Bitcoin-development] Bitcoin Core trial balloon: splitting blockchain engine and wallet 2014-02-21 6:09 [Bitcoin-development] Bitcoin Core trial balloon: splitting blockchain engine and wallet Jeff Garzik @ 2014-02-21 6:27 ` Mike Hearn [not found] ` <CA+s+GJCRqqmoHkmsq+6x9Wm6btKzdXoPjw5Af8zRDEkDE+6+zw@mail.gmail.com> 2014-02-21 6:50 ` [Bitcoin-development] " Jeff Garzik 2014-02-22 1:04 ` Dustin D. Trammell 1 sibling, 2 replies; 13+ messages in thread From: Mike Hearn @ 2014-02-21 6:27 UTC (permalink / raw) To: Jeff Garzik; +Cc: Bitcoin Dev [-- Attachment #1: Type: text/plain, Size: 3209 bytes --] Bear in mind a separate process doesn't buy you anything without a sandbox, and those are expensive (in terms of complexity). On 21 Feb 2014 11:40, "Jeff Garzik" <jgarzik@bitpay.com> wrote: > [Meta: "Bitcoin Core" is the newfangled branding of bitcoind / > Bitcoin-Qt reference implementation, in case you wondering.] > > Several sites, including BitPay, use bitcoind outside the standard > role of wallet software. bitcoind can be used purely for payment > network access and management. I call this the "border router" role. > Upcoming version 0.9 will feature the ability to disable the bitcoind > wallet at compile time or runtime. This permits a more optimized > border router profile, reducing process size by 40-200MB according to > some reports. > > Recent IRC discussion have floated a rough proposal for a wallet > next-step: Running the Bitcoin Core wallet as a separate process, a > separate binary, from the blockchain engine. The wallet process would > communicate with the blockchain engine using existing RPC and P2P > channels, becoming a real SPV client. This accomplishes a > longstanding security goal of sandboxing away wallet keys and > sensitive data from the network-exposed P2P engine, in a separate > process, among other benefits. > > Simple forking was explored a bit. I did some hacking in that > direction, as it seemed potentially lightweight and somewhat easy to > me: https://github.com/jgarzik/bitcoin/tree/fork fork+pipe is fine > for Linux and OSX/BSD. However, Windows requires an exec-like > solution to create a new process. MSDN does give us a Unix-pipe-like > solution: > http://msdn.microsoft.com/en-us/library/edze9h7e%28v=vs.80%29.aspx > Others pointed to boost interprocess communication APIs, which come > with their own set of caveats. Such a solution would involve a brand > new IPC protocol, and lots of brand new glue code. > > Separate programs seems better. Windows forces us to achieve process > separation via exec-like method. We already have IPC: RPC + P2P. > Modern OS's make localhost sockets just about as fast as other IPCs > methods. Linux, at least, employs zero-copy for localhost sockets in > many situations, similar to the kernel's pipe tricks. > > Pieter has been working on headers-first sync: > https://github.com/bitcoin/bitcoin/pull/2964 Moving along this > wallet/blockchain engine split requires upping the review&test > bandwidth on Pieter's PRs, such as > https://github.com/bitcoin/bitcoin/pull/3514 > > Unsure how much of the separate-binary discussion Gavin saw, so cc'd > for emphasis. > > -- > Jeff Garzik > Bitcoin core developer and open source evangelist > BitPay, Inc. https://bitpay.com/ > > > ------------------------------------------------------------------------------ > Managing the Performance of Cloud-Based Applications > Take advantage of what the Cloud has to offer - Avoid Common Pitfalls. > Read the Whitepaper. > > http://pubads.g.doubleclick.net/gampad/clk?id=121054471&iu=/4140/ostg.clktrk > _______________________________________________ > Bitcoin-development mailing list > Bitcoin-development@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/bitcoin-development > [-- Attachment #2: Type: text/html, Size: 4338 bytes --] ^ permalink raw reply [flat|nested] 13+ messages in thread
[parent not found: <CA+s+GJCRqqmoHkmsq+6x9Wm6btKzdXoPjw5Af8zRDEkDE+6+zw@mail.gmail.com>]
* [Bitcoin-development] Fwd: Bitcoin Core trial balloon: splitting blockchain engine and wallet [not found] ` <CA+s+GJCRqqmoHkmsq+6x9Wm6btKzdXoPjw5Af8zRDEkDE+6+zw@mail.gmail.com> @ 2014-02-21 6:43 ` Wladimir 2014-02-21 6:50 ` William Yager 2014-02-22 1:09 ` Dustin D. Trammell 0 siblings, 2 replies; 13+ messages in thread From: Wladimir @ 2014-02-21 6:43 UTC (permalink / raw) To: Bitcoin Dev [-- Attachment #1: Type: text/plain, Size: 636 bytes --] On Fri, Feb 21, 2014 at 7:27 AM, Mike Hearn <mike@plan99.net> wrote: > Bear in mind a separate process doesn't buy you anything without a > sandbox, and those are expensive (in terms of complexity). > Sandboxing in user space is complex, agreed, The most straightforward way would be to run the blockchain daemon as a system service (with its own uid/gid and set of Apparmor/SELinux restrictions) and the wallet daemon as the user. This would also allow sharing one blockchain daemon between multiple users and wallet processes (not necessarily on the same machine), something I've wanted to be able to do for a long time. Wladimir [-- Attachment #2: Type: text/html, Size: 1190 bytes --] ^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [Bitcoin-development] Fwd: Bitcoin Core trial balloon: splitting blockchain engine and wallet 2014-02-21 6:43 ` [Bitcoin-development] Fwd: " Wladimir @ 2014-02-21 6:50 ` William Yager 2014-02-21 6:54 ` Wladimir 2014-02-22 1:09 ` Dustin D. Trammell 1 sibling, 1 reply; 13+ messages in thread From: William Yager @ 2014-02-21 6:50 UTC (permalink / raw) To: Wladimir; +Cc: Bitcoin Dev [-- Attachment #1.1: Type: text/plain, Size: 593 bytes --] Running the network part of the core as a system service might make sense for server implementations, but it’s a pain in the rear for most users. That said, I think segregating the two processes is a great idea. Let’s just try to avoid some complicated scheme that involves necessarily running things under multiple users. Will On Feb 21, 2014, at 0:43, Wladimir <laanwj@gmail.com> wrote: > The most straightforward way would be to run the blockchain daemon as a system service (with its own uid/gid and set of Apparmor/SELinux restrictions) and the wallet daemon as the user. [-- Attachment #1.2: Type: text/html, Size: 1367 bytes --] [-- Attachment #2: Message signed with OpenPGP using GPGMail --] [-- Type: application/pgp-signature, Size: 495 bytes --] ^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [Bitcoin-development] Fwd: Bitcoin Core trial balloon: splitting blockchain engine and wallet 2014-02-21 6:50 ` William Yager @ 2014-02-21 6:54 ` Wladimir 0 siblings, 0 replies; 13+ messages in thread From: Wladimir @ 2014-02-21 6:54 UTC (permalink / raw) To: William Yager; +Cc: Bitcoin Dev [-- Attachment #1: Type: text/plain, Size: 384 bytes --] On Fri, Feb 21, 2014 at 7:50 AM, William Yager <will.yager@gmail.com> wrote: > Running the network part of the core as a system service might make sense > for server implementations, but it’s a pain in the rear for most users. > Come on, making it a possibility doesn't affect other kinds of use cases in any way. Are you just arguing for the sake of arguing? Wladimir [-- Attachment #2: Type: text/html, Size: 779 bytes --] ^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [Bitcoin-development] Fwd: Bitcoin Core trial balloon: splitting blockchain engine and wallet 2014-02-21 6:43 ` [Bitcoin-development] Fwd: " Wladimir 2014-02-21 6:50 ` William Yager @ 2014-02-22 1:09 ` Dustin D. Trammell 2014-02-22 6:53 ` Wladimir 1 sibling, 1 reply; 13+ messages in thread From: Dustin D. Trammell @ 2014-02-22 1:09 UTC (permalink / raw) To: Wladimir; +Cc: Bitcoin Dev [-- Attachment #1: Type: text/plain, Size: 705 bytes --] On Fri, 2014-02-21 at 07:43 +0100, Wladimir wrote: > The most straightforward way would be to run the blockchain daemon as > a system service (with its own uid/gid and set of Apparmor/SELinux > restrictions) and the wallet daemon as the user. This assumes you as a user have the rights to do so. This would be preferred, but in some cases may not be possible. Perhaps it should be optional? > This would also allow sharing one blockchain daemon between multiple > users and wallet processes (not necessarily on the same machine), > something I've wanted to be able to do for a long time. Agreed (: -- Dustin D. Trammell dtrammell@dustintrammell.com http://www.dustintrammell.com [-- Attachment #2: This is a digitally signed message part --] [-- Type: application/pgp-signature, Size: 198 bytes --] ^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [Bitcoin-development] Fwd: Bitcoin Core trial balloon: splitting blockchain engine and wallet 2014-02-22 1:09 ` Dustin D. Trammell @ 2014-02-22 6:53 ` Wladimir 2014-02-24 22:16 ` James Hartig 0 siblings, 1 reply; 13+ messages in thread From: Wladimir @ 2014-02-22 6:53 UTC (permalink / raw) To: Dustin D. Trammell; +Cc: Bitcoin Dev [-- Attachment #1: Type: text/plain, Size: 1414 bytes --] On Sat, Feb 22, 2014 at 2:09 AM, Dustin D. Trammell < dtrammell@dustintrammell.com> wrote: > On Fri, 2014-02-21 at 07:43 +0100, Wladimir wrote: > > The most straightforward way would be to run the blockchain daemon as > > a system service (with its own uid/gid and set of Apparmor/SELinux > > restrictions) and the wallet daemon as the user. > > This assumes you as a user have the rights to do so. This would be > preferred, but in some cases may not be possible. Perhaps it should be > optional? > No! I'm proposing that we force everyone to do it. Using all means necessary. There should be regular audits that everyone is running the software exactly in my configuration, and if not, a special task force will take care that spankings are carried out on the spot. Repeated offenders will lose their BitLicense. </s> Please stop kicking this dead horse. It was just a random idea. Maybe a way how Linux distributions could structure it, but it may or may not apply in your case. And that's fine, this is free software development, you can do whatever you want! Let's try to bring this discussion back to its original intention: for anyone that wants to concretely help this along, please help reviewing and testing the pull requests that jgarzik mentions. Wladimir BTW: All of those patches are helpful for monolithic-bitcoind as well as they (lay the groundwork for) speeding up block synchronization. [-- Attachment #2: Type: text/html, Size: 2031 bytes --] ^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [Bitcoin-development] Fwd: Bitcoin Core trial balloon: splitting blockchain engine and wallet 2014-02-22 6:53 ` Wladimir @ 2014-02-24 22:16 ` James Hartig 0 siblings, 0 replies; 13+ messages in thread From: James Hartig @ 2014-02-24 22:16 UTC (permalink / raw) To: Wladimir; +Cc: Bitcoin Dev [-- Attachment #1: Type: text/plain, Size: 2957 bytes --] Setting aside all security benefits (which the user can obviously choose to implement or ignore), a major benefit here is being able to have multiple wallets use the same blockchain process. I have 3 different bitcoind processes running on the same server to utilize multiple wallets. Using them serially isn't an option in my case. Also, peers can run the cheaper process instead of having the wallet functionality which isn't even used. On the security front, this doesn't seem to be any less secure and it gives the user the flexibility to make it as secure as they feel comfortable. If they want to run them both as the same user with no SELinux or file protections (this isn't stopping or encouraging that) they're already doing that now with bitcoind, albeit with possibly a larger attack surface. Thanks, -- James Hartig Software Engineer @ Grooveshark.com http://twitter.com/jameshartig On Sat, Feb 22, 2014 at 1:53 AM, Wladimir <laanwj@gmail.com> wrote: > > On Sat, Feb 22, 2014 at 2:09 AM, Dustin D. Trammell < > dtrammell@dustintrammell.com> wrote: > >> On Fri, 2014-02-21 at 07:43 +0100, Wladimir wrote: >> > The most straightforward way would be to run the blockchain daemon as >> > a system service (with its own uid/gid and set of Apparmor/SELinux >> > restrictions) and the wallet daemon as the user. >> >> This assumes you as a user have the rights to do so. This would be >> preferred, but in some cases may not be possible. Perhaps it should be >> optional? >> > > No! I'm proposing that we force everyone to do it. Using all means > necessary. There should be regular audits that everyone is running the > software exactly in my configuration, and if not, a special task force will > take care that spankings are carried out on the spot. > > Repeated offenders will lose their BitLicense. > </s> > > Please stop kicking this dead horse. It was just a random idea. Maybe a > way how Linux distributions could structure it, but it may or may not apply > in your case. And that's fine, this is free software development, you can > do whatever you want! > > Let's try to bring this discussion back to its original intention: for > anyone that wants to concretely help this along, please help reviewing and > testing the pull requests that jgarzik mentions. > > Wladimir > BTW: All of those patches are helpful for monolithic-bitcoind as well as > they (lay the groundwork for) speeding up block synchronization. > > > > ------------------------------------------------------------------------------ > Managing the Performance of Cloud-Based Applications > Take advantage of what the Cloud has to offer - Avoid Common Pitfalls. > Read the Whitepaper. > > http://pubads.g.doubleclick.net/gampad/clk?id=121054471&iu=/4140/ostg.clktrk > _______________________________________________ > Bitcoin-development mailing list > Bitcoin-development@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/bitcoin-development > > [-- Attachment #2: Type: text/html, Size: 4517 bytes --] ^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [Bitcoin-development] Bitcoin Core trial balloon: splitting blockchain engine and wallet 2014-02-21 6:27 ` Mike Hearn [not found] ` <CA+s+GJCRqqmoHkmsq+6x9Wm6btKzdXoPjw5Af8zRDEkDE+6+zw@mail.gmail.com> @ 2014-02-21 6:50 ` Jeff Garzik 2014-02-21 10:41 ` Mike Hearn 1 sibling, 1 reply; 13+ messages in thread From: Jeff Garzik @ 2014-02-21 6:50 UTC (permalink / raw) To: Mike Hearn; +Cc: Bitcoin Dev RE "doesn't buy you anything" Today, when unlocked, plaintext private keys reside in the same address space as the blockchain engine (BCE). Process separation increases the difficulty of accessing key data from the BCE, even presuming a normal, no-chroot, same-uid, parent-child process relationship. The attack surface is clearly changed from "one buffer overflow can touch this data." Regardless, the split makes sense given existing modularity and coding directions. I wouldn't micro-focus on the "sandbox" word. On Fri, Feb 21, 2014 at 1:27 AM, Mike Hearn <mike@plan99.net> wrote: > Bear in mind a separate process doesn't buy you anything without a sandbox, > and those are expensive (in terms of complexity). > > On 21 Feb 2014 11:40, "Jeff Garzik" <jgarzik@bitpay.com> wrote: >> >> [Meta: "Bitcoin Core" is the newfangled branding of bitcoind / >> Bitcoin-Qt reference implementation, in case you wondering.] >> >> Several sites, including BitPay, use bitcoind outside the standard >> role of wallet software. bitcoind can be used purely for payment >> network access and management. I call this the "border router" role. >> Upcoming version 0.9 will feature the ability to disable the bitcoind >> wallet at compile time or runtime. This permits a more optimized >> border router profile, reducing process size by 40-200MB according to >> some reports. >> >> Recent IRC discussion have floated a rough proposal for a wallet >> next-step: Running the Bitcoin Core wallet as a separate process, a >> separate binary, from the blockchain engine. The wallet process would >> communicate with the blockchain engine using existing RPC and P2P >> channels, becoming a real SPV client. This accomplishes a >> longstanding security goal of sandboxing away wallet keys and >> sensitive data from the network-exposed P2P engine, in a separate >> process, among other benefits. >> >> Simple forking was explored a bit. I did some hacking in that >> direction, as it seemed potentially lightweight and somewhat easy to >> me: https://github.com/jgarzik/bitcoin/tree/fork fork+pipe is fine >> for Linux and OSX/BSD. However, Windows requires an exec-like >> solution to create a new process. MSDN does give us a Unix-pipe-like >> solution: >> http://msdn.microsoft.com/en-us/library/edze9h7e%28v=vs.80%29.aspx >> Others pointed to boost interprocess communication APIs, which come >> with their own set of caveats. Such a solution would involve a brand >> new IPC protocol, and lots of brand new glue code. >> >> Separate programs seems better. Windows forces us to achieve process >> separation via exec-like method. We already have IPC: RPC + P2P. >> Modern OS's make localhost sockets just about as fast as other IPCs >> methods. Linux, at least, employs zero-copy for localhost sockets in >> many situations, similar to the kernel's pipe tricks. >> >> Pieter has been working on headers-first sync: >> https://github.com/bitcoin/bitcoin/pull/2964 Moving along this >> wallet/blockchain engine split requires upping the review&test >> bandwidth on Pieter's PRs, such as >> https://github.com/bitcoin/bitcoin/pull/3514 >> >> Unsure how much of the separate-binary discussion Gavin saw, so cc'd >> for emphasis. >> >> -- >> Jeff Garzik >> Bitcoin core developer and open source evangelist >> BitPay, Inc. https://bitpay.com/ >> >> >> ------------------------------------------------------------------------------ >> Managing the Performance of Cloud-Based Applications >> Take advantage of what the Cloud has to offer - Avoid Common Pitfalls. >> Read the Whitepaper. >> >> http://pubads.g.doubleclick.net/gampad/clk?id=121054471&iu=/4140/ostg.clktrk >> _______________________________________________ >> Bitcoin-development mailing list >> Bitcoin-development@lists.sourceforge.net >> https://lists.sourceforge.net/lists/listinfo/bitcoin-development -- Jeff Garzik Bitcoin core developer and open source evangelist BitPay, Inc. https://bitpay.com/ ^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [Bitcoin-development] Bitcoin Core trial balloon: splitting blockchain engine and wallet 2014-02-21 6:50 ` [Bitcoin-development] " Jeff Garzik @ 2014-02-21 10:41 ` Mike Hearn 2014-02-21 11:06 ` Peter Todd 0 siblings, 1 reply; 13+ messages in thread From: Mike Hearn @ 2014-02-21 10:41 UTC (permalink / raw) To: Jeff Garzik; +Cc: Bitcoin Dev [-- Attachment #1: Type: text/plain, Size: 4695 bytes --] I'm not sure it does really - typical C/C++ exploits let you run arbitrary code, at which point you can quite easily ptrace the other process and do whatever you want with it, or read /proc/pid/mem etc. But process separation is certainly a prerequisite for sandboxing so I'm not arguing against such a change, just pointing out that it requires some work to really get the benefits. Also an SPV Bitcoin Core would obviously be of tremendous utility all by itself ... On Fri, Feb 21, 2014 at 12:20 PM, Jeff Garzik <jgarzik@bitpay.com> wrote: > RE "doesn't buy you anything" Today, when unlocked, plaintext > private keys reside in the same address space as the blockchain engine > (BCE). Process separation increases the difficulty of accessing key > data from the BCE, even presuming a normal, no-chroot, same-uid, > parent-child process relationship. The attack surface is clearly > changed from "one buffer overflow can touch this data." > > Regardless, the split makes sense given existing modularity and coding > directions. I wouldn't micro-focus on the "sandbox" word. > > On Fri, Feb 21, 2014 at 1:27 AM, Mike Hearn <mike@plan99.net> wrote: > > Bear in mind a separate process doesn't buy you anything without a > sandbox, > > and those are expensive (in terms of complexity). > > > > On 21 Feb 2014 11:40, "Jeff Garzik" <jgarzik@bitpay.com> wrote: > >> > >> [Meta: "Bitcoin Core" is the newfangled branding of bitcoind / > >> Bitcoin-Qt reference implementation, in case you wondering.] > >> > >> Several sites, including BitPay, use bitcoind outside the standard > >> role of wallet software. bitcoind can be used purely for payment > >> network access and management. I call this the "border router" role. > >> Upcoming version 0.9 will feature the ability to disable the bitcoind > >> wallet at compile time or runtime. This permits a more optimized > >> border router profile, reducing process size by 40-200MB according to > >> some reports. > >> > >> Recent IRC discussion have floated a rough proposal for a wallet > >> next-step: Running the Bitcoin Core wallet as a separate process, a > >> separate binary, from the blockchain engine. The wallet process would > >> communicate with the blockchain engine using existing RPC and P2P > >> channels, becoming a real SPV client. This accomplishes a > >> longstanding security goal of sandboxing away wallet keys and > >> sensitive data from the network-exposed P2P engine, in a separate > >> process, among other benefits. > >> > >> Simple forking was explored a bit. I did some hacking in that > >> direction, as it seemed potentially lightweight and somewhat easy to > >> me: https://github.com/jgarzik/bitcoin/tree/fork fork+pipe is fine > >> for Linux and OSX/BSD. However, Windows requires an exec-like > >> solution to create a new process. MSDN does give us a Unix-pipe-like > >> solution: > >> http://msdn.microsoft.com/en-us/library/edze9h7e%28v=vs.80%29.aspx > >> Others pointed to boost interprocess communication APIs, which come > >> with their own set of caveats. Such a solution would involve a brand > >> new IPC protocol, and lots of brand new glue code. > >> > >> Separate programs seems better. Windows forces us to achieve process > >> separation via exec-like method. We already have IPC: RPC + P2P. > >> Modern OS's make localhost sockets just about as fast as other IPCs > >> methods. Linux, at least, employs zero-copy for localhost sockets in > >> many situations, similar to the kernel's pipe tricks. > >> > >> Pieter has been working on headers-first sync: > >> https://github.com/bitcoin/bitcoin/pull/2964 Moving along this > >> wallet/blockchain engine split requires upping the review&test > >> bandwidth on Pieter's PRs, such as > >> https://github.com/bitcoin/bitcoin/pull/3514 > >> > >> Unsure how much of the separate-binary discussion Gavin saw, so cc'd > >> for emphasis. > >> > >> -- > >> Jeff Garzik > >> Bitcoin core developer and open source evangelist > >> BitPay, Inc. https://bitpay.com/ > >> > >> > >> > ------------------------------------------------------------------------------ > >> Managing the Performance of Cloud-Based Applications > >> Take advantage of what the Cloud has to offer - Avoid Common Pitfalls. > >> Read the Whitepaper. > >> > >> > http://pubads.g.doubleclick.net/gampad/clk?id=121054471&iu=/4140/ostg.clktrk > >> _______________________________________________ > >> Bitcoin-development mailing list > >> Bitcoin-development@lists.sourceforge.net > >> https://lists.sourceforge.net/lists/listinfo/bitcoin-development > > > > -- > Jeff Garzik > Bitcoin core developer and open source evangelist > BitPay, Inc. https://bitpay.com/ > [-- Attachment #2: Type: text/html, Size: 6623 bytes --] ^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [Bitcoin-development] Bitcoin Core trial balloon: splitting blockchain engine and wallet 2014-02-21 10:41 ` Mike Hearn @ 2014-02-21 11:06 ` Peter Todd 0 siblings, 0 replies; 13+ messages in thread From: Peter Todd @ 2014-02-21 11:06 UTC (permalink / raw) To: Mike Hearn; +Cc: Bitcoin Dev [-- Attachment #1: Type: text/plain, Size: 1636 bytes --] On Fri, Feb 21, 2014 at 04:11:06PM +0530, Mike Hearn wrote: > On Fri, Feb 21, 2014 at 12:20 PM, Jeff Garzik <jgarzik@bitpay.com> wrote: > > > RE "doesn't buy you anything" Today, when unlocked, plaintext > > private keys reside in the same address space as the blockchain engine > > (BCE). Process separation increases the difficulty of accessing key > > data from the BCE, even presuming a normal, no-chroot, same-uid, > > parent-child process relationship. The attack surface is clearly > > changed from "one buffer overflow can touch this data." > > > > Regardless, the split makes sense given existing modularity and coding > > directions. I wouldn't micro-focus on the "sandbox" word. > > I'm not sure it does really - typical C/C++ exploits let you run arbitrary > code, at which point you can quite easily ptrace the other process and do > whatever you want with it, or read /proc/pid/mem etc. But process > separation is certainly a prerequisite for sandboxing so I'm not arguing > against such a change, just pointing out that it requires some work to > really get the benefits. Also an SPV Bitcoin Core would obviously be of > tremendous utility all by itself ... The seccomp mechanism would work well here - it's a syscall whitelister, which makes ptrace useless, among other things. Used by Chrome as of v23 to sandbox the renderers. We'd probably need to use it with chroot and whitelist the open() call so that the existing code can create new blockfiles and do whatever leveldb does. -- 'peter'[:-1]@petertodd.org 000000000000000112c53364597954e79cc38f1ba7826a6420ad22a6f3be2932 [-- Attachment #2: Digital signature --] [-- Type: application/pgp-signature, Size: 685 bytes --] ^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [Bitcoin-development] Bitcoin Core trial balloon: splitting blockchain engine and wallet 2014-02-21 6:09 [Bitcoin-development] Bitcoin Core trial balloon: splitting blockchain engine and wallet Jeff Garzik 2014-02-21 6:27 ` Mike Hearn @ 2014-02-22 1:04 ` Dustin D. Trammell 2014-02-22 2:08 ` Jeff Garzik 1 sibling, 1 reply; 13+ messages in thread From: Dustin D. Trammell @ 2014-02-22 1:04 UTC (permalink / raw) To: Jeff Garzik; +Cc: Bitcoin Dev [-- Attachment #1: Type: text/plain, Size: 1291 bytes --] On Fri, 2014-02-21 at 01:09 -0500, Jeff Garzik wrote: > Recent IRC discussion have floated a rough proposal for a wallet > next-step: Running the Bitcoin Core wallet as a separate process, a > separate binary, from the blockchain engine. The wallet process would > communicate with the blockchain engine using existing RPC and P2P > channels, becoming a real SPV client. This accomplishes a > longstanding security goal of sandboxing away wallet keys and > sensitive data from the network-exposed P2P engine, in a separate > process, among other benefits. PLEASE. For those of us that prefer the reference software and also manage multiple wallets, having to store a copy of the blockchain for each one eats up disk space quite quickly. If I could run a local blockchain server (or a local network one, even) and then have whichever wallet I start up use that instead of maintain its own copy of the blockchain, my world would be much, much happier. Sandboxing keys and sensitive wallet data away from the attack surface introduced by the network interfaces into another separate process is also a good security move. Don't forget to sanitize your IPC inputs (: Thanks, -- Dustin D. Trammell dtrammell@dustintrammell.com http://www.dustintrammell.com [-- Attachment #2: This is a digitally signed message part --] [-- Type: application/pgp-signature, Size: 198 bytes --] ^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [Bitcoin-development] Bitcoin Core trial balloon: splitting blockchain engine and wallet 2014-02-22 1:04 ` Dustin D. Trammell @ 2014-02-22 2:08 ` Jeff Garzik 0 siblings, 0 replies; 13+ messages in thread From: Jeff Garzik @ 2014-02-22 2:08 UTC (permalink / raw) To: Dustin D. Trammell; +Cc: Bitcoin Dev On Fri, Feb 21, 2014 at 8:04 PM, Dustin D. Trammell <dtrammell@dustintrammell.com> wrote: > For those of us that prefer the reference software and also manage > multiple wallets, having to store a copy of the blockchain for each one > eats up disk space quite quickly. If I could run a local blockchain > server (or a local network one, even) and then have whichever wallet I > start up use that instead of maintain its own copy of the blockchain, my > world would be much, much happier. You mean running multiple wallets simultaneously? Agreed. Multiple wallets, used serially, works fine today. I manage multiple wallets using symlink replacement. -- Jeff Garzik Bitcoin core developer and open source evangelist BitPay, Inc. https://bitpay.com/ ^ permalink raw reply [flat|nested] 13+ messages in thread
end of thread, other threads:[~2014-02-24 22:17 UTC | newest] Thread overview: 13+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2014-02-21 6:09 [Bitcoin-development] Bitcoin Core trial balloon: splitting blockchain engine and wallet Jeff Garzik 2014-02-21 6:27 ` Mike Hearn [not found] ` <CA+s+GJCRqqmoHkmsq+6x9Wm6btKzdXoPjw5Af8zRDEkDE+6+zw@mail.gmail.com> 2014-02-21 6:43 ` [Bitcoin-development] Fwd: " Wladimir 2014-02-21 6:50 ` William Yager 2014-02-21 6:54 ` Wladimir 2014-02-22 1:09 ` Dustin D. Trammell 2014-02-22 6:53 ` Wladimir 2014-02-24 22:16 ` James Hartig 2014-02-21 6:50 ` [Bitcoin-development] " Jeff Garzik 2014-02-21 10:41 ` Mike Hearn 2014-02-21 11:06 ` Peter Todd 2014-02-22 1:04 ` Dustin D. Trammell 2014-02-22 2:08 ` Jeff Garzik
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox