From mboxrd@z Thu Jan 1 00:00:00 1970 Delivery-date: Sun, 07 Apr 2024 01:28:33 -0700 Received: from mail-qv1-f55.google.com ([209.85.219.55]) by mail.fairlystable.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from ) id 1rtNtB-0008He-17 for bitcoindev@gnusha.org; Sun, 07 Apr 2024 01:28:33 -0700 Received: by mail-qv1-f55.google.com with SMTP id 6a1803df08f44-69942c6d975sf23848706d6.1 for ; Sun, 07 Apr 2024 01:28:32 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1712478507; cv=pass; d=google.com; s=arc-20160816; b=fUSdZ8RTP1lBKbntEF3hEZftvo5Ji+8+tJqmXRXPCS5mdPWkLRskD1TQ+iUPC+Ajwz rkLghl1e6DVZRMcLWRZd61HRWfq/+A3w/yAjnkPouMsXqWWFOMwfWABkbVeeSIyXnkDU knB6N5pM7hGq32SAiT674XjZYwbPHQWV63R9eHCDdmPsK4V5ULwaxKYRVib3k8zt/gxL XPzXnwudcxtPtWuAYua2fi6dD86MMVKcGGIGv0gF/UbRIE2IZixFbw01tLpAJT7ZiySI Tuolf4GZYjesxoLcT3asvw+YFX3Fw+jXPnW1G3e7sW6CBLufevsCxmoQon5dtrJlAGP/ JBmA== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:mime-version:feedback-id:references :in-reply-to:message-id:subject:from:to:date:sender:dkim-signature; bh=kxJvkv7EvypSQq7uLi2rkco8JKnsn9b+YfA1HvMxSJI=; fh=m6zu02Ljpqd3gBz6pCFxe5SiP4hBngkQUAoEy1fO0u0=; b=aUxTlI8ydE2Cma3B6FPW0xA211VG9qvNUWpH9EHjr5VQFlWgVa1dRoEHIOwGBOjwmk wcKYxV81JQH9dyjGkLM8TXyuX0/VtgsI7HfSkeUeDOXtWS8O23M+3xZAlMsw5JCnBl5B 9C0PnoI9gq+8+XlUogydm5fUNXH9N/AZRsanVOjkTrn5z2XxrxgSFiIpE/uh10/m6Hhi AP4nEhg4ogtz3NqaSNBzBLu23MTlngtjrrTZcnXz6mjgPzMHwvpnd43OWIJ9Uvi+4OBL zGNR8uEx5nYh0JFh0OtDm6XfjEpiGz//FP/auJ0mrr4SZQQ1dCU1lqWBHw6UMaM09WJa XHzA==; darn=gnusha.org ARC-Authentication-Results: i=2; gmr-mx.google.com; dkim=pass header.i=@notatether.com header.s=protonmail header.b=AUQJnBBy; spf=pass (google.com: domain of ali@notatether.com designates 185.70.40.22 as permitted sender) smtp.mailfrom=ali@notatether.com; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=notatether.com DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlegroups.com; s=20230601; t=1712478507; x=1713083307; darn=gnusha.org; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:x-original-authentication-results :x-original-sender:mime-version:feedback-id:references:in-reply-to :message-id:subject:from:to:date:sender:from:to:cc:subject:date :message-id:reply-to; bh=kxJvkv7EvypSQq7uLi2rkco8JKnsn9b+YfA1HvMxSJI=; b=QReFe9WOHpke8CHGz7p70+/TGgxitcQtA4lUlHoXhrvrcGXCLej7w6lNkZlPSoir/b QOoNdPcJk9wZdIR99v2Zk9A7QLcCU2jKfsuJxhOHnmMyWrMOdNylFGJlI20DzGjObHNe mks3BRvndtD3eI4iJ66oami+BY7kHn0FR1GFDFZ/99uOHOO548dUMoFOkfh+E/A4jG4B UijPUWwklnfjWkuVGyDGyq4E3LhSAYGN+NyCF0GUZaGrNpfk/qkol8l4BOVEWOkyGOiI ZLi+B5uCW+c6s5IMI14w02nwrLq3FRnmJ7XayQEdLVEkFkLV62ftLQnT/Y+oCoP7vp1V VxlQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712478507; x=1713083307; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:x-original-authentication-results :x-original-sender:mime-version:feedback-id:references:in-reply-to :message-id:subject:from:to:date:x-beenthere:x-gm-message-state :sender:from:to:cc:subject:date:message-id:reply-to; bh=kxJvkv7EvypSQq7uLi2rkco8JKnsn9b+YfA1HvMxSJI=; b=sxvVPqzjUpNQYif/FzujY4YM2nHFqxiYFmdTIe44z+l/HPtd0FZqQxdazP8Otr2GCh CtiON4jUXpdLa+0LNufbEFbXXI/tgUUxoZlIMaohJzcADlFXG4DqbxRGAKryh4fsWaMD np8D74x4VfR0oHiBq4JzRyOGNGVY1dVGKQvhQhC7iLcSoy4GYrjUEq4L+Fml8LfgsfXP uKvRHGyyWLjnis/63c3g0wQb6CZ+Uscho7VQxRNVcRhU++RpPh0OhCfK9NuWOvAE1onu LHEpT1UO3+B4a4Evv8kB6CeXmBFUgjAodBQdVuEPHwvrjTu1ybcxu8E9r69Cj6m/bgGN wC4w== Sender: bitcoindev@googlegroups.com X-Forwarded-Encrypted: i=2; AJvYcCVSDzjGMzqUCzez50kPNbbZvzXOYiIeROYjYn6W8TS0G9H5TKlGWrKjq3kPGxcCaOQ8YWHaBKP0V3bBbg8IOGiHV3mrhDo= X-Gm-Message-State: AOJu0YyUDNoxZ+DjkSr1rOJV2F9TvFz4l/qcjAeD8lNkN6TpaTBSlzMX v68DaqeLVNQJcVv6sDNUNL+58KfWCoqjiwd7Jf4MHjuZJyYgdyBT X-Google-Smtp-Source: AGHT+IGgxn9JMNfipg4oeun8y2nTzxbzGWpQ9bkZ41voroyttbK4I5VyL0TqyUs2sjSiJEzYr6bHtA== X-Received: by 2002:ad4:5d41:0:b0:699:3a91:e25 with SMTP id jk1-20020ad45d41000000b006993a910e25mr9080819qvb.11.1712478506662; Sun, 07 Apr 2024 01:28:26 -0700 (PDT) X-BeenThere: bitcoindev@googlegroups.com Received: by 2002:a05:6214:c2e:b0:690:c63c:5eaa with SMTP id a14-20020a0562140c2e00b00690c63c5eaals4122123qvd.0.-pod-prod-03-us; Sun, 07 Apr 2024 01:28:25 -0700 (PDT) X-Received: by 2002:a05:6214:3c8e:b0:699:2443:bcee with SMTP id ok14-20020a0562143c8e00b006992443bceemr144354qvb.5.1712478505642; Sun, 07 Apr 2024 01:28:25 -0700 (PDT) Received: by 2002:a05:620a:2988:b0:78d:475c:41d0 with SMTP id af79cd13be357-78d475c421ems85a; Sun, 7 Apr 2024 01:03:58 -0700 (PDT) X-Received: by 2002:a2e:b61b:0:b0:2d8:70a6:9575 with SMTP id r27-20020a2eb61b000000b002d870a69575mr2739908ljn.7.1712477036616; Sun, 07 Apr 2024 01:03:56 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1712477036; cv=none; d=google.com; s=arc-20160816; b=vpxBq4LJZQ8sl+MFRXanVgUpE6K6UPq5u1cEp/JJlfYyrHzijq0L+GVgXAE7C6GlIS HdeMn5ZVhc+DJ/e/Ah5sHRPftSumlS4LiGChBt7iModdbrijGEIBUQZ40qr2TI5D4e/E naJPxjorvNEgOHiNlio5xNHeAUnmmzdyVEQDPufVsZRI86VwUT6nvwYVdEOXLxW5c65A wMzXkstX4LS1P7Ehw3BxluxEZmroBPqhZLd2F2xifIdPI/jm5xK2kdZbKlYqdEORWtms 7iMwfq4YUgOn58WhieqqWedBfPAoW4SfZOmPx8ZvWHLb+ge91YAMEvw6MQwQBtAP3VDL e/ZQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=mime-version:feedback-id:references:in-reply-to:message-id:subject :from:to:date:dkim-signature; bh=AzvAaiW3ZadcGxACHbsI+wQXRX0A0ZW6EWwzwwZyUTM=; fh=lhFSo2W/mHC0QoJ9oNg3A35n0DTltt3CQl1/0RggJlk=; b=0j7w4NBShwkUW0tM/0eApOjdjZ9+VyO210DGvJKaH4rl14wWppxg/Q3ketcKrP2xug OSVtPDzGCNgtSirFeNIq9G+IsMX5cth1o5MRCPbwPbEPmyLz2KyRhE8JP8y4WHk4SMBV b3jARTWktGqfFuDB8QPpmVhwlPRcMDZqJlptX7zJXWEoDGrOev+UKe6doG4mjfsNtWGx WToc6gAHLEDbbWwmtnOlmk9wDL0MfB+9x0TN5nX49Ruh4Vh/vP/V+uyCyZOQDBYAVaEB lqrpjNEQzG7Qlst2kbRi5f7yswrw0W2rAMYgdB2RANjVKwhqgqkBEyKjQBOPrLoa8q9w waRQ==; dara=google.com ARC-Authentication-Results: i=1; gmr-mx.google.com; dkim=pass header.i=@notatether.com header.s=protonmail header.b=AUQJnBBy; spf=pass (google.com: domain of ali@notatether.com designates 185.70.40.22 as permitted sender) smtp.mailfrom=ali@notatether.com; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=notatether.com Received: from mail-4022.proton.ch (mail-4022.proton.ch. [185.70.40.22]) by gmr-mx.google.com with ESMTPS id n23-20020a05600c3b9700b004166a35d7e4si265wms.1.2024.04.07.01.03.56 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 07 Apr 2024 01:03:56 -0700 (PDT) Received-SPF: pass (google.com: domain of ali@notatether.com designates 185.70.40.22 as permitted sender) client-ip=185.70.40.22; Date: Sun, 07 Apr 2024 08:03:52 +0000 To: "bitcoindev@googlegroups.com" From: Ali Sherief Subject: Re: [bitcoindev] Security implications of using pseudorandom JSON-RPC IDs Message-ID: <5U7FixH_a7lxjcGGxLi5i-XRPXSVQfMyFHyEfwI532OTI1NoGUkD1s8Is3lEj07bL_1znuiEUwRfd7RNTdsA0kRLcRP1BNBZznHDD3YY0Sw=@notatether.com> In-Reply-To: References: Feedback-ID: 34210769:user:proton MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="b1_dz10CEF07ZpdMXeDwRZ6FMRamKxfAOMlSbx367YKGE" X-Original-Sender: ali@notatether.com X-Original-Authentication-Results: gmr-mx.google.com; dkim=pass header.i=@notatether.com header.s=protonmail header.b=AUQJnBBy; spf=pass (google.com: domain of ali@notatether.com designates 185.70.40.22 as permitted sender) smtp.mailfrom=ali@notatether.com; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=notatether.com Precedence: list Mailing-list: list bitcoindev@googlegroups.com; contact bitcoindev+owners@googlegroups.com List-ID: X-Google-Group-Id: 786775582512 List-Post: , List-Help: , List-Archive: , List-Unsubscribe: , X-Spam-Score: -0.7 (/) This is a multi-part message in MIME format. --b1_dz10CEF07ZpdMXeDwRZ6FMRamKxfAOMlSbx367YKGE Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable I think the conversation did not get sent to the mailing list somehow. Stil= l trying to get the hang of Google Groups I guess. Anyway I'm going to forw= ard it here just to be sure. ---Ali ------- Forwarded Message ------- From: Ali Sherief Date: On Sunday, April 7th, 2024 at 7:47 AM Subject: Re: [bitcoindev] Security implications of using pseudorandom JSON-= RPC IDs To: hashnoncemessage > Using the RPC method 'getrpcinfo', I can't seem to produce a parallel RPC= evaluation, even though I am using 4 RPC threads. > > If anyone wants to reproduce, you can simulate asynchronous calls in Bash= or another shell: > > bitcoin-cli getblockchaininfo & > bitcoin-cli getrpcinfo > > The output of the second command on my machine is: > > { > "active_commands": [ > { > "method": "getrpcinfo", > "duration": 58 > } > ], > "logpath": "/home/zenulabidin/.bitcoin/debug.log"} > > I see that there is a global work queue shared by all the threads from wh= ich they get the RPC request from: (https://github.com/bitcoin/bitcoin/blob= /0f0e36de5f53f82d31416dc05a24d2885781ce57/src/httpserver.cpp#L70-L125) > > So as I understand it, the system doesn't actually make use of the JSON-R= PC metadata such as id, but it's just distributing the work in the queue to= different threads. So it is not possible to use the id to corrupt the work= queue. > > However, what I did notice is that the internal evhttp_request variables = can (theoretically) be edited to resolve to a different pointer in order to= achieve the same effect, of receiving a different JSON reply. This would r= equire some form of memory corruption bug to be found in Bitcoin Core that = affects some global data structure that comes close enough before g_work_qu= eue or the queue itself, so for linux-gcc on x86 platforms at least, any of= these variables: (https://github.com/bitcoin/bitcoin/blob/0f0e36de5f53f82d= 31416dc05a24d2885781ce57/src/httpserver.cpp#L141-L147) > > But it would be more likely to cause a node crash than the intended resul= t, I think. > > Obviously I'm not a security researcher but I do have a good grasp of C++= , so just doing my due diligence to check what kind of attack vectors exist= in my program's dependencies. > > --- > Ali > > On Sunday, April 7th, 2024 at 6:33 AM, hashnoncemessage wrote: > >> As I understand it, the json rpc server responds directly to the (http) = request initiated by the client. >> >> Request IDs are used for correlation of different requests from the same= client. >> >> Core will not send your client=E2=80=99s response to a different client/= connection. >> >> On Sun, Apr 7, 2024 at 07:57, Ali Sherief <[ali@notatether.com](mailto:O= n Sun, Apr 7, 2024 at 07:57, Ali Sherief < wrote: >> >>> I am trying to figure out how the Bitcoin Core RPC server stores the Un= iValue JSON-RPC requests. >>> >>> The reason being is because I have an application that uses pseudorando= m IDs for the JSON-RPC calls, and I'm trying to make sure that Core isn't g= oing to send me someone else's JSON-RPC response if somebody else happens t= o be making a request with that ID at the same instant, which could be a po= tential security issue. >>> >>> So far I don't have any leads on the Github codebase yet, but I'm still= looking. >>> >>> Anyway I would appreciate if someone would clarify this topic for me. >>> >>> --- >>> Ali >>> >>> -- >>> You received this message because you are subscribed to the Google Grou= ps "Bitcoin Development Mailing List" group. >>> To unsubscribe from this group and stop receiving emails from it, send = an email to bitcoindev+unsubscribe@googlegroups.com. >>> To view this discussion on the web visit https://groups.google.com/d/ms= gid/bitcoindev/a358aaac-62d5-4d30-a599-40c94da66c4fn%40googlegroups.com. --=20 You received this message because you are subscribed to the Google Groups "= Bitcoin Development Mailing List" group. To unsubscribe from this group and stop receiving emails from it, send an e= mail to bitcoindev+unsubscribe@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/= bitcoindev/5U7FixH_a7lxjcGGxLi5i-XRPXSVQfMyFHyEfwI532OTI1NoGUkD1s8Is3lEj07b= L_1znuiEUwRfd7RNTdsA0kRLcRP1BNBZznHDD3YY0Sw%3D%40notatether.com. --b1_dz10CEF07ZpdMXeDwRZ6FMRamKxfAOMlSbx367YKGE Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable

=20
=20
=20
I thi= nk the conversation did not get sent to the mailing list somehow. Still try= ing to get the hang of Google Groups I guess. Anyway I'm going to forward i= t here just to be sure.

---
Ali
------- Forwarded Message -------
From: Ali Sherief <ali@notatether.com>
Date: On Sunday, April 7th, 2024 at 7:47 AM
Subject: Re: [bitcoindev] Security implications of using pseudorand= om JSON-RPC IDs
To: hashnoncemessage <hashnoncemessage@proton.me>

Using the RPC m= ethod 'getrpcinfo', I can't seem to produce a parallel RPC evaluation, even= though I am using 4 RPC threads.

If an= yone wants to reproduce, you can simulate asynchronous calls in Bash or ano= ther shell:

=
bitcoin-cli getblockchainin= fo &
bitcoin-cli g= etrpcinfo

The output of the second comm= and on my machine is:
=
{  "active_commands": [
    {<= /span>
      "method": "getrpcinfo",<= /div>
      "duration": 58
=     }
  ],
&nb= sp; "logpath": "/home/zenulabidin/.bitcoin/debug.log"
}

So as I understand it, the system doesn't actually make use of t= he JSON-RPC metadata such as id, but it's just distributing the work in the= queue to different threads. So it is not possible to use the id to corrupt= the work queue.
However, what I did notice is that the internal evhttp_request variable= s can (theoretically) be edited to resolve to a different pointer in order = to achieve the same effect, of receiving a different JSON reply. This would= require some form of memory corruption bug to be found in Bitcoin Core tha= t affects some global data structure that comes close enough before g_work_= queue or the queue itself, so for linux-gcc on x86 platforms at least, any = of these variables: (https://github.com/bi= tcoin/bitcoin/blob/0f0e36de5f53f82d31416dc05a24d2885781ce57/src/httpserver.= cpp#L141-L147)

But it would be more likely to cause a node= crash than the intended result, I think.

Obviously I'm not a security researcher but I do have a good grasp of= C++, so just doing my due diligence to check what kind of attack vect= ors exist in my program's dependencies.

<= /div>
---
Ali

On Sunday, April 7th, 2024 at 6:33 AM, hashnoncemessage <hashnon= cemessage@proton.me> wrote:
As I understand it, the json rpc server re= sponds directly to the (http) request initiated by the client. 
<= div dir=3D"auto">
Request IDs are used for corre= lation of different requests from the same client. 

Core will not send your client=E2=80=99s r= esponse to a different client/connection. 

=
On Sun, Apr 7, 2024 at 07:57, Ali Sherief <ali@notatether.com> wrote:<= blockquote class=3D"protonmail_quote" type=3D"cite"> I am trying to figure= out how the Bitcoin Core RPC server stores the UniValue JSON-RPC requests.=

The reason being is because I have an application that = uses pseudorandom IDs for the JSON-RPC calls, and I'm trying to make sure t= hat Core isn't going to send me someone else's JSON-RPC response if somebod= y else happens to be making a request with that ID at the same instant, whi= ch could be a potential security issue.

So far I d= on't have any leads on the Github codebase yet, but I'm still looking.

Anyway I would appreciate if someone would clarify thi= s topic for me.

---
Ali

--
You received this message because you are subscribed to the Google Groups "= Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an e= mail to bitcoindev+unsubscribe@googl= egroups.com.
To view this discussion on the web visit https://groups.= google.com/d/msgid/bitcoindev/a358aaac-62d5-4d30-a599-40c94da66c4fn%40googl= egroups.com.


--
You received this message because you are subscribed to the Google Groups &= quot;Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an e= mail to bitcoind= ev+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/b= itcoindev/5U7FixH_a7lxjcGGxLi5i-XRPXSVQfMyFHyEfwI532OTI1NoGUkD1s8Is3lEj07bL= _1znuiEUwRfd7RNTdsA0kRLcRP1BNBZznHDD3YY0Sw%3D%40notatether.com.
--b1_dz10CEF07ZpdMXeDwRZ6FMRamKxfAOMlSbx367YKGE--