Re: [bitcoin-dev] Responsible disclosure of bugs

[Bryan Bishop via bitcoin-dev]

On Mon, Sep 11, 2017 at 10:37 PM, Anthony Towns via bitcoin-dev
 wrote:
> All of those things seem like they'd help not just altcoins but bitcoin
> investors/traders too, so it's not even a trade-off between classes of
> bitcoin core users.  And if in the end various altcoins aren't able to
> keep up with security fixes, that's probably valuable information to
> provide to the market...

I have a reply to your point, but I want to clarify first that I am
not trying to provide any sort of criticism of your character, and to
any extent that my text is misinterpreted that way, that's entirely my
fault here. Anyway, here goes.

It's not enough to defend bitcoin and its users from active threats,
there is a more general responsibility to defend all kinds of users
and different software from many kinds of threats in whatever forms,
even if folks are using stupid and insecure software that you
personally don't maintain or contribute to or advocate for. Handling
knowledge of a vulnerability is a delicate matter and you might be
receiving knowledge with more serious direct or indirect impact than
originally described.

Besides the moral and ethical reasons to not unduly accelerate the
exploitation of a vulnerability, there is also a reputational
standpoint to consider, in that your position that your own (security)
work is credible is actually harmed by showing negative care for other
works by being first to publish either insecure software or knowledge
of a vulnerability. And sometimes the opposite is true: by not
disclosing knowledge of how a design is broken to someone inviting its
review, you're showing negative care in that way too, such as by
unintentionally encouraging the implementation of really bad ideas or
entirely novel misunderstandings of what you once thought were clear
concepts. So there is a difficult path to walk and especially in
security not all may be as it seems; caution is highly recommended.

Yes it would be good for "the market" to "get the signal" that
altcoins are insecure, and that some altcoin vendors are literally and
actively malicious entities, but I think everyone needs to take a step
back here and very carefully consider the color of their hats,
including those who advocate in the name of insecure downstream/forked
software.

The downside of the approach I've advocated for is that it requires
knowledge, thinking and outsmarting the red teams; I am certainly
aware of the allure of the approaches that involve absolutist
statements like "anything weak [including bitcoin if it does have
weaknesses] deserves to die and be actively exploited" but it's not
something I am interested in espousing...nor do I think it would be
healthy for this community to internalize that perspective. Instead we
should continue to work on highly defensible software, and keep
vigilant in regards to security. In "the [civilized] garden" I would
expect there to be a general understanding that people collaborate and
work together to build highly defensible evolving systems even if
there exists knowledge of vulnerabilities. But we shouldn't be
surprised when we don't go out of our way to contribute to
alternative/parasitic systems... and we shouldn't be encouraging each
other to actively bring about the eschaton by way of mishandling
knowledge of vulnerabilities...

I know these issues are difficult to get a handle on. Hopefully I've
provided some useful perspective.

- Bryan
http://heybryan.org/
1 512 203 0507
___
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev

Re: [bitcoin-dev] Responsible disclosure of bugs

[Anthony Towns via bitcoin-dev]

On Mon, Sep 11, 2017 at 10:43:52AM -0700, Daniel Stadulis wrote:
> I think it's relevant to treat different bug severity levels with different
> response plans. 

That makes sense.

For comparison, Monero defines a response process that has three levels
and varies the response for each:

] a. HIGH: impacts network as a whole, has potential to break entire
]network, results in the loss of monero, or is on a scale of great
]catastrophe
] b. MEDIUM: impacts individual nodes, wallets, or must be carefully
]exploited
] c. LOW: is not easily exploitable

 -- 
https://github.com/monero-project/monero/blob/master/VULNERABILITY_RESPONSE_PROCESS.md

Among other things, HIGH gets treated as an emergency, MEDIUM get fixed
in a point release; LOW get deferred to the next regular release eg.

Additionally, independently of the severity, Monero's doc says they'll
either get their act together with a fix and report within 90 days,
or otherwise the researcher that found the vulnerability has the right
to publically disclose the issue themselves...

I wouldn't say that's a perfect fit for bitcoin core (at a minimum, given
the size of the ecosystem and how much care needs to go into releases,
I think 90 days is probably too short), but it seems better than current
practice...

For comparison, if you're an altcoin developer or just bitcoin core user,
and are trying to work out whether the software you're using is secure;
if you do a quick google and end up at:

  https://en.bitcoin.it/wiki/Common_Vulnerabilities_and_Exposures

you might conclude that as long as you're running version 0.11 or later,
you're fine. That doesn't seem like an accurate conclusion for people
to draw; but if you're not tracking every commit/PR, how do you do any
better than that?

Maybe transitioning from keeping things private indefinitely to having
a public disclosure policy is tricky. Maybe it might work to build up to it,
something like:

  * We'll start releasing info about security vulnerabilities fixed in
0.12.0 and earlier releases as of 2018-01-01
  * Then we'll continue with 0.13.0 and earlier as of 2018-03-01
  * Likewise for 0.14.0 as of 2018-05-01
  * Thereafter we'll adopt a regular policy at http://...

That or something like it at least gives people relying on older,
potentially vulnerable versions a realistic chance to privately prepare
and deploy any upgrades or fixes they've missed out on until now.

Cheers,
aj

___
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev

Re: [bitcoin-dev] Responsible disclosure of bugs

[Anthony Towns via bitcoin-dev]

On Mon, Sep 11, 2017 at 07:34:33AM -0400, Alex Morcos wrote:
> I don't think I know the right answer here, but I will point out two things
> that make this a little more complicated.
> 1 - There are lots of altcoin developers and while I'm sure the majority would
> greatly appreciate the disclosure and would behave responsibly with the
> information, I don't know where you draw the line on who you tell and who you
> don't.

If you can't pick even a small group that's trustworthy (top five by
market cap as a start [0]? or just major bitcoin wallets / exchanges /
alt node implementations?), then it still seems better to (eventually)
disclose publically than keep it unrevealed and let it be a potential
advantage for attackers against people who haven't upgraded for other
reasons?

I find it hard to imagine bitcoin's still obscure enough that people
aren't tracking git commit logs to use them as inspiration for attacks
on bitcoin users and businesses; at best I would have thought it'd
only be a few months of development time between a fix being proposed
as a PR or committed to master and black hats having the ability to
exploit it in users who are running older nodes. (Or for that matter,
being able to be exploited by otherwise legitimate bitcoin businesses
with an agenda to push, a strong financial motive behind that agenda,
and a legal team that says they'll get away with it)

> 2- Unlike other software, I'm not sure good security for bitcoin is defined by
> constant upgrading.  Obviously upgrading has an important benefit, but one of
> the security considerations for Bitcoin is knowing that your definition of the
> money hasn't changed.  Much harder to know that if you change software.

Isn't that just an argument for putting more effort into backporting
fixes/workarounds? (I don't see how you do that without essentially
publically disclosing which patches have a security impact -- "oh,
gosh, this patch gets a backport, I wonder if maybe it has security
implications...")

(In so far as bitcoin is a consensus system, there can sometimes be a
positive network effect, where having other people upgrade can help your
security, even if you don't upgrade; "herd immunity" if you will. That
way a new release going out to other people helps keep you safe, even
while you continue to maintain the same definition of money by not
upgrading at all)

If altcoin maintainers are inconvenienced by tracking bitcoin-core
updates, that would be an argument for them to contribute back to their
upstream to make their own job easier; either helping with backports,
or perhaps contributing to patches like PR#8994 might help.

All of those things seem like they'd help not just altcoins but bitcoin
investors/traders too, so it's not even a trade-off between classes of
bitcoin core users.  And if in the end various altcoins aren't able to
keep up with security fixes, that's probably valuable information to
provide to the market...

Cheers,
aj

[0] Roughly: BCash, Litecoin, Dash, BitConnect, ZCash, Dogecoin?
I've no idea which of those might have trustworthy devs to work with,
but surely at least a couple do?

___
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev

Re: [bitcoin-dev] Merkle branch verification & tail-call semantics for generalized MAST

[Bryan Bishop via bitcoin-dev]

On Mon, Sep 11, 2017 at 9:03 PM, Mark Friedenbach via bitcoin-dev
 wrote:
> I believe you meant "unclean stack," and you are correct. This was
> also pointed out last tuesday by a participant at the in-person
> CoreDev meetup where the idea was presented.

http://diyhpl.us/wiki/transcripts/bitcoin-core-dev-tech/2017-09-07-merkleized-abstract-syntax-trees/

> > For code complexity, the minimal BIP114 could be really simple, like
> > <30 lines of code? It looks complex now because it does much more
> > than simply hiding scripts in a hash.
>
> Is there a repo that contains the latest implementation of BIP 114,
> for comparison purposes?

original bip114:
https://github.com/bitcoin/bips/blob/775f26c02696e772dac4060aa092d35dedbc647c/bip-0114.mediawiki
revised bip114: https://github.com/jl2012/bips/blob/vault/bip-0114.mediawiki
https://github.com/jl2012/bitcoin/commits/vault
from 
https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2017-September/014963.html

- Bryan
http://heybryan.org/
1 512 203 0507
___
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev

Re: [bitcoin-dev] Merkle branch verification & tail-call semantics for generalized MAST

[Adán Sánchez de Pedro Crespo via bitcoin-dev]

Coincidentally, the kind of Merkle tree that Mark describes in his
proposal is exactly the one that we use at Stampery.

The Stampery BTA whitepaper[1] includes pseudocode for many of the
algorithms outlined by this proposal, including fast-SHA256, the tree
building process and the inclusion proving routine.

The wording is slightly different but the logic is just the same, so I
hope it helps future implementations in case of eventual adoption.


[1]
https://s3.amazonaws.com/stampery-cdn/docs/Stampery-BTA-v6-whitepaper.pdf


Best,
-- 
Adán Sánchez de Pedro Crespo
CTO, Stampery Inc.
San Francisco - Madrid
T: +34 663 163 375



signature.asc
Description: OpenPGP digital signature
___
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev

Re: [bitcoin-dev] Responsible disclosure of bugs

[Daniel Stadulis via bitcoin-dev]

I think it's relevant to treat different bug severity levels with different
response plans.

E.g.
Compromising UTXO custody (In CVE-2010-5141, OP_RETURN vulnerability)
Compromising UTXO state (In CVE-2013-3220, blockchain split due to Berkeley
DB -> LevelDB upgrade, CVE-2010-5139 Overflow bug, unscheduled inflation of
coins)
Compromising Node performance (Various node-specific DoS attacks)

Should have different disclosure policies, IMO

On Mon, Sep 11, 2017 at 4:34 AM, Alex Morcos via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:

> I don't think I know the right answer here, but I will point out two
> things that make this a little more complicated.
>
> 1 - There are lots of altcoin developers and while I'm sure the majority
> would greatly appreciate the disclosure and would behave responsibly with
> the information, I don't know where you draw the line on who you tell and
> who you don't.
>
> 2- Unlike other software, I'm not sure good security for bitcoin is
> defined by constant upgrading.  Obviously upgrading has an important
> benefit, but one of the security considerations for Bitcoin is knowing that
> your definition of the money hasn't changed.  Much harder to know that if
> you change software.
>
>
>
> On Sun, Sep 10, 2017 at 10:15 PM, Anthony Towns via bitcoin-dev <
> bitcoin-dev@lists.linuxfoundation.org> wrote:
>
>> On Sun, Sep 10, 2017 at 07:02:36PM -0400, Matt Corallo via bitcoin-dev
>> wrote:
>> > I believe there continues to be concern over a number of altcoins which
>> > are running old, unpatched forks of Bitcoin Core, making it rather
>> > difficult to disclose issues without putting people at risk (see, eg,
>> > some of the dos issues which are preventing release of the alert key).
>> > I'd encourage the list to have a discussion about what reasonable
>> > approaches could be taken there.
>>
>> That seems like it just says bitcoin core has two classes of users:
>> people who use it directly following mainnet or testnet, and people who
>> make derived works based on it to run altcoins.
>>
>> Having a "responsible disclosure" timeline something like:
>>
>>  * day -N: vulnerability reported privately
>>  * day -N+1: details shared amongst private trusted bitcoin core group
>>  * day 0: patch/workaround/mitigation determined, CVE reserved
>>  * day 1: basic information shared with small group of trusted users
>>   (eg, altcoin maintainers, exchanges, maybe wallet devs)
>>  * day ~7: patches can be included in git repo
>>   (without references to vulnerability)
>>  * day 90: release candidate with fix available
>>  * day 120: official release including fix
>>  * day 134: CVE published with details and acknowledgements
>>
>> could make sense. 90 days / 3 months is hopefully a fair strict upper
>> bound for how long it should take to get a fix into a rc; but that's still
>> a lot longer than many responsible disclosure timeframes, like CERT's at
>> 45 days, but also shorter than some bitcoin core minor update cycles...
>> Obviously, those timelines could be varied down if something is more
>> urgent (or just easy).
>>
>> As it is, not publishing vulnerability info just seems like it gives
>> everyone a false sense of security, and encourages ignoring good security
>> practices, either not upgrading bitcoind nodes, or not ensuring altcoin
>> implementations keep up to date...
>>
>> I suppose both "trusted bitcoin core group" and "small group of trusted
>> users" isn't 100% cypherpunk, but it sure seems better than not both not
>> disclosing vulnerability details, and not disclosing vulnerabilities
>> at all... (And maybe it could be made more cypherpunk by, say, having
>> the disclosures to trusted groups have the description/patches get
>> automatically fuzzed to perhaps allow identification of leakers?)
>>
>> Cheers,
>> aj
>>
>> > On 09/10/17 18:03, Simon Liu via bitcoin-dev wrote:
>> > > Hi,
>> > >
>> > > Given today's presentation by Chris Jeffrey at the Breaking Bitcoin
>> > > conference, and the subsequent discussion around responsible
>> disclosure
>> > > and industry practice, perhaps now would be a good time to discuss
>> > > "Bitcoin and CVEs" which has gone unanswered for 6 months.
>> > >
>> > > https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2017
>> -March/013751.html
>> > >
>> > > To quote:
>> > >
>> > > "Are there are any vulnerabilities in Bitcoin which have been fixed
>> but
>> > > not yet publicly disclosed?  Is the following list of Bitcoin CVEs
>> > > up-to-date?
>> > >
>> > > https://en.bitcoin.it/wiki/Common_Vulnerabilities_and_Exposures
>> > >
>> > > There have been no new CVEs posted for almost three years, except for
>> > > CVE-2015-3641, but there appears to be no information publicly
>> available
>> > > for that issue:
>> > >
>> > > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3641
>> > >
>> > > It would be of great benefit to end users if the community of clients
>> > > and altcoins derived from Bitcoin Core could be 

Re: [bitcoin-dev] Responsible disclosure of bugs

[Alex Morcos via bitcoin-dev]

I don't think I know the right answer here, but I will point out two things
that make this a little more complicated.

1 - There are lots of altcoin developers and while I'm sure the majority
would greatly appreciate the disclosure and would behave responsibly with
the information, I don't know where you draw the line on who you tell and
who you don't.

2- Unlike other software, I'm not sure good security for bitcoin is defined
by constant upgrading.  Obviously upgrading has an important benefit, but
one of the security considerations for Bitcoin is knowing that your
definition of the money hasn't changed.  Much harder to know that if you
change software.



On Sun, Sep 10, 2017 at 10:15 PM, Anthony Towns via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:

> On Sun, Sep 10, 2017 at 07:02:36PM -0400, Matt Corallo via bitcoin-dev
> wrote:
> > I believe there continues to be concern over a number of altcoins which
> > are running old, unpatched forks of Bitcoin Core, making it rather
> > difficult to disclose issues without putting people at risk (see, eg,
> > some of the dos issues which are preventing release of the alert key).
> > I'd encourage the list to have a discussion about what reasonable
> > approaches could be taken there.
>
> That seems like it just says bitcoin core has two classes of users:
> people who use it directly following mainnet or testnet, and people who
> make derived works based on it to run altcoins.
>
> Having a "responsible disclosure" timeline something like:
>
>  * day -N: vulnerability reported privately
>  * day -N+1: details shared amongst private trusted bitcoin core group
>  * day 0: patch/workaround/mitigation determined, CVE reserved
>  * day 1: basic information shared with small group of trusted users
>   (eg, altcoin maintainers, exchanges, maybe wallet devs)
>  * day ~7: patches can be included in git repo
>   (without references to vulnerability)
>  * day 90: release candidate with fix available
>  * day 120: official release including fix
>  * day 134: CVE published with details and acknowledgements
>
> could make sense. 90 days / 3 months is hopefully a fair strict upper
> bound for how long it should take to get a fix into a rc; but that's still
> a lot longer than many responsible disclosure timeframes, like CERT's at
> 45 days, but also shorter than some bitcoin core minor update cycles...
> Obviously, those timelines could be varied down if something is more
> urgent (or just easy).
>
> As it is, not publishing vulnerability info just seems like it gives
> everyone a false sense of security, and encourages ignoring good security
> practices, either not upgrading bitcoind nodes, or not ensuring altcoin
> implementations keep up to date...
>
> I suppose both "trusted bitcoin core group" and "small group of trusted
> users" isn't 100% cypherpunk, but it sure seems better than not both not
> disclosing vulnerability details, and not disclosing vulnerabilities
> at all... (And maybe it could be made more cypherpunk by, say, having
> the disclosures to trusted groups have the description/patches get
> automatically fuzzed to perhaps allow identification of leakers?)
>
> Cheers,
> aj
>
> > On 09/10/17 18:03, Simon Liu via bitcoin-dev wrote:
> > > Hi,
> > >
> > > Given today's presentation by Chris Jeffrey at the Breaking Bitcoin
> > > conference, and the subsequent discussion around responsible disclosure
> > > and industry practice, perhaps now would be a good time to discuss
> > > "Bitcoin and CVEs" which has gone unanswered for 6 months.
> > >
> > > https://lists.linuxfoundation.org/pipermail/bitcoin-dev/
> 2017-March/013751.html
> > >
> > > To quote:
> > >
> > > "Are there are any vulnerabilities in Bitcoin which have been fixed but
> > > not yet publicly disclosed?  Is the following list of Bitcoin CVEs
> > > up-to-date?
> > >
> > > https://en.bitcoin.it/wiki/Common_Vulnerabilities_and_Exposures
> > >
> > > There have been no new CVEs posted for almost three years, except for
> > > CVE-2015-3641, but there appears to be no information publicly
> available
> > > for that issue:
> > >
> > > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3641
> > >
> > > It would be of great benefit to end users if the community of clients
> > > and altcoins derived from Bitcoin Core could be patched for any known
> > > vulnerabilities.
> > >
> > > Does anyone keep track of security related bugs and patches, where the
> > > defect severity is similar to those found on the CVE list above?  If
> > > yes, can that list be shared with other developers?"
> > >
> > > Best Regards,
> > > Simon
> > > ___
> > > bitcoin-dev mailing list
> > > bitcoin-dev@lists.linuxfoundation.org
> > > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
> > >
> > ___
> > bitcoin-dev mailing list
> > bitcoin-dev@lists.linuxfoundation.org
> >