Done
Details
Details
Assignee
Fraser Hutchison
Fraser HutchisonReporter
Pierre Chevalier
Pierre ChevalierStart date
Jan 16, 2019
End date
Feb 15, 2019
Story Points
8
Components
Priority
Created January 16, 2019 at 11:18 AM
Updated March 26, 2019 at 4:04 PM
Resolved March 26, 2019 at 2:37 PM
We have identified a possible attack that would allow a malicious node to influence the concrete coin process in favour of them deciding the coin value. If exploited 100% of the time, with full knowledge of every other node's point of view, it could be used to affect Liveness of the protocol; e.g: stall consensus forever.
We already have plans for mechanisms that forbid
DuplicateResponse
s to the same request: https://maidsafe.atlassian.net/browse/MAID-3091 and another mechanism to forbidInvalidResponse
s, e.g response to an event that isn't a Request: https://maidsafe.atlassian.net/browse/MAID-3088 .However, we spotted an alternative way to send many Responses in a short time: create many gossip events with cause
Request
even though the author of these Requests hasn't actually sent a request.To address it, we need to add a way to detect "fake Requests" and punish their malicious authors.
We discussed a few implementation options and here is our preferred route at the moment (performance analysis may make us investigate other routes as necessary).
While sending a sync request, each node will create an event in their graph with cause:
cause::Requesting(RecipientId)
Any event with
cause::Request
where theother_parent
doesn't havecause::Requesting(RecipientId)
where theRecipientId
is the author of that event withcause::Request
can immediately be identified as malicious, with malice typeInvalidRequest
. This is a provable type of malice so the author should be punished as soon as the information propagates.When receiving a sync response, the recipient will create an event with
cause::Response
as previously; however, they will first ensure that the event withcause::Request
is the unique such event created with that specificother_parent
[1]. If theRequest
is not unique with thisRequesting
ancestor, an event withcause::Response
won't be created, but instead an event withcause::MaliceAccusation(DuplicateRequest)
will be created and that type of malice too is provable which means the offending node should be kicked out as soon as the accusation spreads.Accomplice detection should also be covered for
InvalidRequest
andDuplicateRequest
This changes the topology of a gossip graph so we will need to update the tests with hard coded graphs (in dot format)
[1] Note: here is a way to implement detection of
DuplicateRequest
check the tip of the gossip graph for the node who sent the response. It should contain a
Request
eventcheck its other_parent. It should have
cause::Requesting(response author)
iterate over the events created by us from that event on. For any event with
cause::Response
, check that this event'sother_parent
'sother_parent
is not the event withcause::Requesting
we are iterating fromIf it is,
DuplicateRequest
was detectedIf we reach the latest event we created without hitting such a case, we're good to create an event with
cause::Response