docs: revise ADR 56, documenting short term decision around amnesia evidence #5440
| Also critical to this type of attack is that the light client that is connected to our nodes must request a light block at that specific height with which we forged this signed header but this shouldn’t be hard to do. To bring this back to a real context, say our faulty cabal, f, bought some groceries using atoms and then wanted to prove that they did, the grocery owner whips out their phone, runs the light client and f tells them the height they committed the transaction. | ||
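Review bot: the first sentence asserts that getting the light client to request a light block at the forged height "shouldn't be hard to do" without giving a reason; the grocery example in the second sentence is that reason, so the text should tie the two together explicitly. The second sentence is also a run-on ("say our faulty cabal, f, bought some groceries ... the grocery owner whips out their phone ...") and would read better split in two, with "prove that they did" spelling out what is being proved and to whom.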
| An important note here is that because the validator sets are the same between the canonical and the forged block, this attack also works on light clients that verify sequentially. In fact, they are especially vulnerable because they currently don’t run the detector function afterwards. |
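Review bot: the last sentence, "they currently don't run the detector function afterwards", describes a gap in sequential verification without saying whether this ADR intends to close it. State here whether the detector should also run after sequential verification, or point to where that decision is recorded.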
does this mean we should run detector for sequential verification too?
Yeah, I think so, but it's different. I'm not sure if you can perform the attack on intermediate blocks, because the validator set is the same but now the last block ID is different, so I'm not sure how you can get the same innocent validators to vote for the next forged block in order to sustain the fork. The only way around it is if you can change the validator set completely in this forged block so that you have 2/3+ control of the next validator set.
If this is not possible, then you don't need to worry about the traces; you can just compare the last header and, if it's incorrect, form evidence from that.
don't you need 2/3+ malicious nodes to pull this?
This, as in an attack on a sequentially validating light client. No, theoretically it's possible with 1/3+, although extremely difficult. With 2/3+ it becomes easy.
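The check suggested in this thread, comparing only the last header against witnesses after sequential verification, as an added Go example (not code from this PR or from Tendermint). `Header`, `VerifySequential`, `DetectLastHeader` and `Scenario` are hypothetical simplified names, signature verification is assumed done and reduced to a voting-power count, and the sample headers are constructed.

```go
package main

import (
	"crypto/sha256"
	"fmt"
)

// Header is a simplified signed header (hypothetical type); SignedPower is the power behind its commit.
type Header struct {
	Height, SignedPower int64
	LastBlockID         [32]byte
	AppHash             string
}

func (h Header) Hash() [32]byte {
	return sha256.Sum256([]byte(fmt.Sprintf("%d|%x|%s", h.Height, h.LastBlockID, h.AppHash)))
}

// VerifySequential accepts next if it extends trusted and carries 2/3+ of totalPower.
func VerifySequential(trusted, next Header, totalPower int64) error {
	if next.Height != trusted.Height+1 || next.LastBlockID != trusted.Hash() {
		return fmt.Errorf("header %d does not extend trusted header %d", next.Height, trusted.Height)
	}
	if 3*next.SignedPower <= 2*totalPower {
		return fmt.Errorf("header %d lacks 2/3+ voting power", next.Height)
	}
	return nil
}

// DetectLastHeader returns every witness header that conflicts with the last verified header.
func DetectLastHeader(last Header, witnesses ...func(int64) (Header, bool)) []Header {
	var conflicts []Header
	for _, w := range witnesses {
		if h, ok := w(last.Height); ok && h.Hash() != last.Hash() {
			conflicts = append(conflicts, h)
		}
	}
	return conflicts
}

// Scenario (constructed data): a forged header at height 2 passes VerifySequential; a witness exposes it.
func Scenario() ([]Header, error) {
	trusted := Header{Height: 1, AppHash: "genesis", SignedPower: 100}
	canonical := Header{Height: 2, LastBlockID: trusted.Hash(), AppHash: "no-payment", SignedPower: 70}
	forged := Header{Height: 2, LastBlockID: trusted.Hash(), AppHash: "payment", SignedPower: 70}
	honest := func(h int64) (Header, bool) { return canonical, h == 2 }
	return DetectLastHeader(forged, honest), VerifySequential(trusted, forged, 100)
}

func main() { fmt.Println(Scenario()) }
```

Both headers carry 70 of 100 voting power, so at least 40 (more than 1/3) signed both, which is why sequential verification alone cannot tell them apart.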
* docs: specify TM version in go tutorials (#5427)
  Closes #5425
* privval: allow passing options to NewSignerDialerEndpoint (#5434)
  Required for #5291 to set timeouts for remote signers.
* config: set statesync.rpc_servers when generating config file (#5433)
  Required for #5291, to generate configuration files with state sync RPC servers.
* consensus: check block parts don't exceed maximum block bytes (#5431)
* ci: docker remove circleci and add github action (#5420)
* privval: fix ping message encoding (#5441)
  Fixes #5371.
* docs: revise ADR 56, documenting short term decision around amnesia evidence (#5440)
* light: expand on errors and docs (#5443)
* test: add end-to-end testing framework (#5435)
  Partial fix for #5291. For details, see [README.md](https://github.com/tendermint/tendermint/blob/erik/e2e-tests/test/e2e/README.md) and [RFC-001](https://github.com/tendermint/tendermint/blob/master/docs/rfc/rfc-001-end-to-end-testing.md). This only includes a single test case under `test/e2e/tests/`, as a proof of concept - additional test cases will be submitted separately. A randomized testnet generator will also be submitted separately, there are currently just a handful of static testnets under `test/e2e/networks/`. This will eventually replace the current P2P tests and run in CI.
* changelog: add missing date to v0.33.5 release, fix indentation (#5454)
  I forgot to add the date when we cut 0.33.5. This fixes that. It also fixes a header indentation issue for 0.33.8.
* test: add basic end-to-end test cases (#5450)
  Partial fix for #5291. This adds a basic set of test cases for core network invariants. Although small, it is sufficient to replace and extend the current set of P2P tests. Further test cases can be added later.
* test: add GitHub action for end-to-end tests (#5452)
  Partial fix for #5291.
* fix RPC blockresults return (#5459)
  ## Description
  In blocks_results we use the proto definition of abciResponses: https://github.com/tendermint/tendermint/blob/2672b91ab099b8b02f3afabae4a0a745acd93c3f/rpc/core/blocks.go#L152-L155, this leads to the use of the proto definition of the pubkey which is an interface in go (oneof). The interface must be registered with the JSON encoder to have it work correctly. A clearer divide between proto types and native types is needed.
  Closes: #XXX
* circleci: remove Gitian reproducible_builds job (#5462)
* docs: fix links to adr 56 (#5464)
  ## Description
  fix broken link from a previous change
* test: remove P2P tests (#5453)

Co-authored-by: Anton Kaliaev <anton.kalyaev@gmail.com>
Co-authored-by: Erik Grinaker <erik@interchain.berlin>
Co-authored-by: Callum Waters <cmwaters19@gmail.com>
Co-authored-by: Marko <marbar3778@yahoo.com>
Co-authored-by: Tess Rinearson <tess.rinearson@gmail.com>
* docs: specify TM version in go tutorials (#5427)
  Closes #5425
* privval: allow passing options to NewSignerDialerEndpoint (#5434)
  Required for #5291 to set timeouts for remote signers.
* config: set statesync.rpc_servers when generating config file (#5433)
  Required for #5291, to generate configuration files with state sync RPC servers.
* consensus: check block parts don't exceed maximum block bytes (#5431)
* ci: docker remove circleci and add github action (#5420)
* privval: fix ping message encoding (#5441)
  Fixes #5371.
* docs: revise ADR 56, documenting short term decision around amnesia evidence (#5440)
* light: expand on errors and docs (#5443)
* makefile: config build-docs for branch and path prefix
* update versions with new 0.33 branch

Co-authored-by: Anton Kaliaev <anton.kalyaev@gmail.com>
Co-authored-by: Erik Grinaker <erik@interchain.berlin>
Co-authored-by: Callum Waters <cmwaters19@gmail.com>
Co-authored-by: Marko <marbar3778@yahoo.com>
Description
This is to reflect the notion that a more well-thought protocol for amnesia accountability will need to be created in the long term future but for now 0.34 will only include the light detector algorithm and thus will be able to detect but not punish amnesia attacks.
I have also included in the appendix a more detailed description of how an amnesia attack would work.