Re: Security Analysis of Private Data Collection of Hyperledger Fabric
David Enyeart
I still think it is in your best interest to make some minor updates to the paper content to avoid using sensational language such as "design flaws" and "vulnerabilities". Researchers tend to get discredited when their assertions get shown to be misleading or untrue. The original sponsor for the private data feature specifically requested the existing chaincode-level endorsement policy design for their use cases, and the more constrained collection-level endorsement policies were added as a parallel approach for other use cases. Calling out the original broadly as a design flaw is misleading and untrue when you consider the sponsor use case or review the Fabric documentation.

Dear All,

We want to say Hyperledger Fabric is a great blockchain framework and did not find issues with other parts of Hyperledger Fabric although the students spent a year on security analysis of the entire Hyperledger Fabric. I also think the students’ work shall be recognized by ICDCS. We propose to put the following “Responsible Disclosure” statement into the paper and clarify your stance.

“Responsible Disclosure: The authors have communicated and reported the findings of this paper to the Hyperledger Fabric team since August 2020. According to the Hyperledger Fabric team, some findings reported in the paper are the design features and they may not cause security threats as the users may choose not to use them. We nevertheless report these findings here to raise user awareness and avoid security pitfalls.”

Here is our response to some of the questions.

We agree with Brian: “we should not assume that Fabric networks will always be small and all users will be trusted - if there are opportunities for abuse by peers or even orderers who have been compromised, those should be closed down by design (or at least by default).” The problem is kind of analogous to the issue with strcpy(). strcpy() is a feature of C, but causes buffer overflow attacks.
Our paper shows potential attacks against some of the designs and proposes defense measures to defeat potential attacks. Most of the related statements in the Hyperledger Fabric documents Dave provided in the email were added after we reported these issues at HackerOne below. We are wondering if we contributed to the refinement of the document.

https://hackerone.com/bugs?report_id=962705&subject=hyperledger
https://hackerone.com/bugs?report_id=926222&subject=hyperledger
https://hackerone.com/bugs?report_id=951623&subject=hyperledger

We also believe that some attacks on PDC read-only transactions cannot be avoided by only following the documented guidance.
2. For the second “vulnerability” (PDC transactions are validated through the chaincode-level policy by default), under the current design, the read-only PDC transactions are always validated by the chaincode-level policy according to our source code analysis. Consequently, when users submit the PDC read-only transaction for the proof purpose, users cannot use collection-level endorsement policies to further restrict which organization peers can endorse such transactions.

We also have disagreements on other arguments and have presented our reasoning in the paper.

Thanks.

Xinwen Fu
Professor
Department of Computer Science
University of Massachusetts Lowell
http://www.cs.uml.edu/~xinwenfu/
From: Fu, Xinwen
Sent: Wednesday, March 24, 2021 11:20 PM
To: David Enyeart <enyeart@...>; Brian Behlendorf <bbehlendorf@...>
Cc: Manish Sethi1 <Manish.Sethi1@...>; security@...; Wang, Shan <Shan_Wang@...>; wangshan@...; Yue Zhang <zyueinfosec@...>
Subject: RE: Security Analysis of Private Data Collection of Hyperledger Fabric

Hi Dave and Brian,

Here is the third thread of our report to HackerOne: https://hackerone.com/bugs?report_id=951623&subject=hyperledger. I’m currently tangled with other errands. We will post our follow-up to fabric@... by this weekend.

Regards,
Xinwen Fu

From: David Enyeart <enyeart@...>
Sent: Wednesday, March 24, 2021 1:39 AM
To: Brian Behlendorf <bbehlendorf@...>
Cc: Manish Sethi1 <Manish.Sethi1@...>; security@...; Wang, Shan <Shan_Wang@...>; wangshan@...; Fu, Xinwen <Xinwen_Fu@...>; Yue Zhang <zyueinfosec@...>
Subject: RE: Security Analysis of Private Data Collection of Hyperledger Fabric

I have joined HackerOne now and added more details to the HackerOne resolutions. I agree with Brian, since the reported vulnerabilities are features rather than vulnerabilities and already described in documentation with use cases and avoidance guidance, any further discussion would be appropriate on the Fabric mailing list.

Dave Enyeart
IBM Blockchain
enyeart@...

From: Brian Behlendorf <bbehlendorf@...>
To: "Fu, Xinwen" <Xinwen_Fu@...>, David Enyeart <enyeart@...>, "Wang, Shan" <Shan_Wang@...>
Cc: "security@..." <security@...>, "wangshan@..." <wangshan@...>, Yue Zhang <zyueinfosec@...>, Manish Sethi1 <Manish.Sethi1@...>
Date: 03/24/2021 12:45 AM
Subject: [EXTERNAL] Re: Security Analysis of Private Data Collection of Hyperledger Fabric

First off, it's great news to see university research groups performing this kind of review of any Hyperledger project, and I for one am appreciative of the interest, even if the end results are educational. Thank you to Mr. Fu and the rest of the team. And thank you Dave for such a rapid and thorough response.

Jumping in for context for others on security@: I found two threads from HackerOne on these issues:

https://hackerone.com/bugs?report_id=926222&subject=hyperledger
https://hackerone.com/bugs?report_id=962705&subject=hyperledger

In both cases there were responses from Gari Singh that mostly mirrored Dave's reply, though without the fuller detail. Both ended with some remaining questions from the researchers, but there wasn't a closing follow-up. After a couple of months for the first and a couple of weeks for the second, Ry closed them as "As designed". There isn't an obligation from teams to satisfy everyone with replies, but this feels like the kind of conversation that should have been moved to a more public forum after the first replies from Gari. It's terrific that the initial reports were made privately just in case they had been serious issues, as that's proper practice, but when the conversations happen privately they can't help inform the next wave of users who believe they've found the same holes, or to address what may be gaps in documentation or even design that could be addressed.

Xinwen, would you feel comfortable posting your follow-up to Dave's points to the Fabric developer mailing list, at fabric@...? You can join at https://lists.hyperledger.org/g/fabric

Dave, would you or other Fabric maintainers engage on this topic there? I suspect at the very least this conversation would demonstrate that understanding the security issues around PDC and endorsement in general is really important, so as to avoid people using it incorrectly, or inadvertently leaving open holes. A research paper on that may be less sexy than one that achieves a CERT but it might also help advance the field anyways. What would be even more helpful would be suggested fixes or additions to the Fabric docs on the topic. I also think we should not assume that Fabric networks will always be small and all users will be trusted - if there are opportunities for abuse by peers or even orderers who have been compromised, those should be closed down by design (or at least by default).

Brian

On 3/23/21 9:07 PM, Fu, Xinwen wrote:
We have been reporting our research to Hyperledger Fabric through HackerOne since August 2020 while the reply at HackerOne was often super brief. We believe those designs in question are problematic and will provide more detailed explanation later.

Thanks.

Xinwen Fu
Professor
Department of Computer Science
University of Massachusetts Lowell
http://www.cs.uml.edu/~xinwenfu/

From: David Enyeart <enyeart@...>
Sent: Tuesday, March 23, 2021 11:37 PM
To: Wang, Shan <Shan_Wang@...>
Cc: security@...; wangshan@...; Fu, Xinwen <Xinwen_Fu@...>; Yue Zhang <zyueinfosec@...>; Manish Sethi1 <Manish.Sethi1@...>
Subject: Re: Security Analysis of Private Data Collection of Hyperledger Fabric

Hello, thank you for the submission. The reported vulnerabilities are actually not vulnerabilities however, but are working as designed. In fact, they are a critical and necessary aspect for how private data is used in many production solutions. And for use cases where the behavior is not desirable, it can be disabled and avoided through documented guidance. I will include links to the documentation that describe the appropriate use.

Dear Hyperledger Fabric,

We report some of our security analysis of the private data collections (PDC) to you and attached is a paper systematically presenting a complete security analysis. The paper will be published in July 2021 at the IEEE International Conference on Distributed Computing Systems (ICDCS). We believe we have discovered three design flaws on the private data collection in Hyperledger Fabric:

(i) PDC non-member peers can endorse PDC transactions;
(ii) PDC transactions are validated through the same endorsement policy as public data transactions;
(iii) Exposed "Payload" field in transaction proposal response.

We have discovered two classes of attacks against PDC transactions by exploiting the three design flaws:

(i) Fake PDC results injection attack: malicious peers or clients may disrupt the integrity of the ledger. They may inject a valid transaction with a fake value into the blockchain or write fake values into the PDC in the ledger's world state.
(ii) PDC leakage issues: the PDC can be revealed to PDC non-member peers and this violates the PDC design principles.

We have designed defense measures to fix the three design flaws so as to defeat the discovered attacks, and implement these defense measures by modifying the source code of Hyperledger Fabric. Our patches have minor or negligible impact on the system performance. More details are presented in the attached paper. Please let us know if you have any questions.

Best Regards,
Shan Wang, Southeast University/University of Massachusetts Lowell
Yue Zhang, Jinan University
Xinwen Fu, University of Massachusetts Lowell

(See attached file: Security Analysis of Private Data Collection of Hyperledger Fabric_report.pdf)

Brian Behlendorf
General Manager for Blockchain, Healthcare and Identity
bbehlendorf@...
Twitter: @brianbehlendorf

[attachment "Hyperledger_PDC_ICDCS2021_final.pdf" deleted by David Enyeart/Durham/IBM]
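As an added illustration of the two endorsement designs the thread argues about (this is example configuration written for this page, not from the thread or the Fabric project; the collection and organization names are assumptions), a collections config with two private data collections: the first has no `endorsementPolicy`, so writes to it are validated by the chaincode-level endorsement policy and any peer that policy accepts can endorse them, while the second sets a collection-level `endorsementPolicy` so that writes to that collection must be endorsed by a peer of a member organization.

```json
[
  {
    "name": "assetPrivateDetails_chaincodeLevelOnly",
    "policy": "OR('Org1MSP.member', 'Org2MSP.member')",
    "requiredPeerCount": 1,
    "maxPeerCount": 2,
    "blockToLive": 0,
    "memberOnlyRead": true,
    "memberOnlyWrite": true
  },
  {
    "name": "assetPrivateDetails_memberEndorsed",
    "policy": "OR('Org1MSP.member', 'Org2MSP.member')",
    "requiredPeerCount": 1,
    "maxPeerCount": 2,
    "blockToLive": 0,
    "memberOnlyRead": true,
    "memberOnlyWrite": true,
    "endorsementPolicy": {
      "signaturePolicy": "OR('Org1MSP.member', 'Org2MSP.member')"
    }
  }
]
```

The `policy` field only controls which organizations' peers store the private data; it is the separate `endorsementPolicy` that restricts who may endorse writes to the collection, and, as point 2 in the thread states, that restriction does not apply to read-only PDC transactions, which remain subject to the chaincode-level policy.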