Blockchain/ Distributed Ledger

  • 1.  CWE for Single Perspective Validation

    Posted Apr 03, 2020 10:08:00 AM
    CWE (https://cwe.mitre.org/) is the Common Weakness Enumeration list, a community developed list of software and hardware weakness types (e.g. what is a "buffer overflow" as opposed to a "buffer underflow"). 

    A common class of attack in the Blockchain space is the "Single Perspective Validation" vulnerability, specifically:

    For systems that need to retrieve a piece of data over an unencrypted/unauthenticated channel (e.g. a DNS lookup of a validation record) there is a significant weakness if the system only checks once from a single location for this data rather than checking multiple times from distributed locations.

    A basic draft of the CWE entry for this attack is available at:

    https://docs.google.com/document/d/1ntVHuprosF15UdDU7EOjm6Kfq2NXB-IATuhFP0a7NZY/edit

    Please feel free to leave comments/suggestions. The plan is to submit this to the CWE list for inclusion in the CWE database on Tuesday April 14, 2020.

    ------------------------------
    Kurt Seifried
    Chief Blockchain Officer and Director of Special Projects
    Cloud Security Alliance
    [email protected]
    ------------------------------


  • 2.  RE: CWE for Single Perspective Validation

    Posted Apr 06, 2020 08:52:00 AM

    Kurt, thanks for sharing this.

    Bill

     

     

    Bill Izzo

    Director, Security Technology Team

    Senior Security Architect

    Security Architecture and Technology, Technology Risk Management

    DTCC Tampa

    Direct: +1 813-470-2962 | [email protected]

     

    image002.jpg@01CE137F.8FBC4DE0

     

    Visit us at www.dtcc.com or follow us on Twitter @The_DTCC  and on LinkedIn.

    To learn about career opportunities at DTCC, please visit dtcc.com/careers.

     

     

    DTCC Public (White)






  • 3.  RE: CWE for Single Perspective Validation

    Posted Jul 03, 2020 01:48:00 PM

    Hi Kurt,

    I believe you might be wrongly classifying or misunderstanding a risk associated with the ecosystem around blockchain technology and not blockchain technology itself. 

    First: It is incorrect to say "A common class of attack in the Blockchain space is the 'Single Perspective Validation' vulnerability". The concept of "Attack" involves taking advantage of a vulnerability through an action or a virtual artifact such as an exploit. 

    Second: Blockchain Technology by itself doesn't suffer of what you call erroneously "Single Perspective Validation". By design blockchain technology is not bound to a single perspective at all and that is the beauty of blockchain technology and the benefit of using distributed consensus protocols.

    Finally; DLT technology operates within a specific trust layer, when a component of this layer (e.g. EVM) requires data that source is outside of its trust boundary it has either; to implicitly trust the external source of the data or verify the truth of the external data each time. Since most blockchain technologies like Ethereum run Turing complete code within a sandbox that has no connection to outside realm  - precisely to preserve this trust boundary and the finality of the consensus - it can not directly verify the truth of the external data pushed into the trusted layer each time, instead operator(s) has to certify trust in an external entity to verify the data that is being pushed into the trust boundary of the DLT layer and that is why Distributed Oracle Networks exist. Now, it is up to the network participants to also either trust or not the external oracle the operator(s) decided to certify. If the trust is not agreed on then this becomes a "Trust Boundary Violation" and it already exists in CWE database. 




    ------------------------------
    Chaddy Huussin Principal Blockchain Security Architect
    ------------------------------



  • 4.  RE: CWE for Single Perspective Validation

    Posted Jul 06, 2020 11:30:00 AM
    So yes and no. This flaw is not specific to Blockchain technology, but it is commonly a problem with Blockchain systems. One challenge of Blockchain is that you have an agreed view of reality (the data in the Blockchain). but this is rarely enough data to make various decisions (for people or smart contracts), and obviously when interacting with external systems, by definition, the use of an external Oracle is required. 

    So this would qualify as a common class of attack, you can view the data for this in the Incidents CSV (https://github.com/cloudsecurityalliance/DLT-Security-Framework/blob/master/DLT-Security-Incidents.csv) it happens more than it should. As such there are several strategies to improve the "truthiness" of the data that can be employed, so there is value in classifying this attack, and there are ways to minimize the risk or completely remove it.

    ------------------------------
    Kurt Seifried
    Chief Blockchain Officer and Director of Special Projects
    Cloud Security Alliance
    [email protected]
    ------------------------------



  • 5.  RE: CWE for Single Perspective Validation

    Posted Jul 06, 2020 04:22:00 PM

    The issue of external data for Blockchain is in fact a valid security issue for Blockchain, mainly from the data authenticity and data availability perspectives. Public chain projects such as MarkerDAO has experienced this kind of problem due to data availability (congestion in the Etherium network). Projects such as Chainlink has done some research to solve this problem by leveraging multiple sources of data providers. They had some design in the economic model to encourage data authenticity and punish fake data providers. Using TEE such as Intel SGX as data source are also discussed and have been under active research by a few startups. In a permissioned blockchain, this issue could be resolved by enforcing digital signature from data providers and build redundancy to avoid a single point of failure.  



    ------------------------------
    Ken Huang , Chair, Blockchain Security Working Group, CSA GC
    ------------------------------



  • 6.  RE: CWE for Single Perspective Validation

    Posted Jul 06, 2020 07:07:00 PM
    Edited by Chaddy Huussin Jul 06, 2020 07:10:16 PM

    Ken, when we talk of Blockchain Oracles we implicitly refer to Ledger Technologies that either support Turing complete execution logic (e.g. Ethereum) or the base protocol depends on primitives outside the native consensus layer. Let us take the case of Ethereum; Using a Secure Distributed Oracle with Ethereum (Enterprise or Public) to introduce data into the ledger trust layer is a way of extending the usability of the platform and not an explicit need for using the platform. Oracles trust, correctness and finality is an external problem to the ledger and not of the ledger itself and it will never be (its like comparing XSS to the old ugly SQLi - two different problems. 

    That said, what i am debating here is;
    1) The problem is not with the ledger technology itself, but how data with different trust is introduced into the ledger trust layer and to what degree this data is trusted by the user of the ledger.
    2) Single Perspective Validation as security concept does not capture the correct nature of the problem faced when two data with different trust are mixed, instead this problem is well known and is categorized under "Trust Boundary Violation".



    ------------------------------
    Chaddy Huussin Principal Blockchain Security Architect
    ------------------------------



  • 7.  RE: CWE for Single Perspective Validation

    Posted Jul 13, 2020 11:52:00 AM
    So one comment, in my CWE proposal the word "blockchain" or "dlt" is actually never used (https://docs.google.com/document/d/1ntVHuprosF15UdDU7EOjm6Kfq2NXB-IATuhFP0a7NZY/edit). The reason for this is because it's a generic problem, not blockchain specific. Blockchain/DLT implementations have clearly made this mistake (several examples are in the incidents file), hence raising discussion here as well.

    ------------------------------
    Kurt Seifried
    Chief Blockchain Officer and Director of Special Projects
    Cloud Security Alliance
    [email protected]
    ------------------------------