Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

WIP: Validate before dedup #3450

Closed
wants to merge 12 commits into from
Closed

WIP: Validate before dedup #3450

wants to merge 12 commits into from

Conversation

Impala123
Copy link
Contributor

Description

Reorder the layers to do validate / decrypt before dedup.

Motivation and Context

With the current order of layers, a malicious node could tamper with a message which would then be discarded by the validation layer. However the dedup cache currently stores this before it is discarded by validate. Thus any un-tampered version of the same message would no longer be processed.

How Has This Been Tested?

WIP, compiles but test fails, presumably because of the mockup message being invalid

@sdbondi
Copy link
Member

sdbondi commented Oct 14, 2021
edited
Loading

Nice - looking good. I've tested with the memorynet example (cargo run --example memorynet --release) and all looks like it's working.

There are two more items to call this done (they can go in a subsequent PR if preferred):

  • A failing test for the original issue. I would look to write this as a DHT crate integration test here comms/dht/tests/dht.rs with this scenario
create valid message `m1`
`NodeA` sends `m1'` to `NodeB` where `m1'` has an invalid DHT header but with same origin mac/identical body (not even sure if this is possible - maybe clearing/changing the ephemeral_pubkey field would do it)
`NodeA` sends `m1` to `NodeB`
assert that `NodeB` has received `m1` (i.e. has not deduped it)
  • include the origin_mac field in the hash_inbound_message hash - this is so a malicious peer cannot craft an faux-encrypted message that passes validation and enters dedup cache but has the same body as the message meant for that peer, causing the peer to dedup the subsequent original message.

@sdbondi sdbondi mentioned this pull request Oct 18, 2021
Merged
aviator-app bot pushed a commit that referenced this pull request Oct 18, 2021
@sdbondi
fix: validate dht header before dedup cache (#3468)
81f01d2 
Description
---
- reorders the DHT messaging layers to validate the message before entering the dedup store.
- adds the origin_mac to the dedup hash

This PR was written by @Impala123, I finished off a rust integration test 

Motivation and Context
---

From original PR: #3450 

> With the current order of layers, a malicious node could tamper with a message which would then be discarded by the 
> validation layer. However the dedup cache currently stores this before it is discarded by validate. Thus any un-tampered 
> version of the same message would no longer be processed.

A valid origin mac means the message comes from the possessor of the private key and has not been altered.
The valid origin mac bytes are included in the dedup hash preimage so that the origin of the message (if any) is tied to
the dedup entry. Previously, an attacker could craft a message `A'` that had no/different valid origin MAC but the same body and cause a subsequent message `A` to not to be discarded as a duplicate.

How Has This Been Tested?
---
Rust integration test
memorynet
@Impala123 Impala123 closed this Oct 19, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@Impala123 @sdbondi