You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

217 lines
11 KiB

  1. *** This is the beginning of an unfinished draft. Don't continue reading! ***
  2. # Lightclient Attackers Isolation
  3. Adversarial nodes may have the incentive to lie to a lightclient about the state of a Tendermint blockchain. An attempt to do so is called attack. Light client [verification][verification] checks incoming data by checking a so-called "commit", which is a forwarded set of signed messages that is (supposedly) produced during executing Tendermint consensus. Thus, an attack boils down to creating and signing Tendermint consensus messages in deviation from the Tendermint consensus algorithm rules.
  4. As Tendermint consensus and light client verification is safe under the assumption of more than 2/3 of correct voting power per block [[TMBC-FM-2THIRDS]][TMBC-FM-2THIRDS-link], this implies that if there was an attack then [[TMBC-FM-2THIRDS]][TMBC-FM-2THIRDS-link] was violated, that is, there is a block such that
  5. - validators deviated from the protocol, and
  6. - these validators represent more than 1/3 of the voting power in that block.
  7. In the case of an [attack][node-based-attack-characterization], the lightclient [attack detection mechanism][detection] computes data, so called evidence [[LC-DATA-EVIDENCE.1]][LC-DATA-EVIDENCE-link], that can be used
  8. - to proof that there has been attack [[TMBC-LC-EVIDENCE-DATA.1]][TMBC-LC-EVIDENCE-DATA-link] and
  9. - as basis to find the actual nodes that deviated from the Tendermint protocol.
  10. This specification considers how a full node in a Tendermint blockchain can isolate a set of attackers that launched the attack. The set should satisfy
  11. - the set does not contain a correct validator
  12. - the set contains validators that represent more than 1/3 of the voting power of a block that is still within the unbonding period
  13. # Outline
  14. **TODO** when preparing a version for broader review.
  15. # Part I - Basics
  16. For definitions of data structures used here, in particular LightBlocks [[LCV-DATA-LIGHTBLOCK.1]](https://github.com/tendermint/spec/blob/master/rust-spec/lightclient/verification/verification_002_draft.md#lcv-data-lightblock1), cf. [Light Client Verification][verification].
  17. # Part II - Definition of the Problem
  18. The specification of the [detection mechanism][detection] describes
  19. - what is a light client attack,
  20. - conditions under which the detector will detect a light client attack,
  21. - and the format of the output data, called evidence, in the case an attack is detected. The format is defined in
  22. [[LC-DATA-EVIDENCE.1]][LC-DATA-EVIDENCE-link] and looks as follows
  23. ```go
  24. type LightClientAttackEvidence struct {
  25. ConflictingBlock LightBlock
  26. CommonHeight int64
  27. }
  28. ```
  29. The isolator is a function that gets as input evidence `ev`
  30. and a prefix of the blockchain `bc` at least up to height `ev.ConflictingBlock.Header.Height + 1`. The output is a set of *peerIDs* of validators.
  31. We assume that the full node is synchronized with the blockchain and has reached the height `ev.ConflictingBlock.Header.Height + 1`.
  32. #### **[FN-INV-Output.1]**
  33. When an output is generated it satisfies the following properties:
  34. - If
  35. - `bc[CommonHeight].bfttime` is within the unbonding period w.r.t. the time at the full node,
  36. - `ev.ConflictingBlock.Header != bc[ev.ConflictingBlock.Header.Height]`
  37. - Validators in `ev.ConflictingBlock.Commit` represent more than 1/3 of the voting power in `bc[ev.CommonHeight].NextValidators`
  38. - Then: A set of validators in `bc[CommonHeight].NextValidators` that
  39. - represent more than 1/3 of the voting power in `bc[ev.commonHeight].NextValidators`
  40. - signed Tendermint consensus messages for height `ev.ConflictingBlock.Header.Height` by violating the Tendermint consensus protocol.
  41. - Else: the empty set.
  42. # Part IV - Protocol
  43. Here we discuss how to solve the problem of isolating misbehaving processes. We describe the function `isolateMisbehavingProcesses` as well as all the helping functions below. In [Part V](#part-v---Completeness), we discuss why the solution is complete based on result from analysis with automated tools.
  44. ## Isolation
  45. ### Outline
  46. > Describe solution (in English), decomposition into functions, where communication to other components happens.
  47. #### **[LCAI-FUNC-MAIN.1]**
  48. ```go
  49. func isolateMisbehavingProcesses(ev LightClientAttackEvidence, bc Blockchain) []ValidatorAddress {
  50. reference := bc[ev.conflictingBlock.Header.Height].Header
  51. ev_header := ev.conflictingBlock.Header
  52. ref_commit := bc[ev.conflictingBlock.Header.Height + 1].Header.LastCommit // + 1 !!
  53. ev_commit := ev.conflictingBlock.Commit
  54. if violatesTMValidity(reference, ev_header) {
  55. // lunatic light client attack
  56. signatories := Signers(ev.ConflictingBlock.Commit)
  57. bonded_vals := Addresses(bc[ev.CommonHeight].NextValidators)
  58. return intersection(signatories,bonded_vals)
  59. }
  60. // If this point is reached the validator sets in reference and ev_header are identical
  61. else if RoundOf(ref_commit) == RoundOf(ev_commit) {
  62. // equivocation light client attack
  63. return intersection(Signers(ref_commit), Signers(ev_commit))
  64. }
  65. else {
  66. // amnesia light client attack
  67. return IsolateAmnesiaAttacker(ev, bc)
  68. }
  69. }
  70. ```
  71. - Implementation comment
  72. - If the full node has only reached height `ev.conflictingBlock.Header.Height` then `bc[ev.conflictingBlock.Header.Height + 1].Header.LastCommit` refers to the locally stored commit for this height. (This commit must be present by the precondition on `length(bc)`.)
  73. - We check in the precondition that the unbonding period is not expired. However, since time moves on, before handing the validators over Cosmos SDK, the time needs to be checked again to satisfy the contract which requires that only bonded validators are reported. This passing of validators to the SDK is out of scope of this specification.
  74. - Expected precondition
  75. - `length(bc) >= ev.conflictingBlock.Header.Height`
  76. - `ValidAndVerifiedUnbonding(bc[ev.CommonHeight], ev.ConflictingBlock) == SUCCESS`
  77. - `ev.ConflictingBlock.Header != bc[ev.ConflictingBlock.Header.Height]`
  78. - TODO: input light blocks pass basic validation
  79. - Expected postcondition
  80. - [[FN-INV-Output.1]](#FN-INV-Output1) holds
  81. - Error condition
  82. - returns an error if precondition is violated.
  83. ### Details of the Functions
  84. #### **[LCAI-FUNC-VVU.1]**
  85. ```go
  86. func ValidAndVerifiedUnbonding(trusted LightBlock, untrusted LightBlock) Result
  87. ```
  88. - Conditions are identical to [[LCV-FUNC-VALID.2]][LCV-FUNC-VALID.link] except the precondition "*trusted.Header.Time > now - trustingPeriod*" is substituted with
  89. - `trusted.Header.Time > now - UnbondingPeriod`
  90. #### **[LCAI-FUNC-NONVALID.1]**
  91. ```go
  92. func violatesTMValidity(ref Header, ev Header) boolean
  93. ```
  94. - Implementation remarks
  95. - checks whether the evidence header `ev` violates the validity property of Tendermint Consensus, by checking agains a reference header
  96. - Expected precondition
  97. - `ref.Height == ev.Height`
  98. - Expected postcondition
  99. - returns evaluation of the following disjunction
  100. **[[LCAI-NONVALID-OUTPUT.1]]** ==
  101. `ref.ValidatorsHash != ev.ValidatorsHash` or
  102. `ref.NextValidatorsHash != ev.NextValidatorsHash` or
  103. `ref.ConsensusHash != ev.ConsensusHash` or
  104. `ref.AppHash != ev.AppHash` or
  105. `ref.LastResultsHash != ev.LastResultsHash`
  106. ```go
  107. func IsolateAmnesiaAttacker(ev LightClientAttackEvidence, bc Blockchain) []ValidatorAddress
  108. ```
  109. - Implementation remarks
  110. **TODO:** What should we do here? Refer to the accountability doc?
  111. - Expected postcondition
  112. **TODO:** What should we do here? Refer to the accountability doc?
  113. ```go
  114. func RoundOf(commit Commit) []ValidatorAddress
  115. ```
  116. - Expected precondition
  117. - `commit` is well-formed. In particular all votes are from the same round `r`.
  118. - Expected postcondition
  119. - returns round `r` that is encoded in all the votes of the commit
  120. ```go
  121. func Signers(commit Commit) []ValidatorAddress
  122. ```
  123. - Expected postcondition
  124. - returns all validator addresses in `commit`
  125. ```go
  126. func Addresses(vals Validator[]) ValidatorAddress[]
  127. ```
  128. - Expected postcondition
  129. - returns all validator addresses in `vals`
  130. # Part V - Completeness
  131. As discussed in the beginning of this document, an attack boils down to creating and signing Tendermint consensus messages in deviation from the Tendermint consensus algorithm rules.
  132. The main function `isolateMisbehavingProcesses` distinguishes three kinds of wrongly signing messages, namely,
  133. - lunatic: signing invalid blocks
  134. - equivocation: double-signing valid blocks in the same consensus round
  135. - amnesia: signing conflicting blocks in different consensus rounds, without having seen a quorum of messages that would have allowed to do so.
  136. The question is whether this captures all attacks.
  137. First observe that the first checking in `isolateMisbehavingProcesses` is `violatesTMValidity`. It takes care of lunatic attacks. If this check passes, that is, if `violatesTMValidity` returns `FALSE` this means that [FN-NONVALID-OUTPUT] evaluates to false, which implies that `ref.ValidatorsHash = ev.ValidatorsHash`. Hence after `violatesTMValidity`, all the involved validators are the ones from the blockchain. It is thus sufficient to analyze one instance of Tendermint consensus with a fixed group membership (set of validators). Also it is sufficient to consider two different valid consensus values, that is, binary consensus.
  138. **TODO** we have analyzed Tendermint consensus with TLA+ and have accompanied Galois in an independent study of the protocol based on [Ivy proofs](https://github.com/tendermint/spec/tree/master/ivy-proofs).
  139. # References
  140. [[supervisor]] The specification of the light client supervisor.
  141. [[verification]] The specification of the light client verification protocol
  142. [[detection]] The specification of the light client attack detection mechanism.
  143. [supervisor]:
  144. https://github.com/tendermint/spec/blob/master/rust-spec/lightclient/supervisor/supervisor_001_draft.md
  145. [verification]: https://github.com/tendermint/spec/blob/master/rust-spec/lightclient/verification/verification_002_draft.md
  146. [detection]:
  147. https://github.com/tendermint/spec/blob/master/rust-spec/lightclient/detection/detection_003_reviewed.md
  148. [LC-DATA-EVIDENCE-link]:
  149. https://github.com/tendermint/spec/blob/master/rust-spec/lightclient/detection/detection_003_reviewed.md#lc-data-evidence1
  150. [TMBC-LC-EVIDENCE-DATA-link]:
  151. https://github.com/tendermint/spec/blob/master/rust-spec/lightclient/detection/detection_003_reviewed.md#tmbc-lc-evidence-data1
  152. [node-based-attack-characterization]:
  153. https://github.com/tendermint/spec/blob/master/rust-spec/lightclient/detection/detection_003_reviewed.md#node-based-characterization-of-attacks
  154. [TMBC-FM-2THIRDS-link]: https://github.com/tendermint/spec/blob/master/rust-spec/lightclient/verification/verification_002_draft.md#tmbc-fm-2thirds1
  155. [LCV-FUNC-VALID.link]: https://github.com/tendermint/spec/blob/master/rust-spec/lightclient/verification/verification_002_draft.md#lcv-func-valid2