public inbox for bitcoindev@googlegroups.com
From: Peter Todd <pete@petertodd•org>
To: Mike Hearn <mike@plan99•net>
Cc: Bitcoin Dev <bitcoin-development@lists•sourceforge.net>
Subject: Re: [Bitcoin-development] Bitcoin Core trial balloon: splitting blockchain engine and wallet
Date: Fri, 21 Feb 2014 06:06:02 -0500	[thread overview]
Message-ID: <20140221110602.GA29940@savin> (raw)
In-Reply-To: <CANEZrP3x368f66LyZr_Kfp=4JULqxUn_6eDCEzc_ALe20xZYJQ@mail.gmail.com>

On Fri, Feb 21, 2014 at 04:11:06PM +0530, Mike Hearn wrote:
> On Fri, Feb 21, 2014 at 12:20 PM, Jeff Garzik <jgarzik@bitpay•com> wrote:
> 
> > RE "doesn't buy you anything"   Today, when unlocked, plaintext
> > private keys reside in the same address space as the blockchain engine
> > (BCE).  Process separation increases the difficulty of accessing key
> > data from the BCE, even presuming a normal, no-chroot, same-uid,
> > parent-child process relationship.  The attack surface is clearly
> > changed from "one buffer overflow can touch this data."
> >
> > Regardless, the split makes sense given existing modularity and coding
> > directions.  I wouldn't micro-focus on the "sandbox" word.
>
> I'm not sure it does really - typical C/C++ exploits let you run arbitrary
> code, at which point you can quite easily ptrace the other process and do
> whatever you want with it, or read /proc/pid/mem etc. But process
> separation is certainly a prerequisite for sandboxing so I'm not arguing
> against such a change, just pointing out that it requires some work to
> really get the benefits. Also an SPV Bitcoin Core would obviously be of
> tremendous utility all by itself ...

The seccomp mechanism would work well here - it's a syscall whitelister,
which makes ptrace useless, among other things. Used by Chrome as of v23
to sandbox the renderers.

We'd probably need to use it with chroot and whitelist the open() call
so that the existing code can create new blockfiles and do whatever
leveldb does.

-- 
'peter'[:-1]@petertodd.org
000000000000000112c53364597954e79cc38f1ba7826a6420ad22a6f3be2932

Thread overview: 13+ messages
2014-02-21  6:09 Jeff Garzik
2014-02-21  6:27 ` Mike Hearn
     [not found]   ` <CA+s+GJCRqqmoHkmsq+6x9Wm6btKzdXoPjw5Af8zRDEkDE+6+zw@mail.gmail.com>
2014-02-21  6:43     ` [Bitcoin-development] Fwd: " Wladimir
2014-02-21  6:50       ` William Yager
2014-02-21  6:54         ` Wladimir
2014-02-22  1:09       ` Dustin D. Trammell
2014-02-22  6:53         ` Wladimir
2014-02-24 22:16           ` James Hartig
2014-02-21  6:50   ` [Bitcoin-development] " Jeff Garzik
2014-02-21 10:41     ` Mike Hearn
2014-02-21 11:06       ` Peter Todd [this message]
2014-02-22  1:04 ` Dustin D. Trammell
2014-02-22  2:08   ` Jeff Garzik