Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: create foundation for fraudulent block production #1992

Merged
merged 10 commits into from
Jun 28, 2023

Conversation

evan-forbes
Copy link
Member

Overview

creates a malicious package that allows for minimal changes to the rest of the application while also keeping the malicious portion of the code as separate as possible as to not accidentally trigger the malicious logic.

part of #1953

Checklist

  • New and updated code has appropriate documentation
  • New and updated code has new and/or updated testing
  • Required CI checks are passing
  • Visual proof for any user facing features like CLI or documentation updates
  • Linked issues closed with keywords

@evan-forbes evan-forbes requested a review from staheri14 June 27, 2023 04:59
@evan-forbes evan-forbes self-assigned this Jun 27, 2023
@MSevey MSevey requested a review from a team June 27, 2023 05:00
@evan-forbes evan-forbes changed the base branch from main to evan/refactor-testnode-appcreator June 27, 2023 05:00
ErrInvalidNodeNamespaceOrder = errors.New("invalid NMT node namespace order")
)

type Hasher struct {
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

had to copy paste fork this from nmt in order to remove all of the protections against leafs that are out of order

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As a note, it seems outside the scope of a hasher to have all these protections in place. That feels like it belongs to the jurisdiction of the tree itself

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As a note, it seems outside the scope of a hasher to have all these protections in place. That feels like it belongs to the jurisdiction of the tree itself

Just a note on this, there are two hashers: one is the base hasher e.g., sha256, and one is the nmt hasher, or the namespace hasher, that utilizes the base hasher. The latter actually is aware of the format of the leaves and the nodes i.e., their min and max namespace, their ordering. Due to this, all the functions associated with the namespace hasher validate the format of inputs accordingly. However, the former, i.e., the basehasher, is completely unaware and is only responsible for the digest calculation. I am not sure, but I think you might be referring to the base-hasher, which, as you suggested, should be and is clueless about the namespace-related logic.

Comment on lines +32 to +33
func NewAppServer(logger log.Logger, db dbm.DB, traceStore io.Writer, appOpts servertypes.AppOptions) servertypes.Application {
var cache sdk.MultiStorePersistentCache
Copy link
Member Author

@evan-forbes evan-forbes Jun 27, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this function allows us to use the existing infrastructure (testnode, and even the create a new binary if need be), all while keeping the malicious code separate. Meaning, as long as we're using the normal application, we can't accidentally trigger the malicious logic.

Comment on lines 39 to 55
// NewTree creates a new rsmt2d.Tree using the malicious
// wrapper.ErasuredNamespacedMerkleTree with predefined square size and
// nmt.Options.
func (c constructor) NewTree(_ rsmt2d.Axis, axisIndex uint) rsmt2d.Tree {
hasher := NewBlindHasher(appconsts.NewBaseHashFunc(), appconsts.NamespaceSize, true)
opts := []nmt.Option{
nmt.CustomHasher(hasher),
nmt.NamespaceIDSize(appconsts.NamespaceSize),
nmt.IgnoreMaxNamespace(true),
}
c.opts = append(c.opts, opts...)
nmtTree := nmt.New(appconsts.NewBaseHashFunc(), opts...)
maliciousTree := &BlindTree{nmtTree}
newTree := wrapper.NewErasuredNamespacedMerkleTree(c.squareSize, axisIndex, c.opts...)
newTree.SetTree(maliciousTree)
return &newTree
}
Copy link
Member Author

@evan-forbes evan-forbes Jun 27, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

apologies, I hate this too... we're wrapping the nmt wrapper to overwrite the push method and use our own malicious hasher

we can use this to commit to rows and cols that are out of lexicographical order

@codecov-commenter
Copy link

codecov-commenter commented Jun 27, 2023

Codecov Report

Merging #1992 (a02c6e9) into main (ce0be95) will increase coverage by 0.54%.
The diff coverage is 36.77%.

❗ Current head a02c6e9 differs from pull request most recent head f4f88db. Consider uploading reports for the commit f4f88db to get more accurate results

@@            Coverage Diff             @@
##             main    #1992      +/-   ##
==========================================
+ Coverage   21.54%   22.08%   +0.54%     
==========================================
  Files         126      130       +4     
  Lines       14283    14479     +196     
==========================================
+ Hits         3077     3198     +121     
- Misses      10913    10981      +68     
- Partials      293      300       +7     
Impacted Files Coverage Δ
pkg/wrapper/nmt_wrapper.go 80.00% <0.00%> (-3.34%) ⬇️
test/util/testnode/config.go 0.00% <0.00%> (ø)
test/util/testnode/full_node.go 0.00% <0.00%> (ø)
test/util/testnode/node_interaction_api.go 0.00% <0.00%> (ø)
x/qgb/client/verify.go 0.00% <0.00%> (ø)
test/util/malicious/hasher.go 51.37% <51.37%> (ø)
test/util/malicious/test_app.go 62.22% <62.22%> (ø)
test/util/malicious/app.go 85.00% <85.00%> (ø)
test/util/malicious/tree.go 100.00% <100.00%> (ø)

cmwaters
cmwaters previously approved these changes Jun 27, 2023
Copy link
Contributor

@cmwaters cmwaters left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This seems all good to me.

From a high level architecture perspective I see a bit of an anti-pattern here. For me, rsmt2d should just be a eds package within core-app. I don't know who else would want to use it and I'm not sure we should really look to cater to them over serving something purpose built for the celestia network. nmt is different because it's more self standing as it's own system whereas rsmt2d is kind glue between nmt, the square package and an erasure coding library. The fact that we have this wrapper package is a bit of a giveaway.

I would also prefer a design that has greater separation between the extended data square and the nmt that is built on top of this.

I've heard prior conversations about extracting out shares, square, blobs and eds into their own repo. This is something we could look to do

go.mod Outdated
@@ -3,7 +3,7 @@ module github.com/celestiaorg/celestia-app
go 1.20

require (
github.com/celestiaorg/nmt v0.16.0
github.com/celestiaorg/nmt v0.16.1-0.20230626222946-6dc07a6c7a35 // v0.16.0
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

since upgraded to v0.17.0

ErrInvalidNodeNamespaceOrder = errors.New("invalid NMT node namespace order")
)

type Hasher struct {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As a note, it seems outside the scope of a hasher to have all these protections in place. That feels like it belongs to the jurisdiction of the tree itself

@@ -0,0 +1,67 @@
package malicious
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: I'd prefer to call this package faulty for capturing general faulty behaviour but YMMV

@MSevey MSevey requested a review from a team June 27, 2023 12:38
rootulp
rootulp previously approved these changes Jun 27, 2023
Copy link
Collaborator

@rootulp rootulp left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overall LGTM

go.mod Outdated
@@ -27,7 +27,7 @@ require (
require (
cosmossdk.io/errors v1.0.0-beta.7
cosmossdk.io/math v1.0.0-rc.0
github.com/celestiaorg/rsmt2d v0.9.0
github.com/celestiaorg/rsmt2d v0.9.1-0.20230623202902-25e11e517e4c
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[optional] should we cut an rsmt2d release so that this line can depend on an official release?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

whoops, this doesn't actually require any changes to rsmt2d, this was just the recent codec changes, which we probably won't have to use

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

test/util/malicious/app.go Outdated Show resolved Hide resolved
test/util/malicious/app.go Outdated Show resolved Hide resolved
test/util/malicious/app_test.go Outdated Show resolved Hide resolved
test/util/malicious/app_test.go Outdated Show resolved Hide resolved
test/util/malicious/hasher.go Outdated Show resolved Hide resolved
test/util/malicious/hasher.go Outdated Show resolved Hide resolved
test/util/malicious/hasher.go Outdated Show resolved Hide resolved
Comment on lines +70 to +73
// Write writes the namespaced data to be hashed.
//
// Requires data of fixed size to match leaf or inner NMT nodes. Only a single
// write is allowed.
// It panics if more than one single write is attempted.
// If the data does not match the format of an NMT non-leaf node or leaf node, an error will be returned.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[no change needed] maintainers should consider enabling a linter that auto wraps comment length

staheri14
staheri14 previously approved these changes Jun 27, 2023
Copy link
Collaborator

@staheri14 staheri14 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

test/util/malicious/hasher.go Show resolved Hide resolved
test/util/malicious/hasher.go Show resolved Hide resolved
test/util/malicious/hasher.go Show resolved Hide resolved
test/util/malicious/hasher.go Show resolved Hide resolved
ErrInvalidNodeNamespaceOrder = errors.New("invalid NMT node namespace order")
)

type Hasher struct {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As a note, it seems outside the scope of a hasher to have all these protections in place. That feels like it belongs to the jurisdiction of the tree itself

Just a note on this, there are two hashers: one is the base hasher e.g., sha256, and one is the nmt hasher, or the namespace hasher, that utilizes the base hasher. The latter actually is aware of the format of the leaves and the nodes i.e., their min and max namespace, their ordering. Due to this, all the functions associated with the namespace hasher validate the format of inputs accordingly. However, the former, i.e., the basehasher, is completely unaware and is only responsible for the digest calculation. I am not sure, but I think you might be referring to the base-hasher, which, as you suggested, should be and is clueless about the namespace-related logic.

Base automatically changed from evan/refactor-testnode-appcreator to main June 27, 2023 20:26
@evan-forbes evan-forbes dismissed stale reviews from staheri14, rootulp, and cmwaters June 27, 2023 20:26

The base branch was changed.

@MSevey MSevey requested a review from a team June 27, 2023 20:50
staheri14
staheri14 previously approved these changes Jun 27, 2023
@MSevey MSevey requested a review from a team June 27, 2023 20:59
@evan-forbes
Copy link
Member Author

evan-forbes commented Jun 27, 2023

Screenshot from 2023-06-27 16-04-08
sorry for the force push, I had to rebase to stop github from showing the diff from #1991 along with this one 😑

@evan-forbes
Copy link
Member Author

cc @cmwaters

From a high level architecture perspective I see a bit of an anti-pattern here. For me, rsmt2d should just be a eds package within core-app.

I agree completely! imo there are many potential ways we can organize or use the eds (one experiment from forever ago celestiaorg/rsmt2d#9 (comment)). wrapping and embedding all these different types and nmt.Visitor funcs feels kind of insane

ref celestiaorg/rsmt2d#10

@evan-forbes evan-forbes enabled auto-merge (squash) June 27, 2023 21:28
Copy link
Collaborator

@staheri14 staheri14 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

:shipit:

@evan-forbes evan-forbes merged commit 3aa3c09 into main Jun 28, 2023
@evan-forbes evan-forbes deleted the evan/bad-blocks branch June 28, 2023 13:36
evan-forbes added a commit that referenced this pull request Jul 3, 2023
## Overview

creates a malicious package that allows for minimal changes to the rest
of the application while also keeping the malicious portion of the code
as separate as possible as to not accidentally trigger the malicious
logic.

part of #1953

## Checklist

- [x] New and updated code has appropriate documentation
- [x] New and updated code has new and/or updated testing
- [x] Required CI checks are passing
- [x] Visual proof for any user facing features like CLI or
documentation updates
- [ ] Linked issues closed with keywords

---------

Co-authored-by: Rootul P <[email protected]>
evan-forbes added a commit that referenced this pull request Jul 3, 2023
## Overview

creates a malicious package that allows for minimal changes to the rest
of the application while also keeping the malicious portion of the code
as separate as possible as to not accidentally trigger the malicious
logic.

part of #1953

## Checklist

- [x] New and updated code has appropriate documentation
- [x] New and updated code has new and/or updated testing
- [x] Required CI checks are passing
- [x] Visual proof for any user facing features like CLI or
documentation updates
- [ ] Linked issues closed with keywords

---------

Co-authored-by: Rootul P <[email protected]>
evan-forbes added a commit that referenced this pull request Jul 6, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants