Attack & Countermeasure: Malicious modification of binary during build process

[kristovatlas]

The attacker can target either the wallet provider or a user building the binary to include malicious logic. Unless the build process is deterministic, the user will be unable to produce a binary that is identical to the wallet provider's supplied binary.

Countermeasure: Utilize and publish instructions for using a deterministic build process, such as Gitian.

Wallets that currently include this: Bitcoin-Qt

[JeremyRand]

Armory is working on reproducible builds, and they're pretty close to having it working for the Linux releases, I think. @josephbisch is handling that effort for Armory. I'm unaware of any other wallets that are spending effort on this at the moment.

[josephbisch]

I have a question to ask on my own behalf.

How will the degree to which a particular Bitcoin wallet builds from source be measured? What happens if one wallet provider decides to build reproducibly using the Python binary downloaded from python.org and another wallet provider decides to build Python from source? While there are certain pieces of software that are not themselves reproducible at this time, and therefore, need to be trusted (the Linux distro, compiler, etc.), using the Python binary introduces another possible source of compromise in the build process.

I'm not sure how to measure this. Should the size of the dependency factor into the score? How should it be determined what is okay to not build from source? The Linux distro's default/base packages should be considered okay (because builders can't be expected to compile an entire distro from source). Bitcoin Core has set the precedent of using the automake and pkg-config (among other packages) from the distro's repositories. So do you just say that if Bitcoin Core doesn't build some dependency from source, then it is okay for everyone to not build that dependency from source?

I think reproducible builds are complex and quantifying them by simply checking whether the build produces identical hashes across multiple builds isn't going to be enough to distinguish between those wallet providers that took the time to ensure that all reasonable dependencies are built from source and those providers that just built the bare minimum and used binaries elsewhere.

[kristovatlas]

duplicate of #63 and existing countermeasures for reproducible builds

[kristovatlas]

Could add another countermeasure for attack: "Hide adverse privacy behavior from users by distributing binary versions of the wallet whose behavior differes from versions compiled from the public source code"

it would be: "Publish instructions for reproducing build."

[kristovatlas]

No new countermeasures here, actually. Possible criteria: # clicks to get to reproducible build instructions.

[kristovatlas]

@josephbisch: Good questions, but I don't think there's any real demand to go into this level of detail at present; there are very few clients that are even vaguely reproducible.

I'm going to leave this open, but it will be pushed to the next version of the threat model for further consideration of these details.