[Mega tracking] - Audit Resolutions

[terencechain]

Opening this mega tracking issue to track the overall resolution progresses of the latest Quantstamp Audit report. For all medium & above risk issues. Each issue will have its own tracking issue. For the rest of the issues (e.g. low risk, informational, undetermined). The tracking issues will be grouped by component, and consolidated under one tracking issue under that component.

🥇Medium and above risk issues

• [x] QSP-4 Insecure gRPC connection by default (rpc service #6428)
• [x] QSP-6 Use of pseudo random number generator where true random number generator would be needed (sync service), use crypto/rand instead of math/rand (sync service) #6401
• [x] QSP-7 Second pre-image attack on Merkle Trees (will be complete once we deprecate custom HTR and instead use fastssz codegen) #7115
• [x] QSP-10 Possible loss of data integrity (state trie mgmt) #6350
• [x] QSP-11 Checks before the lock (state trie mgmt) #6350
• [x] QSP-14 Opening BoltDB and backup file varies on the permission (db) #6378
• [x] QSP-8 Function ActivationEligibilityEpoch() doesn't check v == nil || v.validator == nil (core processing) #6347
• [x] QSP-9 Cast from uint64 to int (core processing) #6349
• [x] QSP-12 DDoS attack vector through creating a mapping between public keys and validators’ IPs (Spec issue - out of scope of our resolution)
• [x] QSP-13 Message encoding is changeable: that could lead to network partitions (p2p) #6415
• [x] QSP-16 No support for IPv6 (p2p) #6363
• [x] QSP-15 Lack of unit tests (general)

🥈 Low risk issues grouped by components

Sync

• [x] QSP-19 Memory resources are never freed in newBlocksFetcher() #6339
• [x] QSP-20 No meaningful code in removeDisconnectedPeerStatus() #6370
• [x] QSP-31 Peer descoring and disconnect on failed validation, while being optional in the spec, should be considered (even more encompassing solution in #6622 - it involves peer scoring on GossipSub, p2p req/resp, and synchronization level)
• [x] QSP-35 finalized_root not checked in Status topic #5811 #7364
• [x] QSP-42 Double unsubscribe #6368 #6376 and finally resolved in #7285
• [x] QSP-52 Signature validation for block attestations is conditional on feature flag #6499
• [x] QSP-61 Function processPendingAtts() finishes prematurely #6371
• [x] QSP-62 Corrupted clock #6404

Beacon state trie management

• [x] QSP-44 Duplicated dirty indices (marking obsolete, as using a map as recommended by quantstamp is far too big of a performance hit to be worth it. Appending indices as it stands today is not a security hole)
• [x] QSP-64 Inconsistent rebuildTrie updates #6390

Core processing

• [x] QSP-39 areEth1DataEqual() returns false when both a and b are nil #6372
• [x] QSP-43 Unintended mutability (not relevant because input argument is an array, so it will not cause mutability issues)
• [x] QSP-49 One-time calibration of Roughtime #6393
• [x] QSP-65 Using UnshuffleList() instead of ShuffleList() contradicts the specification #6381

DB

• [x] QSP-21 Disk space exhaustion attack https://github.com/prysmaticlabs/prysm/issues/6215
• [x] QSP-38 Running out of disk space (BoltDB Freelist is not cleared up)
• [x] QSP-41 Missing implementation for filtering blocks #6397
• [x] QSP-54 DefaultDataDir() may return empty string #6394
• [x] QSP-56 Deprecated jsonpb dependency #6383 (Won't fix.)
• [x] QSP-57 Undocumented Kafka topics
• [x] QSP-58 Inconsistent spans #6352
• [x] QSP-59 Wrong StartSpan #6352
• [x] QSP-60 Functions do not add summary to the cache #6384

P2P networking

• [x] QSP-18 No header length validation #6577
• [x] QSP-23 Disconnected, stale, or bad peer status records are not cleaned up #6614
• [x] QSP-24 Connection manager options are not always initialized correctly (no longer relevant in current codebase)
• [x] QSP-25 Relay option is enabled in libp2p even when unused in Prysm #6386
• [x] QSP-26 Presence of the test-only code (blocked until mainnet release...while we have a relay, we need this current code, see #6425)
• [x] QSP-27 Potential discrepancy between NextForkVersion and ForkVersionSchedule
• [x] QSP-28 Subnet-based whitelisting not working (no longer relevant, this is already done)
• [x] QSP-29 Rate limiting not implemented for some node communication #6606
• [x] QSP-30 Incorrect (insecure) hash function is being used for determining message Ids (collisions using highway hash are acceptable for this use case, as it will not lead to a security issue if they occur)
• [x] QSP-32 Incorrect deadline for responses #6583
• [x] QSP-33 Maximum response chunk size not checked for all topics (done by #6424)
• [x] QSP-40 Return error when encoding nil buffer (not possible, see https://github.com/prysmaticlabs/prysm/issues/6327#issuecomment-650346322)
• [x] QSP-45 Undefined behaviour of BestFinalized() when no peers are connected or some peers have no finalized epochs #6402
• [x] QSP-46 Eclipse attacks are still possible (this is an issue with discv5 in general, out of scope of our code)
• [x] QSP-47 Potentially meaningless check #6388
• [x] QSP-48 Connection manager does not work properly (we no longer use connection manager)
• [x] QSP-50 Possibly unintentional fallback to TCP encryption #6440
• [x] QSP-51 NOISE support has no fallback #6440
• [x] QSP-53 Snappy “frame” (streaming) format does not seem to be supported #5127 #5435
• [x] QSP-55 Support for extra pubsub protocols #6419

Infra set up:

• [x] QSP-22 Boot nodes availability and centralization risks (this is more about just having more than one bootnode as a default, rather than any changes to Prysm itself)

UX:

• [x] QSP-36 Weak passwords allowed for validator accounts (completely revamped v2 of accounts is implemented - many closed PRs)
• [x] QSP-37 Minimal system requirements

Others:

• [x] Adherence to spec feedback #6335
• [x] Documentation feedback #6336
• [x] Best practice feedback #6337

[0xKiwi]

I'll be working on QSP-6

[terencechain]

Taking QSP-8

[terencechain]

Taking QSP-10 and QSP-11

[rauljordan]

Working on QSP-9

[terencechain]

Taking QSP-58 and QSP-59

[nisdas]

Taking QSP 13 and QSP 16

[shayzluf]

taking QSP-20

[rauljordan]

Working on 42

[rauljordan]

Workin on 61

[shayzluf]

working on QSP-14

[rauljordan]

Working on 35

[farazdagi]

Working on QSP-45 and QSP-6 (adding static analysis checker to enforce crypto/rand)

[rauljordan]

QSP-40 is not a possible condition, as the buffer can never be nil. For example:

func (e SszNetworkEncoder) EncodeGossip(w io.Writer, msg interface{}) (int, error) {
    if msg == nil {
        return 0, nil
    }
    b, err := e.doEncode(msg)
    if err != nil {
        return 0, err
    }
    if uint64(len(b)) > MaxGossipSize {
        return 0, errors.Errorf("gossip message exceeds max gossip size: %d bytes > %d bytes", len(b), MaxGossipSize)
    }
    if e.UseSnappyCompression {
        b = snappy.Encode(nil /*dst*/, b)
    }
+   if b == nil {
+       return 0, errors.New("attempting to write to nil buffer")
+   }
    return w.Write(b)
}

Even with a test that may seem like it could trigger the conditional check for b == nil, the code path is actually never reached. Worst case scenario, the result of snappy.Encode will be a buffer with length 1.

func TestSszNetworkEncoder_EncodeGossip_NilBuffer(t *testing.T) {
    buf := new(bytes.Buffer)
    type emptyContainer struct{}
    msg := &emptyContainer{}
    e := &encoder.SszNetworkEncoder{UseSnappyCompression: true}
    _, err := e.EncodeGossip(buf, msg)
    if err != nil {
        t.Error(err)
    }
}

The test above passes.

[rauljordan]

@nisdas for QSP-32, how do you think we should handle it? Basically:

The P2P specification says that: “The requester MUST wait a maximum of TTFB_TIMEOUT for the first response byte to arrive (time to first byte—or TTFB—timeout). On that happening, the requester allows a further RESP_TIMEOUT for each subsequent response_chunk received.” According to specification TTFB_TIMEOUT is 5s. It is the maximum time to wait for the first byte of request response (time-to-first-byte).

However, the deadline is set to: on L24 in beacon-chain/p2p/sender.go.

// Send a message to a specific peer. The returned stream may be used for reading, but has been
// closed for writing.
func (s *Service) Send(ctx context.Context, message interface{}, baseTopic string, pid peer.ID) (network.Stream, error) {
    ctx, span := trace.StartSpan(ctx, "p2p.Send")
    defer span.End()
    topic := baseTopic + s.Encoding().ProtocolSuffix()
    span.AddAttributes(trace.StringAttribute("topic", topic))

    // TTFB_TIME (5s) + RESP_TIMEOUT (10s).
    var deadline = params.BeaconNetworkConfig().TtfbTimeout + params.BeaconNetworkConfig().RespTimeout

Seems like we'll have to (a) be aware of how many chunks there are and (b) use that to extend the context deadline appropriately by the RESP_TIMEOUT value for each. How can we the number of chunks here?

[rauljordan]

• QSP-4 Insecure gRPC connection by default: won't fix, this is only a concern for users that are running on different machines, and it will be a significant UX constraint to force normal users to handle and deal with TLS certs when they might not need to
• QSP-57 Undocumented Kafka topics: won't fix, as it is too low priority and not much importance given barely anyone is using our kafka support
• QSP-37 Minimal system requirements: will fix via a log
• QSP-38 Running out of disk space (BoltDB Freelist is not cleared up): needs to look into, will open as a separate tracking issue