github.com/badrootd/nibiru-cometbft@v0.37.5-0.20240307173500-2a75559eee9b/spec/light-client/attacks/isolate-attackers_001_draft.md (about) 1 <!-- markdown-link-check-disable --> 2 # Lightclient Attackers Isolation 3 4 > Warning: This is the beginning of an unfinished draft. Don't continue reading! 5 6 Adversarial nodes may have the incentive to lie to a lightclient about the 7 state of a Cosmos blockchain, built using Tendermint consensus algorithm. 8 An attempt to do so is called attack. Light client [verification][verification] checks incoming data by checking a so-called "commit", which is a forwarded set of signed messages that is (supposedly) produced during executing Tendermint consensus. Thus, an attack boils down to creating and signing Tendermint consensus messages in deviation from the Tendermint consensus algorithm rules. 9 10 As Tendermint consensus and light client verification is safe under the assumption of more than 2/3 of correct voting power per block [[CMBC-FM-2THIRDS]][CMBC-FM-2THIRDS-link], this implies that if there was an attack then [[CMBC-FM-2THIRDS]][CMBC-FM-2THIRDS-link] was violated, that is, there is a block such that 11 12 - validators deviated from the protocol, and 13 - these validators represent more than 1/3 of the voting power in that block. 14 15 In the case of an [attack][node-based-attack-characterization], the lightclient [attack detection mechanism][detection] computes data, so called evidence [[LC-DATA-EVIDENCE.1]][LC-DATA-EVIDENCE-link], that can be used 16 17 - to proof that there has been attack [[CMBC-LC-EVIDENCE-DATA.1]][CMBC-LC-EVIDENCE-DATA-link] and 18 - as basis to find the actual nodes that deviated from the Tendermint algorithm. 19 20 This specification considers how a full node in a Cosmos blockchain can isolate a set of attackers that launched the attack. The set should satisfy 21 22 - the set does not contain a correct validator 23 - the set contains validators that represent more than 1/3 of the voting power of a block that is still within the unbonding period 24 25 # Outline 26 27 **TODO** when preparing a version for broader review. 28 29 # Part I - Basics 30 31 For definitions of data structures used here, in particular LightBlocks [[LCV-DATA-LIGHTBLOCK.1]](https://github.com/cometbft/cometbft/blob/v0.37.x/spec/light-client/verification/verification_002_draft.md#lcv-data-lightblock1), cf. [Light Client Verification][verification]. 32 33 # Part II - Definition of the Problem 34 35 The specification of the [detection mechanism][detection] describes 36 37 - what is a light client attack, 38 - conditions under which the detector will detect a light client attack, 39 - and the format of the output data, called evidence, in the case an attack is detected. The format is defined in 40 [[LC-DATA-EVIDENCE.1]][LC-DATA-EVIDENCE-link] and looks as follows 41 42 ```go 43 type LightClientAttackEvidence struct { 44 ConflictingBlock LightBlock 45 CommonHeight int64 46 } 47 ``` 48 49 The isolator is a function that gets as input evidence `ev` 50 and a prefix of the blockchain `bc` at least up to height `ev.ConflictingBlock.Header.Height + 1`. The output is a set of *peerIDs* of validators. 51 52 We assume that the full node is synchronized with the blockchain and has reached the height `ev.ConflictingBlock.Header.Height + 1`. 53 54 #### **[FN-INV-Output.1]** 55 56 When an output is generated it satisfies the following properties: 57 58 - If 59 - `bc[CommonHeight].bfttime` is within the unbonding period w.r.t. the time at the full node, 60 - `ev.ConflictingBlock.Header != bc[ev.ConflictingBlock.Header.Height]` 61 - Validators in `ev.ConflictingBlock.Commit` represent more than 1/3 of the voting power in `bc[ev.CommonHeight].NextValidators` 62 - Then: A set of validators in `bc[CommonHeight].NextValidators` that 63 - represent more than 1/3 of the voting power in `bc[ev.commonHeight].NextValidators` 64 - signed Tendermint consensus messages for height `ev.ConflictingBlock.Header.Height` by violating the Tendermint consensus algorithm. 65 - Else: the empty set. 66 67 # Part IV - Protocol 68 69 Here we discuss how to solve the problem of isolating misbehaving processes. We describe the function `isolateMisbehavingProcesses` as well as all the helping functions below. In [Part V](#part-v---Completeness), we discuss why the solution is complete based on result from analysis with automated tools. 70 71 ## Isolation 72 73 ### Outline 74 75 > Describe solution (in English), decomposition into functions, where communication to other components happens. 76 77 #### **[LCAI-FUNC-MAIN.1]** 78 79 ```go 80 func isolateMisbehavingProcesses(ev LightClientAttackEvidence, bc Blockchain) []ValidatorAddress { 81 82 reference := bc[ev.conflictingBlock.Header.Height].Header 83 ev_header := ev.conflictingBlock.Header 84 85 ref_commit := bc[ev.conflictingBlock.Header.Height + 1].Header.LastCommit // + 1 !! 86 ev_commit := ev.conflictingBlock.Commit 87 88 if violatesTMValidity(reference, ev_header) { 89 // lunatic light client attack 90 signatories := Signers(ev.ConflictingBlock.Commit) 91 bonded_vals := Addresses(bc[ev.CommonHeight].NextValidators) 92 return intersection(signatories,bonded_vals) 93 94 } 95 // If this point is reached the validator sets in reference and ev_header are identical 96 else if RoundOf(ref_commit) == RoundOf(ev_commit) { 97 // equivocation light client attack 98 return intersection(Signers(ref_commit), Signers(ev_commit)) 99 } 100 else { 101 // amnesia light client attack 102 return IsolateAmnesiaAttacker(ev, bc) 103 } 104 } 105 ``` 106 107 - Implementation comment 108 - If the full node has only reached height `ev.conflictingBlock.Header.Height` then `bc[ev.conflictingBlock.Header.Height + 1].Header.LastCommit` refers to the locally stored commit for this height. (This commit must be present by the precondition on `length(bc)`.) 109 - We check in the precondition that the unbonding period is not expired. However, since time moves on, before handing the validators over Cosmos SDK, the time needs to be checked again to satisfy the contract which requires that only bonded validators are reported. This passing of validators to the SDK is out of scope of this specification. 110 - Expected precondition 111 - `length(bc) >= ev.conflictingBlock.Header.Height` 112 - `ValidAndVerifiedUnbonding(bc[ev.CommonHeight], ev.ConflictingBlock) == SUCCESS` 113 - `ev.ConflictingBlock.Header != bc[ev.ConflictingBlock.Header.Height]` 114 - TODO: input light blocks pass basic validation 115 - Expected postcondition 116 - [[FN-INV-Output.1]](#FN-INV-Output1) holds 117 - Error condition 118 - returns an error if precondition is violated. 119 120 ### Details of the Functions 121 122 #### **[LCAI-FUNC-VVU.1]** 123 124 ```go 125 func ValidAndVerifiedUnbonding(trusted LightBlock, untrusted LightBlock) Result 126 ``` 127 128 - Conditions are identical to [[LCV-FUNC-VALID.2]][LCV-FUNC-VALID.link] except the precondition "*trusted.Header.Time > now - trustingPeriod*" is substituted with 129 - `trusted.Header.Time > now - UnbondingPeriod` 130 131 #### **[LCAI-FUNC-NONVALID.1]** 132 133 ```go 134 func violatesTMValidity(ref Header, ev Header) boolean 135 ``` 136 137 - Implementation remarks 138 - checks whether the evidence header `ev` violates the validity property of Tendermint consensus algorithm, by checking agains a reference header 139 - Expected precondition 140 - `ref.Height == ev.Height` 141 - Expected postcondition 142 - returns evaluation of the following disjunction 143 **[[LCAI-NONVALID-OUTPUT.1]]** == 144 `ref.ValidatorsHash != ev.ValidatorsHash` or 145 `ref.NextValidatorsHash != ev.NextValidatorsHash` or 146 `ref.ConsensusHash != ev.ConsensusHash` or 147 `ref.AppHash != ev.AppHash` or 148 `ref.LastResultsHash != ev.LastResultsHash` 149 150 ```go 151 func IsolateAmnesiaAttacker(ev LightClientAttackEvidence, bc Blockchain) []ValidatorAddress 152 ``` 153 154 - Implementation remarks 155 **TODO:** What should we do here? Refer to the accountability doc? 156 - Expected postcondition 157 **TODO:** What should we do here? Refer to the accountability doc? 158 159 ```go 160 func RoundOf(commit Commit) []ValidatorAddress 161 ``` 162 163 - Expected precondition 164 - `commit` is well-formed. In particular all votes are from the same round `r`. 165 - Expected postcondition 166 - returns round `r` that is encoded in all the votes of the commit 167 168 ```go 169 func Signers(commit Commit) []ValidatorAddress 170 ``` 171 172 - Expected postcondition 173 - returns all validator addresses in `commit` 174 175 ```go 176 func Addresses(vals Validator[]) ValidatorAddress[] 177 ``` 178 179 - Expected postcondition 180 - returns all validator addresses in `vals` 181 182 # Part V - Completeness 183 184 As discussed in the beginning of this document, an attack boils down to creating and signing Tendermint consensus messages in deviation from the Tendermint consensus algorithm rules. 185 The main function `isolateMisbehavingProcesses` distinguishes three kinds of wrongly signing messages, namely, 186 187 - lunatic: signing invalid blocks 188 - equivocation: double-signing valid blocks in the same consensus round 189 - amnesia: signing conflicting blocks in different consensus rounds, without having seen a quorum of messages that would have allowed to do so. 190 191 The question is whether this captures all attacks. 192 First observe that the first checking in `isolateMisbehavingProcesses` is `violatesTMValidity`. It takes care of lunatic attacks. If this check passes, that is, if `violatesTMValidity` returns `FALSE` this means that [FN-NONVALID-OUTPUT] evaluates to false, which implies that `ref.ValidatorsHash = ev.ValidatorsHash`. Hence after `violatesTMValidity`, all the involved validators are the ones from the blockchain. It is thus sufficient to analyze one instance of Tendermint consensus with a fixed group membership (set of validators). Also it is sufficient to consider two different valid consensus values, that is, binary consensus. 193 194 **TODO** we have analyzed Tendermint consensus algorithm with TLA+ and have accompanied Galois in an independent study of the protocol based on [Ivy proofs](https://github.com/cometbft/cometbft/tree/v0.37.x/spec/ivy-proofs). 195 196 # References 197 198 [[supervisor]] The specification of the light client supervisor. 199 200 [[verification]] The specification of the light client verification protocol 201 202 [[detection]] The specification of the light client attack detection mechanism. 203 204 [supervisor]: 205 https://github.com/cometbft/cometbft/blob/v0.37.x/spec/light-client/supervisor/supervisor_001_draft.md 206 207 [verification]: https://github.com/cometbft/cometbft/blob/v0.37.x/spec/light-client/verification/verification_002_draft.md 208 209 [detection]: 210 https://github.com/cometbft/cometbft/blob/v0.37.x/spec/light-client/detection/detection_003_reviewed.md 211 212 [LC-DATA-EVIDENCE-link]: 213 https://github.com/cometbft/cometbft/blob/v0.37.x/spec/light-client/detection/detection_003_reviewed.md#lc-data-evidence1 214 215 [CMBC-LC-EVIDENCE-DATA-link]: 216 https://github.com/cometbft/cometbft/blob/v0.37.x/spec/light-client/detection/detection_003_reviewed.md#cmbc-lc-evidence-data1 217 218 [node-based-attack-characterization]: 219 https://github.com/cometbft/cometbft/blob/v0.37.x/spec/light-client/detection/detection_003_reviewed.md#block-based-characterization-of-attacks 220 221 [CMBC-FM-2THIRDS-link]: https://github.com/cometbft/cometbft/blob/v0.37.x/spec/light-client/verification/verification_002_draft.md#cmbc-fm-2thirds1 222 223 [LCV-FUNC-VALID.link]: https://github.com/cometbft/cometbft/blob/v0.37.x/spec/light-client/verification/verification_002_draft.md#lcv-func-valid2