Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

DIP: aj-tx-vuln for enforcing transaction hygiene / rejecting vulnerable txes #129

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
203 changes: 203 additions & 0 deletions dip-aj-tx-vuln.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,203 @@
<pre>
DIP: aj-tx-vuln
Title: Enforce Secure Deterministic Transaction Indexing
Authors: coolaj86
Special-Thanks: Rion Gull
Comments-Summary: No comments yet.
Status: Draft
Type: Standard
Created: 2023-06-27
License: CC0-1.0
</pre>

## Table of Contents

- [Table of Contents](#table-of-contents)
- [Abstract](#abstract)
- [Prior Art](#prior-art)
- [Motivation](#motivation)
- [Transaction Index Vulnerability](#transaction-index-vulnerability)
- [Specification](#specification)
- [Enforce Secure Deterministic Transaction Indexing](#enforce-secure-deterministic-transaction-indexing)
- [Copyright](#copyright)

## Abstract

This DIP proposes to block transactions from insecure software written with a
security vulnerability by which the indexes of inputs and outputs in a
transaction expose information about the sender(s) and receiver(s).

## Prior Art

- [Lexicographical Indexing of Transaction Inputs and Outputs](https://github.com/bitcoin/bips/blob/master/bip-0069.mediawiki)

## Motivation

I've personally written vulnerable transaction software (on accident), modeling
after transactions that exist in the wild.

I was able to broadcast insecure transactions without any error messages are
warnings.

I've also seen broadcasts which follow an alternate form of lexicographical sort
for outputs (`pubkeyhash` first, rather than amount first)

### Transaction Index Vulnerability

A naive implementation of code that creates transactions leaks data, which then
becomes available to malicious parties / bad actors.

The vulnerability is known, but no protection against it is enforced, so many
applications implementation transaction in a way that exposes a portion of
confidential user details via the list position (array index) of the consumed
inputs and generated outputs.

A typical transaction in vulnerable software is always constructed in this form:

```text
version: 3
inputs: 3
0.2 pkh1...
0.5 pkh2...
1.5 pkh3...
outputs: 3
1.0 recipient 1 or xpub 1
0.7 recipient 2 or xpub 1
Comment on lines +64 to +65
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

duplicate "xpub 1"

0.5 change back to sender
locktime: 0
```

The construction of the transaction includes information related to the user's
actions:

- which addresses likely belong to the recevier(s)
- which XPub-generated addresses are likely linked
- which address is likely change back to the sender
- other statistically related information about the inputs
- the selection algorithm used by the client

A naive algorithm may constructed as follows:

- selection algorithm reveals its sorting (time-based, amount-based, etc)
- receiver address(es) are always the first outputs
- when XPubs are used, addresses related to the same XPub are placed adjacently
- when change is generated, the change address is always in the final position

For example, consider
[598fa5c477ebef8ab74979c8a51d159d8c028b332af973020ec58ec807f009cc](https://insight.dash.org/insight/tx/598fa5c477ebef8ab74979c8a51d159d8c028b332af973020ec58ec807f009cc),
which was selected while sampling transactions at random just minutes ago, and
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
which was selected while sampling transactions at random just minutes ago, and
which was selected while sampling transactions at random, and

found to be produced by vulnerable software:

We can know, with very high confidence that:

- there are two recipients
- the sender's change address is `Xf7JKrFdbQaWTZszRsQthm2s4xXCX2uZRb`
Comment on lines +93 to +94
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

explain how you know this in the dip?

Comment on lines +91 to +94
Copy link
Member

@PastaPastaPasta PastaPastaPasta Jul 18, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also this is VIRTUALLY impossible to be the case as one input and output both have the same address XmZQkfLtk3xLtbBMenTdaZMxsUBYAsRz1o that seems significantly more likely to be the change don't we think?

Copy link
Author

@coolaj86 coolaj86 Jul 25, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Mentioned above, this was a typo. I had several txes open in the inspector and I copied from the wrong example.

I can go back and find the example that's typical of what I'm talking about. Picking 4 non-CoinJoin TXes at random, one of them will use the vulnerable naive implementation.


## Specification

The default transaction version byte should be bumped from 3 to 4.

All software that verifies transactions should assert that the inputs and
outputs are sorted, completely deterministically, as specified in
"Lexicographical Indexing of Transaction Inputs and Outputs".

Transactions with version 3 or lower SHOULD print a warning and MUST return an
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

who / what is printing this warning?

error when vulnerable transactions are detected.

All transactions version 4 or higher MUST be rejected with an error.

### Enforce Secure Deterministic Transaction Indexing

As a recap of "Lexicographical Indexing of Transaction Inputs and Outputs",
although some statistically relevant information is always conveyed in a
transaction, there is a mathematically perfect solution to maximally limit how
much information is made available without any breaking changes to existing
Master Nodes:

Before a transaction is signed:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it is not clear what this means


1. All inputs MUST be sorted ASCENDING by

- previous transaction id `txId`, in (Big-Endian) byte order \
(NOTE: this is the _REVERSE_ byte order from how they are stored in a transaction)
- previous transaction `vout`, as INTEGER

2. All outputs MUST be sorted ASCENDING by

- `amount` as an INTEGER
- The `script` (a.k.a. 'lock script', 'locking script', 'pubkey script') \
(NOTE: this is compared in the _SAME_ byte order as written in the transaction)
- The length SHOULD be checked before comparing

As a side benefit, this also makes it possible to index transactions for
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
As a side benefit, this also makes it possible to index transactions for
As a side benefit, this also makes it possible to index transactions more

efficiently, as all inputs and outputs are pre-sorted in manner compatible with
binary search and JIT-optimization.

Obviously, we can't stop all of this information from being revealed as some of
it is necessary for the transaction, however, this DIP along with other
data-leak vulnerability-focused DIPs can significantly decrease the attack
vector for malicious actors using tools to statistically analysis correlated
data and metadata.

### Example

[63add7757a336b1d9956d0d042956ebad2f643cbd47086738226625da319b698](https://insight.dash.org/insight/tx/63add7757a336b1d9956d0d042956ebad2f643cbd47086738226625da319b698)
is an example of a transaction with multiple inputs and outputs that follow this
algorithm:

```text
version: 2

inputs: 5
# sorts as 0453f3..., 7
f8d756d408985d7b eabe611457d3cd08 f847a8c33198dd86 0a57ff10baf35304 (7)

# sorts as 378dc7..., 4
2ecc8bacb0fce212 0f7ce2ec99ea7d97 57a15d427601b433 4251bdd0a6c78d37 (4)

# sorts as bf0d8f..., 3
7e6e14793b18d458 e0ae8d34f60f35a5 8ab7d43fc11838c0 0b1af6f4ba8f0dbf (3)

# these two sorts as fd3b22..., 1, 3
b947c3b1a56556fc 0f8c84e4938becb5 3840da1d1b5f0a44 482a580c20223bfd (1)
b947c3b1a56556fc 0f8c84e4938becb5 3840da1d1b5f0a44 482a580c20223bfd (3)

outputs: 5
# sorts as 1000010000 sats, 19 76a9 14 121f...
10f19a3b00000000
# Script Size, Script Meta, Script
19 76a9 14 121f6b8cde5fe2163899 6d4a756ac90b64671c75 88ac

# sorts as 1000010000 sats, 19 76a9 14 30fde...
10f19a3b00000000
19 76a9 14 30fde3dc06aae6075952 fa42a0d1a6b4d0f390d5 88ac

# sorts as 1000010000 sats, 19 76a9 14 4855...
10f19a3b00000000
19 76a9 14 485597ef2b6d53a94d38 4a1ad4c31da87ccfac61 88ac

# sorts as 1000010000 sats, 19 76a9 14 6930...
10f19a3b00000000
19 76a9 14 6930a94e354467dbb6e0 96c0ec6650bad3878c4f 88ac

# sorts as 1000010000 sats, 19 76a9 14 7b3e...
10f19a3b00000000
19 76a9 14 7b3ec1a2370d82e72921 af6a418cc125651404b3 88ac

locktime: 0
```

## Copyright

Copyright 2023 AJ ONeal.

DIP to Secure Transactions - Patch Data Leak Vulnerability via Deterministic
Index Ordering

Written in 2023 by AJ ONeal <[email protected]> \
To the extent possible under law, the author(s) have dedicated all copyright \
and related and neighboring rights to this software to the public domain \
worldwide. This software is distributed without any warranty. \

You should have received a copy of the CC0 Public Domain Dedication along with \
this software. If not, see <https://creativecommons.org/publicdomain/zero/1.0/>.