Validator Node Compromize Analysis

unicorn · June 16, 2019, 8:55am

We are currently evaluating the KMS softsign component for production use. Softsign has some good properties compared to a HSM. However, some risk analysis is required beforehand.

Assumptions
Let’s assume

we have a sentry architecture with a KMS component,
an adversary has taken over the validator node, and
that the operator key is completely offline and not accessible by the attacker.

Implications
The adversary is able to send arbitrary commands to the KMS; e.g. SignVote, SignProposal and so on. As an effect, the adversary might be able to conduct a double-signing attack and therefore slash the validator.

Remediation Ideas

Once the operator detects the attack, he should be able to put the validator into the inactive set on a voluntary basis (fees should be imposed anyhow)
Afterwards, the operator should be able to change the validator keys, otherwise the validator cannot recover from attacks at all (in case the validator key has been accessed by the adversary)

What do you think?

mdyring · June 16, 2019, 9:04am

The KMS prevents double signing as it will only sign for higher (Height, Round, Step).

I would also suggest using a HSM such as YubiHSM. It is fairly easy to setup and create a wrapped export of the secret key.

unicorn · June 16, 2019, 9:11am

I don’t see any benefits when using a HSM over softsign when it comes to double-voting. Since gaiad sends commands to KMS (and therefore to softsign or HSM) it is easily possible to cause double-voting and slashing.

HSMs are dumb

mdyring · June 16, 2019, 9:32am

There are a number of best practices around KMS that makes double signing highly unlikely:

You would typically run the KMS process on a different, locked down host from the validator. The KMS connects to the validator process, so outbound connection to validator. It then signs request from the validator, but only those that would not result in double signing.

This double signing prevention is implemented in tmkms software but also runs in Ledger devices (not YubiHSM).

unicorn · June 16, 2019, 9:54am

Good points, we are going to do some security testing around the double signing prevention in the KMS. I don’t see how HSMs are able to detect double signing.

mdyring · June 16, 2019, 10:01am

The Ledger app prevents double-signing inside try_state_transition():

github.com

tendermint/ledger-validator-app/blob/bee890e5ccc7e98b8a2a8ce30db00cbe9b5fc2bf/src/app_main.c#L207


    if (!vote_state.isInitialized) {
        view_set_data();
        view_set_pk(public_key);
        view_display_vote_init();
        UX_WAIT();
        *flags |= IO_ASYNCH_REPLY;
        break;
    }


    // Check with vote FSM if vote can be signed
    if (!try_state_transition()) {
        THROW(APDU_CODE_CONDITIONS_NOT_SATISFIED);
    }


    *tx = action_sign();
    view_set_data();
    view_display_vote_processing();
    UX_WAIT();
    THROW(APDU_CODE_OK);
}
    break;

unicorn · June 16, 2019, 10:34am

https://github.com/tendermint/ledger-validator-app/blob/bee890e5ccc7e98b8a2a8ce30db00cbe9b5fc2bf/src/lib/vote_fsm.c#L19 it’s rather a sanity than a security check. Quickly double vote twice will bypass this check

mdyring · June 16, 2019, 10:55am

I disagree. This happens serially/sequentially over USB, there is no parallelism. It can’t be bypassed by timing.

State is updated here:

github.com

tendermint/ledger-validator-app/blob/bee890e5ccc7e98b8a2a8ce30db00cbe9b5fc2bf/src/lib/vote_fsm.c#L58


                break;
            }
        }


        return 0;
    }


    return 0;
}


uint8_t try_state_transition() {
    if (!validate_state_transition()) {
        return 0;
    }


    vote_state.vote.Type = vote.Type;
    vote_state.vote.Round = vote.Round;
    vote_state.vote.Height = vote.Height;


    return 1;
}

unicorn · June 16, 2019, 7:39pm

Thanks for the great feedback. This is a very interesting topic. However, I suppose KMS should do the same check, as well. I am still in learning mode and trying to get into details

mdyring · June 17, 2019, 8:29pm

Similarly to Ledger, the tmkms service itself does a similar check. As you can see in the config it stores state files for each chain, which contains last signed height etc.

jleni · June 18, 2019, 2:17pm

Correct @mdyring. It should not be possible to skip the check or to double sign. The ledger app keeps tracking the last vote. Ledger devices needs to reply before getting another request. There are no threads or possible race conditions… before signing the state is updated.

I am always open to hear about proof-of-concept for exploits and/or interesting analyses. Nevertheless, I think it is responsible to avoid claims about security issues without strong support, otherwise, this may mislead/confuse users.

jleni · June 18, 2019, 2:27pm

Said all this, @unicorn Please! if you guys actually find anything interesting, we invite you to submit to the bounty program here: https://hackerone.com/tendermint
It is always good to hear about aspects that we might have overseen!

unicorn · June 18, 2019, 11:01pm

Sorry for the misunderstanding. There is no security issue to report right now. However, we are about to start fuzzing and real security analysis with respect to KMS … however, only if we will not drop out of the validator set

Topic		Replies	Views
[ANN] Tendermint KMS v0.2: Validator Signing Support Validation	42	8880	December 12, 2018
[ANN] Tendermint KMS v0.8: Tendermint v0.33 support Validation	3	1149	July 6, 2020
Multiple Validator Consensus Key Tendermint	0	878	October 24, 2019
[ANN] Tendermint KMS v0.13: maintenance/bugfix release with secp256k1 consensus support Validation	1	368	November 25, 2023
SOLVED: YubiHSM2 Minimal Capabilities for Signing Validation	4	1504	December 17, 2019

Validator Node Compromize Analysis

Related topics