Bitcoin Forum
March 19, 2024, 09:14:19 AM *
News: Latest Bitcoin Core release: 26.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1]
  Print  
Author Topic: "Critical" versus "Serious" vulnerabilities  (Read 4226 times)
Gavin Andresen (OP)
Legendary
*
qt
Offline Offline

Activity: 1652
Merit: 2164


Chief Scientist


View Profile WWW
June 21, 2012, 01:49:58 PM
Merited by ABCbits (1)
 #1

In the 0.6.3 thread Graet asks a good question:  what's do we mean by "critical" versus "serious" vulnerability?

Here's what those terms mean to me.  All examples are hypothetical:

A critical vulnerability is one that will have disastrous consequences if it is exploited. Examples might be a remote code exploit, a bug that somebody could use to take down the entire bitcoin network, or a bug that could be exploited to steal your entire wallet.

A serious vulnerability is one that will have serious consequences if it is exploited.  Examples might be a bug that can be triggered by network traffic and will cause the software to stop working or a bug that could be exploited to misdirect your next bitcoin transaction so it goes to an attacker instead of the intended recipient.

The 0.6.3 denial-of-service problem I consider "serious" -- an attacker who figures out exactly what the vulnerability is (we haven't disclosed that yet) can make bitcoind or Bitcoin-Qt stop processing transactions.

Then there are run-of-the-mill vulnerabilities; things like Sybil attacks that require an attacker to round up hundreds or thousands of machines, or denial-of-service attacks that require that the attacker be able to send the victim gigabytes of network traffic. Dealing with these often doesn't even merit a mention in the release notes, because they affect so few people and require an attacker willing to spend a fair bit of money and/or effort just to be annoying.


How often do you get the chance to work on a potentially world-changing project?
"In a nutshell, the network works like a distributed timestamp server, stamping the first transaction to spend a coin. It takes advantage of the nature of information being easy to spread but hard to stifle." -- Satoshi
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction.
1710839659
Hero Member
*
Offline Offline

Posts: 1710839659

View Profile Personal Message (Offline)

Ignore
1710839659
Reply with quote  #2

1710839659
Report to moderator
1710839659
Hero Member
*
Offline Offline

Posts: 1710839659

View Profile Personal Message (Offline)

Ignore
1710839659
Reply with quote  #2

1710839659
Report to moderator
1710839659
Hero Member
*
Offline Offline

Posts: 1710839659

View Profile Personal Message (Offline)

Ignore
1710839659
Reply with quote  #2

1710839659
Report to moderator
gusti
Legendary
*
Offline Offline

Activity: 1099
Merit: 1000


View Profile
June 21, 2012, 02:10:02 PM
 #2

Good to know, thanks again for your superb work !
(small donation sent)

If you don't own the private keys, you don't own the coins.
gmaxwell
Moderator
Legendary
*
expert
Offline Offline

Activity: 4158
Merit: 8343



View Profile WWW
June 21, 2012, 02:33:52 PM
 #3



I think that critical/serious definition given here sounds fine, though I wonder if I'll remember it— especially if people come up with a number of similar sounding names.

The problems with names is that always get confused, people spend time arguing over them, and people get hurt when they misunderstand them, this is one of the reasons that CVSS was created— though I've run some example Bitcoin cases through the standard scoring criteria and I think it gives broken results. (E.g. giving more sever ratings for technically easy attacker-effort-proportional DOS attacks than for harder coin theft attacks).

My preference is to actually state what the risks is  "An attacker can crash your Bitcoin if he connects to it"  vs an opaque "Code yellow" kind of label,  at least where being descriptive won't imperil people.   This avoids getting stuck in word games over "serious" vs "severe" and other such matters of angels dancing on pins, and allows people to assess their own risks in ways that no boilerplate classification can do.

I suspect that any issue where you can't even say as much as what an attacker could do without unacceptable risk is by definition the most severe kind, Critical, or whatever you'd like to call it.
Diapolo
Hero Member
*****
Offline Offline

Activity: 769
Merit: 500



View Profile WWW
June 21, 2012, 08:37:20 PM
Last edit: June 22, 2012, 02:28:38 PM by Diapolo
 #4

Why not introduce something like risk or even better severity levels / rating, however they may be called.

E.g.

Level 1 (highest)
Level 2 (medium)
Level 3 (lowest)

Now we would need to define what conditions or characteristics imply which rating.

E.g. (only examples, didn't bother thinking in detail for now)

Level 1:
- remote code execution
- take the whole Bitcoin network offline
- steal all coins

Level 2:
- slow down the Bitcoin network
- steal coins

Level 3:
- crash a node without further code execution
- DoS single nodes

So we have a table, which defines the severity. Now consider a vulnerability, which can lead to stealing coins and crashes the client without code exec, this would be a Level 2 vunlerability (highest condition counts). I think this can be worked out by the devs with input from users to create a transparent catalog. As an example take a look what MS does: http://technet.microsoft.com/en-us/security/gg309177.aspx

Dia

Liked my former work for Bitcoin Core? Drop me a donation via:
1PwnvixzVAKnAqp8LCV8iuv7ohzX2pbn5x
bitcoin:1PwnvixzVAKnAqp8LCV8iuv7ohzX2pbn5x?label=Diapolo
Sergio_Demian_Lerner
Hero Member
*****
expert
Offline Offline

Activity: 549
Merit: 608


View Profile WWW
June 22, 2012, 01:42:03 PM
 #5

Good starting point.

We have to add to the levels the required resources needed for the attack. Sometimes it requires very few, some times it requires massive amounts. Also taking down the entire Bitcoin network at once is far worse than remote code execution.

My list would be:

Level 1:
- Take the whole Bitcoin network offline (DoS)
- Steal coins from all or a subset of users at once

Level 2:
- Remote code execution (of single nodes)
- Steal coins from single users

Level 3:
- Slow down or temporally disrupt the Bitcoin network
- Crash a node without further code execution
- DoS single nodes

Level 4:
- Lost of privacy / pseudo-anonymity of single nodes.

DoS single nodes seems equivalent to disrupt the Bitcoin network, since you can prevent users from connecting by taken down each node that accepts connections.
What do you think?
ribuck
Donator
Hero Member
*
Offline Offline

Activity: 826
Merit: 1039


View Profile
June 22, 2012, 01:58:31 PM
 #6

There are really only two cases:

1. People could lose bitcoins
2. The network could be disrupted.

Gavin's original post included these two examples:

(a) a bug that could be exploited to steal your entire wallet ("critical")
(b) a bug that could be exploited to misdirect your next bitcoin transaction so it goes to an attacker ("serious")

As far as I'm concerned, those bugs are of the same level of seriousness: "people could lose bitcoins".
Gavin Andresen (OP)
Legendary
*
qt
Offline Offline

Activity: 1652
Merit: 2164


Chief Scientist


View Profile WWW
June 22, 2012, 02:00:09 PM
 #7

I think "1 2 3 4" is bad.  4 is more than 1, so a level 4 vulnerability is worse, right?

I still like critical/serious/other.  More gradations than that and I think we'll just waste time arguing over "is this a level 3 vulnerability?  level 4?  ok, let's make it a pi vulnerability (3.1415...)"

How often do you get the chance to work on a potentially world-changing project?
Pieter Wuille
Legendary
*
qt
Offline Offline

Activity: 1072
Merit: 1170


View Profile WWW
June 22, 2012, 02:03:10 PM
 #8

ok, let's make it a pi vulnerability (3.1415...)"

Let's use complex numbers. The imaginary part is the assumed mass histeria the bug will cause.

"We consider this bug to have severity log(-1)."

I do Bitcoin stuff.
Sergio_Demian_Lerner
Hero Member
*****
expert
Offline Offline

Activity: 549
Merit: 608


View Profile WWW
June 22, 2012, 02:07:53 PM
 #9

Let's use sounds (scream, shout, whisper ) or maybe odors....
pc
Sr. Member
****
Offline Offline

Activity: 253
Merit: 250


View Profile
June 22, 2012, 05:43:06 PM
 #10

I agree with the sentiment that descriptions of what can happen is more useful than generic severity levels. Could we make buckets for the likely scenarios? Categorize into: Wallet Theft, Remote Code Execution, Next Transaction Theft, Incorrect Coin Creation, Low-Effort DOS, Information Disclosure, Other, or Unknown?

Though, even with that, I'm not sure where the "encrypted wallets still had unencrypted keys in them" vulnerability would have gone, or the "blocks weren't checked during downloading" problem (assuming that it had security implications, which I'm still not sure of).
John (John K.)
Global Troll-buster and
Legendary
*
Offline Offline

Activity: 1288
Merit: 1225


Away on an extended break


View Profile
June 24, 2012, 12:52:12 PM
Merited by ABCbits (2)
 #11

Description based levels of vulnerabilities like what MS used below offers the better clarity of any other number-based (1,2,3,4) levels.

Code:
Rating Definition
Critical
A vulnerability whose exploitation could allow code execution without user interaction. These scenarios include self-propagating malware (e.g. network worms), or unavoidable common use scenarios where code execution occurs without warnings or prompts. This could mean browsing to a web page or opening email.

Microsoft recommends that customers apply Critical updates immediately.

Important
A vulnerability whose exploitation could result in compromise of the confidentiality, integrity, or availability of user data, or of the integrity or availability of processing resources. These scenarios include common use scenarios where client is compromised with warnings or prompts regardless of the prompt's provenance, quality, or usability. Sequences of user actions that do not generate prompts or warnings are also covered.

Microsoft recommends that customers apply Important updates at the earliest opportunity.

Moderate
Impact of the vulnerability is mitigated to a significant degree by factors such as authentication requirements or applicability only to non-default configurations.

Microsoft recommends that customers consider applying the security update.

Low Impact of the vulnerability is comprehensively mitigated by the characteristics of the affected component. Microsoft recommends that customers evaluate whether to apply the security update to the affected systems.
Pages: [1]
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!