Bitcoin Forum
October 13, 2024, 01:42:32 PM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1]
  Print  
Author Topic: Bitcoin and buffer overflow attacks  (Read 3687 times)
da2ce7 (OP)
Legendary
*
Offline Offline

Activity: 1222
Merit: 1016


Live and Let Live


View Profile
December 11, 2010, 05:49:22 AM
Merited by ABCbits (2)
 #1

I am convinced that the foundation of bitcoin (ie. the block chain) is secure from any non-nationally funded attack.  The only attack that makes me scared is a buffer overflow attack that steals the private keys in the wallet, however doesn't spend them.

If a significantly large attack happens to the block chain, we can always make a new branch that doesn't include the attack; with the theft of private keys, there is no easy recovery option, save (in the case of a massive attack), starting the block chain from 0 again.

As I'm not a security expert, I do not know how secure bitcoin is against this sort of attack.  However from my non-expert understanding direct to IP address transfers seems like a obvious surface area to attack.

Two questions: what attack areas dose the current bitcoin software have that could enable the theft of bitcoin private keys?
Secondly, what efforts can be taken to minimize the attack surface area of bitcoin?

One off NP-Hard.
grondilu
Legendary
*
Offline Offline

Activity: 1288
Merit: 1080


View Profile
December 11, 2010, 05:52:40 AM
 #2

I am convinced that the foundation of bitcoin (ie. the block chain) is secure from any non-nationally funded attack.  The only attack that makes me scared is a buffer overflow attack that steals the private keys in the wallet, however doesn't spend them.

If a significantly large attack happens to the block chain, we can always make a new branch that doesn't include the attack; with the theft of private keys, there is no easy recovery option, save (in the case of a massive attack), starting the block chain from 0 again.

As I'm not a security expert, I do not know how secure bitcoin is against this sort of attack.  However from my non-expert understanding direct to IP address transfers seems like a obvious surface area to attack.

Two questions: what attack areas dose the current bitcoin software have that could enable the theft of bitcoin private keys?
Secondly, what efforts can be taken to minimize the attack surface area of bitcoin?

I've always thought that the only known possible attacks could allow double spendin or freeze the whole network.

I doubt any attack could steal private keys, apart from conventionnal attacks to the file system.

But I'm not an expert at all.

da2ce7 (OP)
Legendary
*
Offline Offline

Activity: 1222
Merit: 1016


Live and Let Live


View Profile
December 11, 2010, 06:03:38 AM
 #3

this isn't about protocol attacks, eg double spend and freezing.  Rather implementation security weaknesses.

One off NP-Hard.
wumpus
Hero Member
*****
qt
Offline Offline

Activity: 812
Merit: 1022

No Maps for These Territories


View Profile
December 11, 2010, 09:59:40 AM
Merited by ABCbits (1)
 #4

There is no way to be absolutely sure that there are no buffer overflow attacks. Although it would help to implement the client in a language that doesn't have buffer overflows because it checks array indices (Python, Java, C#, ...).

Bitcoin Core developer [PGP] Warning: For most, coin loss is a larger risk than coin theft. A disk can die any time. Regularly back up your wallet through FileBackup Wallet to an external storage or the (encrypted!) cloud. Use a separate offline wallet for storing larger amounts.
satoshi
Founder
Sr. Member
*
qt
Offline Offline

Activity: 364
Merit: 7118


View Profile
December 11, 2010, 01:32:37 PM
Merited by EFS (4), ABCbits (2), jjjfff (1), Phobosator32 (1)
 #5

direct to IP address transfers seems like a obvious surface area to attack.
If you ever find anyone who turned it on.  It's disabled by default.

There is no way to be absolutely sure that there are no buffer overflow attacks. Although it would help to implement the client in a language that doesn't have buffer overflows because it checks array indices (Python, Java, C#, ...).
It's all STL.  There are almost no buffers.
Pages: [1]
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!