Category: System Attack and Defense

BTG has been through 51% Attack recently

A few days ago, a malicious miner successfully carried out a double-spending attack on the Bitcoin Gold network, leaving BTG under attack.

The miner gained at least 51% of the BTG network’s hash power in order to carry out the attack, which allowed him to control the BTG blockchain temporarily. Even on a small network like BTG, obtaining that much hash power is very expensive, but the double-spending attack could still turn a profit.

After gaining control of the network, the attackers began depositing BTG at exchanges while also sending the same coins to wallets under their own control. Normally the blockchain resolves such a conflict by accepting only the first of the two transactions, but the attackers were able to reverse the exchange deposit because they held majority control of the network’s hash power.

As a result, they could fund an exchange account, withdraw quickly, and then rewrite the chain so that the original BTG went to another wallet of their own.

Since May 16, the Bitcoin Gold address involved in the attack has received more than 388,200 BTG (most of the transactions were sent by the attackers themselves). Assuming all of these transactions are related to the double-spending attack, the attackers may have stolen up to $18.6 million worth of funds from exchanges.

Unknown Risks of Blockchain Security

Satoshi Nakamoto’s “White Paper”

Satoshi Nakamoto’s “white paper”, Bitcoin: A Peer-to-Peer Electronic Cash System, gave rise to a series of heated discussions on cryptocurrency and blockchain.

The white paper was first sent by e-mail to an obscure cryptography mailing list on November 1st, 2008; the sender’s address was [email protected]. Shortly afterwards, on January 3rd, 2009, Nakamoto mined the first 50 bitcoins on his own computer and inscribed a short message in the “genesis block”: “The Times 03/Jan/2009 Chancellor on brink of second bailout for banks.”

At that time, Alistair Maclean Darling, Chancellor of the Exchequer, was under pressure to arrange a second bail-out for the banks, and this short message was the headline of The Times of London. That is how the first blockchain came into being, and the event was recorded and preserved forever thanks to the timestamping and proof of existence that blockchain provides.

The exchange rate of Bitcoin first appeared on October 5th, 2009, at 1309.03 bitcoins for one dollar. Within a decade the value of one bitcoin had risen to an astonishing $10,000, and at its peak in 2017 it reached a record high of $20,000. That means the total value of the 21 million bitcoins could be worth some 420 billion dollars, and if alternative coins are taken into account, the net worth of the cryptocurrency market could reach a trillion dollars. The impact of Bitcoin is so huge that many of us have come to believe Hayek’s theory may be correct: science and technology can go beyond national borders and governments, bringing us a “denationalised money” that will soon change human lives.

Nowadays very few of us turn to Satoshi Nakamoto’s white paper any longer, because the soaring monetary value of bitcoin has grabbed everybody’s attention. The nine-page white paper is nothing but a technical proposal in which Satoshi tried to work out whether his ideal “coin” could be made a reality. Yet there is something deeper and more essential in it, something that goes beyond software technology: can the “decentralisation” of Bitcoin be fully achieved? Has it really developed into a self-governing system? Are there flaws in Satoshi’s white paper and, if so, what are they? Is it possible that Satoshi discovered these flaws but deliberately neglected them?

Decentralisation brings justice for the majority

Abstract: A purely peer-to-peer technology of electronic cash system would allow online payments to be sent directly from one party to another without going through any financial institution. Digital signatures provide part of the solution, but the main benefits are lost if a trusted third party is still required to prevent double-spending. We propose a solution to the double-spending problem by adding timestamps while using a peer-to-peer network. The network timestamps transactions by hashing them into an ongoing chain of hash-based proof-of-work, forming a record that cannot be changed without redoing the proof-of-work. The longest chain not only serves as proof of the sequence of events witnessed, but proves that it came from the largest pool of CPU power. As long as a majority of CPU power is not cooperating to attack the network, it will generate the longest chain and outpace attackers. The network itself requires minimum infrastructure. Messages are spread on a best-effort basis, and nodes can leave and return to the network at any time. The longest proof-of-work chain serves as the record of what happened while they were gone.

If we read Satoshi’s white paper closely, we find that “decentralisation” can be put in much simpler words: “justice for the majority”. And the best description of its key concept is “consensus”.

Satoshi proposed to build a “decentralised peer-to-peer payment system which can prevent double-spending” with no central servers (intermediaries). But this raises a question: how can everything be recorded in a ledger without them? The solution is to use cryptography in place of central servers and intermediaries.

Whenever a transaction occurs (including a double-spend), its position in the time sequence can be established: a single party cannot carry out two transactions at the same time. So the Bitcoin system uses timestamped hashes to produce a series of blocks that are closely linked to one another, forming a chain in which hash pointers record every spend. We call this data structure the “blockchain”.

To prevent double-spending, one chain must be proven valid and adopted by the transaction system; all other chains then become invalid and lose their force.

There is only one way to prove the validity of one chain while remaining decentralised: involve all users and let them attest to “justice for the majority”.

The Proof of Work consensus algorithm determines who “the majority” are, and the majority’s decision is embodied in the longest chain. New transactions are broadcast to all peer-to-peer nodes, and the nodes that receive them begin confirming and accepting them. Other nodes accept only the new transactions that are included in the block that is found.

Once a node has accepted a block, it stops accepting competing blocks for the same position from other nodes and stops recalculating the transactions it has already confirmed; it then begins working on the next block of new transactions. This is how the chain grows.

It is possible for more than one node to find a block at the same time after receiving the broadcast transactions, producing competing versions of the chain (forks). The tie is broken when the next proof-of-work is found, and in the end one chain is accepted by all. In fact, the blockchain is a continual process of splitting and regrouping.

Thus we replace intermediaries with consensus mechanism. Now think about it: what could happen under extreme circumstances?

Brainstorming a catastrophe

Let us imagine a disaster that might occur:

Some day in 2018, at 15:30 in the afternoon, China’s optical cable service suddenly broke down and outbound Internet connectivity was cut off. The global Bitcoin system kept working as usual: Bitcoin mining and transactions remained unaffected. The only difference was that China’s disconnected Bitcoin nodes had been split off from the global network.

17:40: Two hours later, the cable fault was repaired and the connection with the outside world was restored.

During those two hours, the hashing power inside China built a chain that diverged from the chain outside. From our discussion of the consensus algorithm, we know that the stronger chain naturally out-competes the weaker one, and the transactions in the weaker, obsolete chain have to be discarded. The mining rewards earned on it become invalid as well.

Since China’s hashing power makes up 70% of the global total, it would not be surprising for China’s chain to beat the chain mined outside. Very likely, the work done by mining systems abroad during the breakdown would be completely wiped out, and transactions on the two halves of the Bitcoin chain would have to be recalculated. It would be a disaster for bitcoin holders on the “minority chain”, whose coins would be lost, and we would see bitcoin-based commerce crash and the network ruined.

We can see, then, that a large-scale network outage divides the Bitcoin network into two parts. Perhaps the best response is to halt the entire Bitcoin network as soon as possible before the split occurs, so that neither side keeps working in isolation; otherwise an even bigger catastrophe follows when the connection is restored.

In Bitcoin, each transaction has to be confirmed by six blocks, and each block takes about ten minutes, so a transaction needs roughly an hour to be confirmed. If the breakdown lasts longer than an hour, the damage is simply unimaginable, and the longer it lasts, the greater the loss.

When discussing whether Bitcoin could survive such a catastrophe, we usually worry about multi-node backups without realising what the consensus mechanism itself would bring us: chains that isolate one another, compete with one another and, in the end, devour one another.

Monopoly over Hashing Power ≠ 51% Attacks

Today, our confidence in the Bitcoin system rests on the common belief that obtaining 51% of the hashing power is nearly impossible. The truth, however, is that ASIC miners who have in fact monopolised 51% of the hashing power are already causing headaches for Bitcoin supporters.

A recent report in MIT Technology Review (Jan. 18th, 2018) notes that both Bitcoin and Ethereum are open blockchain systems: anyone can be a miner. But this also makes it possible for certain groups and organisations to seize a vast share of mining resources and form a monopoly.

A weekly report shows that the four biggest Bitcoin miners hold some 53% of the total mining power, while Ethereum mining turns out to be even more “centralised”: its top three mining pool operators hold more than 61% of the total each week. This raises an intriguing question: is the core of Bitcoin, “decentralisation”, being undermined by the monopoly over hashing power?

The answer is no. 51% attacks will not come from the system itself.

These big miners have made tremendous investments in facilities and electricity supply for mining. An attack could destroy the integrity of the system and cause the price to crash, which is clearly bad news for anyone with an interest in bitcoin, especially miners, whose profits depend largely on the bitcoin price. Hence they have no reason to attack the network.

Therefore, such an attack must come from the outside.

Now back to the imagined catastrophe. We can see that attackers do not necessarily need to gain control over hashing power. The more destructive way is to disrupt the network itself, which requires little labour and less investment. An attacker may take the following actions:

1. Controlling the routing policy of backbone network routers.

2. Gaining back-door access at network service providers.

3. Disrupting telecommunication services.

4. Breaking or disabling a nation’s firewall.

As shown above, attackers need not be anyone inside the system, and controlling the network layer takes little effort and electricity. We then have no difficulty identifying the deadliest flaw in the structure of Bitcoin and other cryptocurrencies: a highly centralised network layer.

A Too Often Ignored Default Assumption: Channel Security

Peer-to-peer communication technology serves as the bottom layer of blockchain. Blockchain is in essence a P2P-based Value Delivery Protocol.

Bitcoin has adopted an Internet-based peer-to-peer network system, in which computers and nodes are equally privileged; and nodes are connected with one another in a “flat” topological structure. In the peer-to-peer network, there are no intermediary servers or centralised services; nor are there any hierarchical systems. Nodes in peer-to-peer networks work together as service suppliers of one another.

Consider the global Internet in its early stage: nodes in its IP networks were equally privileged, whereas today’s Internet has adopted a hierarchical structure (although the flat topology of the IP protocols themselves remains unaltered). File sharing is another typical example, and one of the most astounding successes of peer-to-peer technology, with Napster pioneering the industry and BitTorrent bringing a revolutionary change.

The so-called Bitcoin network is in fact the whole set of nodes that run Bitcoin’s peer-to-peer protocol. Note that other protocols are also in use in the Bitcoin network: the Stratum protocol, for instance, is used by miners and Bitcoin wallets, and gateway routing servers run the peer-to-peer protocol on behalf of nodes that speak other protocols, giving them access to the network and bridging Stratum to Bitcoin’s peer-to-peer protocol. What we mean by the “extended bitcoin network” is therefore the whole set of protocols, including the peer-to-peer protocol, mining protocols, the Stratum protocol and the other integrated networks used in the Bitcoin system.

The main network, where the peer-to-peer protocol is in effect, consists of 7000 to 10000 listening nodes running different versions of the Bitcoin Core client and hundreds of nodes running other implementations of Bitcoin’s peer-to-peer protocol (BitcoinJ, Libbitcoin, btcd, etc.). A fraction of these nodes serve as mining nodes, which take part in the mining competition, confirm transactions and build blocks.

Nodes normally connect to their peers over TCP on port 8333, the Bitcoin default; other designated ports may be used as well.

The peer-to-peer network simply offers nodes a platform for sharing information; the main work is done by the consensus algorithm and the cryptographic algorithms. That means receivers have to trust senders fully, and the data carried by a block has to remain authentic, without alteration by any third party. This rests on an implied premise, a default assumption that is rarely mentioned in Satoshi’s paper but is of grave importance:

· We assume that we fully trust the blockchain software and that the data it delivers remains authentic and unaltered.

· We assume that we fully trust the operating system the blockchain software runs on and that the data it delivers remains authentic and unaltered.

· We assume that we fully trust the processors that the network runs on and that the data they carry remains authentic and unaltered.

We all know that Bitcoin was based on the idea of “network neutrality”; the irony is that the bottom layer of the network, which carries the decentralised system, is in fact highly centralised.

Bitcoin’s wire protocol is open to everyone and is transmitted in plaintext: since the data itself is public, there seemed to be no need to encrypt it against theft. Every message on the main network even begins with the same four fixed bytes, 0xF9BEB4D9 (the “magic” value), so the traffic is trivially recognisable. However, Satoshi failed to realise that this exposed transmission protocol could one day lead to a 51% attack.
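As an added example (not code from the original article), the following Python builds and parses the fixed 24-byte Bitcoin P2P message header, showing that the magic value 0xF9BEB4D9 identifies the traffic on sight and that the header checksum detects only corruption, not deliberate alteration by whoever controls the channel. The testnet and regtest magic values are the standard ones; the ping payload is constructed sample input.

```python
import hashlib
import struct

# Network magic values: the fixed first four bytes of every message.
# Mainnet is the 0xF9BEB4D9 quoted in the text above.
MAGIC = {
    b"\xf9\xbe\xb4\xd9": "mainnet",
    b"\x0b\x11\x09\x07": "testnet3",
    b"\xfa\xbf\xb5\xda": "regtest",
}
NETWORK_MAGIC = {name: magic for magic, name in MAGIC.items()}
HEADER_LEN = 24  # 4 magic + 12 command + 4 length + 4 checksum


def double_sha256(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def build_message(command: str, payload: bytes, network: str = "mainnet") -> bytes:
    """Serialise one message: magic | NUL-padded 12-byte command | LE length | checksum | payload."""
    cmd = command.encode("ascii")
    if len(cmd) > 12:
        raise ValueError("command name longer than 12 bytes")
    header = (
        NETWORK_MAGIC[network]
        + cmd.ljust(12, b"\x00")
        + struct.pack("<I", len(payload))
        + double_sha256(payload)[:4]
    )
    return header + payload


def parse_message(raw: bytes) -> dict:
    """Parse and verify one message; raises ValueError on a bad magic, length or checksum."""
    if len(raw) < HEADER_LEN:
        raise ValueError("short header")
    magic, cmd, checksum = raw[:4], raw[4:16], raw[20:24]
    (length,) = struct.unpack("<I", raw[16:20])
    if magic not in MAGIC:
        raise ValueError("unknown magic")
    payload = raw[HEADER_LEN:HEADER_LEN + length]
    if len(payload) != length:
        raise ValueError("truncated payload")
    if double_sha256(payload)[:4] != checksum:
        raise ValueError("checksum mismatch")
    return {
        "network": MAGIC[magic],
        "command": cmd.rstrip(b"\x00").decode("ascii"),
        "length": length,
        "checksum": checksum.hex(),
        "payload": payload,
    }


def looks_like_bitcoin(stream: bytes) -> bool:
    """What a passive on-path observer can decide from the first four bytes alone."""
    return stream[:4] in MAGIC


if __name__ == "__main__":
    msg = build_message("verack", b"")
    print(msg.hex(), parse_message(msg))
```

Because the checksum is a plain double-SHA256 truncated to four bytes, anyone on the path can rewrite both payload and checksum; only the signatures inside transactions and the proof-of-work on blocks carry real integrity, which is exactly the channel assumption the article questions.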

Merge attack:

What is interesting about the word “blockchain” is that, although “block” and “chain” are used so often in Satoshi’s white paper, the word itself was not coined by Satoshi. “Block” appears 67 times in the white paper and “chain” 27 times, yet the author never put the two words together. We all know that “block” as a noun means a piece of solid material, but we should not forget that as a verb it means “obstruct” or “hinder”. People simply fail to catch the hidden message in the word: a blockchain can be blocked.

The consensus mechanism lies at the core of Bitcoin. Consensus is much like a voting machine supported by a distributed system, so any adjustment or alteration of the network hosting that distributed system changes the “consensus”. This is what we call a “merge attack” or “consensus attack”.

A merge attack tears the blockchain apart, dividing the network into two independent chains, one of which may exceed the “consensus threshold” (for instance, 51% of proof-of-work); after some time (technically, after transactions have been confirmed on both sides), the two chains regroup and have to compete with each other.

A merge attack is essentially a combination of a partition attack and a delay attack, and it has proved to be far more destructive than DDoS attacks and IP blocking.

· DDoS attempts to attack nodes and miners prove rather futile, and their effect does not last long, because it is not difficult for the nodes and miners under attack to recognise the situation when their access to the outside world is blocked; the affected miner can easily change his or her IP address. Such attacks are therefore less destructive than they seem: once the IP address changes, communication with other nodes is restored and transactions are confirmed again, so the effect is never devastating.

· A merge attack, however, works quite differently. By tearing the network apart, it creates two independent local networks whose nodes can still communicate with one another without being aware of any danger. Exposing the network layer to merge attacks can cause the consensus mechanism to collapse: nodes always stick to the code-is-law principle, so branches and sub-chains devour one another. If we abandon that principle, forks have to be created by human intervention, which destroys faith in the system. The entire Bitcoin network would undoubtedly break down under several rounds of merge attacks.

It is worth noting that Bitcoin is not the only potential victim of merge attacks; other cryptocurrencies, Ethereum for instance, are exposed to the same fatal attack. Ethereum spared no effort in encrypting its communication protocol to make smart contracts safer, yet its communication protocol is still not difficult to identify and target. Attackers can take advantage of medium- and long-haul links in the network, overlapping heartbeat mechanisms and other basic features to isolate parts of the network and start a merge attack.

Therefore, no cryptocurrency can be perfectly impervious to merge attacks unless adjustments are made at the bottom layer of the communication network to camouflage its traffic. The most talked-about coins nowadays, including Litecoin, Monero, Bitcoin Cash and quantum chain, are no exceptions, and claims to the contrary from those projects seem rather groundless.

When applying consensus algorithms (PoW, PoS, DPoS), we need to prevent transmission from being disturbed or disrupted. Consensus algorithms in distributed systems solve the problems of consistency and validity on the premise that the channels are safe; without that premise, consistency and validity mean nothing.
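The following Python simulation, added here and not part of the original article, plays out the partition in “Brainstorming a catastrophe” (70% of hash power cut off for two hours) together with the regroup phase of the merge attack described above: each side extends the chain on its own, the longer branch wins when the sides reconnect, and the losing side’s transactions are either orphaned or, where the same coin was spent differently on both sides, permanently invalid (the shape of the BTG double-spend). Block counts use the expected value for each side’s hash share, and all transactions are constructed sample data.

```python
import hashlib
from dataclasses import dataclass

BLOCK_INTERVAL_MIN = 10  # one block per ten minutes for the whole network


@dataclass(frozen=True)
class Tx:
    txid: str
    spends: str  # the coin (UTXO) this transaction consumes


@dataclass(frozen=True)
class Block:
    height: int
    parent: str
    miner: str
    txs: tuple

    @property
    def hash(self) -> str:
        raw = f"{self.height}|{self.parent}|{self.miner}|{[t.txid for t in self.txs]}"
        return hashlib.sha256(raw.encode()).hexdigest()[:16]


GENESIS = Block(0, "0" * 16, "genesis", ())


def expected_blocks(hash_share: float, minutes: int) -> int:
    """Expected block count for a partition holding hash_share of global power.
    Real block discovery is random; the expected value keeps the example deterministic."""
    return round(hash_share * minutes / BLOCK_INTERVAL_MIN)


def mine_partition(tip: Block, miner: str, hash_share: float, minutes: int, mempool: list) -> list:
    """Extend `tip` with the blocks one isolated partition finds while cut off,
    spreading the transactions it has seen locally over those blocks (round-robin)."""
    n = expected_blocks(hash_share, minutes)
    blocks = []
    for i in range(n):
        parent = blocks[-1] if blocks else tip
        blocks.append(Block(parent.height + 1, parent.hash, miner, tuple(mempool[i::n])))
    return blocks


def choose_branch(a: list, b: list) -> list:
    """Nakamoto consensus at equal difficulty: the longer branch wins; on a tie, keep a (first seen)."""
    return b if len(b) > len(a) else a


def reorg_report(winner: list, loser: list) -> dict:
    """What the losing partition discovers when the chains merge: its blocks are discarded;
    its transactions are re-mineable unless they conflict with a spend already on the winner."""
    winner_txs = {t.txid for b in winner for t in b.txs}
    winner_spent = {t.spends for b in winner for t in b.txs}
    orphaned, conflicting = [], []
    for b in loser:
        for t in b.txs:
            if t.txid in winner_txs:
                continue  # also confirmed on the winning side, nothing lost
            (conflicting if t.spends in winner_spent else orphaned).append(t.txid)
    return {
        "winner_len": len(winner),
        "loser_len": len(loser),
        "orphaned_txs": orphaned,       # valid, but must be confirmed again from scratch
        "conflicting_txs": conflicting,  # double-spent: permanently invalid on the merged chain
    }


def simulate_outage(outage_minutes: int = 120, china_share: float = 0.7) -> dict:
    # Constructed transactions seen on each side. "coin-9" is spent differently on both sides,
    # which is exactly the conflict a double-spend attacker engineers.
    china_mempool = [Tx("cn-pay-1", "coin-1"), Tx("cn-pay-2", "coin-2"), Tx("cn-sweep", "coin-9")]
    abroad_mempool = [Tx("ab-pay-1", "coin-5"), Tx("ab-deposit", "coin-9"), Tx("ab-pay-2", "coin-6")]
    china = mine_partition(GENESIS, "china-pools", china_share, outage_minutes, china_mempool)
    abroad = mine_partition(GENESIS, "abroad-pools", 1 - china_share, outage_minutes, abroad_mempool)
    winner = choose_branch(china, abroad)
    loser = abroad if winner is china else china
    return reorg_report(winner, loser)


if __name__ == "__main__":
    print(simulate_outage())
```

With the 70/30 split the minority side loses four blocks of work and every transaction it confirmed, including an exchange deposit whose coin was spent elsewhere on the winning side.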

BGP Hijacking

We know that merge attacks are used to destroy blockchains, and the most commonly launched form is BGP hijacking. So the next question is: what is BGP hijacking?

Border Gateway Protocol (BGP) is a crucial component of the Internet, responsible for determining routing paths. BGP hijacking — that is, using BGP to manipulate Internet routing paths — has become more frequent in recent years. Cybercriminals and governments alike have taken advantage of this technique for their own ends, such as traffic misdirection and interception. This blog post will provide an overview of BGP and describe how BGP hijacking is performed.

BGP is a protocol used to exchange routing information between networks on the Internet. It is used to determine the most efficient way to route data between independently operated networks, or Autonomous Systems. As such, BGP is commonly used to find a path to route data from ISP to ISP. It is important to note that BGP is not used to transfer data, but rather to determine the most efficient routing path. The actual transfer is accomplished using whatever protocol is necessary, likely another member of the TCP/IP suite.

Now, assume I need to send data to the other side of the world. Eventually this data must leave the network my ISP controls, and BGP must be used. Of course, a routing path can’t be determined from one Autonomous System alone. This is where BGP peers, or neighbors, come in. Peers are Autonomous Systems that have been manually configured to share routing data. As an Autonomous System “learns” new routes, this information is propagated to its peers. By aggregating routing information received from BGP peers, the router handling the data can identify the most efficient path. This path is determined by a variety of factors, including distance and configuration settings implemented by the router administrator. Because peers, and therefore route propagation, are manually configured, it is necessary to compromise an edge router broadcasting external BGP announcements to perform Internet-level BGP hijacking. Despite this difficulty, BGP hijacking attacks are occurring in the wild. Please refer to Figure I below for a graphical overview of BGP.

Since BGP determines how data travels from its source to its destination, security is a concern. By manipulating BGP, data can be rerouted in an attacker’s favor allowing them to intercept or modify traffic. Internet-level BGP hijacking is performed by configuring an edge router to announce prefixes that have not been assigned to it. If the malicious announcement is more specific than the legitimate one, or claims to offer a shorter path, the traffic may be directed to the attacker. Attackers will frequently target unused prefixes for hijacking to avoid attention from the legitimate owner. By broadcasting false prefix announcements, the compromised router may poison the Routing Information Base (RIB) of its peers, as shown in Figure II. After poisoning one peer, the malicious routing information could propagate to other peers, to other Autonomous Systems, and onto the broader Internet.
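As an added example, not from the original article, the following Python models the two selection rules just described (a more specific prefix wins; at equal prefix length the shorter AS path wins) and the defender’s check against them: route origin validation against a list of ROAs, as RPKI does. The prefixes and AS numbers are constructed from the documentation ranges, and the ROA list is assumed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    as_path: tuple  # AS path as received; the last element is the origin AS


@dataclass(frozen=True)
class Roa:
    """Route Origin Authorisation: origin_as may announce prefix, no more specific than max_length."""
    prefix: ipaddress.IPv4Network
    max_length: int
    origin_as: int


def best_route(rib: list, dst: str):
    """Forwarding decision: longest matching prefix wins; among equal prefixes, shortest AS path."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in rib if addr in r.prefix]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.prefix.prefixlen, len(r.as_path)))


def validate_origin(route: Route, roas: list) -> str:
    """Route origin validation with the usual three states: valid / invalid / not-found."""
    covering = [roa for roa in roas if route.prefix.subnet_of(roa.prefix)]
    if not covering:
        return "not-found"  # no ROA covers this space; RPKI cannot say anything
    origin = route.as_path[-1]
    for roa in covering:
        if roa.origin_as == origin and route.prefix.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"  # wrong origin AS, or more specific than the holder authorised


def drop_invalid(rib: list, roas: list) -> list:
    """The mitigation: refuse to install routes whose origin is proven wrong."""
    return [r for r in rib if validate_origin(r, roas) != "invalid"]


# Constructed scenario using documentation prefixes/ASNs. AS64496 legitimately originates
# 198.51.100.0/24 (learned via AS64500); AS64497 hijacks it two ways.
LEGIT = Route(ipaddress.ip_network("198.51.100.0/24"), (64500, 64496))
MORE_SPECIFIC_HIJACK = Route(ipaddress.ip_network("198.51.100.0/25"), (64497,))
SHORT_PATH_HIJACK = Route(ipaddress.ip_network("198.51.100.0/24"), (64497,))
ROAS = [Roa(ipaddress.ip_network("198.51.100.0/24"), 24, 64496)]  # assumed ROA published by AS64496


if __name__ == "__main__":
    rib = [LEGIT, MORE_SPECIFIC_HIJACK, SHORT_PATH_HIJACK]
    print("without ROV:", best_route(rib, "198.51.100.10"))
    print("with ROV:   ", best_route(drop_invalid(rib, ROAS), "198.51.100.10"))
```

Without origin validation the more specific /25 (and, failing that, the shorter path) captures the traffic; with it, both hijack announcements are marked invalid and the legitimate route is the only one left.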

Multiple instances of BGP hijacking have been recorded in the last three years. In several examples documented by Renesys, BGP hijacking was performed in 2013 to reroute data through arbitrary countries prior to the intended destination. One attack saw traffic, intended to go from Mexico to the United States, diverted to Belarus before reaching its destination. By advertising false BGP broadcasts, the Belarusian ISP successfully propagated illegitimate routes onto the Internet. In this case, corporate or state espionage is a likely explanation. However, there are indications of BGP hijacking being performed by non-state adversaries as well.

In a 2014 attack analyzed by Dell SecureWorks, BGP hijacking was used to intercept Bitcoin miners’ connections to a mining pool server. By rerouting traffic to a mining pool controlled by the attackers, it was possible to steal the cryptocurrency resulting from the victim’s mining. This attack collected an estimated $83,000 in cryptocurrency over a two-month period.

In July 2015, a breach of the surveillance software provider Hacking Team resulted in a leak of internal company emails. The emails revealed that, in 2013, the Italian government worked with Hacking Team and an Italian ISP to conduct BGP hijacking. After an IP block hosting a Hacking Team command and control (C&C) server went offline, the malware communicating with the C&C was also left unreachable. By fraudulently announcing the IP prefix hosting the C&C, Hacking Team reestablished access with the infected machines. This is the first documented instance of a Western government using BGP hijacking.

Mining pools commonly operate across geographic borders, and several ISPs (Internet service providers) may sit between a miner and its pool. Each of these hops is a point at which the connection may be exposed to BGP hijacking.

Fatal Drawbacks: Byzantine Generals Problem & Two Generals’ Problem

Bitcoin is a large-scale social experiment with application of distributed system. It is also referred to as a practical solution to the so-called “Byzantine Generals Problem”. You can google it for more information.

Leslie Lamport, winner of the 2013 Turing Award, first posed the question of fault tolerance in his paper The Byzantine Generals Problem, published in 1980. Lamport, a master who pioneered the study of distributed systems, proposed the most complicated fault-tolerance model the field had seen. Here is the story, known to many of us:

Many of us are no strangers to the history of Byzantium: Byzantium (today’s Istanbul) was the capital of the Eastern Roman Empire. The Empire held vast territory and had to send its armies to different parts of the empire, so the generals had to communicate through messengers. In times of war, the generals, some of whom might be traitors or spies, had to agree on whether or not to attack, and the voting result might well fail to represent the true majority opinion. So the question is: how can the loyal generals stay unaffected by the spies and reach an agreement that represents the majority?

When discussing the Byzantine Generals Problem, we do not need to take the messengers into consideration. Lamport proved that it is impossible to reach agreement over unreliable channels where some messages go missing.

Another problem, “Two Generals’ Problem”, is more fundamental and more intriguing.

Two armies led by two generals were about to capture a well-fortified town. The armies were stationed in different valleys near the town, with a third valley between them, and messengers from one army had to cross that valley to reach the other army’s camp. The problem was that this valley was under enemy control, so some messages could get lost. The two generals had decided to attack together but had not fixed the date. They had to act together, because any unilateral attempt by one army would certainly fail, so they had to send messengers to agree on a date. Moreover, each general had to be sure that his counterpart had actually learned the plan.

The Two Generals’ Problem examines the difficulty of sending messages through an unreliable channel. It is often used in introductory courses to explain why TCP cannot keep both ends of a communication perfectly consistent, and it accounts for the failures possible in any point-to-point communication.

Comparing the two stories, the Byzantine Generals Problem bears an uncanny resemblance to the Two Generals’ Problem. Note, however, that in the Two Generals’ Problem the messengers might be caught by the enemy while crossing the valley: there is no reliable channel, but there are no traitors in the armies either. So the two problems are essentially different.

It is a truth universally acknowledged that the Two Generals’ Problem was the first problem in computer communication proven to have no solution. So we have every reason to believe that the Byzantine Generals Problem cannot be solved either.

That also means that during the transmission of information, some of it may be tampered with, monitored or lost. Perhaps the solution to these problems lies in future “quantum communication”.

We may leave aside the heated debate on which consensus algorithm is best. What we must bear in mind is that the most important thing is to have a safe information channel.

The lack of consideration for the safety of the communication layer is the essential defect of Bitcoin and its theory.

Blockchain Security Obscure (BSO)

Our faith in Bitcoin is built on our faith in “decentralisation”, i.e. we have to make sure the entire system governs itself and stays perfectly impervious to intermediaries. So the success of a cryptocurrency largely depends on whether it has achieved perfect decentralisation. Satoshi took this for granted: he failed to realise that the Internet is built around central servers, and how much that matters for decentralisation. Any failure of decentralisation becomes the Achilles’ heel of Bitcoin and crushes its future.

To fully decentralise Bitcoin and make it a “value network”, we have to make sure its network is safe enough. In reality, there is no network communication that is 100% safe, open and neutral, and quantum communication still has a long way to go before it becomes a reality. So what we can do now is make full use of current technology, focus on safety and cost control, and improve the peer-to-peer communication protocol. We have to work out the best way to safeguard blockchain with sound engineering, so that future attackers can hardly bear the cost of an attack and give up attacks of any form (intercepting, monitoring, disrupting, etc.).

Ethereum and many other cryptocurrencies have begun to use encrypted protocols. This is of course a good start, but these protocols still leave traces that may be of use to attackers. Early this year, a competition was held by the National Engineering Lab of Network Security in which competitors were asked to decrypt files and data; nearly all of them were eventually decrypted.

Therefore we see the unavoidable necessity of designing a new BSO (Blockchain Security Obscure Protocol). Its goal is to obscure and “camouflage” the distinguishing features of data transmission in the peer-to-peer network, so that attackers find them harder to recognise and the cost of launching an attack or interception becomes simply unbearable. That is how we can make blockchain communication much safer.

As a security countermeasure project, BSO normally has two kinds of countermeasure. The first is a direct countermeasure: design a new protocol with stronger encryption, which makes it hard for an intermediary to detect the application service by analysing the traffic. However, the inherent features of the new protocol leave it vulnerable to other attacks. The other is a circuitous, indirect countermeasure: camouflage the application service traffic so that attackers believe there is nothing special about it, while it still works under a legitimate encryption protocol. In this way the traffic becomes hard to identify.

The Blockchain Security Obscure Protocol is only a beginning. Obfuscation technology and machine learning will make progress together as a pair of rivals, competing with each other, and soft forks will help the blockchain network develop into better versions of itself.