From 354e6be565633f69f757469d7996f99ef9b4dfde Mon Sep 17 00:00:00 2001 From: "Yahya Hassanzadeh, Ph.D" Date: Fri, 8 Sep 2023 16:26:05 -0700 Subject: [PATCH 01/22] Create 20230908-message-forensic.md --- protocol/20230908-message-forensic.md | 269 ++++++++++++++++++++++++++ 1 file changed, 269 insertions(+) create mode 100644 protocol/20230908-message-forensic.md diff --git a/protocol/20230908-message-forensic.md b/protocol/20230908-message-forensic.md new file mode 100644 index 00000000..c2925332 --- /dev/null +++ b/protocol/20230908-message-forensic.md @@ -0,0 +1,269 @@ +| Status | Proposed | +:-------------- |:----------------------------------------------------| +| **FLIP #** | [4697](https://github.com/onflow/flow-go/pull/4697) | +| **Author(s)** | Yahya Hassanzadeh (yahya@dapperlabs.com) | +| **Sponsor** | Yahya Hassanzadeh (yahya@dapperlabs.com) | +| **Updated** | 8 September 2023 | + +# Message Forensic (MF) System + +## Summary +This FLIP discusses and compares two potential solutions for the Message Forensic (MF) system in the Flow protocol +— a system that enables Flow protocol to attribute protocol violations to the original malicious sender. +The two solutions under consideration are: (1) GossipSub Message Forensic (GMF), and (2) Enforced Flow-level Signing Policy For All Messages. +We delve into both, listing their pros and cons, to determine which would be more feasible given the considerations of ease of implementation, +performance efficiency, and security guarantees. + +Our analysis finds the "Enforced Flow-level Signing Policy For All Messages" to be the more promising option, +offering a generalized solution that doesn’t hinge on a specific external protocol to send the message (e.g., GossipSub), +steering clear of the complexities tied to maintaining GossipSub envelopes and dodging the necessity of duplicating GossipSub +router’s signature verification procedure at the engine level. Furthermore, it meshes well with the Flow protocol’s existing state. + +## Review Guide +This FLIP is presented as a Pull Request (PR) in the `flow-go` repository. We welcome reviewers to express their opinions and share feedback directly on the PR page, aiming for a structured and productive discussion. To aid this, please adhere to one of the following response frameworks: +1. I favor the "Enforced Flow-level Signing Policy For All Messages" and here are my thoughts: +2. I support the "GossipSub Message Forensic (GMF)" approach, articulating my views as follows. +3. I find both propositions unsatisfactory, elucidating my stance with. + +## Problem Overview +Within the Flow protocol, nodes converse through a networking layer, a medium which undertakes the dispatch and receipt of messages among nodes +via different communication methods: unicast, multicast, and publish. Unicast messages are transmitted to a single recipient over a direct connection. +The multicast and publish, on the other hand, utilize a pub-sub network constructed with the LibP2P GossipSub protocol for message +dissemination. However, this protocol encounters challenges in message attribution, particularly in determining the +initial sender of a message, which is critical for identifying protocol violations and penalizing the malicious initiators. +Below, we break down the issues seen in different communication strategies and their implications. + +### Single Recipient (Unicast) Message Attribution +Unicast messages have an implicit attribution to the sender, i.e., they are attributed to the remote node of the connection +on which the message is received. Albeit, the situation differs when the unicast message carries the explicit signature of the +sender or other attribution data (e.g., the signature of the original sender in case of a forwarded unicast). +In such cases, the message is attributed to the sender that is specified in the attribution data. Nevertheless, the current state of +Flow protocol does not enforce the attribution data to be present in the unicast messages. +A prime example is the [`ChunkDataResponse` messages](https://github.com/onflow/flow-go/blob/master/engine/execution/provider/engine.go#L326-L337) sent by the Execution Nodes to the Verification Nodes over a unicast. +Hence a node in Flow protocol cannot prove that a received unicast message is sent by a specific node, unless the message carries the explicit attribution data. + +### Group and All-Node (Multicast and Publish) Message Attribution +When dealing with multicast or publish messages, the GossipSub router initially [signs it](https://github.com/libp2p/go-libp2p-pubsub/blob/master/sign.go#L109-L134) with a local node's networking key +before releasing it into the pub-sub network. The routers are structured to verify message signatures before forwarding them or making +them accessible to the application layer (i.e., Flow protocol engines). This method does indeed block invalid messages from progressing through the network, +also [penalizing](https://github.com/onflow/flow-go/blob/master/insecure/integration/functional/test/gossipsub/scoring/scoring_test.go#L26-L188) the immediate sender of an invalid message through a built-in scoring mechanism that influences network connections and message forwarding decisions. +Yet, a significant loophole remains: the elimination of authentication data (like signatures) by the GossipSub router during message delivery to the application layer. +This eradication obstructs the Flow protocol's ability to trace a message back to its original sender in cases of protocol violations that happen at a level above the GossipSub layer. + + +## Proposal-1: GossipSub Message Forensic (GMF) +As the first option to (partially) mitigate the gap in the network to hold the malicious senders accountable, +we introduce the GossipSub Message Forensic (GMF) mechanism designed to integrate GossipSub authentication data seamlessly with the +Flow protocol engines. The principal aim is to enhance message authenticity verification through multicast and publish, +focusing on origin identification and event association. Here, we elucidate the method, its interface, and delve into the operational specifics, +weighing its pros and cons against potential alternatives. +In this proposal, we propose a mechanism to share the GossipSub authentication data with the Flow protocol. We call this mechanism +GossipSub Message Forensic (GMF). The idea is to add a new interface method to the [`EngineRegistry` interface](https://github.com/onflow/flow-go/blob/master/network/network.go#L37-L56). +The `EngineRegistry` was previously known as the `Network` interface, and is exposed to individual Flow protocol engines who are interested in receiving the +messages from the networking layer including the GossipSub protocol. In this approach, the `EngineRegistry` interface is extended +by two new methods: `GetGossipSubMessageForEvent` and `VerifyGossipSubMessage`. The `GetGossipSubMessageForEvent` method takes an origin +identifier as well as an event as input, and returns the GossipSub envelope of the message that is associated with the event and +is sent by the origin identifier. +The `VerifyGossipSubMessage` method takes a origin identifier as well as a GossipSub message as input, and verifies the signature of +the message against the networking public key of the origin id. +The method returns true if the signature is valid, and false otherwise. +The event is the scrapped message that is delivered to the application layer by the GossipSub router. The GossipSub envelope +contains the signature of the message, as well as all the other GossipSub metadata that is needed to verify the signature. +```go + +type EngineRegistry interface { + // GetGossipSubMessageForEvent takes a Flow identifier as well as an event as input, and returns the GossipSub envelope of the + // message that is associated with the event and is sent by the origin identifier. The event is the scrapped message that is delivered to the application layer by + // the GossipSub router. The GossipSub envelope contains the signature of the message, as well as all the other GossipSub metadata + // that is needed to verify the signature. + // Args: + // - originId: The Flow identifier of the node that originally sent the message. + // - event: The scrapped message that is delivered to the application layer by the GossipSub router. + // Returns: + // - message: The GossipSub envelope of the message that is associated with the event. + // - error: An error if the message is not found. + GetGossipSubMessageForEvent(originId flow.Identifier, event interface{}) (*pb.Message, error) + + // VerifyGossipSubMessage takes a Flow identifier as well as a GossipSub message as input, and verifies the signature of the + // message. The method returns true if the signature is valid, and false otherwise. + // Args: + // - originId: The Flow identifier of the node that originally sent the message. + // - message: The GossipSub message that is associated with the event. + // Returns: + // - bool: True if the signature is valid, and false otherwise. + // - error: An error if the message is not found. + VerifyGossipSubMessage(originId flow.Identifier, message *pb.Message) (bool, error) + + // Other methods are omitted for brevity + // ... +} +``` + +### Implementation Complexities +- This proposal requires the `LibP2PNode` implementation extract the individual [envelopes (i.e., `*pb.Message`)](https://github.com/libp2p/go-libp2p-pubsub/blob/master/pb/rpc.pb.go#L143-L153) from the incoming GossipSub RPCs. + This is done using the [RPC inspector](https://github.com/libp2p/go-libp2p-pubsub/blob/master/pubsub.go#L1031-L1037) dependency injection. We need to implement a new inspector that extract the envelopes in a non-blocking approach. + We should not block an incoming RPC to extract its messages, as it is interfering with the GossipSub router operation and can harm the message delivery rate of the router. +- The extracted envelopes are then required to stored persistently by their event id in a forensic component with proper ejection mechanism, + which is exposed to the `GetGossipSubMessageForEvent` to query the envelope corresponding to a `(event, originId)` pair. +- This solution also requires replicating the signature verification logic of the GossipSub in `VerifyGossipSubMessage` so that it is accessible to the engines. + We need to extend the signature verification mechanism to account for translation of `originId` from `flow.Identifier` to networking key and `peer.ID` (i.e., LibP2P level identifier). + As the engines are operating based on the `flow.Identifier`, while the GossipSub signatures are generated using the Networking Key of the node. + +### Advantages +1. The GossipSub authentication data is shared with the Flow protocol, providing attribution for `Multicast` and `Publish` messages. +2. The interface is easy to use for the engines, as it abstracts the complexity of translating the origin Flow identifier to the GossipSub peer id, and + verifying the signature of the message against the networking public key of the origin id. +3. The implementation is not a breaking change and is backward compatible with the current state of the Flow protocol. + +### Disadvantages +1. The GossipSub envelope is extractable through an RPC inspector dependency injection, which must be non-blocking and fast (a principle condition + imposed by GossipSub). This means that the GossipSub envelope extraction must be done in a separate goroutine _asynchronously_ to the message delivery to the + application layer. This entails that there can be a glitch between the message delivery to the application layer and the GossipSub envelope extraction. The potential glitch + means that the GossipSub envelope may not be available at the time of the message delivery to the application layer. Accounting for the glitch implies higher complexity in + the implementation of the Flow protocol engines (e.g., timeout queries, etc.). Moreover, the glitch may be exploited by the malicious nodes to perform timing + attacks on the Flow protocol engines and get away from detection. If an attacker can time the message delivery to the application layer in a way that the + GossipSub envelope is not available at the time of the message delivery, then the attacker can send an invalid message and get away from detection, as when + there is no GossipSub envelope available, the Flow protocol engines cannot have forensic evidence to attribute the protocol-level violation to the malicious + sender. +2. Maintaining the GossipSub envelopes poses several challenges: + - There must be an eviction policy to remove the GossipSub envelopes from the memory (or disk) after a certain period of time. Lack of an eviction policy may + lead to memory (or disk) exhaustion attacks. + - Existence of eviction policy may lead to data loss, as the GossipSub envelope may be evicted from the memory (or disk) before the Flow protocol engines + can use it to attribute a protocol-level violation to the malicious sender. + - Existence of eviction policy may also lead to attacks; if an attacker can time the message delivery to the application layer in a way that the GossipSub + envelope is evicted from the memory (or disk) before the Flow protocol engines can use it to attribute a protocol-level violation to the malicious sender, + then the attacker can send an invalid message and get away from attribution, as when there is no GossipSub envelope available, the Flow protocol engines cannot + have forensic evidence to attribute the protocol-level violation to the malicious sender. + - On a happy path when all nodes are honest, the GossipSub envelopes are not needed, and extracting and maintaining them poses a performance overhead. +3. To construct the GossipSub-level signature on an event, this solution requires maintaining the entire [GossipSub message (i.e., envelope)](https://github.com/libp2p/go-libp2p-pubsub/blob/master/pb/rpc.pb.go#L143-L153) which is more than the event itself. + This is because the GossipSub-level signature is generated on the entire message (i.e., envelope) and not just the event. Hence, this solution requires more memory and disk space. +4. This solution requires replicating the signature verification logic of the GossipSub router at the engine level (i.e., `VerifyGossipSubMessage`). Changes to the GossipSub signature + verification procedure may pose as breaking changes and be a blocker for upgrading and keeping up with GossipSub upgrades. +5. The Flow node may receive the same message from multiple senders, and this solution requires all those message envelopes to be stored for forensic purposes. +6. This solution does not cover the unicast messages, as they are not sent through the GossipSub protocol. + +## Proposal-2: Enforced Flow-level Signing Policy For All Messages +In this proposal, we introduce the policy to enforce a Flow-level signature for all messages using the staking key of the node. +The idea is to refactor the [`Conduit` interface](https://github.com/onflow/flow-go/blob/master/network/conduit.go#L26-L57), so that instead of taking an `interface{}` type event, it takes an `Envelope` type event. +The `Envelope` type event is a wrapper around the `interface{}` type event, and contains +the staking key signature of the sender on the event. The `Envelope` type is defined as follows: +```go +type Envelope struct { + // The event that is wrapped by the envelope. + Event interface{} + // The Staking Key signature of the sender on the event. + Signature []byte +} +``` + +Accordingly, the `Conduit` interface is refactored as follows: +```go +type Conduit interface { + Publish(envelope *Envelope, targetIDs ...flow.Identifier) error + + Unicast(envelope *Envelope, targetID flow.Identifier) error + + Multicast(event *Envelope, num uint, targetIDs ...flow.Identifier) error + + // Other methods are omitted for brevity + // ... +} +``` + +In this design, the engine on the sender side is required to sign the messages that are sent through the `Conduit` interface. To impose the safety mechanism, +the `Conduit` interface rejects any message that is not signed by the sender by returning an error. +On the other hand, the [`Engine` (aka `MessageProcessor`)](https://github.com/onflow/flow-go/blob/master/network/engine.go#L14-L60) interface is refactored to receive an `Envelope` type event instead of an `interface{}` type event. +The `Engine` interface is refactored as follows: +```go +// MessageProcessor represents a component which receives messages from the +// networking layer. Since these messages come from other nodes, which may +// be Byzantine, implementations must expect and handle arbitrary message inputs +// (including invalid message types, malformed messages, etc.). Because of this, +// node-internal messages should NEVER be submitted to a component using Process. +type MessageProcessor interface { + // Process is exposed by engines to accept messages from the networking layer. + // Implementations of Process should be non-blocking. In general, Process should + // only queue the message internally by the engine for later async processing. + Process(channel channels.Channel, originID flow.Identifier, envelope *Envelope) error +} +``` +Prior to delivering the message to the engine (i.e., `MessageProcessor`), the networking layer will verify the signature of the `Envelope` against the staking key of the +sender. If the signature is valid, the message will be delivered to the engine. Otherwise, the message will be rejected and reported to the Application Layer Spam Prevention (ALSP system) as an impersonation attempt, hence penalizing the +node who sent it over the network (the remote node in unicast case, and the RPC sender in multicast and publish cases). +In this way, when an engine's `Process` method is called, the engine can be sure that the message is signed by the sender. +Hence, the engine can attribute a protocol-level violation to the malicious sender that originally sent the message. + +### Implementation Complexities +- This proposal requires refactoring the `Conduit` interface, which is used by all the Flow protocol engines to send messages to the networking layer. + Currently, engines are passing arbitrary `interface{}` types as events to the conduits. This proposal requires refactoring the `Conduit` interface and + engines to pass `Envelope` type events to the conduits. +- This proposal requires refactoring the `Engine` interface, which is used by all the Flow protocol engines to receive messages from the networking layer. + Currently, engines are receiving arbitrary `interface{}` types as events from the networking layer. This proposal requires refactoring the `Engine` interface and + engines to receive `Envelope` type events from the networking layer. This is a breaking change and is not backward compatible with the current state of the Flow protocol. +- This proposal requires refactoring the networking layer of the Flow blockchain to verify the signature of the `Envelope` against the staking key of the sender prior to + delivering the message to the engine. + +### Advantages +1. This solution enables Flow protocol with attribution of a protocol-level violation to the malicious sender that originally sent the message. +2. The implementation is simple; contrary to the GMF proposal, there is no need to extract and maintain the GossipSub envelopes, no extra asynchronous processing, storage, and memory management is needed. +3. The signature and event are encapsulated together and are passed to the engine as a single `Envelope` object. Hence, the engine does not need to worry about the signature and event + being out of sync. The lifecycle of the signature and event are managed by the engine itself as an atomic entity, than dividing the responsibility between the engine and the networking layer. +4. This solution not only covers the GossipSub messages, but also covers all the messages that are sent through the `Conduit` interface. Hence, it is a more general solution + that can be used to attribute a protocol-level violation to the malicious sender that originally sent the message, regardless of the protocol that is used to send the message. + For example, the current state of codebase does not enforce signature policy for the `ChunkDataPack` responses that Execution Nodes send to the Verification Nodes over unicast. Hence, + a verification node does not have any forensic evidence to attribute a protocol-level violation to the malicious Execution Node that originally sent the message. +5. The entire authentication data is at the Flow protocol level (i.e., Staking Key) and is not dependent on the GossipSub protocol. Hence, the Flow protocol can attribute a + protocol-level violation to the malicious sender that originally sent the message, regardless of the protocol that is used to send the message, i.e., GossipSub in this case. +6. `Envelope`-based message representation provides nested authentication, i.e., an envelope generated by sender A can be wrapped as an authenticated evidence by sender B, and so on. + +### Disadvantages +1. The implementation is a breaking change and is not backward compatible with the current state of the Flow protocol. We change the `Conduit` interface, which is used by + all the Flow protocol engines to send messages to the networking layer. Hence, all the Flow protocol engines must be refactored to sign the messages that are sent through + the `Conduit` interface. +2. This approach adds a computation overhead to the Flow protocol engines, as the engines must sign all the messages that are sent through the `Conduit` interface, and on the receiving side, the + networking layer must verify the signature of the message against the Staking Key of the sender. This overhead is not negligible, as the Flow protocol engines are the most performance critical components of the Flow blockchain. + Hence, we must carefully evaluate the performance overhead of this approach. Moreover, with this approach, we are extending the size of data sent over the wire by piggybacking the signature. + Assuming that we are using ECDSA with `secp521r1` curve and SHA-512 for hashing, the signature size is ~100 bytes (in theory). Hence, we are adding ~100 bytes to the size of data sent over the wire. + Nevertheless, the performance overhead and the size of data sent over the wire may be an acceptable trade-off for the security guarantees that this approach provides. + +### Is the GossipSub Router Signature Still Necessary? +Yes, maintaining the GossipSub router signature is essential, even while adopting Proposal-2. +The chief purpose of this signature is to authenticate messages at the GossipSub layer, serving as a robust mechanism to weed out invalid messages early in the transmission process, +before reaching the application layer or being relayed to other nodes. Moreover, GossipSub needs its own signature to penalize the immediate sender of an invalid message through a built-in +scoring mechanism that influences network connections and message forwarding decisions. +Drawing a parallel, it is akin to the ephemeral signatures employed in secure sessions like TLS and SSL. +These signatures work diligently to verify the authenticity of the session-level communications. +However, they are transient and do not function to attribute the message to its original sender after the session concludes. +For post-session message attribution, application context-based signatures are used, preserving the integral role of GossipSub-level signatures for real-time session authentication. + +### Is the `Entity` type still required? +In the Flow codebase, [`Entity` objects](https://github.com/onflow/flow-go/blob/master/model/flow/entity.go#L9-L26) are self-identified data structures, meaning that they are singularly identified through their unique hash value. Conversely, the newly proposed `Envelope` type operates through a +framework of self-authentication; it relies on its intrinsic signature to confirm authenticity. +This critical distinction underscores that the `Envelope` type does not serve to replace the `Entity` type. In fact, a viable long-term strategy might involve strictly enveloping the `Entity` type within the `Envelope` type to leverage the strengths of both, as demonstrated below: +```go +type Envelope struct { + // The event that is wrapped by the envelope. + Event Entity + // The Staking Key signature of the sender on the event. + Signature []byte +} +``` + +### Do We Need Additional Signatures for Certain Data Structures in Flow? +In the Flow architecture, various data structures, including the [`ExecutionReceipt` structure](https://github.com/onflow/flow-go/blob/master/model/flow/execution_receipt.go#L11-L18), come with a staking key signature attributed to their creating execution node. +However, this stipulation does not apply universally across all data structures present in Flow, with `ChunkDataResponse` being a notable exception that does not demand the signature +of its originating execution node. + +Preserving the internal signature of a data structure holds considerable importance for future reference and validation processes. +This retention is especially critical when introducing data structures to new nodes, which may either be lagging or freshly joining the network; +the internal signature by the creator facilitates the verification process, allowing the new node to establish trust in the data structure. +On the other hand, the envelope-level signature characterizes the node wrapping the data structure, diverging from the creator’s signature found in the data structure itself. +This approach substantially enhances forensic capabilities. Taking the instance of a scenario where a sender manipulates an execution receipt, compromising its integrity, +the system is designed to not just detect the violation via the executor's internal signature but to robustly attribute the breach to the malicious sender ensuring non-repudiation. +This process, backed by irrefutable forensic evidence, strengthens the transparency and accountability to external parties. + +To fortify security and streamline verification processes, the proposal at hand suggests a reevaluation of the existing signature protocols. +We envision a system where the intrinsic signatures of data structures are detached from the overarching envelope-level signature policy. This proposal serves dual purposes: +1. **Internal Signature As Part Of An Event (e.g., `ExecutionReceipt`'s executor signature:** Ensures protocol-level validation during the data structure processing, affirming that a claimed node genuinely created it. This signature retains its relevance over time, facilitating trust and verification for nodes newly integrated or lagging in the network, as it substantiates the original creator's identity and integrity of the data. +2. **Flow-level Signature:** Plays a pivotal role in tracing protocol violations back to malicious senders, hence fostering accountability and deterring fraudulent activities. Interestingly, this signature operates temporarily, losing its necessity once the engine affirms the message's validity. +This revamped policy opens up the opportunity to reconsider the necessity of internal signatures in various data structures, potentially eliminating them if deemed redundant, thereby streamlining the security process without compromising on the foundational principles of computer security. From a62d12aa8654b956e32686f56c0aeda542c578d0 Mon Sep 17 00:00:00 2001 From: Yahya Hassanzadeh Date: Mon, 11 Sep 2023 17:58:39 -0700 Subject: [PATCH 02/22] updates the proposal --- protocol/20230908-message-forensic.md | 126 ++++++++++++++------------ 1 file changed, 67 insertions(+), 59 deletions(-) diff --git a/protocol/20230908-message-forensic.md b/protocol/20230908-message-forensic.md index c2925332..ae6ab73b 100644 --- a/protocol/20230908-message-forensic.md +++ b/protocol/20230908-message-forensic.md @@ -50,6 +50,23 @@ also [penalizing](https://github.com/onflow/flow-go/blob/master/insecure/integra Yet, a significant loophole remains: the elimination of authentication data (like signatures) by the GossipSub router during message delivery to the application layer. This eradication obstructs the Flow protocol's ability to trace a message back to its original sender in cases of protocol violations that happen at a level above the GossipSub layer. +## Message Structure in Flow +At broad level, the Flow-protocol engines send and receive events as `interface{}` types to each other through their `Conduit` interface of the networking layer. Upon receiving +an event, the networking layer performs two rounds of encoding before sending it over the wire. +- First, the event is [encoded using the CBOR encoding scheme to bytes, which becomes the payload of an internal `messages.Message` protobuf type](https://github.com/onflow/flow-go/blob/master/network/message/message_scope.go#L178-L200). +- Second, for the unicast cases, the `messages.Message` protobuf type is encoded directly to bytes, and is [written over streams](https://github.com/onflow/flow-go/blob/master/network/p2p/p2pnet/network.go#L650) to the remote node. For the pubsub cases, +the `message.Message` protobuf type is [wrapped](https://github.com/onflow/flow-go/blob/master/network/p2p/p2pnode/libp2pNode.go#L422-L438) in a GossipSub envelope `pb.Message` type (internally by the GossipSub), and is gossiped within the network. + +Hence, on the receiving path, the networking layer performs two rounds of decoding before delivering the event to the Flow-protocol engines. +- For the unicast cases, the networking layer reads the bytes from the stream, and decodes the `messages.Message` protobuf type from the bytes. Then, the `messages.Message.Payload` +is decoded to an `interface{}` type event using CBOR, and is delivered to the Flow-protocol engines. +- For the pubsub cases, the networking layer receives the `pb.Message` type from GossipSub, and decodes the `messages.Message` protobuf type from the `pb.Message.Data` bytes. +Then, the `messages.Message.Payload` is decoded to an `interface{}` type event using CBOR, and is delivered to the Flow-protocol engines. + +In the rest of this FLIP, we refer to `pb.Message` as the GossipSub envelop, and to the `message.Message` as the Flow message. Hence, in a nutshell: +- For the unicast case, the event is wrapped in a Flow message type. +- For the pubsub case, the event is wrapped in a Flow message type, which is then wrapped in a GossipSub envelope type. +- The GossipSub envelop contains the signature of the sender over the entire envelope. The signature is generated using the networking key of the sender by the GossipSub router. ## Proposal-1: GossipSub Message Forensic (GMF) As the first option to (partially) mitigate the gap in the network to hold the malicious senders accountable, @@ -58,32 +75,39 @@ Flow protocol engines. The principal aim is to enhance message authenticity veri focusing on origin identification and event association. Here, we elucidate the method, its interface, and delve into the operational specifics, weighing its pros and cons against potential alternatives. In this proposal, we propose a mechanism to share the GossipSub authentication data with the Flow protocol. We call this mechanism -GossipSub Message Forensic (GMF). The idea is to add a new interface method to the [`EngineRegistry` interface](https://github.com/onflow/flow-go/blob/master/network/network.go#L37-L56). +GossipSub Message Forensic (GMF). + +At the current state of the code, the networking layer receives the [raw GossipSub envelop](https://github.com/onflow/flow-go/blob/master/network/p2p/p2pnet/internal/readSubscription.go#L48) from its underlying pubsub router, +validates it, and passes the incorporated Flow message to for further decoding. The Flow message is then decoded to an `interface{}` type event, +and is delivered to the Flow protocol engines. The idea is to pass along the GossipSub envelop to the Flow protocol engines together with their `interface{}` type event. +In this way, the Flow protocol engines can have access to the GossipSub authentication data. The rough idea is depicted in the following figure. +Note that it is not a production-ready code, we need to architect the solution in an Object Oriented Manner with proper abstraction and encapsulation of the interface. In this figure, +we intentionally pass along the envelope together with the event for sake of simplicity. In the actual implementation, we need to abstract the envelope and event in a single object +and pass it to the Flow protocol engines. We have to also account for the unicast case that does not have a GossipSub envelop. +```go +```go +// MessageProcessor represents a component which receives messages from the +// networking layer. Since these messages come from other nodes, which may +// be Byzantine, implementations must expect and handle arbitrary message inputs +// (including invalid message types, malformed messages, etc.). Because of this, +// node-internal messages should NEVER be submitted to a component using Process. +type MessageProcessor interface { + // Process is exposed by engines to accept messages from the networking layer. + // Implementations of Process should be non-blocking. In general, Process should + // only queue the message internally by the engine for later async processing. + Process(channel channels.Channel, originID flow.Identifier, event interface{}, envelope *pb.Message) error +} +``` + +In order to enable the engines with verification capabilities of the envelope signature in this proposal, we add new interface methods to the [`EngineRegistry` interface](https://github.com/onflow/flow-go/blob/master/network/network.go#L37-L56). The `EngineRegistry` was previously known as the `Network` interface, and is exposed to individual Flow protocol engines who are interested in receiving the messages from the networking layer including the GossipSub protocol. In this approach, the `EngineRegistry` interface is extended -by two new methods: `GetGossipSubMessageForEvent` and `VerifyGossipSubMessage`. The `GetGossipSubMessageForEvent` method takes an origin -identifier as well as an event as input, and returns the GossipSub envelope of the message that is associated with the event and -is sent by the origin identifier. -The `VerifyGossipSubMessage` method takes a origin identifier as well as a GossipSub message as input, and verifies the signature of -the message against the networking public key of the origin id. -The method returns true if the signature is valid, and false otherwise. -The event is the scrapped message that is delivered to the application layer by the GossipSub router. The GossipSub envelope -contains the signature of the message, as well as all the other GossipSub metadata that is needed to verify the signature. +by two new methods: `VerifyGossipSubMessage`. The `VerifyGossipSubMessage` method takes an origin identifier, an event `interface{} type`, +as well as the GossipSub message as input, and verifies the signature of the message against the networking public key of the origin id. +The method returns true if the signature is valid, and false otherwise. ```go type EngineRegistry interface { - // GetGossipSubMessageForEvent takes a Flow identifier as well as an event as input, and returns the GossipSub envelope of the - // message that is associated with the event and is sent by the origin identifier. The event is the scrapped message that is delivered to the application layer by - // the GossipSub router. The GossipSub envelope contains the signature of the message, as well as all the other GossipSub metadata - // that is needed to verify the signature. - // Args: - // - originId: The Flow identifier of the node that originally sent the message. - // - event: The scrapped message that is delivered to the application layer by the GossipSub router. - // Returns: - // - message: The GossipSub envelope of the message that is associated with the event. - // - error: An error if the message is not found. - GetGossipSubMessageForEvent(originId flow.Identifier, event interface{}) (*pb.Message, error) - // VerifyGossipSubMessage takes a Flow identifier as well as a GossipSub message as input, and verifies the signature of the // message. The method returns true if the signature is valid, and false otherwise. // Args: @@ -92,7 +116,7 @@ type EngineRegistry interface { // Returns: // - bool: True if the signature is valid, and false otherwise. // - error: An error if the message is not found. - VerifyGossipSubMessage(originId flow.Identifier, message *pb.Message) (bool, error) + VerifyGossipSubMessage(originId flow.Identifier, event interface{}, message *pb.Message) (bool, error) // Other methods are omitted for brevity // ... @@ -100,11 +124,9 @@ type EngineRegistry interface { ``` ### Implementation Complexities -- This proposal requires the `LibP2PNode` implementation extract the individual [envelopes (i.e., `*pb.Message`)](https://github.com/libp2p/go-libp2p-pubsub/blob/master/pb/rpc.pb.go#L143-L153) from the incoming GossipSub RPCs. - This is done using the [RPC inspector](https://github.com/libp2p/go-libp2p-pubsub/blob/master/pubsub.go#L1031-L1037) dependency injection. We need to implement a new inspector that extract the envelopes in a non-blocking approach. - We should not block an incoming RPC to extract its messages, as it is interfering with the GossipSub router operation and can harm the message delivery rate of the router. -- The extracted envelopes are then required to stored persistently by their event id in a forensic component with proper ejection mechanism, - which is exposed to the `GetGossipSubMessageForEvent` to query the envelope corresponding to a `(event, originId)` pair. +- This proposal requires refactoring the message processing pipeline of the networking layer to pass along the GossipSub envelop together with the event to the Flow protocol engines. We need to + also refactor the `Engine`'s `Process` method in a way that it can accept the GossipSub envelop together with the event. The implementation should account for proper encapsulation and abstraction of the interface, + to also support the unicast case that does not have a GossipSub envelop. - This solution also requires replicating the signature verification logic of the GossipSub in `VerifyGossipSubMessage` so that it is accessible to the engines. We need to extend the signature verification mechanism to account for translation of `originId` from `flow.Identifier` to networking key and `peer.ID` (i.e., LibP2P level identifier). As the engines are operating based on the `flow.Identifier`, while the GossipSub signatures are generated using the Networking Key of the node. @@ -113,34 +135,21 @@ type EngineRegistry interface { 1. The GossipSub authentication data is shared with the Flow protocol, providing attribution for `Multicast` and `Publish` messages. 2. The interface is easy to use for the engines, as it abstracts the complexity of translating the origin Flow identifier to the GossipSub peer id, and verifying the signature of the message against the networking public key of the origin id. -3. The implementation is not a breaking change and is backward compatible with the current state of the Flow protocol. +3. The implementation is **not a breaking change** and is backward compatible with the current state of the Flow protocol. ### Disadvantages -1. The GossipSub envelope is extractable through an RPC inspector dependency injection, which must be non-blocking and fast (a principle condition - imposed by GossipSub). This means that the GossipSub envelope extraction must be done in a separate goroutine _asynchronously_ to the message delivery to the - application layer. This entails that there can be a glitch between the message delivery to the application layer and the GossipSub envelope extraction. The potential glitch - means that the GossipSub envelope may not be available at the time of the message delivery to the application layer. Accounting for the glitch implies higher complexity in - the implementation of the Flow protocol engines (e.g., timeout queries, etc.). Moreover, the glitch may be exploited by the malicious nodes to perform timing - attacks on the Flow protocol engines and get away from detection. If an attacker can time the message delivery to the application layer in a way that the - GossipSub envelope is not available at the time of the message delivery, then the attacker can send an invalid message and get away from detection, as when - there is no GossipSub envelope available, the Flow protocol engines cannot have forensic evidence to attribute the protocol-level violation to the malicious - sender. -2. Maintaining the GossipSub envelopes poses several challenges: - - There must be an eviction policy to remove the GossipSub envelopes from the memory (or disk) after a certain period of time. Lack of an eviction policy may - lead to memory (or disk) exhaustion attacks. - - Existence of eviction policy may lead to data loss, as the GossipSub envelope may be evicted from the memory (or disk) before the Flow protocol engines - can use it to attribute a protocol-level violation to the malicious sender. - - Existence of eviction policy may also lead to attacks; if an attacker can time the message delivery to the application layer in a way that the GossipSub - envelope is evicted from the memory (or disk) before the Flow protocol engines can use it to attribute a protocol-level violation to the malicious sender, - then the attacker can send an invalid message and get away from attribution, as when there is no GossipSub envelope available, the Flow protocol engines cannot - have forensic evidence to attribute the protocol-level violation to the malicious sender. - - On a happy path when all nodes are honest, the GossipSub envelopes are not needed, and extracting and maintaining them poses a performance overhead. -3. To construct the GossipSub-level signature on an event, this solution requires maintaining the entire [GossipSub message (i.e., envelope)](https://github.com/libp2p/go-libp2p-pubsub/blob/master/pb/rpc.pb.go#L143-L153) which is more than the event itself. - This is because the GossipSub-level signature is generated on the entire message (i.e., envelope) and not just the event. Hence, this solution requires more memory and disk space. -4. This solution requires replicating the signature verification logic of the GossipSub router at the engine level (i.e., `VerifyGossipSubMessage`). Changes to the GossipSub signature +1. This solution does not cover the unicast messages, as they are not sent through the GossipSub protocol. +2. To construct the GossipSub-level signature on an event, this solution requires maintaining the entire [GossipSub message (i.e., envelope)](https://github.com/libp2p/go-libp2p-pubsub/blob/master/pb/rpc.pb.go#L143-L153) which is more than the event itself. + This is because the GossipSub-level signature is generated on the entire message (i.e., envelope) and not just the event. Hence, this solution requires more memory footprint. +3. This solution requires replicating the signature verification logic of the GossipSub router at the engine level (i.e., `VerifyGossipSubMessage`). Changes to the GossipSub signature verification procedure may pose as breaking changes and be a blocker for upgrading and keeping up with GossipSub upgrades. -5. The Flow node may receive the same message from multiple senders, and this solution requires all those message envelopes to be stored for forensic purposes. -6. This solution does not cover the unicast messages, as they are not sent through the GossipSub protocol. +4. Verification logic is not trivial: + - The first step is to ensure the event is wrapped in a GossipSub envelope. If not, the verification fails; for this, we need to replicate the entire encoding path down to the GossipSub level + as wrapping the Flow message in the GossipSub envelope is done internally at the GossipSub and is not exposed to the Flow codebase. The replication may also cause another layer of coupling + that causes breaking changes in the future upgrades of GossipSub. + - The second step is to verify the signature of the GossipSub envelope against the networking public key of the origin id. This requires translating the origin id from `flow.Identifier` + to networking key and `peer.ID` (i.e., LibP2P level identifier), and replicating the signature verification logic of the GossipSub router, which is another layer of coupling that + causes breaking changes in the future upgrades of GossipSub. ## Proposal-2: Enforced Flow-level Signing Policy For All Messages In this proposal, we introduce the policy to enforce a Flow-level signature for all messages using the staking key of the node. @@ -205,19 +214,18 @@ Hence, the engine can attribute a protocol-level violation to the malicious send ### Advantages 1. This solution enables Flow protocol with attribution of a protocol-level violation to the malicious sender that originally sent the message. -2. The implementation is simple; contrary to the GMF proposal, there is no need to extract and maintain the GossipSub envelopes, no extra asynchronous processing, storage, and memory management is needed. -3. The signature and event are encapsulated together and are passed to the engine as a single `Envelope` object. Hence, the engine does not need to worry about the signature and event - being out of sync. The lifecycle of the signature and event are managed by the engine itself as an atomic entity, than dividing the responsibility between the engine and the networking layer. -4. This solution not only covers the GossipSub messages, but also covers all the messages that are sent through the `Conduit` interface. Hence, it is a more general solution +2. The implementation is simple; contrary to the GMF proposal, there is no need to maintain and pass-along the GossipSub envelopes and no extra memory footprint. +3. This solution not only covers the GossipSub messages, but also covers all the messages that are sent through the `Conduit` interface. Hence, it is a more general solution that can be used to attribute a protocol-level violation to the malicious sender that originally sent the message, regardless of the protocol that is used to send the message. For example, the current state of codebase does not enforce signature policy for the `ChunkDataPack` responses that Execution Nodes send to the Verification Nodes over unicast. Hence, a verification node does not have any forensic evidence to attribute a protocol-level violation to the malicious Execution Node that originally sent the message. -5. The entire authentication data is at the Flow protocol level (i.e., Staking Key) and is not dependent on the GossipSub protocol. Hence, the Flow protocol can attribute a +4. The entire authentication data is at the Flow protocol level (i.e., Staking Key) and is not dependent on the GossipSub protocol. Hence, the Flow protocol can attribute a protocol-level violation to the malicious sender that originally sent the message, regardless of the protocol that is used to send the message, i.e., GossipSub in this case. -6. `Envelope`-based message representation provides nested authentication, i.e., an envelope generated by sender A can be wrapped as an authenticated evidence by sender B, and so on. +6. `Envelope`-based message representation provides nested authentication, i.e., an envelope generated by sender A can be wrapped as an authenticated evidence by sender B, and so on, with + minimum overhead. This is a powerful feature that can be leveraged to build a robust forensic system. ### Disadvantages -1. The implementation is a breaking change and is not backward compatible with the current state of the Flow protocol. We change the `Conduit` interface, which is used by +1. The implementation is a **breaking change** and is not backward compatible with the current state of the Flow protocol. We change the `Conduit` interface, which is used by all the Flow protocol engines to send messages to the networking layer. Hence, all the Flow protocol engines must be refactored to sign the messages that are sent through the `Conduit` interface. 2. This approach adds a computation overhead to the Flow protocol engines, as the engines must sign all the messages that are sent through the `Conduit` interface, and on the receiving side, the From eaec2589c88801407ec800279398298959b6f427 Mon Sep 17 00:00:00 2001 From: Yahya Hassanzadeh Date: Mon, 11 Sep 2023 18:01:00 -0700 Subject: [PATCH 03/22] fix --- protocol/20230908-message-forensic.md | 1 - 1 file changed, 1 deletion(-) diff --git a/protocol/20230908-message-forensic.md b/protocol/20230908-message-forensic.md index ae6ab73b..0647fa7b 100644 --- a/protocol/20230908-message-forensic.md +++ b/protocol/20230908-message-forensic.md @@ -85,7 +85,6 @@ Note that it is not a production-ready code, we need to architect the solution i we intentionally pass along the envelope together with the event for sake of simplicity. In the actual implementation, we need to abstract the envelope and event in a single object and pass it to the Flow protocol engines. We have to also account for the unicast case that does not have a GossipSub envelop. ```go -```go // MessageProcessor represents a component which receives messages from the // networking layer. Since these messages come from other nodes, which may // be Byzantine, implementations must expect and handle arbitrary message inputs From 53226235bc61512edacc972f27f4fd0ed33a6f6e Mon Sep 17 00:00:00 2001 From: Yahya Hassanzadeh Date: Mon, 11 Sep 2023 18:02:38 -0700 Subject: [PATCH 04/22] fix --- protocol/20230908-message-forensic.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/protocol/20230908-message-forensic.md b/protocol/20230908-message-forensic.md index 0647fa7b..836e5782 100644 --- a/protocol/20230908-message-forensic.md +++ b/protocol/20230908-message-forensic.md @@ -142,8 +142,8 @@ type EngineRegistry interface { This is because the GossipSub-level signature is generated on the entire message (i.e., envelope) and not just the event. Hence, this solution requires more memory footprint. 3. This solution requires replicating the signature verification logic of the GossipSub router at the engine level (i.e., `VerifyGossipSubMessage`). Changes to the GossipSub signature verification procedure may pose as breaking changes and be a blocker for upgrading and keeping up with GossipSub upgrades. -4. Verification logic is not trivial: - - The first step is to ensure the event is wrapped in a GossipSub envelope. If not, the verification fails; for this, we need to replicate the entire encoding path down to the GossipSub level +4. Verification logic is not straightforward, as it requires at least two steps: + - The first step is to ensure the event is wrapped in a GossipSub envelope. If not, the verification fails. For this we need to replicate the entire encoding path down to the GossipSub level as wrapping the Flow message in the GossipSub envelope is done internally at the GossipSub and is not exposed to the Flow codebase. The replication may also cause another layer of coupling that causes breaking changes in the future upgrades of GossipSub. - The second step is to verify the signature of the GossipSub envelope against the networking public key of the origin id. This requires translating the origin id from `flow.Identifier` From b6d6a3d69097b327be2322562d60bacecb9f64a1 Mon Sep 17 00:00:00 2001 From: "Yahya Hassanzadeh, Ph.D" Date: Wed, 13 Sep 2023 15:10:10 -0700 Subject: [PATCH 05/22] Update protocol/20230908-message-forensic.md Co-authored-by: Misha <15269764+gomisha@users.noreply.github.com> --- protocol/20230908-message-forensic.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/protocol/20230908-message-forensic.md b/protocol/20230908-message-forensic.md index 836e5782..ef9871e5 100644 --- a/protocol/20230908-message-forensic.md +++ b/protocol/20230908-message-forensic.md @@ -1,6 +1,6 @@ | Status | Proposed | :-------------- |:----------------------------------------------------| -| **FLIP #** | [4697](https://github.com/onflow/flow-go/pull/4697) | +| **FLIP #** | [195](https://github.com/onflow/flips/pull/195) | | **Author(s)** | Yahya Hassanzadeh (yahya@dapperlabs.com) | | **Sponsor** | Yahya Hassanzadeh (yahya@dapperlabs.com) | | **Updated** | 8 September 2023 | From 2a31789995cf050a4abc4b9cabb5a84a167b132f Mon Sep 17 00:00:00 2001 From: "Yahya Hassanzadeh, Ph.D" Date: Wed, 13 Sep 2023 15:10:29 -0700 Subject: [PATCH 06/22] Update protocol/20230908-message-forensic.md Co-authored-by: Misha <15269764+gomisha@users.noreply.github.com> --- protocol/20230908-message-forensic.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/protocol/20230908-message-forensic.md b/protocol/20230908-message-forensic.md index ef9871e5..3819c2ec 100644 --- a/protocol/20230908-message-forensic.md +++ b/protocol/20230908-message-forensic.md @@ -39,7 +39,7 @@ on which the message is received. Albeit, the situation differs when the unicast sender or other attribution data (e.g., the signature of the original sender in case of a forwarded unicast). In such cases, the message is attributed to the sender that is specified in the attribution data. Nevertheless, the current state of Flow protocol does not enforce the attribution data to be present in the unicast messages. -A prime example is the [`ChunkDataResponse` messages](https://github.com/onflow/flow-go/blob/master/engine/execution/provider/engine.go#L326-L337) sent by the Execution Nodes to the Verification Nodes over a unicast. +A prime example is the [`ChunkDataResponse` messages](https://github.com/onflow/flow-go/blob/a85341d949c8a4e42e3d1d62bcf6fbf3d7f76bd9/engine/execution/provider/engine.go#L326-L337) sent by the Execution Nodes to the Verification Nodes over a unicast. Hence a node in Flow protocol cannot prove that a received unicast message is sent by a specific node, unless the message carries the explicit attribution data. ### Group and All-Node (Multicast and Publish) Message Attribution From 684924621c120a79272688997df5b1ea85396c9e Mon Sep 17 00:00:00 2001 From: "Yahya Hassanzadeh, Ph.D" Date: Wed, 13 Sep 2023 15:10:58 -0700 Subject: [PATCH 07/22] Update protocol/20230908-message-forensic.md Co-authored-by: Misha <15269764+gomisha@users.noreply.github.com> --- protocol/20230908-message-forensic.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/protocol/20230908-message-forensic.md b/protocol/20230908-message-forensic.md index 3819c2ec..e76280dc 100644 --- a/protocol/20230908-message-forensic.md +++ b/protocol/20230908-message-forensic.md @@ -77,7 +77,7 @@ weighing its pros and cons against potential alternatives. In this proposal, we propose a mechanism to share the GossipSub authentication data with the Flow protocol. We call this mechanism GossipSub Message Forensic (GMF). -At the current state of the code, the networking layer receives the [raw GossipSub envelop](https://github.com/onflow/flow-go/blob/master/network/p2p/p2pnet/internal/readSubscription.go#L48) from its underlying pubsub router, +At the current state of the code, the networking layer receives the [raw GossipSub envelope](https://github.com/onflow/flow-go/blob/master/network/p2p/p2pnet/internal/readSubscription.go#L48) from its underlying pubsub router, validates it, and passes the incorporated Flow message to for further decoding. The Flow message is then decoded to an `interface{}` type event, and is delivered to the Flow protocol engines. The idea is to pass along the GossipSub envelop to the Flow protocol engines together with their `interface{}` type event. In this way, the Flow protocol engines can have access to the GossipSub authentication data. The rough idea is depicted in the following figure. From ebf3feea54449ea9f70969954bb0140683f113fc Mon Sep 17 00:00:00 2001 From: "Yahya Hassanzadeh, Ph.D" Date: Wed, 13 Sep 2023 15:11:06 -0700 Subject: [PATCH 08/22] Update protocol/20230908-message-forensic.md Co-authored-by: Misha <15269764+gomisha@users.noreply.github.com> --- protocol/20230908-message-forensic.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/protocol/20230908-message-forensic.md b/protocol/20230908-message-forensic.md index e76280dc..4e405590 100644 --- a/protocol/20230908-message-forensic.md +++ b/protocol/20230908-message-forensic.md @@ -66,7 +66,7 @@ Then, the `messages.Message.Payload` is decoded to an `interface{}` type event u In the rest of this FLIP, we refer to `pb.Message` as the GossipSub envelop, and to the `message.Message` as the Flow message. Hence, in a nutshell: - For the unicast case, the event is wrapped in a Flow message type. - For the pubsub case, the event is wrapped in a Flow message type, which is then wrapped in a GossipSub envelope type. -- The GossipSub envelop contains the signature of the sender over the entire envelope. The signature is generated using the networking key of the sender by the GossipSub router. +- The GossipSub envelope contains the signature of the sender over the entire envelope. The signature is generated using the networking key of the sender by the GossipSub router. ## Proposal-1: GossipSub Message Forensic (GMF) As the first option to (partially) mitigate the gap in the network to hold the malicious senders accountable, From a7272a6c01fa8ccce42e30d6cdd555bfa71a4816 Mon Sep 17 00:00:00 2001 From: "Yahya Hassanzadeh, Ph.D" Date: Wed, 13 Sep 2023 15:11:11 -0700 Subject: [PATCH 09/22] Update protocol/20230908-message-forensic.md Co-authored-by: Misha <15269764+gomisha@users.noreply.github.com> --- protocol/20230908-message-forensic.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/protocol/20230908-message-forensic.md b/protocol/20230908-message-forensic.md index 4e405590..9afa616d 100644 --- a/protocol/20230908-message-forensic.md +++ b/protocol/20230908-message-forensic.md @@ -123,7 +123,7 @@ type EngineRegistry interface { ``` ### Implementation Complexities -- This proposal requires refactoring the message processing pipeline of the networking layer to pass along the GossipSub envelop together with the event to the Flow protocol engines. We need to +- This proposal requires refactoring the message processing pipeline of the networking layer to pass along the GossipSub envelope together with the event to the Flow protocol engines. We need to also refactor the `Engine`'s `Process` method in a way that it can accept the GossipSub envelop together with the event. The implementation should account for proper encapsulation and abstraction of the interface, to also support the unicast case that does not have a GossipSub envelop. - This solution also requires replicating the signature verification logic of the GossipSub in `VerifyGossipSubMessage` so that it is accessible to the engines. From 486d7b6348fc0ee7340e8badb5a5649cf9197633 Mon Sep 17 00:00:00 2001 From: "Yahya Hassanzadeh, Ph.D" Date: Wed, 13 Sep 2023 15:11:17 -0700 Subject: [PATCH 10/22] Update protocol/20230908-message-forensic.md Co-authored-by: Misha <15269764+gomisha@users.noreply.github.com> --- protocol/20230908-message-forensic.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/protocol/20230908-message-forensic.md b/protocol/20230908-message-forensic.md index 9afa616d..b730649e 100644 --- a/protocol/20230908-message-forensic.md +++ b/protocol/20230908-message-forensic.md @@ -83,7 +83,7 @@ and is delivered to the Flow protocol engines. The idea is to pass along the Gos In this way, the Flow protocol engines can have access to the GossipSub authentication data. The rough idea is depicted in the following figure. Note that it is not a production-ready code, we need to architect the solution in an Object Oriented Manner with proper abstraction and encapsulation of the interface. In this figure, we intentionally pass along the envelope together with the event for sake of simplicity. In the actual implementation, we need to abstract the envelope and event in a single object -and pass it to the Flow protocol engines. We have to also account for the unicast case that does not have a GossipSub envelop. +and pass it to the Flow protocol engines. We have to also account for the unicast case that does not have a GossipSub envelope. ```go // MessageProcessor represents a component which receives messages from the // networking layer. Since these messages come from other nodes, which may From 04f9cfaa03250662c003e4b7c91863ec77e7910a Mon Sep 17 00:00:00 2001 From: "Yahya Hassanzadeh, Ph.D" Date: Wed, 13 Sep 2023 15:11:30 -0700 Subject: [PATCH 11/22] Update protocol/20230908-message-forensic.md Co-authored-by: Misha <15269764+gomisha@users.noreply.github.com> --- protocol/20230908-message-forensic.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/protocol/20230908-message-forensic.md b/protocol/20230908-message-forensic.md index b730649e..41084b26 100644 --- a/protocol/20230908-message-forensic.md +++ b/protocol/20230908-message-forensic.md @@ -150,7 +150,7 @@ type EngineRegistry interface { to networking key and `peer.ID` (i.e., LibP2P level identifier), and replicating the signature verification logic of the GossipSub router, which is another layer of coupling that causes breaking changes in the future upgrades of GossipSub. -## Proposal-2: Enforced Flow-level Signing Policy For All Messages +## Proposal-2: Flow-level Signing (FLS) In this proposal, we introduce the policy to enforce a Flow-level signature for all messages using the staking key of the node. The idea is to refactor the [`Conduit` interface](https://github.com/onflow/flow-go/blob/master/network/conduit.go#L26-L57), so that instead of taking an `interface{}` type event, it takes an `Envelope` type event. The `Envelope` type event is a wrapper around the `interface{}` type event, and contains From c887e31f3fe538fee55f848931eba30b3c845c35 Mon Sep 17 00:00:00 2001 From: "Yahya Hassanzadeh, Ph.D" Date: Wed, 13 Sep 2023 15:11:41 -0700 Subject: [PATCH 12/22] Update protocol/20230908-message-forensic.md Co-authored-by: Misha <15269764+gomisha@users.noreply.github.com> --- protocol/20230908-message-forensic.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/protocol/20230908-message-forensic.md b/protocol/20230908-message-forensic.md index 41084b26..9e577b55 100644 --- a/protocol/20230908-message-forensic.md +++ b/protocol/20230908-message-forensic.md @@ -271,6 +271,6 @@ This process, backed by irrefutable forensic evidence, strengthens the transpare To fortify security and streamline verification processes, the proposal at hand suggests a reevaluation of the existing signature protocols. We envision a system where the intrinsic signatures of data structures are detached from the overarching envelope-level signature policy. This proposal serves dual purposes: -1. **Internal Signature As Part Of An Event (e.g., `ExecutionReceipt`'s executor signature:** Ensures protocol-level validation during the data structure processing, affirming that a claimed node genuinely created it. This signature retains its relevance over time, facilitating trust and verification for nodes newly integrated or lagging in the network, as it substantiates the original creator's identity and integrity of the data. +1. **Internal Signature As Part Of An Event (e.g., `ExecutionReceipt`'s executor signature):** Ensures protocol-level validation during the data structure processing, affirming that a claimed node genuinely created it. This signature retains its relevance over time, facilitating trust and verification for nodes newly integrated or lagging in the network, as it substantiates the original creator's identity and integrity of the data. 2. **Flow-level Signature:** Plays a pivotal role in tracing protocol violations back to malicious senders, hence fostering accountability and deterring fraudulent activities. Interestingly, this signature operates temporarily, losing its necessity once the engine affirms the message's validity. This revamped policy opens up the opportunity to reconsider the necessity of internal signatures in various data structures, potentially eliminating them if deemed redundant, thereby streamlining the security process without compromising on the foundational principles of computer security. From 74965c2959193f497e2f484a43984645e4818c0f Mon Sep 17 00:00:00 2001 From: "Yahya Hassanzadeh, Ph.D" Date: Wed, 13 Sep 2023 15:11:49 -0700 Subject: [PATCH 13/22] Update protocol/20230908-message-forensic.md Co-authored-by: Misha <15269764+gomisha@users.noreply.github.com> --- protocol/20230908-message-forensic.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/protocol/20230908-message-forensic.md b/protocol/20230908-message-forensic.md index 9e577b55..b4fc8681 100644 --- a/protocol/20230908-message-forensic.md +++ b/protocol/20230908-message-forensic.md @@ -266,7 +266,7 @@ This retention is especially critical when introducing data structures to new no the internal signature by the creator facilitates the verification process, allowing the new node to establish trust in the data structure. On the other hand, the envelope-level signature characterizes the node wrapping the data structure, diverging from the creator’s signature found in the data structure itself. This approach substantially enhances forensic capabilities. Taking the instance of a scenario where a sender manipulates an execution receipt, compromising its integrity, -the system is designed to not just detect the violation via the executor's internal signature but to robustly attribute the breach to the malicious sender ensuring non-repudiation. +the system is designed to not just detect the violation via the executor's internal signature but to robustly attribute the breach to the malicious sender (via `Envelope` validation) ensuring non-repudiation. This process, backed by irrefutable forensic evidence, strengthens the transparency and accountability to external parties. To fortify security and streamline verification processes, the proposal at hand suggests a reevaluation of the existing signature protocols. From 76650a5b9fcf2803381d9f73f06275685145e412 Mon Sep 17 00:00:00 2001 From: "Yahya Hassanzadeh, Ph.D" Date: Wed, 13 Sep 2023 15:11:57 -0700 Subject: [PATCH 14/22] Update protocol/20230908-message-forensic.md Co-authored-by: Misha <15269764+gomisha@users.noreply.github.com> --- protocol/20230908-message-forensic.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/protocol/20230908-message-forensic.md b/protocol/20230908-message-forensic.md index b4fc8681..f4d6b536 100644 --- a/protocol/20230908-message-forensic.md +++ b/protocol/20230908-message-forensic.md @@ -101,7 +101,7 @@ type MessageProcessor interface { In order to enable the engines with verification capabilities of the envelope signature in this proposal, we add new interface methods to the [`EngineRegistry` interface](https://github.com/onflow/flow-go/blob/master/network/network.go#L37-L56). The `EngineRegistry` was previously known as the `Network` interface, and is exposed to individual Flow protocol engines who are interested in receiving the messages from the networking layer including the GossipSub protocol. In this approach, the `EngineRegistry` interface is extended -by two new methods: `VerifyGossipSubMessage`. The `VerifyGossipSubMessage` method takes an origin identifier, an event `interface{} type`, +by one new method: `VerifyGossipSubMessage`. The `VerifyGossipSubMessage` method takes an origin identifier, an event `interface{} type`, as well as the GossipSub message as input, and verifies the signature of the message against the networking public key of the origin id. The method returns true if the signature is valid, and false otherwise. ```go From 11a277061c84a1b0c68cceb352063ddf1bcdfcce Mon Sep 17 00:00:00 2001 From: "Yahya Hassanzadeh, Ph.D" Date: Wed, 13 Sep 2023 15:12:08 -0700 Subject: [PATCH 15/22] Update protocol/20230908-message-forensic.md Co-authored-by: Misha <15269764+gomisha@users.noreply.github.com> --- protocol/20230908-message-forensic.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/protocol/20230908-message-forensic.md b/protocol/20230908-message-forensic.md index f4d6b536..3bd1f6be 100644 --- a/protocol/20230908-message-forensic.md +++ b/protocol/20230908-message-forensic.md @@ -124,7 +124,7 @@ type EngineRegistry interface { ### Implementation Complexities - This proposal requires refactoring the message processing pipeline of the networking layer to pass along the GossipSub envelope together with the event to the Flow protocol engines. We need to - also refactor the `Engine`'s `Process` method in a way that it can accept the GossipSub envelop together with the event. The implementation should account for proper encapsulation and abstraction of the interface, + also refactor the `Engine`'s `Process` method in a way that it can accept the GossipSub envelope together with the event. The implementation should account for proper encapsulation and abstraction of the interface, to also support the unicast case that does not have a GossipSub envelop. - This solution also requires replicating the signature verification logic of the GossipSub in `VerifyGossipSubMessage` so that it is accessible to the engines. We need to extend the signature verification mechanism to account for translation of `originId` from `flow.Identifier` to networking key and `peer.ID` (i.e., LibP2P level identifier). From cafe80804d1245d44d97e1aec0db560cb9160c20 Mon Sep 17 00:00:00 2001 From: "Yahya Hassanzadeh, Ph.D" Date: Wed, 13 Sep 2023 15:12:16 -0700 Subject: [PATCH 16/22] Update protocol/20230908-message-forensic.md Co-authored-by: Misha <15269764+gomisha@users.noreply.github.com> --- protocol/20230908-message-forensic.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/protocol/20230908-message-forensic.md b/protocol/20230908-message-forensic.md index 3bd1f6be..10a9b8b6 100644 --- a/protocol/20230908-message-forensic.md +++ b/protocol/20230908-message-forensic.md @@ -125,7 +125,7 @@ type EngineRegistry interface { ### Implementation Complexities - This proposal requires refactoring the message processing pipeline of the networking layer to pass along the GossipSub envelope together with the event to the Flow protocol engines. We need to also refactor the `Engine`'s `Process` method in a way that it can accept the GossipSub envelope together with the event. The implementation should account for proper encapsulation and abstraction of the interface, - to also support the unicast case that does not have a GossipSub envelop. + to also support the unicast case that does not have a GossipSub envelope. - This solution also requires replicating the signature verification logic of the GossipSub in `VerifyGossipSubMessage` so that it is accessible to the engines. We need to extend the signature verification mechanism to account for translation of `originId` from `flow.Identifier` to networking key and `peer.ID` (i.e., LibP2P level identifier). As the engines are operating based on the `flow.Identifier`, while the GossipSub signatures are generated using the Networking Key of the node. From b44a9db5495e54191392bc9a862be2b8d931c4a0 Mon Sep 17 00:00:00 2001 From: Yahya Hassanzadeh Date: Wed, 13 Sep 2023 15:31:27 -0700 Subject: [PATCH 17/22] updates flip --- protocol/20230908-message-forensic.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/protocol/20230908-message-forensic.md b/protocol/20230908-message-forensic.md index 10a9b8b6..81211e22 100644 --- a/protocol/20230908-message-forensic.md +++ b/protocol/20230908-message-forensic.md @@ -10,18 +10,18 @@ ## Summary This FLIP discusses and compares two potential solutions for the Message Forensic (MF) system in the Flow protocol — a system that enables Flow protocol to attribute protocol violations to the original malicious sender. -The two solutions under consideration are: (1) GossipSub Message Forensic (GMF), and (2) Enforced Flow-level Signing Policy For All Messages. +The two solutions under consideration are: (1) GossipSub Message Forensic (GMF), and (2) Flow-level Signing Policy (FSP) For All Messages. We delve into both, listing their pros and cons, to determine which would be more feasible given the considerations of ease of implementation, performance efficiency, and security guarantees. -Our analysis finds the "Enforced Flow-level Signing Policy For All Messages" to be the more promising option, +Our analysis finds the "Flow-level Signing Policy (FSP)" to be the more promising option, offering a generalized solution that doesn’t hinge on a specific external protocol to send the message (e.g., GossipSub), steering clear of the complexities tied to maintaining GossipSub envelopes and dodging the necessity of duplicating GossipSub router’s signature verification procedure at the engine level. Furthermore, it meshes well with the Flow protocol’s existing state. ## Review Guide -This FLIP is presented as a Pull Request (PR) in the `flow-go` repository. We welcome reviewers to express their opinions and share feedback directly on the PR page, aiming for a structured and productive discussion. To aid this, please adhere to one of the following response frameworks: -1. I favor the "Enforced Flow-level Signing Policy For All Messages" and here are my thoughts: +This FLIP is presented as a Pull Request (PR) in the `onflow/flips` repository. We welcome reviewers to express their opinions and share feedback directly on the PR page, aiming for a structured and productive discussion. To aid this, please adhere to one of the following response frameworks: +1. I favor the "Flow-level Signing Policy (FSP)" and here are my thoughts: 2. I support the "GossipSub Message Forensic (GMF)" approach, articulating my views as follows. 3. I find both propositions unsatisfactory, elucidating my stance with. @@ -150,7 +150,7 @@ type EngineRegistry interface { to networking key and `peer.ID` (i.e., LibP2P level identifier), and replicating the signature verification logic of the GossipSub router, which is another layer of coupling that causes breaking changes in the future upgrades of GossipSub. -## Proposal-2: Flow-level Signing (FLS) +## Proposal-2: Flow-level Signing Policy (FSP) In this proposal, we introduce the policy to enforce a Flow-level signature for all messages using the staking key of the node. The idea is to refactor the [`Conduit` interface](https://github.com/onflow/flow-go/blob/master/network/conduit.go#L26-L57), so that instead of taking an `interface{}` type event, it takes an `Envelope` type event. The `Envelope` type event is a wrapper around the `interface{}` type event, and contains From 544c59f3de4fa83982b35dc40a8263f46f0e1ba3 Mon Sep 17 00:00:00 2001 From: Yahya Hassanzadeh Date: Wed, 13 Sep 2023 15:33:44 -0700 Subject: [PATCH 18/22] updates flip --- protocol/20230908-message-forensic.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/protocol/20230908-message-forensic.md b/protocol/20230908-message-forensic.md index 81211e22..fb56276c 100644 --- a/protocol/20230908-message-forensic.md +++ b/protocol/20230908-message-forensic.md @@ -39,7 +39,7 @@ on which the message is received. Albeit, the situation differs when the unicast sender or other attribution data (e.g., the signature of the original sender in case of a forwarded unicast). In such cases, the message is attributed to the sender that is specified in the attribution data. Nevertheless, the current state of Flow protocol does not enforce the attribution data to be present in the unicast messages. -A prime example is the [`ChunkDataResponse` messages](https://github.com/onflow/flow-go/blob/a85341d949c8a4e42e3d1d62bcf6fbf3d7f76bd9/engine/execution/provider/engine.go#L326-L337) sent by the Execution Nodes to the Verification Nodes over a unicast. +A prime example is the [`ChunkDataResponse` messages](https://github.com/onflow/flow-go/blob/master/engine/execution/provider/engine.go#L326-L337) sent by the Execution Nodes to the Verification Nodes over a unicast. Hence a node in Flow protocol cannot prove that a received unicast message is sent by a specific node, unless the message carries the explicit attribution data. ### Group and All-Node (Multicast and Publish) Message Attribution From 9da02ba1df4df9eca37e3fa1067584ffeb229124 Mon Sep 17 00:00:00 2001 From: "Yahya Hassanzadeh, Ph.D" Date: Tue, 20 Feb 2024 10:27:28 -0800 Subject: [PATCH 19/22] Update 20230908-message-forensic.md --- protocol/20230908-message-forensic.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/protocol/20230908-message-forensic.md b/protocol/20230908-message-forensic.md index fb56276c..c19c5f48 100644 --- a/protocol/20230908-message-forensic.md +++ b/protocol/20230908-message-forensic.md @@ -1,8 +1,8 @@ | Status | Proposed | :-------------- |:----------------------------------------------------| | **FLIP #** | [195](https://github.com/onflow/flips/pull/195) | -| **Author(s)** | Yahya Hassanzadeh (yahya@dapperlabs.com) | -| **Sponsor** | Yahya Hassanzadeh (yahya@dapperlabs.com) | +| **Author(s)** | Yahya Hassanzadeh (yahya@dapperlabs.com) Khalil Claybon (khalil.claybon@flowfoundation.org) | +| **Sponsor** | Yahya Hassanzadeh (yahya@dapperlabs.com) Khalil Claybon (khalil.claybon@flowfoundation.org) | | **Updated** | 8 September 2023 | # Message Forensic (MF) System @@ -77,7 +77,7 @@ weighing its pros and cons against potential alternatives. In this proposal, we propose a mechanism to share the GossipSub authentication data with the Flow protocol. We call this mechanism GossipSub Message Forensic (GMF). -At the current state of the code, the networking layer receives the [raw GossipSub envelope](https://github.com/onflow/flow-go/blob/master/network/p2p/p2pnet/internal/readSubscription.go#L48) from its underlying pubsub router, +At the current state of the code, the networking layer receives the [raw GossipSub envelope]([https://github.com/onflow/flow-go/blob/master/network/p2p/p2pnet/internal/readSubscription.go#L48](https://github.com/onflow/flips/pull/195)) from its underlying pubsub router, validates it, and passes the incorporated Flow message to for further decoding. The Flow message is then decoded to an `interface{}` type event, and is delivered to the Flow protocol engines. The idea is to pass along the GossipSub envelop to the Flow protocol engines together with their `interface{}` type event. In this way, the Flow protocol engines can have access to the GossipSub authentication data. The rough idea is depicted in the following figure. From 8e0bbf10f40738f65e0871608a587afc9f604b80 Mon Sep 17 00:00:00 2001 From: "Yahya Hassanzadeh, Ph.D" Date: Tue, 20 Feb 2024 10:28:22 -0800 Subject: [PATCH 20/22] Update 20230908-message-forensic.md --- protocol/20230908-message-forensic.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/protocol/20230908-message-forensic.md b/protocol/20230908-message-forensic.md index c19c5f48..0d367e10 100644 --- a/protocol/20230908-message-forensic.md +++ b/protocol/20230908-message-forensic.md @@ -77,7 +77,7 @@ weighing its pros and cons against potential alternatives. In this proposal, we propose a mechanism to share the GossipSub authentication data with the Flow protocol. We call this mechanism GossipSub Message Forensic (GMF). -At the current state of the code, the networking layer receives the [raw GossipSub envelope]([https://github.com/onflow/flow-go/blob/master/network/p2p/p2pnet/internal/readSubscription.go#L48](https://github.com/onflow/flips/pull/195)) from its underlying pubsub router, +At the current state of the code, the networking layer receives the [raw GossipSub envelope](https://github.com/onflow/flow-go/blob/master/network/p2p/p2pnet/internal/readSubscription.go#L48) from its underlying pubsub router, validates it, and passes the incorporated Flow message to for further decoding. The Flow message is then decoded to an `interface{}` type event, and is delivered to the Flow protocol engines. The idea is to pass along the GossipSub envelop to the Flow protocol engines together with their `interface{}` type event. In this way, the Flow protocol engines can have access to the GossipSub authentication data. The rough idea is depicted in the following figure. From 1caaa4eb7a92547351f73ac71871bfebd5a27ffa Mon Sep 17 00:00:00 2001 From: Vishal <1117327+vishalchangrani@users.noreply.github.com> Date: Fri, 12 Apr 2024 08:37:35 -0700 Subject: [PATCH 21/22] Update protocol/20230908-message-forensic.md Co-authored-by: Yahya Hassanzadeh, Ph.D. --- protocol/20230908-message-forensic.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/protocol/20230908-message-forensic.md b/protocol/20230908-message-forensic.md index 0d367e10..43fa79c6 100644 --- a/protocol/20230908-message-forensic.md +++ b/protocol/20230908-message-forensic.md @@ -1,6 +1,6 @@ | Status | Proposed | :-------------- |:----------------------------------------------------| -| **FLIP #** | [195](https://github.com/onflow/flips/pull/195) | +| **FLIP #** | [259](https://github.com/onflow/flips/pull/195) | | **Author(s)** | Yahya Hassanzadeh (yahya@dapperlabs.com) Khalil Claybon (khalil.claybon@flowfoundation.org) | | **Sponsor** | Yahya Hassanzadeh (yahya@dapperlabs.com) Khalil Claybon (khalil.claybon@flowfoundation.org) | | **Updated** | 8 September 2023 | From 10c1230cd5375e588678011d9c5a708cc16949ab Mon Sep 17 00:00:00 2001 From: j pimmel Date: Wed, 24 Jul 2024 10:05:42 -0700 Subject: [PATCH 22/22] Update protocol/20230908-message-forensic.md Co-authored-by: Tarak Ben Youssef <50252200+tarakby@users.noreply.github.com> --- protocol/20230908-message-forensic.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/protocol/20230908-message-forensic.md b/protocol/20230908-message-forensic.md index 43fa79c6..6abe488c 100644 --- a/protocol/20230908-message-forensic.md +++ b/protocol/20230908-message-forensic.md @@ -230,7 +230,7 @@ Hence, the engine can attribute a protocol-level violation to the malicious send 2. This approach adds a computation overhead to the Flow protocol engines, as the engines must sign all the messages that are sent through the `Conduit` interface, and on the receiving side, the networking layer must verify the signature of the message against the Staking Key of the sender. This overhead is not negligible, as the Flow protocol engines are the most performance critical components of the Flow blockchain. Hence, we must carefully evaluate the performance overhead of this approach. Moreover, with this approach, we are extending the size of data sent over the wire by piggybacking the signature. - Assuming that we are using ECDSA with `secp521r1` curve and SHA-512 for hashing, the signature size is ~100 bytes (in theory). Hence, we are adding ~100 bytes to the size of data sent over the wire. + Assuming that we are using ECDSA with `secp256r1` curve, the signature size is 64 bytes. Hence, we are adding 64 bytes to the size of data sent over the wire. Nevertheless, the performance overhead and the size of data sent over the wire may be an acceptable trade-off for the security guarantees that this approach provides. ### Is the GossipSub Router Signature Still Necessary?