Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[AUDIT][MEDIUM][O-1] Orchestrator slots may be trivially exhausted #3621

Merged
merged 12 commits into from
Aug 29, 2024

Conversation

jparr721
Copy link
Contributor

@jparr721 jparr721 commented Aug 28, 2024

Closes #<ISSUE_NUMBER>

This PR:

Ochestrator is susceptible to resource exhaustion on startup for a malicious attacker. Within the orchestrator’s post_ready method, there is a limited number of available slots (also, it logs using println, which is not good) and a motivated attacker with even a modest internet connection can easily absorb all of the slots as the increment for the connected nodes is unauthenticated and has no validation. This can only occur when the server is in manual mode.

This PR fixes the problem by doing three critical steps

  1. Establishing a list of trusted public keys that are allowed to authenticate.
  2. Refusing to register certain keys that are not in the list of public keys.
  3. Loading the keys from a config file on startup.

This PR does not:

Key places to review:

Copy link
Contributor

@ss-es ss-es left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

a few comments, mostly minor.

main change I'm requesting to fix is the disable verification check (if I'm understanding correctly)

Comment on lines 511 to 514
if val.disable_registration_verification {
tracing::error!("REGISTRATION VERIFICATION IS TURNED OFF");
}

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this should probably go in run_orchestrator in orchestrator/src/lib.rs, but that's pretty minor

@@ -317,7 +323,7 @@ where
return Ok((*node_index, *is_da));
}

if !self.accepting_new_keys {
if !self.config.disable_registration_verification && !self.accepting_new_keys {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Was the disable_registration_verification check meant to go in the other conditional? (I don't think it should be here)

Comment on lines 341 to 344
if !self
.config
.public_keys
.contains(&staked_pubkey.stake_table_entry.public_key())
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this should be if !self.config.disable_verification && !self.config.public_keys.contains(..)

(though the double negatives are confusing, maybe it should be enable_verification? that's very minor though)

@@ -371,7 +391,7 @@ where
}
}

println!("Posted public key for node_index {node_index}");
tracing::info!("Posted public key for node_index {node_index}");
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can this be error? it's a start-up only log and it's very useful

Comment on lines 441 to 443
if !self.config.disable_registration_verification {
// Is this node allowed to connect?
if !self.config.public_keys.contains(pubkey) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we can replace both of these and just check known_nodes_with_stake.contains(pubkey) (a node has to register before posting ready)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This one was painful 😅 but we got it.

Copy link
Contributor

@ss-es ss-es left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

just one minor comment, but overall looks great! thank you again for doing this!

crates/orchestrator/src/lib.rs Outdated Show resolved Hide resolved
@jparr721 jparr721 merged commit e36b0d1 into main Aug 29, 2024
34 of 36 checks passed
@jparr721 jparr721 deleted the jp/O-1 branch August 29, 2024 19:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants