Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Static Analyzer for the SDK #1

Open
ebuchman opened this issue Oct 9, 2021 · 6 comments
Open

Static Analyzer for the SDK #1

ebuchman opened this issue Oct 9, 2021 · 6 comments

Comments

@ebuchman
Copy link
Member

ebuchman commented Oct 9, 2021

Things to check for:

  • sensitive imports (unsafe, reflect, runtime, rand, etc.)
  • errors are properly propagated (we don't ignore err != nil)
  • integer casting/type conversions
  • sources of non-determinism:
    • randomness (can be covered by checking rand imports)
    • iterating over a map
    • time.Now or equivalent
    • floats
    • go routines
  • panics in Begin/EndBlock (these are allowed in tx handling, since they're handled by the SDK, but not in the Begin/EndBlock)

Other?

@odeke-em
Copy link
Collaborator

  • missing Unlock when you have a mutex.Lock() for example
mu.Lock()
defer mu.Lock()
  • an explicitly requested pass say by a comment before a function/method, that ensures that map iteration over account addresses and migrations happens deterministically to avoid such in fix: upgrade non-determinism cosmos-sdk#10188
  • Uninitialized memory for maps for example:
    var m map[string]string
    ...
    m[key] = value
    @ebuchman let's please add my colleague @cuonglm as well

@ebuchman
Copy link
Member Author

done.

If I'm not mistaken there should be relatively little locking in SDK modules since it's generally all single threaded

@odeke-em
Copy link
Collaborator

@ebuchman we've got a fix #5 for this huge problem cosmos/cosmos-sdk#10188 fixed by PR cosmos/cosmos-sdk#10189. I think we might get utility for the entire cosmos-sdk by releasing some of these.

@odeke-em
Copy link
Collaborator

@ebuchman I've documented our rules in #6

@tomtau
Copy link

tomtau commented Nov 16, 2021

Things to check for:

  • sensitive imports (unsafe, reflect, runtime, rand, etc.)

  • errors are properly propagated (we don't ignore err != nil)

  • integer casting/type conversions

  • sources of non-determinism:

    • randomness (can be covered by checking rand imports)
    • iterating over a map
    • time.Now or equivalent
    • floats
    • go routines
  • panics in Begin/EndBlock (these are allowed in tx handling, since they're handled by the SDK, but not in the Begin/EndBlock)

Other?

One more item is using hardcoded constants instead of configuration values: this caused an issue (validators not being slashed) before cosmos/cosmos-sdk#8461 and resurfaced again on master cosmos/cosmos-sdk#9212 .

I independently started on this query collection: https://github.com/crypto-com/cosmos-sdk-codeql/tree/main/src
For most of the items, they should be easily doable in Gosec... The main items that may be tricky (or impossible) are ones requiring data flow (e.g. to reduce false positives, one can restrict the findings to values that get used in consensus-related code) or control flow (e.g. some function call that may panic reachable from Begin/Endblock): https://codeql.github.com/docs/codeql-language-guides/analyzing-control-flow-in-python/

odeke-em added a commit that referenced this issue Nov 22, 2021
time.Now() uses local clocks that unfortunately when used
in distributed consensus introduce lots of skew and
can be exploited in vulnerabilities. Instead there is
consensus aware clock whose timestamp is embedded in
the current Block. This pass rejects usages as per
https://forum.cosmos.network/t/cosmos-sdk-vulnerability-retrospective-security-advisory-jackfruit-october-12-2021/5349

Updates #1
odeke-em added a commit that referenced this issue Nov 22, 2021
time.Now() uses local clocks that unfortunately when used
in distributed consensus introduce lots of skew and
can be exploited in vulnerabilities. Instead there is
consensus aware clock whose timestamp is embedded in
the current Block. This pass rejects usages as per
https://forum.cosmos.network/t/cosmos-sdk-vulnerability-retrospective-security-advisory-jackfruit-october-12-2021/5349

Updates #1
odeke-em added a commit that referenced this issue Nov 22, 2021
time.Now() uses local clocks that unfortunately when used
in distributed consensus introduce lots of skew and
can be exploited in vulnerabilities. Instead there is
consensus aware clock whose timestamp is embedded in
the current Block. This pass rejects usages as per
https://forum.cosmos.network/t/cosmos-sdk-vulnerability-retrospective-security-advisory-jackfruit-october-12-2021/5349

Updates #1
odeke-em added a commit that referenced this issue Nov 22, 2021
time.Now() uses local clocks that unfortunately when used
in distributed consensus introduce lots of skew and
can be exploited in vulnerabilities. Instead there is
consensus aware clock whose timestamp is embedded in
the current Block. This pass rejects usages as per
https://forum.cosmos.network/t/cosmos-sdk-vulnerability-retrospective-security-advisory-jackfruit-october-12-2021/5349

Updates #1
odeke-em added a commit that referenced this issue Nov 22, 2021
time.Now() uses local clocks that unfortunately when used
in distributed consensus introduce lots of skew and
can be exploited in vulnerabilities. Instead there is
consensus aware clock whose timestamp is embedded in
the current Block. This pass rejects usages as per
https://forum.cosmos.network/t/cosmos-sdk-vulnerability-retrospective-security-advisory-jackfruit-october-12-2021/5349

Updates #1
odeke-em added a commit that referenced this issue Nov 22, 2021
time.Now() uses local clocks that unfortunately when used
in distributed consensus introduce lots of skew and
can be exploited in vulnerabilities. Instead there is
consensus aware clock whose timestamp is embedded in
the current Block. This pass rejects usages as per
https://forum.cosmos.network/t/cosmos-sdk-vulnerability-retrospective-security-advisory-jackfruit-october-12-2021/5349

Updates #1
odeke-em added a commit that referenced this issue Nov 22, 2021
time.Now() uses local clocks that unfortunately when used
in distributed consensus introduce lots of skew and
can be exploited in vulnerabilities. Instead there is
consensus aware clock whose timestamp is embedded in
the current Block. This pass rejects usages as per
https://forum.cosmos.network/t/cosmos-sdk-vulnerability-retrospective-security-advisory-jackfruit-october-12-2021/5349

Updates #1
odeke-em added a commit that referenced this issue Nov 22, 2021
time.Now() uses local clocks that unfortunately when used
in distributed consensus introduce lots of skew and
can be exploited in vulnerabilities. Instead there is
consensus aware clock whose timestamp is embedded in
the current Block. This pass rejects usages as per
https://forum.cosmos.network/t/cosmos-sdk-vulnerability-retrospective-security-advisory-jackfruit-october-12-2021/5349

Updates #1
odeke-em added a commit that referenced this issue Nov 24, 2021
time.Now() uses local clocks that unfortunately when used
in distributed consensus introduce lots of skew and
can be exploited in vulnerabilities. Instead there is
consensus aware clock whose timestamp is embedded in
the current Block. This pass rejects usages as per
https://forum.cosmos.network/t/cosmos-sdk-vulnerability-retrospective-security-advisory-jackfruit-october-12-2021/5349

Updates #1
@tomtau
Copy link

tomtau commented May 16, 2022

@ebuchman FYI https://github.com/crypto-com/cosmos-sdk-codeql/tree/main/src now has the Cosmos SDK-specific items discussed here.
error propagation should be captured by errcheck or the standard suite.
integer casting/type conversions should be captured by GitHub's security query suite: https://github.com/github/codeql-go/blob/a10407823ac30c9dff84e007bc155c49a9c4a0f3/ql/src/Security/CWE-681/IncorrectIntegerConversionQuery.ql

odeke-em added a commit that referenced this issue Sep 2, 2022
time.Now() uses local clocks that unfortunately when used
in distributed consensus introduce lots of skew and
can be exploited in vulnerabilities. Instead there is
consensus aware clock whose timestamp is embedded in
the current Block. This pass rejects usages as per
https://forum.cosmos.network/t/cosmos-sdk-vulnerability-retrospective-security-advisory-jackfruit-october-12-2021/5349

Updates #1
odeke-em added a commit that referenced this issue Sep 2, 2022
time.Now() uses local clocks that unfortunately when used
in distributed consensus introduce lots of skew and
can be exploited in vulnerabilities. Instead there is
consensus aware clock whose timestamp is embedded in
the current Block. This pass rejects usages as per
https://forum.cosmos.network/t/cosmos-sdk-vulnerability-retrospective-security-advisory-jackfruit-october-12-2021/5349

Updates #1
odeke-em added a commit that referenced this issue Sep 24, 2022
time.Now() uses local clocks that unfortunately when used
in distributed consensus introduce lots of skew and
can be exploited in vulnerabilities. Instead there is
consensus aware clock whose timestamp is embedded in
the current Block. This pass rejects usages as per
https://forum.cosmos.network/t/cosmos-sdk-vulnerability-retrospective-security-advisory-jackfruit-october-12-2021/5349

Updates #1
odeke-em added a commit that referenced this issue Sep 24, 2022
time.Now() uses local clocks that unfortunately when used
in distributed consensus introduce lots of skew and
can be exploited in vulnerabilities. Instead there is
consensus aware clock whose timestamp is embedded in
the current Block. This pass rejects usages as per
https://forum.cosmos.network/t/cosmos-sdk-vulnerability-retrospective-security-advisory-jackfruit-october-12-2021/5349

Updates #1
odeke-em added a commit that referenced this issue Sep 24, 2022
time.Now() uses local clocks that unfortunately when used
in distributed consensus introduce lots of skew and
can be exploited in vulnerabilities. Instead there is
consensus aware clock whose timestamp is embedded in
the current Block. This pass rejects usages as per
https://forum.cosmos.network/t/cosmos-sdk-vulnerability-retrospective-security-advisory-jackfruit-october-12-2021/5349

Updates #1
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants