Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

THREAT - All the election stages can be ignored by malicious node #247

Open
chenchanglew opened this issue Dec 21, 2022 · 0 comments
Open

THREAT - All the election stages can be ignored by malicious node #247

chenchanglew opened this issue Dec 21, 2022 · 0 comments
Labels
security issue A bad thing... web backend

Comments

@chenchanglew
Copy link
Contributor

chenchanglew commented Dec 21, 2022
edited
Loading

Scenario

Every request that is signed by the backend will send to the same node as described in config.env.template. However, if the node that is set in the backend env is a malicious node, it can selectively ignore some requests from the backend. For example, it can decide to execute a vote from certain sets of users while ignoring other users' vote that is not on their list.

Source

In the file “web/backend/Server.ts” function sendToDela.

function sendToDela(dataStr: string, req: express.Request, res: express.Response) {
  let payload = getPayload(dataStr);
  let uri = process.env.DELA_NODE_URL + req.baseUrl.slice(4);

And the value of process.env.DELA_NODE_URL is set to default = “http://localhost:9081/”
In “web/backend/config.env.template”

Breaking Property

Availability

Risk

CVSS Score: 4.1/10

Mitigation

  1. Instead of sending it to one node server, the backend will randomly pick one node server and send it to them. If the node happened to be malicious and drop the requests. The backend will pick a new random node server and send it again. However, this might cause a long wait time from frontend.
  2. In order to mitigate the long response time from the backend we can just let the frontend check using get Election Info and then report failed at frontend pages and let the end user submit the request again. But this might cause bad user experiences because users might need to submit a request multiple times.
  3. End users can choose which node to send to.
  4. There is another way that we can solve this Threat is to redesign the system architecture, while the backend no longer sends data to the node while just being used as an authentication/authorization tool. The backend will now only sign the request from the frontend and then send the backend to the frontend and let the frontend handle the request sent to the node. However, this will introduce a new threat like a “replay attack” because the end user can record the signed msg from the backend and send it over and over again. In order to solve the replay attack we might need to have a nonce or counter for every signed request and the nodes should save the nonce or counter in the Dela global state which required lots of effort to mitigate the problem
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
security issue A bad thing... web backend
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@chenchanglew