theory in practice
play

THEORY IN PRACTICE Daniel Chechik, Rami Kogan Security Researchers - PowerPoint PPT Presentation

BITCOIN TRANSACTION MALLEABILITY THEORY IN PRACTICE Daniel Chechik, Rami Kogan Security Researchers Agenda What is Bitcoin Bitcoin Transactions Transaction Malleability Vulnerability What Happened in MT.Gox Live Demo WHAT IS


  1. BITCOIN TRANSACTION MALLEABILITY THEORY IN PRACTICE Daniel Chechik, Rami Kogan Security Researchers

  2. Agenda • What is Bitcoin • Bitcoin Transactions • Transaction Malleability Vulnerability • What Happened in MT.Gox • Live Demo

  3. WHAT IS BITCOIN?

  4. What is Bitcoin? • Bitcoin is a payment system introduced as an open-source software in 2009 by a developer known as Satoshi Nakamoto • P 2P network – Trust is a result of data transparency • Decentralization – No institution is controlling your money/coins. • Anonymous Virtual currency.

  5. What is a Block? • A container of Transactions • Can’t be changed or removed • Reference to the previous block

  6. Block Chain • The network data history PreviousBlockHash • Block • Block • Transactions • Transactions • Block • Transactions PreviousBlockHash PreviousBlockHash

  7. What is a Block? • All the peers share the Block-Chain • Transparency

  8. Wh What at is a a Bl Block ck? • S tructure Field Description Size Magic No Value Always 0xD9B4BEF9 4 bytes Number of bytes following up Blocksize 4 bytes to end of block Blockheader Consists of 6 items 80 bytes Transaction counter Positive integer VI = VarInt 1 - 9 bytes Transactions The (non empty) list of <Transaction counter>-many transactions transactions

  9. Bl Block ck Hea eader der Str truct cture ure Field Purpose Updated when... Size (Bytes) You upgrade the software and Version Block version number 4 it specifies a new version hashPre revB vBloc lock 256-bit hash of the previous A new block comes in 32 256-bit hash based on all of hashMerkleRoot the transactions in the block A transaction is accepted 32 Current timestamp as Time seconds since 1970-01- Every few seconds 4 01T00:00 UTC Current target in compact The difficulty is adjusted Bits 4 format Nonce e 32-bit number (starts at 0) A hash is tried 4

  10. Wh What at Is Is Min inin ing?

  11. What is Mining? Transaction Pending Transaction Pending Pending Transaction … … Memory Transaction

  12. What is Mining?

  13. What is Mining? $

  14. What is Mining?

  15. LET’S SIMULATE MINING RIGHT NOW!

  16. 0x02000

  17. Additional Mining Goals Keep a steady Record all coin network data

  18. Bitcoin – what we’ve learned so far … • Block – container of transactions • Block chain - record of all coin data from the beginning • Block “Solving” – a process used to keep the network steady and to generate blocks.

  19. TRANSACTIONS

  20. Transactions 100 BTC Broadcasted Alice  Bob to network Confirmed Collected by miners (Block Solved)

  21. Transactions 100 MYC Alice  Bob Bob’s Wallet

  22. Transactions 100 MYC Broadcasted Alice  Bob to network

  23. Transactions 100 MYC Broadcasted Alice  Bob to network Collected by miners

  24. Transactions 100 MYC Broadcasted Alice  Bob to network Confirmed Collected by miners (Block Solved)

  25. Transactions

  26. Transactions Transactions are built from two main components • Source of coins Inputs (Ref to Txout in block chain) • Redeemer’s Bitcoin address Outputs • Amount

  27. Transactions • Prove you have the coins (by including a reference) • Include the Bitcoin wallet address of the recipient • Sign the transaction

  28. TRANSACTION MALLEABILITY

  29. P2P Lottery MessageID (sha256) … Length Signature (DER) From: Lottery Prize: You won a Car! Life supply of Vegemite … Length To: “Rami”

  30. P2P Lottery MessageID (sha256) … Length Signature (DER) From: Lottery Prize: You won a Car! … Length ID CAR SUPPLIED To: “Rami” ✓ f5d8ee... 5e67 s… ✓

  31. P2P Lottery

  32. P2P Lottery

  33. Standard Transaction TxId (sha256*2) Source of Coins Input Signature ScriptSig ScriptSig Public Key Amount of Coins Output ScriptPubKey (Redeemer’s address)

  34. Standard Transaction TxId (sha256*2) Length Source of Coins 1 Input Signature byt ScriptSig e Public Key Amount of Coins Output Redeemer + Amount of Coins ScriptPubKey (Redeemer’s address)

  35. Standard Transaction TxId (sha256*2) Length Source of Coins 2 Input Signature byt ScriptSig e Public Key Amount of Coins Output Redeemer + Amount of Coins ScriptPubKey (Redeemer’s address)

  36. Standard Transaction opcode TxId (sha256*2) (1 byte) Source of Coins Input 2 Signature pushdata2 byte ScriptSig Public Key Amount of Coins Output Redeemer + Amount of Coins ScriptPubKey (Redeemer’s address)

  37. Standard Transaction TxId (sha256*2) Length Source of Coins Input 0x3 Signature 0 ScriptSig Public Key Amount of Coins Output Redeemer + Amount of Coins ScriptPubKey (Redeemers address)

  38. Standard Transaction TxId (sha256*2) pushdata2 Source of Coins Input 0x3 Signature 0x4D 0 ScriptSig Public Key Amount of Coins Output Redeemer + Amount of Coins ScriptPubKey (Redeemers address)

  39. Standard Transaction TxId (sha256*2) pushdata2 Source of Coins Input 0x3 Signature 0x4D 0x00 0 ScriptSig Public Key Amount of Coins Output Redeemer + Amount of Coins ScriptPubKey (Redeemers address)

  40. Standard Transaction TxId (sha256*2) pushdata2 Source of Coins Input Signature 0x4D 0x3000 ScriptSig Public Key Lit ittle e Endi dian: 0x003 0030 0 == == 0x0030 0030 Amount of Coins 0x3000 3000 0x30 30 Output Redeemer + Amount of Coins ScriptPubKey (Redeemers address)

  41. Standard Transaction TxId (sha256*2) pushdata2 Source of Coins Input Signature 0x4D 0x3000 ScriptSig Public Key ✔ Amount of Coins Output Redeemer + Amount of Coins ScriptPubKey (Redeemers address)

  42. Standard Vs Mutated TxId = Mutated TxId = c6cfe6e4f129a34671d10c1bbe158eff05197d388 dc34efd49ed738bf4500db367292164166989cb1577302 727e331951b0ec2637c194e 6e9e185b78292bbc89

  43. Transaction Malleability • Two different transactions • Same amount of coins • Same destination and source • Mutated wins and gets in a Block RACE!

  44. Rejected Transactions • Invalid transaction data • Already spent out-point • Identical transactions • Invalid signature

  45. WHAT HAPPENED IN MT.GOX?

  46. MT.Gox Announcement

  47. P2P Bitcoin 30BTC -> Attacker’s Wallet B330 ….… 5088 Mt.Gox Attacker’s Wallet Attacker

  48. B330 ….… 5088 P2P Bitcoin … 0x30 30BTC -> Attacker’s Wallet ScriptSig B330 ….… 5088 Mt.Gox Attacker’s Wallet … 30BTC 0x19 ScriptPubkey Attacker

  49. P2P Bitcoin 30BTC -> Attacker’s Wallet B330 ….… 5088 Mt.Gox Attacker’s Wallet B330 ….… 5088 … 0x30 ScriptSig … 0x19 30BTC Attacker ScriptPubkey

  50. P2P Bitcoin 30 30BTC -> > Attacker’s Wallet B330 330 ….… 5088 5088 Mt.Gox Attacker’s Wallet C3a8 ……. 03 03f8 8 B330 330 ….… 5088 5088 … … 0x30 0x30 Mut utated ed Transa nsacti ction on ScriptSig 30BT … 0x19 C Valid Signature Attacker ScriptPubkey

  51. C3a8 ……. 03f8 P2P Bitcoin … 0x30 30BTC -> Attacker’s Wallet Mutated Transaction B330 ….… 5088 Mt.Gox Attacker’s Wallet Valid Signature Attacker

  52. P2P Bitcoin 30BTC -> Attacker’s Wallet 30BTC -> Attacker’s Wallet C3a8 ……. 03f8 B330 ….… 5088 Mt.Gox Attacker’s Wallet W Attacker

  53. Unconfirmed Tx B330 ……. 5088 P2P Bitcoin … 0x30 30BTC -> Attacker’s Wallet 30BTC -> Attacker’s Wallet ScriptSig C3a8 ……. 03f8 B330 ….… 5088 Mt.Gox … 0x19 30BTC Attacker’s Wallet ScriptPubkey W Attacker

  54. P2P Bitcoin 30BTC -> Attacker’s Wallet 30BTC -> Attacker’s Wallet C3a8 ……. 03f8 B330 ….… 5088 Mt.Gox Unconfirmed Attacker’s Wallet Transaction (B330 ….… 5088) W Failed?!? Attacker

  55. P2P Bitcoin 30BTC -> Attacker’s Wallet 30BTC -> Attacker’s Wallet C3a8 ……. 03f8 B330 ….… 5088 Mt.Gox Unconfirmed Attacker’s Wallet Transaction (B330 ….… 5088) W Failed?!? Generate Another Transaction! Attacker

  56. P2P Bitcoin 30BTC -> Attacker’s Wallet 30BTC -> Attacker’s Wallet C3a8 ……. 03f8 B330 ….… 5088 Mt.Gox Unconfirmed Attacker’s Wallet Transaction (B330 ….… 5088) W Failed?!? Generate Another Transaction! Attacker

  57. P2P Bitcoin 30BTC -> Attacker’s Wallet 30BTC -> Attacker’s Wallet C3a8 ……. 03f8 B330 ….… 5088 Mt.Gox Unconfirmed Attacker’s Wallet Transaction (B330 ….… 5088) W Failed?!? Generate Another Transaction! Attacker

  58. DEMO

  59. BLOCKCHAIN OPINION

  60. PUSHDATA Mutated Transaction 1000 2000 3000 4000 5000 6000 0 Dec-12 Jan-13 Feb-13 Mar-13 Apr-13 May-13 Jun-13 Jul-13 Aug-13 Sep-13 Oct-13 Nov-13 Dec-13 Jan-14 Feb-14 Mar-14 Apr-14 May-14 Jun-14 Jul-14 Aug-14 Transaction Malleable

  61. PUSHDATA Mutated Transaction 3569 3569 1900 1900 Malleable Transaction 79 79 11 11 22 22 0 0 2 2 0 Mt.Go .Gox announ uncem cemen ent

Recommend


More recommend