eth: add new RPC method (personal.) SignAndSendTransaction

[bas-vk]

This PR introduces a new RPC method PrivateAccountAPI.SignAndSendTransaction that is exposed in the personal namespace. The method accepts a transaction and password as arguments. This allows external applications to submit a transaction without the need to first unlock an account before submitting a transaction which can give an adversary a small time window to submit a fraudulent transaction or sign data.

It also fixes several style issues in eth/api.go.

PTAL @obscuren @fjl

[robotally]

Vote	Count	Reviewers
👍	1	@karalabe
👎	0

Reaction	Users
:08:	@pat-kim

Updated: Wed May 25 11:39:37 UTC 2016

[codecov-io]

Current coverage is 55.76%

Merging #2564 into develop will decrease coverage by 0.44%

@@            develop      #2564   diff @@
==========================================
  Files           215        215          
  Lines         24471      24243   -228   
  Methods           0          0          
  Messages          0          0          
  Branches          0          0          
==========================================
- Hits          13757      13519   -238   
- Misses        10712      10723    +11   
+ Partials          2          1     -1   

1. 2 files (not in diff) in p2p were modified. more
   • Misses +1
   • Hits -1
2. 4 files (not in diff) in eth/downloader were modified. more
   • Misses -14
   • Hits -233
3. 4 files (not in diff) in eth were modified. more
   • Misses -2
   • Hits -3
4. 2 files (not in diff) in accounts were modified. more
   • Misses -14
   • Hits -1
5. File core/blockchain.go (not in diff) was modified. more
   • Misses +6
   • Partials -2
   • Hits -4
6. File eth/api.go was modified. more
   • Misses +35
   • Partials 0
   • Hits 0
7. File ...saction_test_util.go (not in diff) was modified. more
   • Misses 0
   • Partials +1
   • Hits -1
8. File node/node.go (not in diff) was modified. more
   • Misses 0
   • Partials 0
   • Hits +1
9. File event/event.go (not in diff) was modified. more
   • Misses 0
   • Partials 0
   • Hits -1
10. File cmd/geth/js.go (not in diff) was modified. more
    • Misses +2
    • Partials 0
    • Hits 0

Powered by Codecov. Last updated by 847aaff...1866558

[karalabe]

Please add a defer zeroKey(key.PrivateKey) here to make sure the key doesn't remain in main memory.

[kumavis]

introduces new security concerns -- seems like brute forcing the password becomes an attack vector -- maybe could add some mechanism for tar-pitting subsequent failures from the same ip address?

[bas-vk]

This is already possible with personal_unlockAccount. It's one of the reasons why this method is added to the personal namespace which is by default not exposed over the http and websocket interface.

I don't feel much for keeping track of failed unlock attempts from ip addressen tbh. It complicates the rpc implementation and to make such an attack possible it requires the user to:

1. enable the personal namespace over http/ws
2. start http/ws interface on an address that is accessible from outside

If a users enables both options than the user probably has good reasons and is aware of the security implications. And yes, this might not always be the case. Most modern firewalls have protection for brute force attacks and have support for content scanning. I think that is a better place to guard against these kind of brute force attacks.

[karalabe]

Also don't forget that we're using a very expensive scrypt encryption on the password. Unlocking an account can actually take 1-2 seconds, so brute forcing isn't really feasible since the machine being attacked won't be able to process the unlock requests/attempts anyway.

[karalabe]

SignHash -> SignWithPassphrase

[karalabe]

Please rebase, code LGTM apart from a few documentation issues and minor code style things. Plus one question not related to the PR, but it'd be nice to have it answered.

[karalabe]

Ah sorry, I didn't see this one before, could you also please get rid of this variable? :D

[bas-vk]

I should have seen this myself, was rushing to push it before standup.
Fixed.

[karalabe]

LGTM 👍 (if you feel like fixing the code style I just opened, great, if not, it's fine like this too)

[pat-kim]

Dev I wonder why still you guys impose the issue only RPC? which attack from outside.
The most important thing is IPC socket is being affected as well as RPC.

I believe you guys know what is the fundamental issue since mist coded with the unlock timeout mechanism and not easy to convert a logic. You guys took immediately action to get patch with this new method in order to renewal code of mist.

Even if you guys are in a decentralized organization you guys get investment from users at least for users right should state what's the real fact not only describing it as not a big deal..

See the below video. How it can be simply implemented with 2 lines of batch script.

https://www.youtube.com/watch?v=PNSwFy__m-8

[karalabe]

@pat-kim Your attack assumes that the machine is already compromised, otherwise an attacker would not have access to the IPC interface. If the machine is already compromised, and furthermore the attacker has access to the user's private files (in order to be able to send commands to the IPC socket), then he might as well replace Geth/Mist with a custom binary that does whatever he wants.

[karalabe]

PS: RPC is the protocol, not the transport. Our RPC APIs run on all the IPC, HTTP and WebSocket endpoints.

[pat-kim]

@karalabe apparently this method is making after I reported the issue below. Like you said if that is nothing matter unless user PC is compromised. Again what's importance of this patching ? Because you guys usually said RPC open is always users problem. Then why care about the RPC?

ethereum/mist#611 (comment)

[karalabe]

People are conflating RPC with HTTP.

What you're talking about is having the HTTP and/or WebSocket endpoints open publicly for the internet. That is something we never recommend (nor have ever recommended), quite on the contrary.

RPC is a protocol on top of either HTTP, or WebSockets, or IPC. This PR makes fixes to the RPC, i.e. to the Geth APIs, that is available on all above mentioned transports. This isn't meant to patch any HTTP vulnerability. We still state that a node should never open an HTTP endpoint for the internet to abuse.

[pat-kim]

@karalabe from user perspective nobody aware mist has 2 second unlock window.
Actually the following code is for the transaction for now. Mist itself does not decrypt a password
But just forwarding a password in clear text (also significant issue) with "personal.unlockAccount" for 2 seconds.

mist code
web3.personal.unlockAccount(Session.get('data').from, pw || '', 2, function(e, res){

Geth debug
I0513 21:08:07.428322 28478 mergedapi.go:61] personal_unlockAccount ["0x2134e2a2b718dca96580ecac31e653ea1fdd58da","xxxxxxxx%",2]

This is security is flaw. So the method "PrivateAccountAPI.SignAndSendTransaction" is created to
eliminated 2 seconds unlock issue.

What I am asking is nowhere it stated that 2 second is vulnerable for IPC attack however it's been exposed when I claimed and reported it's attack vector what I have affected.

But you guys still imposing it as users's fault nor program's issue but in fact the patch is ongoing.

[karalabe]

And we still maintain that the cause of theft was an improper use of the program, as it was stated everywhere that opening up access to your node to the internet is an extremely bad idea waiting for abuse.

We are not patching the software to plug up any security holes (it works as intended), rather we are extending it feature wise to ensure that someone not careful enough doesn't get bitten again so easily. It's just an extra security precaution to protect the users.

[pat-kim]

@karalabe security is first thing you guys have to concern in order to build a program .....Let me know is there any kind of program commenting with.....

for someone
" it feature wise to ensure that someone not careful enough doesn't get bitten again so easily"

And I am sad I was the someone not protected users.

All I wanted to let you know is that hope you guys consider everybody as protected users from now on please consider that someone as well in your protection.

Like you said "we are not patching the software to plug up any security holes"

From Mist's gitter channel:

subtly @subtly 21:02
@GriffGreen looks sane. the 'account unlock' mechanism used by Mist needs to be replaced with something more secure.

Ramesh Nair @hiddentao 21:44
I can confirm that a more secure replacement - personal.signAndSendTransaction is on its way. Geth will soon have it, we just need to add support in Mist. See #2564

[obscuren]

👍

[trustfarm-dev]

I can't trust anymore. In case of SW engineering there's always side-effect, what DEV didn't expected.
I'll wait for long time, until field verification.
Bulky, work-around.