[e-lang] An attack on a mint

Adrian Mettler amettler at cs.berkeley.edu
Mon Mar 3 21:05:48 EST 2008

The bug that we found here is the opposite: that money can be destroyed 
by transferring the balance of a purse to itself.  This is of course a 
better situation than being able to create bogus money, but we still 
documented it as a bug.  It looks like this could be fixed by replacing 
"src.balance = 0" with "src.balance -= r".  Note that with this fix, 
however, we are assuming Java's well-defined overflow behavior for ints, 
specifically that x + x - x = x for all positive x.  In Caja, where 
floats are used, a similar implementation could not make this 
assumption, making the limit on total currency half of what might be 
possible otherwise.  (Actually, this might not be a problem, but only 
because 2*x is always even, and thus requires one less bit of mantissa 
to represent than x.)


Tyler Close wrote:
> On Mon, Mar 3, 2008 at 3:55 AM, Mark Miller <erights at gmail.com> wrote:
>> On Sun, Mar 2, 2008 at 5:34 PM, David Wagner <daw at cs.berkeley.edu> wrote:
>>  >  (I seem to recall discussing this second attack when we did the
>>  >  Waterken security review.  I think Tyler may have already applied
>>  >  the second transformation to defeat the second attack -- though I
>>  >  cannot remember.
>>  I don't remember either, and I'm curious. Tyler?
> The mint we looked at in the Waterken security review implemented the
> IOU protocol, rather than the SimpleMoney protocol, but I think the
> analogous call is Transfer.transfer():
>     transfer(final Hold src, final Hold dst) {
>         return ref(kind.unsealer.unseal(((HoldX)dst).x).take(
>                         kind.unsealer.unseal(((HoldX)src).x)));
>     }
> The PurseX.take() method is:
>      int take(final PurseX src) {
>             if (dead) { throw new NullPointerException(); }
>             if (src.dead) { throw new NullPointerException(); }
>             final int r = src.balance;
>             balance += r;
>             src.balance = 0;
>             return r;
>         }
> So, I don't think this implementation has any of the bugs discussed in
> this email.
> --Tyler
> _______________________________________________
> e-lang mailing list
> e-lang at mail.eros-os.org
> http://www.eros-os.org/mailman/listinfo/e-lang
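The self-transfer case and the proposed fix, as an added example that is not code from the Waterken mint or from anyone in this thread. The `Purse` class, the `takeBuggy`/`takeFixed` names and the helper functions are assumptions introduced here to model the quoted `PurseX.take()`; `| 0` is used to emulate Java's wrapping 32-bit int arithmetic, and plain JavaScript numbers stand in for the doubles a Caja mint would use.

```javascript
// Added example: a minimal purse modelling the quoted PurseX.take().
// Names (Purse, takeBuggy, takeFixed, total, ...) are assumptions, not
// identifiers from the Waterken code.
class Purse {
  constructor(balance) {
    this.balance = balance;
    this.dead = false;
  }

  // Mirrors the quoted take(): read src.balance, add it, then zero src.
  // When src === this, "balance += r" doubles this.balance and
  // "src.balance = 0" then wipes it, so the money disappears.
  takeBuggy(src) {
    if (this.dead || src.dead) throw new Error("dead purse");
    const r = src.balance;
    this.balance += r;
    src.balance = 0;
    return r;
  }

  // Proposed fix: subtract what was taken instead of zeroing.
  // For src === this the balance becomes x + x - x = x, so a
  // self-transfer is a no-op rather than a destruction of money.
  takeFixed(src) {
    if (this.dead || src.dead) throw new Error("dead purse");
    const r = src.balance;
    this.balance += r;
    src.balance -= r;
    return r;
  }
}

// Total money across a set of purses; conservation is the invariant
// a mint must preserve under every transfer.
function total(purses) {
  return purses.reduce((sum, p) => sum + p.balance, 0);
}

// Self-transfer with the quoted logic: returns the balance left afterwards.
function selfTransferBuggy(x) {
  const p = new Purse(x);
  p.takeBuggy(p);
  return p.balance;
}

// Self-transfer with the fix applied.
function selfTransferFixed(x) {
  const p = new Purse(x);
  p.takeFixed(p);
  return p.balance;
}

// Java int arithmetic emulated with "| 0" (wrap to 32-bit two's complement):
// even when x + x overflows, (x + x) - x wraps back to x, which is the
// property the fix relies on in Java.
function javaIntSelfTransfer(x) {
  const doubled = (x + x) | 0; // wraps negative for x > 2^30 - 1
  return (doubled - x) | 0;
}

// IEEE-754 double (what a JavaScript/Caja mint would use): x + x only
// increments the exponent, so 2x is exact and (2x - x) === x for every
// finite x, including values above 2^53.
function doubleSelfTransfer(x) {
  return (x + x) - x;
}

// Ordinary transfer between two distinct purses, checking that the
// total amount of money is conserved (constructed balances a and b).
function transferBetweenDistinct(a, b) {
  const src = new Purse(a);
  const dst = new Purse(b);
  const before = total([src, dst]);
  dst.takeFixed(src);
  return {
    dst: dst.balance,
    src: src.balance,
    conserved: total([src, dst]) === before,
  };
}
```

Running `selfTransferBuggy(100)` yields 0 while `selfTransferFixed(100)` yields 100; `javaIntSelfTransfer` returns its input even for values near 2^31 - 1, which is the overflow point the message refers to.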