[e-lang] An attack on a mint

Tyler Close tyler.close at gmail.com
Mon Mar 3 21:40:38 EST 2008 

During the Waterken security review, I think we also determined this
money destroying bug could be fixed by simply switching the order of
the two lines:

    balance += r;
    src.balance = 0;

And as MarkM points out, adding a comment explaining why the order is important.

--Tyler

On 3/3/08, Adrian Mettler <amettler at cs.berkeley.edu> wrote:
> The bug that we found here is the opposite: that money can be destroyed
> by transferring the balance of a purse to itself.  This is of course a
> better situation then being able to create bogus money, but we still
> documented it as a bug.  It looks like this could be fixed by replacing
> "src.balance = 0" with "src.balance -= r".  Note that with this fix,
> however, we are assuming Java's well-defined overflow behavior for ints,
> specifically that x + x - x = x for all positive x.  In Caja, where
> floats are used, a similar implementation could not make this
> assumption, making the limit on total currency half of what might be
> possible otherwise.  (Actually, this might not be a problem, but only
> because 2*x is always even, and thus requires one less bit of mantissa
> to represent than x)
>
> -Adrian
>
> Tyler Close wrote:
> > On Mon, Mar 3, 2008 at 3:55 AM, Mark Miller <erights at gmail.com> wrote:
> >> On Sun, Mar 2, 2008 at 5:34 PM, David Wagner <daw at cs.berkeley.edu> wrote:
> >>  >  (I seem to recall discussing this second attack when we did the
> >>  >  Waterken security review.  I think Tyler may have already applied
> >>  >  the second transformation to defeat the second attack -- though I
> >>  >  cannot remember.
> >>
> >>  I don't remember either, and I'm curious. Tyler?
> >
> > The mint we looked at in the Waterken security review implemented the
> > IOU protocol, rather than the SimpleMoney protocol, but I think the
> > analogous call is Transfer.transfer():
> >
> >     transfer(final Hold src, final Hold dst) {
> >         return ref(kind.unsealer.unseal(((HoldX)dst).x).take(
> >                         kind.unsealer.unseal(((HoldX)src).x)));
> >     }
> >
> > The PurseX.take() method is:
> >
> >      int take(final PurseX src) {
> >             if (dead) { throw new NullPointerException(); }
> >             if (src.dead) { throw new NullPointerException(); }
> >             final int r = src.balance;
> >             balance += r;
> >             src.balance = 0;
> >             return r;
> >         }
> >
> > So, I don't think this implementation has any of the bugs discussed in
> > this email.
> >
> > --Tyler
> > _______________________________________________
> > e-lang mailing list
> > e-lang at mail.eros-os.org
> > http://www.eros-os.org/mailman/listinfo/e-lang
>
> _______________________________________________
> e-lang mailing list
> e-lang at mail.eros-os.org
> http://www.eros-os.org/mailman/listinfo/e-lang
>


-- 
Use web-keys for RESTful access-control:
http://waterken.sourceforge.net/

Name your trusted sites to distinguish them from phishing sites.
https://addons.mozilla.org/firefox/957/

More information about the e-lang mailing list