[zapps-wg] Detecting Supply-Chain Attacks on the Sapling MPC

Taylor Hornby taylor at defuse.ca
Thu Jun 7 02:20:00 EDT 2018


The weakest link in the Sapling MPC process probably comes from the fact
that when cargo builds sapling-mpc, it will download and build a bunch
of crates without doing any kind of signature checking on them. The risk
is that crates.io could be compromised, or someone who hacked Sean
Bowe's crates.io credentials could have published newer versions that
contain backdoors and we might not notice.

In order to make my MPC contribution a little more auditable, I've
pre-prepared a "vendorized" version of sapling-mpc which contains all of
the necessary crates:

https://github.com/defuse/sapling-mpc-vendorized

Before we continue, some WARNINGS:

o  sapling-mpc-vendorized is unofficial and unmaintained. I won't be
updating it with any changes from upstream sapling-mpc, even if there
are security fixes made between now and the end of the MPC.

o  I prepared and tested it on ubuntu-18.04-desktop-amd64, so the
process below might not even work on other operating systems.

o  I promise I didn't add any of my own backdoors to it, but you don't
necessarily trust me. And, since I created it in a VM on my everyday
computer, someone who's hacked me could have added a backdoor. I'm only
trying to achieve the property... "If there are crate backdoors that
would compromise my part of the MPC, then they're permanently saved in
files I'm about to upload for the world to see."

Okay, here we go:

To use it, install Rust however you want, then download the zip file of
the repository from GitHub (sapling-mpc-vendorized-master.zip), which
should have the SHA256 hash:

1a4bbacc96055cfb3e47a3848b1e882ede887d4694955e39a9ef3c0153fe33ce

Extract it, then run: cat cargo-homea* > cargo-home.zip

The SHA256 of the resulting cargo-home.zip should be:

0e14bb30f5e4b424040901bcce51cc49c455b38aad9e05867883e0b0168706ca

Extract cargo-home.zip to ~/cargo-home.

For extra safety you should be able to delete the Rust binaries I
included by accident (I haven't tested this):

rm -rf ~/cargo-home/bin

Now you can tell Rust to use the crates in ~/cargo-home:

export CARGO_HOME=`realpath ~/cargo-home`

Now you should be able to unplug your Internet connection, and, in the
same terminal as you ran the previous command, run...

cargo build --release --bin compute

...to get a working copy of sapling-mpc without downloading anything
more from the Internet. Assuming your system is secure and the way you
installed Rust was secure, then you can be pretty confident that any
backdoored crates that would affect your computation have been archived
inside sapling-mpc-vendorized-master.zip whose SHA256 hash is given
above. Here is a mirror of that file:

https://defuse.ca/files/sapling-mpc-vendorized-master.zip

I won't have time to audit that file for backdoors myself. It would be
nice if someone else could do that. To help encourage that, I will send
40 ZEC to the first person to publish proof that there is code inside
sapling-mpc-vendorized-master.zip which would affect the security of the
MPC, and which *doesn't* appear in the history of the crates'
repositories on GitHub (i.e. proof I was attacked somehow when I created
sapling-mpc-vendorized-master.zip; security bugs that are plainly
visible on GitHub don't count).

-- 
Taylor Hornby
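
The hash checks described in the message above, written as a script that stops at the first mismatch. This is an added example and not part of the original post: the two digests are the ones the post gives, while the function names, the work-directory layout and the use of sha256sum and unzip are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. The two digests are the ones the
# post gives; the function names and the work-dir layout are assumptions.
REPO_ZIP_SHA256=1a4bbacc96055cfb3e47a3848b1e882ede887d4694955e39a9ef3c0153fe33ce
CARGO_HOME_ZIP_SHA256=0e14bb30f5e4b424040901bcce51cc49c455b38aad9e05867883e0b0168706ca

# verify_sha256 FILE EXPECTED_HEX -> 0 only when the digest matches exactly.
verify_sha256() {
    [ -f "$1" ] || { echo "missing file: $1" >&2; return 1; }
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$expected" ] && return 0
    echo "SHA256 mismatch for $1: got $actual, want $expected" >&2
    return 1
}

# assemble_parts DIR OUT EXPECTED_HEX: join DIR/cargo-homea* in glob order, as
# "cat cargo-homea*" does, and delete OUT again if its digest does not match.
assemble_parts() {
    ls "$1"/cargo-homea* >/dev/null 2>&1 || { echo "no parts in $1" >&2; return 1; }
    cat "$1"/cargo-homea* > "$2" || return 1
    verify_sha256 "$2" "$3" && return 0
    rm -f "$2"
    return 1
}

# checked_cargo_home_zip REPO_ZIP WORKDIR: check the downloaded repository zip,
# unpack it into WORKDIR/repo, and leave a verified WORKDIR/cargo-home.zip.
# Nothing is unpacked unless the first digest matches. Assumes unzip is installed.
checked_cargo_home_zip() {
    verify_sha256 "$1" "$REPO_ZIP_SHA256" || return 1
    mkdir -p "$2/repo" && unzip -q "$1" -d "$2/repo" || return 1
    first=$(find "$2/repo" -type f -name 'cargo-homea*' | sort | head -n 1)
    [ -n "$first" ] || { echo "no cargo-homea* parts in archive" >&2; return 1; }
    assemble_parts "$(dirname "$first")" "$2/cargo-home.zip" "$CARGO_HOME_ZIP_SHA256"
}

# Usage: sh check.sh sapling-mpc-vendorized-master.zip /tmp/mpc-work
if [ "$#" -eq 2 ]; then
    checked_cargo_home_zip "$1" "$2" || exit 1
    echo "verified: $2/cargo-home.zip"
fi
```

The script stops once cargo-home.zip is verified; extracting it to ~/cargo-home, setting CARGO_HOME and running the build remain the manual steps from the post.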
