SitePoint Sponsor

User Tag List

Results 1 to 6 of 6
  1. #1
    Always A Novice bronze trophy
    K. Wolfe's Avatar
    Join Date
    Nov 2003
    Location
    Columbus, OH
    Posts
    2,181
    Mentioned
    65 Post(s)
    Tagged
    2 Thread(s)

    Thoughts on ensuring rpc -> correct binary

    I've just been brainstorming on something, not necessarily something I'd consider taking any action on. Without reading through the source of bitcoin, I know that there's a feature that ensures that a member of the network cannot have an altered version of the program, or else the network rejects it.

    How might one approach a project that is open source, is run as a compiled binary (varying OS's) that would make remote procedure calls to other remote binaries (same project) but ensure that the project was not recompiled with some malicious code in it. A version check doesn't do anything since it's open sourced and would just be recompiled witth he same version number. My only thoughts so far is a method to hash the binary to make sure its the same size. Issue with this is that 1) md5s would vary per OS I would assume (compiles differently per OS) and 2) someone can modify the method to spit out the static md5 result

    Let me know if this does / doesn't make sense

  2. #2
    Always A Novice bronze trophy
    K. Wolfe's Avatar
    Join Date
    Nov 2003
    Location
    Columbus, OH
    Posts
    2,181
    Mentioned
    65 Post(s)
    Tagged
    2 Thread(s)
    I thought for sure I'd at least get some big fat no ways here from the more technical crowd, as that's what I'm leaning toward.

  3. #3
    Hosting Team Leader silver trophybronze trophy
    cpradio's Avatar
    Join Date
    Jun 2002
    Location
    Ohio
    Posts
    5,122
    Mentioned
    152 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by K. Wolfe View Post
    I thought for sure I'd at least get some big fat no ways here from the more technical crowd, as that's what I'm leaning toward.
    So this may be a bit silly, but it could still be exploited. You could set up a public/private key that is used but never published in the repo to place inside the binaries to be sent to your remote validation server. That would allow it to validate the software was built by your process and not someone else's.

    Granted the fact that someone could recompile the source to go to a different server for validation, etc, etc is always going to be ever present, but that is the lay of the land when working with open source projects and wouldn't be much different than someone forking your repo.

  4. #4
    Always A Novice bronze trophy
    K. Wolfe's Avatar
    Join Date
    Nov 2003
    Location
    Columbus, OH
    Posts
    2,181
    Mentioned
    65 Post(s)
    Tagged
    2 Thread(s)
    Quote Originally Posted by cpradio View Post
    So this may be a bit silly, but it could still be exploited. You could set up a public/private key that is used but never published in the repo to place inside the binaries to be sent to your remote validation server. That would allow it to validate the software was built by your process and not someone else's.

    Granted the fact that someone could recompile the source to go to a different server for validation, etc, etc is always going to be ever present, but that is the lay of the land when working with open source projects and wouldn't be much different than someone forking your repo.
    So I haven't been able to find any sources (other than trying to read through the source code) but I know that the bitcoin client is able to achieve this. bitcoin is a truely distributed system, in which many members would vote on whether that client (or maybe just the transaction that occurs from it) is legit. Does anyone know, high level how that works?

  5. #5
    Always A Novice bronze trophy
    K. Wolfe's Avatar
    Join Date
    Nov 2003
    Location
    Columbus, OH
    Posts
    2,181
    Mentioned
    65 Post(s)
    Tagged
    2 Thread(s)
    Quote Originally Posted by K. Wolfe View Post
    So I haven't been able to find any sources (other than trying to read through the source code) but I know that the bitcoin client is able to achieve this. bitcoin is a truely distributed system, in which many members would vote on whether that client (or maybe just the transaction that occurs from it) is legit. Does anyone know, high level how that works?
    After posting this, I realize that this is probably way too complex, since scientists / programmers were trying to tackle it for quite awhile

  6. #6
    Hosting Team Leader silver trophybronze trophy
    cpradio's Avatar
    Join Date
    Jun 2002
    Location
    Ohio
    Posts
    5,122
    Mentioned
    152 Post(s)
    Tagged
    0 Thread(s)
    Yeah, I know very little about bitcoin, other than it exists and has been talked about relentlessly from various news sources.


Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •