In-Reply-To: <20150901180333.GA3914@amethyst.visucore.com>
References: <CAGH37S+daPddzwo1bJ0sPs3RfLOE63TPkCrc-X6qhNw7nu6=Xg@mail.gmail.com>
	<e5c1d53a1387dce141d30c9eee6ee2ce@cock.li>
	<20150901180333.GA3914@amethyst.visucore.com>
From: Manuel Aráoz <manuelaraoz@gmail.com>
Date: Tue, 1 Sep 2015 15:22:51 -0300
Message-ID: <CABQSq2RgdrFyHw36k96FDL+uFCRuEedTLWUrXM+VtrYY_Ng8fg@mail.gmail.com>
To: "Wladimir J. van der Laan" <laanwj@gmail.com>
Cc: bitcoin-dev@lists.linuxfoundation.org
Subject: Re: [bitcoin-dev] push tx fuzzing

Interesting project, Kristov. Two more ideas for fuzzing bitcoin txs:
- random bit flipping from valid txs
- random tx script generators:
  - from a grammar
  - from a stochastic grammar
  - from a random sequence of opcodes

I've made some really small experiments on fuzzing in the past [1][2], and
I'm interested in helping out.

Best,
Manuel

[1] https://github.com/maraoz/json-fuzzer
[2] https://github.com/maraoz/bitcoin-fuzzer

On Tue, Sep 1, 2015 at 3:03 PM, Wladimir J. van der Laan via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:

> On Tue, Sep 01, 2015 at 04:59:15PM +0000, Monarch via bitcoin-dev wrote:
>
> > which uses Bitcoin Core for validation.  If they aren't validating
> > transactions before broadcast they won't make it more than a single
> > hop through the P2P network so they are of minimum concern.
>
> blockchain.info had some problems here for a while. They were not using a
> full validating node underneath:
>
> - Signatures were not verified properly. This resulted in some panic when
> it looked like (on their site) a massive number of very old coins were
> being spent.
>
> - They were relaying loose coinbase transactions. This caused them to be
> instantly banned from nodes they were connected to.
>
> So there's certainly some scope for fun with fuzzing those APIs.
>
> Wladimir
>
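
An added illustration of the first idea in the message above (random bit flipping from valid txs), not code from the post or from the linked repositories: a seeded mutation loop run in-process against a small strict parser for the legacy transaction format. The parser, the sample transaction and every name here are constructed for this example.

```python
import random
from collections import Counter

# Constructed sample (not a real transaction): version 1, one input, one output.
SEED_TX = (b"\x01\x00\x00\x00" + b"\x01" + b"\x11" * 32 + bytes(4) + b"\x01\x51"
           + b"\xff" * 4 + b"\x01" + (1000).to_bytes(8, "little") + b"\x01\x51" + bytes(4))

def parse_tx(raw):
    """Strict legacy-format parser (the target under test); fails only with ValueError."""
    pos = 0
    def take(n):
        nonlocal pos
        if pos + n > len(raw):
            raise ValueError("truncated")
        pos += n
        return raw[pos - n:pos]
    def varint():
        first = take(1)[0]
        if first < 0xfd:
            return first
        value = int.from_bytes(take(2 << (first - 0xfd)), "little")  # 2, 4 or 8 bytes
        if value < (0xfd, 1 << 16, 1 << 32)[first - 0xfd]:
            raise ValueError("non-canonical varint")
        return value
    version, vecs = take(4), []
    for pre, post in ((36, 4), (8, 0)):   # inputs: outpoint/sequence; outputs: value
        vecs.append([(take(pre), take(varint()), take(post)) for _ in range(varint())])
    locktime = take(4)
    if pos != len(raw):
        raise ValueError("trailing bytes")
    return version, vecs[0], vecs[1], locktime

def fuzz(seed_tx=SEED_TX, rounds=2000, seed=1):
    """Flip 1-4 random bits per round; return (outcome counts, crashing inputs)."""
    rng, outcomes, crashes = random.Random(seed), Counter(), []
    for _ in range(rounds):
        mutant = bytearray(seed_tx)
        for _ in range(rng.randint(1, 4)):
            bit = rng.randrange(len(mutant) * 8)
            mutant[bit // 8] ^= 1 << (bit % 8)
        try:
            parse_tx(bytes(mutant))
            outcomes["accepted"] += 1
        except ValueError as err:         # clean rejection: the expected failure mode
            outcomes[str(err)] += 1
        except Exception as err:          # anything else is a parser bug; keep the input
            crashes.append((mutant.hex(), repr(err)))
    return outcomes, crashes
```

Seeding the RNG makes every finding reproducible from the round count and seed alone. Mutants counted as accepted are well-formed transactions with altered field contents, so they pass the parser and reach whatever semantic validation sits behind it.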
