doc: add safety.md in docs #23999

I would move this to a dedicated section in the developer notes and link straight to that. It prevents duplication and also makes this document less intimidating for users.

Moved to developer notes in https://github.com/bitcoin/bitcoin/commit/05511d08be7e306a60c758ee2a64edc0cd63478e

The developer notes contain some remarks for reviewers. Maybe it makes sense to have a separate section there too.

Done in https://github.com/bitcoin/bitcoin/commit/05511d08be7e306a60c758ee2a64edc0cd63478e

Finding vulnerabilities in pull requests during reviews

~0 on this section. There's not really anything here specific to finding "vulnerabilities", as opposed to just generally doing code review.

In isolation, I don't think a point like, Fuzzing is a good way to find bugs., is adding much value.

Code review can be done for lot of things. As this section is about security, finding vulnerabilities in open pull requests is one of the section that makes sense.

Fuzzing sentence can be rephrased or add more information.

Fuzzing is rephrased in https://github.com/bitcoin/bitcoin/pull/23999/commits/3c06f59b87116eb47c534ddb147446c4d531854c Let me know if it looks good

I don't think the feedback was resolved.

-0 on these developer notes additions. They don't seem specific to Bitcoin Core. Some of these points are somewhat self-evident and they are covered much better in outside resources. As it is, this is a generic list of "things to think about while reviewing" that could encompass many things like "is this change a good idea", "does it change behavior", UB, DoS vectors, privacy leaks, locks/data races, memory efficiency, cost of attacks, serialization forward/backward compatibility, etc.

Removed everything from developer notes that was added in this PR: 5295795b4feaeb75287fd300cc52a519e1f953da

Secure Programming Practices in C++

What is the purpose of this section? Some of this is basically copy-pasted from other places, i.e https://clang.llvm.org/docs/MemorySanitizer.html, in which case we'd be better off just linking to the external documentation rather than reproducing it here.

Note that we also already have a section on Sanitizers, and our usage of them in this document, which links to many external resources.

What is the purpose of this section?

To add some of the things shared in:

https://www.securecoding.com/blog/finding-and-fixing-c-vulnerabilities/

https://youtu.be/i0m0FBD-McY

https://youtu.be/gHGMDFm2MVs

Some of this is basically copy-pasted from other places

Right. This was done to not leave the section empty when drafting the pull request as I was not sure which examples of code should be mentioned here.

Added one example in https://github.com/bitcoin/bitcoin/pull/23999/commits/3c06f59b87116eb47c534ddb147446c4d531854c

You could suggest more in future commits

Removed everything from developer notes that was added in this PR: 5295795b4feaeb75287fd300cc52a519e1f953da

Telling users to verify the integrity of the download isn't useful if you don't explain what that means, or how it should be done.

Agree. I will add more information here in next update.

Added one line in 088d99b5e5c9bfd907861ce68692e638ee56448d

It's a bit contradictory that in the PR description you state Other sources of information are wiki, stackexchange, reddit, twitter etc. with their own problems, then proceed to link to stackexchange, medium, wired etc throughout this document.

This is really about BGP hijacks against Stratum miners, with only passing relevance to Bitcoin.

There is some misunderstanding about the context of other sources. There are some helpful posts on all of them however it's not organised, some of it is outdated and not maintained, contains misleading information in some posts etc.

BGP hijacking is a known issue and I could not find better examples while drafting pull request related to bitcoin.

I think @fanquake's point is you should avoid links in this doc. Bring in/summarize the information that is relevant/useful/important from those links to this doc and don't include the links. The motivation for this doc is you don't want to refer people to these links for various reasons (e.g. mutability) but then include them in this doc which needs to be maintained (assuming it is merged). Personally I don't mind so much StackExchange links but Twitter, Reddit, Wired links would be a definite no from me.

Removed most of the links and BGP line is completely removed in 088d99b5e5c9bfd907861ce68692e638ee56448d

I don't think links like this, which are to a comment in a thread which is about a completely different topic are necessarily very high quality.

Can remove it and maybe add some relevant information here that was shared by achow101.

Done in https://github.com/bitcoin/bitcoin/pull/23999/commits/317ff4e931a07c18b91ff09632956f449c9aaa6e

Multi user systems

Multi user systems doesn't provide any context, and I'd rather not have us linking to personal medium accounts.

A better description would be helpful, but objecting because it's on my Medium account is nonsense - it's no less appropriate than linking to Wired, Stack Exchange, or even bitcoincore.org for that matter.

I disagree (certainly in comparison to say Wired, Twitter, Reddit etc). Bitcoin StackExchange has maintained immutable links and remained free to view for a decade. It is widely used and contributed to and maintained by contributors to this repo (Murch, sipa, achow101, meshcollider etc). I'm sympathetic to view that we should avoid all links in a doc but if we were to include any bitcoincore.org and Bitcoin StackExchange seem like obvious choices. I feel less strongly on personal websites of long term contributors but even they introduce single points of failure.

I will write a Q&A on stackexchange for same thing and include the link

I think it would be better to summarize the suggestions here inline.

Done in https://github.com/bitcoin/bitcoin/pull/23999/commits/317ff4e931a07c18b91ff09632956f449c9aaa6e by adding summary and share cve.mitre.org link for more details

Understanding the difference between legacy and descriptor wallets:

Without anything too specific here, this seems like it would be better suited to generic wallet type documentation.

Understanding the difference in security of these two types of wallets is important

I don't see how.

I think the following suggestion would make more sense:

• Be careful with RPC commands like dumpwallet, dumpprivkey, and listdescriptors with the "private" argument set to true. These commands reveal private keys, which should never be shared with third parties.
• Be careful with commands like importdescriptor (others, @achow101?) if suggested by third parties, which can control future addresses created for incoming payments.

Looks good. Will add this in next update.

Added in https://github.com/bitcoin/bitcoin/pull/23999/commits/317ff4e931a07c18b91ff09632956f449c9aaa6e

This has no basis in fact whatsoever. The network strongly doesn't consider nodes that aren't using the standard port. Non-listening nodes have almost the exact same attack surface as listening ones, given they make promiscuous, frequent, anonymous connections to a peer to peer network.

This has a basis and you can read more about it in below links:

#23542

#23306

Non-listening nodes have almost the exact same attack surface as listening ones

This is NOT true

#23542 is currently in the state of an unmerged proposal. Until this change in policy is merged, included in releases, and adopted by a large number of nodes (which will take time), it would be detrimental for the nework if many existing nodes switched to non-standard ports, because other nodes would avoid making outbound connections to them. Therefore, I don't think this suggestion should be included at this point in time.

I've unresolved this.

As things are for now, and at least until #23542 is merged and in a release that is widely adopted on the network, using a non-default port is pretty much equivalent to disabling listening entirely. Outbound connections have a very strong bias away from such ports. That may change, but we shouldn't recommending it until the network actually has this policy adopted. @wpeckr Regarding difference between listening and non-listening: non-listening nodes aren't as susceptible to eclipse attacks (which typically require making connections to the victim). There are also privacy differences, as controlling your outbound connections, and even just making fewer connections, reduces how much an attacker can infer about transactions propagating through you, and originating from you.

#23542 is currently in the state of an unmerged proposal.

I like the assumption that this PR will be merged before #23542 :)

I don't assume that. But I also don't assume that this PR will only be merged in 2 years, when #23542 may be common on the network.

At this point in time changing the port to one that is non default is the worst of both worlds; you both will receive absolutely no incoming traffic from legitimate nodes, any you do receive will be malicious / modified software.

It is removed

This is simply false, assumevalid accepts 0 or a block hash, it has never allowed anything else.

Fixed the syntax in https://github.com/bitcoin/bitcoin/pull/23999/commits/921d6da4213acb53c38f11f8de97d4a74043ed03

This bears very little resemblance to the actual security model of Bitcoin's bootstrap. Nobody has ever run their own DNS seed in order to bootstrap a synching node, the suggestion is complete nonsense.

Nobody has ever run their own DNS seed in order to bootstrap a synching node, the suggestion is complete nonsense.

I have not written history in this sentence. Anyone CAN run DNS seed using https://github.com/sipa/bitcoin-seeder

Just because you could doesn't mean anybody has, or should. There is no reasonable person who would suggest a user run their own DNS seed, a system that requires large resources and setup cost, in order to synd their own node.

It also makes no sense, because it just shifts the problem of bootstrapping to the seeder code without improving the solution. I don't think the seeder does anything else than ask other dns seeds to bootstrap itself (code). If all other DNS seeds feed you malicious IPs, you have gained nothing by running your own DNS seed as opposed to just running a node.

There are two things shared in doc. 1. Running own DNS seed. It makes sense because you won't trust default DNS seeds. 2. Seed node can be used for bootstrapping. Difference is explained in the link.

1. Running own DNS seed. It makes sense because you won't trust default DNS seeds.

Disagree. I don't think the sentence "You can use own DNS seed for bootstrapping." is helpful, because even if I ran a DNS seed using https://github.com/sipa/bitcoin-seeder as suggested, this DNS seed would also need to bootstrap somehow to get going initially.

As indicated by the link in my previous post, the bootstrapping mechanism implemented in the DNS seeder not only queries other existing DNS seeds similar to bitcoin core - so you still "trust default DNS seeds" - but is otherwise inferior to the one used by core (no fixed seeds as fallback, outdated hardcoded DNS seed list) - which makes sense because bitcoin-seeder is just not meant to be used for the use case you are suggesting here.

Running your own DNS seed makes no sense, for multiple reasons:

• Seeds are just a way to find an initial connection to the network. If you don't believe the DNS seeds hardcoded in Bitcoin Core are trustworthy enough for that, you should manually make connections to nodes you do trust (using -seednode / -addnode). You can also disable the DNS seeds (-dnsseed=0) in that case.
• Bitcoin Core offers no functionality to using your own DNS seed.

Disagree. I don't think the sentence "You can use own DNS seed for bootstrapping." is helpful, because even if I ran a DNS seed using https://github.com/sipa/bitcoin-seeder as suggested, this DNS seed would also need to bootstrap somehow to get going initially. @mzumsande

Yes. Sentence can be improved and I am going to add/update a few things but did not because wanted to spend less time doing pull requests on weekend. Looks like this PR has lot of interest from reviewers so I will do it in next few hours.

The attack explained in doc assumes most of the DNS seeds are safe but they might get compromised at some point. I am not sure about the code you shared @sipa can explain that better as some domains dont even resolve to anything in that. Example: bitseed.xf2.org However even if we assume these are used once in a lifetime it won't be an issue using 1-2 or get IPs based on your own crawlers.

Running your own DNS seed makes no sense, for multiple reasons:

Seeds are just a way to find an initial connection to the network. If you don't believe the DNS seeds hardcoded in Bitcoin Core are trustworthy enough for that, you should manually make connections to nodes you do trust (using -seednode / -addnode). You can also disable the DNS seeds (-dnsseed=0) in that case.

Bitcoin Core offers no functionality to using your own DNS seed. @sipa -seednode thing is explained in the link and mentioned one word but I can rephrase it in a better way. Will add -dnsseed=0 on next update.

Bitcoin Core does not offer functionality to use own DNS seed but there has to be one paragraph about trust assumption even if I remove the part that suggested running own DNS seed which is technically possible as there can be several ways to bootstrap.

Yes, I definitely agree with explaining the trust assumptions around DNS seeds, and that one may want to avoid them. But "running your own DNS seed" is pointless as a solution for it.

It is removed

Somebody providing you a different, valid chain state isn't really any concern as you would just reorganize back to the majority chain as soon as it was visible. The issue is that the chain state isn't validated and so may just contain fictitious invalid entries. Someone giving you blocks is of no concern whatsoever and was even a suggested method previously.

While that's true of someone providing you with blocks, it isn't true for the chainstate. If you use a compromised chainstate, you may never find out until you have a financial loss.

Somebody providing you a different, valid chain state isn't really any concern Someone giving you blocks is of no concern whatsoever and was even a suggested method previously.

This is NOT true

Yeah, the concern is only about the chainstate, as that contains post-validated information. If you accept a chainstate from someone else, they can make your node convinced about anything (coins that don't exist/do exist, ...).

There is no problem with accepting just blocks from someone (IF combined with a -reindex-chainstate, or just an empty chainstate; in both cases the blocks will still be validated).

So you should never accept a chaincode from untrusted sources, but the reason isn't a worry about a valid chainstate for an incorrect chain (like @wpeckr points out), but the fact that it may be an invalid chainstate for the correct chain.

I agree with sipa and luke-jr and could not find anything to change so its still the same thing. Also it was mostly copied from an answer on stackexchange by achow101 to avoid issues in misunderstanding.

The text then remains incorrect; there's no concern about somebody giving you a valid copy of the chainstate, quite literally as it would be valid and everything is totally fine, the concern is about an invalid chainstate as this is undetectable and can lead to losses.

https://bitcoin.stackexchange.com/a/63860/

As this is the purpose for the creation of this document, I should point out that this still is a completely value-free suggestion. Almost no system could be sufficiently "locked down" to prevent those commands from being used in the way which is being claimed to be malicious, and the situations which would require a system to be restricted to this degree are completely beyond reason. The previous discussion in #23412 and #23850 is comprehensive.

As this is the purpose for the creation of this document

No the purpose this pull request and docs is mentioned in OP

Almost no system could be sufficiently "locked down" to prevent those commands from being used in the way which is being claimed to be malicious

This is NOT true.

Some people prefer to use restrictions and alerts in systems, networks etc.

It would be better to instead just have a generic warning to be careful about advice to configure your nodes by untrustworthy sources. If a malicious actor can convince your to modify your configuration, they can probably also convince you to open up your RPC server to them, letting them steal your money.

Disagree with this and @wpeckr agrees that config like rpcbind should be removed or restricted in #18105 because people follow wrong things. So I don't understand this contradiction.

There are several other things that are already shared in other issues and pull requests which I don't want to repeat.

I'm not talking about rpcbind. That's a separate discussion to be had.

I don't think there is anything special about the -notify* commands that warrants calling them out here. The concern is users using configuration they don't understand. That is what we should be educating about. Perhaps we can include some examples of dangerous configurations/commands (like the dump/import commands I've mentioned elsewhere, or a list of RPC commands that may affect funds (send*), ...). But I worry about giving an impression of exhaustiveness even.

I'm not talking about rpcbind. That's a separate discussion to be had.

Its one of the config

I don't think there is anything special about the -notify* commands that warrants calling them out here.

We cannot trigger scripts based on events in bitcoin core with any other command line parameter.

We cannot trigger scripts based on events in bitcoin core with any other command line parameter.

I'm well aware. I don't think that's particularly relevant for security, if users are willing to make arbitrary changes they don't understand.

I'm not saying this isn't a concern, I'm saying this isn't a concern that can be addressed, if you're operating in the assumption that users will make configuration changes or run commands they don't understand.

To use an analogy. There is an estate with a walled garden around it and cameras for security. Inside the estate is a mansion, with a terrace. The door to the terrace is often left unlocked in summer while people walk in and out. You're complaining about the fact that people leave the door unlocked, which, while true, isn't a concern because the wall and cameras are supposed to keep attackers out. If the wall and cameras didn't work, there are probably tons of other ways of getting inside the house, because the whole thing relies on it; the window is often left unlocked too.

The wall is users knowing that making configuration changes they don't understand can be dangerous. The terrace door is the notify commands. The summer is the advanced users who have a need for those commands. The window left open is running a "sendtoaddress" command to empty their wallet.

Yes, the notify commands are special in that they're the only ones that will make Bitcoin Core execute something else. So what? There are tons of other ways a user can be harmed if they don't understand what they're doing. We should be educating people about the risk of unknown commands; not calling these config options out specifically. Doing so might even have the opposite effect: people may think that anything but these options cannot cause harm.

I'm not against mentioning these options as an example of something that can go wrong if used without understanding. But such a list would include many more commands and options.

Please unresolve this.

I'm not against mentioning these options as an example of something that can go wrong if used without understanding. But such a list would include many more commands and options.

'Other' section was kept for such things. I mentioned one thing that I recently observed.

Please unresolve this.

I would unresolve this. However, *notify options are not secure as implemented in Bitcoin Core.

I would unresolve this. However, *notify options are not secure as implemented in Bitcoin Core.

That's your opinion. I disagree, and apparently many others do too. You're entitled to your opinion, but that doesn't mean it should be included in this document.

I have rephrased the whole thing based on IRC conversation. Let me know if that looks good?

*notify config and commandline options accept shell commands to be based on different events in Bitcoin Core. Be careful while using these options and ensure that the commands are safe either by manual inspection or restrictions/alerts in the system used.

vs

*notify config and commandline options accept shell commands to be based on different events in Bitcoin Core. Ensure that the commands are safe either by manual inspection or restrictions/alerts in the system used.

It's functionally unchanged as far as I can tell. The issue it with the concept of telling people that this is a "issue" to begin with, not the wording.

The issue it with the concept of telling people that this is a "issue" to begin with, not the wording.

Sorry I have not used any financial applications that allow such things, with no restrictions and no documentation. This is a known issue for some people and not an issue for others. The compromise can be to rephrase things in a way that does not look misleading but helps users. I have tried my best to write same thing in different ways in different pull requests and we can continue this discussion forever without changing our opinion.

Restricting scripts is not a weird thing because I have seen such things used in PowerShell with Set-ExecutionPolicy. Creating alerts for malware that might try to connect with attacker's domain, IP etc. is also not a bad advice and most of the people already use firewalls. Macros in word allow executing anything but even that has some restrictions or options to disable/enable.

Sorry I have not used any financial applications that allow such things, with no restrictions and no documentation.

This is a straw man, this is about Bitcoin, not other software.

This is a known issue for some people and not an issue for others.

This is not a known issue. As has been extensively discussed, you are the only person here who has opened multiple pull requests and issues about a completely absurd situation that no reasonable person could consider problematic. You are not a martyr, you are not fighting against the tyranny of other contributors, or whatever you think is going on here. You are simply incorrect and are being too childish to admit it.

Macros in word allow executing anything but even that has some restrictions or options to disable/enable.

Word is an application that allows end users to open documents from arbitrary sources, it bears absolutely no relevance to your argument.

This is not a known issue.

#23395 (comment)

you are the only person here who has opened multiple pull requests and issues about a completely absurd situation that no reasonable person could consider problematic.

There is nothing absurd or unreasonable in this. Feel free to NACK this PR if you don't agree with the changes.

You are not a martyr, you are not fighting against the tyranny of other contributors, or whatever you think is going on here. You are simply incorrect and are being too childish to admit it.

This is non sense.

Word is an application that allows end users to open documents from arbitrary sources, it bears absolutely no relevance to your argument.

It does because of the feature in context

Maybe explicitly mention where to find official RCs, and caution that any solicitation for private testing is likely malware (though we want to be careful not to dissuade users from heloing actually debug issues, so how it's phrased should consider that too)

Sure. Will add more information today.

Done in 088d99b5e5c9bfd907861ce68692e638ee56448d

Only 8 are expected, and only 8 are made normally.

8 full relay and 2 block relay?

Indeed, 8 full relay and 2 block relay.

Done in 088d99b5e5c9bfd907861ce68692e638ee56448d

The only way to independently check the block is part of the main chain, is to run without assumevalid...

This commit is outdated. Please suggest changes in latest commit if I could improve something in this line.

I don't understand "Bitcoin Core does not allow anyone to connect to the rpcport". Clearly it can be configured to, or RPC would be useless?

It can be configured to but does not allow by default. It was copied from this answer: https://bitcoin.stackexchange.com/a/69097/

Ok, then say that? The phrase as is is very confusing.

I'm not really sure about adding this section, but:

An integer wrap can occur when multiplying two operands, resulting in insufficient memory size allocation, as shown in the code snippet below. Here, the signed int value is converted to `size_t` before the multiplication operation. This means multiplication will occur between two unsigned `size_t` integers.

Done in 088d99b5e5c9bfd907861ce68692e638ee56448d

No need to replace fuzzing.md here IMO, but

3. [Fuzzing](/fuzzing.md) helps to find bugs in the code and documented in detail. You can also try fuzzing using third party software like burpsuite that is used by lot of penetration testers. It will work for RPC and you could write your scripts as well for fuzzing in any language if testing RPC using POST requests.

Done in 088d99b5e5c9bfd907861ce68692e638ee56448d

Download Bitcoin Core only from the links listed below and verify the integrity of the download before using:

Done in 088d99b5e5c9bfd907861ce68692e638ee56448d

DNS seeds are used for bootstrapping the P2P network. If one of the domains used for default DNS seeds is hacked, this can impact nodes. A node checks 3 seeds at a time, so it would require coordination for a malicious seed to affect the network. If you prefer not to trust the DNS seeds hardcoded in Bitcoin Core, you should manually make connections to nodes you do trust (using `-seednode` / `-addnode`). You can also disable the DNS seeds (`-dnsseed=0`) in that case.

Done in 088d99b5e5c9bfd907861ce68692e638ee56448d

CVE-2018–20587 is an Incorrect Access Control vulnerability that affects all currently released versions of Bitcoin Core. You may be affected by this issue if you have the RPC service enabled (default, with the headless bitcoind) and other users have access to run their own services on the same computer (either local or remote access). If you are the only user of the computer running your node, you are not affected. If you use the GUI but have not enabled the RPC service, you are not affected.

Done in 088d99b5e5c9bfd907861ce68692e638ee56448d

Suggest using either the second person ("you") or third person ("a user") consistently throughout the document.

Having multiple connections to the network is fundamental to safety against eclipse attacks. If you configure your node to only have outbound block-relay-only connections, they wouldn't be participating in addr relay, so wouldn't have a diverse addrman to identify candidates to connect to. It is suggested to have at least 10 outbound connections.

Also, try for consistent verb tense use throughout the document--either present or past tense, for example. I'd suggest present tense.

Done in 088d99b5e5c9bfd907861ce68692e638ee56448d

Be careful with commands like `importdescriptor` if suggested by third parties, which can control future addresses created for incoming payments.

Done in 088d99b5e5c9bfd907861ce68692e638ee56448d

_*notify_ config and command line options accept shell commands to be based on different events in Bitcoin Core. Ensure that the commands are safe either by manual inspection or restrictions/alerts in the system used.

Done in 088d99b5e5c9bfd907861ce68692e638ee56448d

Maybe generalise this to not using untrusted wallet files?