Have a question? Want to advertise? Something else? Contact us: [email protected]

From the Front Page


Categories: General, Fiction, Columns

Chain Wars: Tine Attack

Published on October 13th, 2014 by mdw

This is part two of a series called Chain Wars. It started last week with this double length intro: http://letstalkbitcoin.com/blog/post/chain-wars-the-worm

Tine van der Hoeff was an expert in keeping next generation blockchains running. But she was lured away on an important task by an unknown patron. Working with her friend Theo, she plans to attack the chain worm, Naga Sib.

 

Tine understood how important it was for humans to maintain control over their technology. She knew that humans set the rules for the chain when the code was launched. Surely, she thought, better chain design could prevent chain infections from happening.

Some parts of the Naga Sib codebase remained mysterious, including the instruction set for building the next generation. Many of its secrets were hidden in a big binary blob, from which both parts of the worm could be made. It was not clear how to extract the information from that binary hunk of code, but it contained the digital DNA of the chain worm.

Tine's current goal was to figure out how it worked and how to conquer it. She would kill both halves of this at the same time. Then she intended to find out who was behind Naga Sib, and why.


Suicide Switches Kill

Chain lords were the true maintainers of order, since a running app, on most chains, could not be stopped by interacting with it, unless a virtual "suicide switch" had been coded in. This simply sent the token balance to the creator and stopped.

Most apps were built using toolkits or frameworks that included the kill switch code library by default. Apps could be built without an explicit kill switch as part of the user interface. Most hastily built apps still had the self-kill code hidden inside, ready to be exploited once an attacker gains sufficient privileges.

Tine often used the switch to kill apps, but Naga Sib was not written in a higher-level scripting language. It was all low-level code. She would need a different way to attack it. The first place to find privileged operations to exploit was to examine what the chain designers had built for themselves.

On NetherChain, the watcher app could do privileged things such as demanding audits from apps. It had access to financial data on the chain, and could halt the sending and receiving of payments by apps.

The watcher app was unusual in many ways, having system-level privileges because it was built as part of the system. The watcher app on NetherChain was an interesting place to watch the operations of both chain lords and attackers.


Theo

Theo got himself set up and soon became involved in digging through the NetherChain. He was archiving every spend in and out of the pesky Naga Sib apps, trying to correlate data in order to unmask some of the worm's financial activities. This was made easier by knowing that KillNet was the other endpoint for many transactions.

He explained his involvement as a miner to Tine as they worked comfortably together. "They pay every week, at least doubling the miner fees for each transaction of theirs you include. Transactions that are payments for bounties on assassination markets pay the most. Miners also get a percentage of the bounty fee, which could amount to quite a lot."

Tine and Theo worked around the clock, studying the enemy. They made a good team. Theo had been busy piecing together bits of a picture of the profits coming from KillNet. Miners were paid with coins sent via Coin-o-rama, a simple 1-BTC-only mixing service. He identified a half dozen miners who were getting payments.

Theo had included these and all other high-fee transactions when he mined, as a way to make it profitable. Perhaps the system reacts badly when a miner stops including them, as he had. That meant that Naga Sib kept real identity information on its miners, in case one needed to disappear. How else could it have set a bounty on Theo when he stopped?

Money was being sent to accounts on various exchanges as well. It was not clear what the BTC was being exchanged into. Some accounts bought into a competing chain's tokens, and sometimes the BTC simply changed accounts.


Impatient Sponsor

It was already time for the third meeting with her sponsor, and Tine was not ready. She had learned so much, but had not taken any action.

"Why haven't you killed off that Naga Sib yet? What are you doing?" Tine's unknown patron was growing more impatient.

Patiently, Tine explained, "This is a big, messy collection of chain-level code, which only runs on the NetherChain. Low-level, assembly-like code that makes it time consuming to figure out what Naga Sib is doing."

"It seems the chain lord, Bram, was killed this morning," the patron said with a steady voice.

"You know about the assassination market?" she asked bluntly.

"I know this Naga Sib is out of control," he countered.

Tine thought she heard something in his voice. "What else do you know?" Tine wondered, for the first time and out loud.

"People are dying!" he spoke quietly. "If I could pay you more, I would, but I can't." Her mysterious patron had never sounded more emotional. "Just kill it. As soon as possible!"

Tine readied her scripts for attack. She had a detailed strategy to identify and cripple the pair of apps that were called Naga Sib. She always had a few extra tricks up her sleeve as well.


Tine attacks the chain worm Naga Sib

Tine Attack

Tine's chain monitor script was running, identifying the "chain worm" apps with red indicators. It was set to lock onto two such apps before enabling the launch of synchronized attack scripts.

Next came NetherChain's watcher app, which could now be safely hijacked, since there was no chain lord lurking about. Tine's plan included using the watcher app to restrict all transactions to and from an identified Naga Sib twin. This would hopefully buy her enough time to identify the other, and attack and kill both together.

Naga Sib had an initialization routine that immediately downloaded a chunk of binary data and more operating code. When that download began, the chain monitor script would identify it as a new target.

Timing was important because both apps needed to be terminated before either got set up to establish a new instance. A new app could be started with a single transaction, as long as the parent had all the code it needed to send to the new one. If contact attempts between siblings went unanswered, creating a new sibling would become the top priority.

So there was a window of opportunity to fatally attack Naga Sib: when two new siblings were identified, but were not yet ready to send a transaction to start a new instance. That would be the attack window Tine wanted.

 

The Battle

Both parent apps were attacked and disabled, one replacement app was up and running now, with the other in a bootstrapping process. The watcher app, under Tine's guidance, was prepared to trap all transactions from the running sibling.

The second twin Naga app was identified, and Tine knew that its first order of business was a handshake with its elder half, followed by a scan for threats. But her attack against it had already been launched.

Tine's script spent all the tokens from the first app to some arbitrary address, using the compromised watcher app, and marked it for removal. The chain's garbage collection routine would remove the code soon, as it worked its way through the queue.

Meanwhile, the watcher app prevented any interaction between the siblings. This gave Tine's script a chance to launch attacks against the second app, until she found a weakness. And sure enough, it turned out that the app had a kill switch, activated by an external party with a password.

That turned out to be a bad strategy, since Tine had the first app silenced using the watcher app. With no warning possible from the first app, Tine's script had plenty of time for a brute force attack on the second. She would simply guess the password to access the second app's shutdown mechanism. Within seconds, Tine's scripts had killed off both Naga Sib apps, and all was quiet.

Theo celebrated loudly. Tine smiled, sure the fight would not be won that easily. She went to make a cup of tea. Both apps were disabled, yet her monitor script still ran. She lost herself in thinking about attacking the sibling apps under different circumstances.

The monitor script suddenly detected a new instance of Naga Sib on the chain. Tine smiled again, sipping her tea. Surely the second one would be detected soon. This time they came back slowly, jump starting from another chain. Next time she would end it, across as many chains as it took!

 


Thanks for supporting this story. Once again, image credits go to @rockbarcellos for the awesome artwork. Feel free to send LTBc to these:

  • Chain Lord Memorial Fund: 1P4w2HUiZjErds8RSHUc2swre2gwwNS8oV
  • Vote Naga Sib for Best Chain Worm: 1PynpNQCVHq734yM7pKFgJPDsaQpLrjV9h

Views: 2,549


Comments

Make sure to make use of the "downvote" button for any spammy posts, and the "upvote" feature for interesting conversation. Be excellent.

comments powered by Disqus