Fix/ocall oram storage authentication #1732
Conversation
Sorry about that. I had actually rebased to master. Not sure what went wrong here. I'll look at it. |
|
@wjuan-mob LMK when you've gotten the Cargo.lock restored, as of right now every dependency is updated... |
I'm sorry. I looked into this further and I can not figure out this dependency tree. I tried copying in the cargo.lock from master and rebuilding as suggested, but that just returned me to the previous state with the downgraded dependencies. I'm trying to find some reason that it might be intentionally downgrading the dependencies but I can not find that either. |
|
I will take a look |
This is a test-driven approach to investigating and fixing the issue mobilecoinfoundation#1576 These tests confirm that the trusted side indeed does not always detect when untrusted tampers with the memory, at this revision I have these results: ``` running 5 tests test helpers::exercise_oram_storage_clear_data ... FAILED test helpers::exercise_oram_storage_hammer_data ... FAILED test helpers::exercise_oram_storage_hammer_metadata ... ok test helpers::exercise_oram_storage_clear_metadata ... FAILED test helpers::exercise_oram_storage_shims ... ok ``` So the shims work normally when the memory is not tampered with, and the code detects when the untrusted metadata is hammered. But it does not detect when it is cleared, or when the data is tampered with. This is likely because of the issue point out in mobilecoinfoundation#1576, in the next commits we will fix it and get all these tests to pass. WIP try to fix trusted merkle root check Fix typo in readme Fix tests by using a branch that shares a trusted merkle root. Adding clarifying names to indices used in the test to better see what it is doing
cbeck88
force-pushed
the
fix/ocall-oram-storage-authentication
branch
from
797408d
to
99c452d
Compare
|
i think what was happening was, two things: because of the merge commit (which merged a more recent master into this PR), github was showing a diff that includes all of the changes that were merged from master. this makes the github diff view useless, and shows all the cargo.lock changes from the recent version bumps. to resolve this, i decided to squash the whole PR. i did this by i got a conflict like this: the left then i tried a rebuild, to get an up-to-date cargo.lock based on the cargo tomls. after this i added cargo.lock and continued rebasing. this caused no more cargo lock changes and dropped the last two "update cargo lock" commits. so i think the moral of the story is:
|
|
@wjuan-mob it may also be that the view was weird because you did the merge in kind of a funky way -- you started by checking out current master, and then made a branch there, and then merged my PR in. that's backwards from how it's normally done. you should probably have checked out my PR, made a new branch there, and then merged master in if that's what you wanted to do. merging is not symmetrical, deciding which is "ours" and which is "theirs" affects merge resolution, and may also affect the "view" git has of what the changes are when you look at the diff. so although it may seem counter-intuitive, you will get different results if you merge my PR into master, and then open a PR that merges that into master, from if you merge master into my PR, and then open a PR that merges that branch back into master. that may be a better moral for the story, because the squash and rebase thing is not good when the PR is big, it breaks the "changes since you last reviewed" feature of github which james likes, and which saves reviewers time |
|
also idk why the blake2 except that my diff still shows that so it must have been pre-existing... hmm |
|
I'm fine with this as-is, I think the blake2 thing was probably a partial upgrade, we should add a check for diverging dependencies within a single crate to CI. |
This is a test-driven approach to investigating and fixing the issue #1576 These tests confirm that the trusted side indeed does not always detect when untrusted tampers with the memory, at this revision I have these results: ``` running 5 tests test helpers::exercise_oram_storage_clear_data ... FAILED test helpers::exercise_oram_storage_hammer_data ... FAILED test helpers::exercise_oram_storage_hammer_metadata ... ok test helpers::exercise_oram_storage_clear_metadata ... FAILED test helpers::exercise_oram_storage_shims ... ok ``` So the shims work normally when the memory is not tampered with, and the code detects when the untrusted metadata is hammered. But it does not detect when it is cleared, or when the data is tampered with. This is likely because of the issue point out in #1576, in the next commits we will fix it and get all these tests to pass. WIP try to fix trusted merkle root check Fix typo in readme Fix tests by using a branch that shares a trusted merkle root. Adding clarifying names to indices used in the test to better see what it is doing Co-authored-by: Chris Beck <beck.ct@gmail.com>
* add tests for untrusted tampering with data and metadata (#1732) This is a test-driven approach to investigating and fixing the issue #1576 These tests confirm that the trusted side indeed does not always detect when untrusted tampers with the memory, at this revision I have these results: ``` running 5 tests test helpers::exercise_oram_storage_clear_data ... FAILED test helpers::exercise_oram_storage_hammer_data ... FAILED test helpers::exercise_oram_storage_hammer_metadata ... ok test helpers::exercise_oram_storage_clear_metadata ... FAILED test helpers::exercise_oram_storage_shims ... ok ``` So the shims work normally when the memory is not tampered with, and the code detects when the untrusted metadata is hammered. But it does not detect when it is cleared, or when the data is tampered with. This is likely because of the issue point out in #1576, in the next commits we will fix it and get all these tests to pass. WIP try to fix trusted merkle root check Fix typo in readme Fix tests by using a branch that shares a trusted merkle root. Adding clarifying names to indices used in the test to better see what it is doing Co-authored-by: Chris Beck <beck.ct@gmail.com> * Reverting blake2 version to 0.9.2 version for release 1.2 Co-authored-by: Chris Beck <beck.ct@gmail.com>
This is a clone of 1585
Adds some naming clarification around the various indices used in the tests.
Fixes the tests by using indices that actually share a trusted merkle root.