bit more in depth after running it for five months. Mindy recently wrote about
<a href="https://somerandomidiot.com/blog/2018/04/17/whacking-the-bitcoin-pinata/">whacking the Bitcoin
Piñata</a>.</p>
<p>On March 18th 2018, after more than three years, IPredator, the lender of the Bitcoins, repurposed the 10 Bitcoins for other projects. Initially, we thought that the Piñata would maybe run for a month or two, but IPredator, David, and I decided to keep it running. The update of the Piñata's bounty is a good opportunity to reflect on the project.</p>
<p>The 10 Bitcoins in the Piñata fluctuated in price over time, at their peak worth 165000€.</p>
<p>From the start of the Piñata project, we published the <a href="https://github.com/mirleft/btc-pinata">source code</a>, the virtual machine image, and the versions of the libraries used in a git repository. Everybody could develop their exploits locally before launching them against our Piñata. The Piñata provides TLS endpoints, which require private keys and certificates. These are generated by the Piñata at startup, and the secret for the Bitcoin wallet is provided as a command line argument.</p>
<p>Initially the Piñata was deployed on a Linux/Xen machine, later it was migrated to a FreeBSD host using BHyve and VirtIO with <a href="https://github.com/solo5/solo5">solo5</a>, and in December 2017 it was migrated to native BHyve (<a href="/Posts/Solo5">using <code>ukvm-bin</code> and solo5</a>). We also changed the Piñata code to accommodate updates, such as the <a href="https://mirageos.org/blog/announcing-mirage-30-release">MirageOS 3.0 release</a>, and the discontinuation of floating point numbers for timestamps (asn1-combinators 0.2.0, x509 0.6.0, tls 0.9.0).</p>
<p>We built the Piñata for many purposes: to attract security professionals to evaluate our <a href="https://mirageos.org/blog/introducing-ocaml-tls">from-scratch developed TLS stack</a>, to gather empirical data for our <a href="https://www.usenix.org/conference/usenixsecurity15/technical-sessions/presentation/kaloper-mersinjak">Usenix Security 15 paper</a>, and as an improvement to current bug bounty programs.</p>
<p>I still remember vividly the first nights in February 2015, being so nervous that I woke up every two hours and checked the blockchain. Did the Piñata still have the Bitcoins? I was familiar with the code of the Piñata and was afraid there might be a bug that allows bypassing authentication or leaking the private key. So far, this doesn't seem to be the case.</p>
<p>In April 2016 we stumbled upon an <a href="/Posts/BadRecordMac">information disclosure in the virtual network
device driver for Xen in MirageOS</a>. Given enough
bandwidth, this could have been used to access the private wallet key. We</p>
<p>We analysed the Piñata's access logs and bucketed them into website traffic and bounty connections. We are still wondering what happened in July 2015 and July 2017, where the graph shows spikes. Could it be a presentation mentioning the Piñata, a new automated tool which tests for TLS vulnerabilities, or an increase in the market price of Bitcoins?</p>
<p>The cumulative graph shows more than 500,000 accesses to the Piñata website and more than 150,000 attempts at connecting to the Piñata bounty.</p>
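<p>The bucketing and spike-hunting described above, as an added example that is not the Piñata's own analysis code. The post does not give the log format, so the sample lines, their layout (<code>timestamp client-ip destination-port</code>) and the IP addresses are constructed here; the classification of ports 80/443 as website traffic and 10001 as a bounty port are assumptions, only 10000 and 10002 appear in the post.</p>

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Assumption: the website is served on 80/443; 10000 and 10002 are the bounty
# ports named in the post, 10001 is assumed to be the third Piñata endpoint.
WEBSITE_PORTS = {80, 443}
BOUNTY_PORTS = {10000, 10001, 10002}

# Constructed sample log: '<ISO-8601 timestamp> <client-ip> <dst-port>'.
# July carries a burst of bounty connections from two addresses, and there is
# one malformed line plus one connection to an unrelated port.
SAMPLE_LOG = """\
2015-05-02T10:11:12 203.0.113.10 443
2015-05-09T08:00:00 203.0.113.11 10000
2015-06-01T12:00:00 198.51.100.4 443
2015-06-15T13:14:15 198.51.100.5 10002
2015-07-01T00:00:01 192.0.2.7 10000
2015-07-01T00:00:02 192.0.2.7 10000
2015-07-01T00:00:03 192.0.2.7 10002
2015-07-01T00:00:04 192.0.2.8 10000
2015-07-01T00:00:05 192.0.2.8 10002
2015-07-02T09:00:00 192.0.2.9 80
2015-08-03T17:00:00 203.0.113.12 443
2015-08-04T17:00:00 203.0.113.13 10000
garbage line
2015-08-05T17:00:00 203.0.113.14 22
"""


def parse_line(line):
    """Parse one constructed log line into (timestamp, port).
    Raises ValueError for lines that do not have exactly three fields."""
    ts, _ip, port = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), int(port)


def bucket_by_month(lines):
    """Return {'YYYY-MM': {'website': n, 'bounty': n}}.
    Malformed lines and connections to other ports are skipped."""
    counts = defaultdict(lambda: {"website": 0, "bounty": 0})
    for line in lines:
        try:
            ts, port = parse_line(line)
        except ValueError:
            continue
        if port in WEBSITE_PORTS:
            kind = "website"
        elif port in BOUNTY_PORTS:
            kind = "bounty"
        else:
            continue
        counts[ts.strftime("%Y-%m")][kind] += 1
    return dict(counts)


def spike_months(monthly, kind="bounty", factor=3.0):
    """Months whose count for `kind` exceeds `factor` times the median month.
    The median is robust to the spike itself, unlike the mean."""
    if not monthly:
        return []
    baseline = median(v[kind] for v in monthly.values())
    return sorted(m for m, v in monthly.items() if v[kind] > factor * baseline)


def cumulative(monthly, kind):
    """Running total per month, the series behind a cumulative graph."""
    total, out = 0, []
    for month in sorted(monthly):
        total += monthly[month][kind]
        out.append((month, total))
    return out


if __name__ == "__main__":
    monthly = bucket_by_month(SAMPLE_LOG.splitlines())
    for month, c in sorted(monthly.items()):
        print(month, c)
    print("bounty spikes:", spike_months(monthly, "bounty"))
    print("cumulative bounty:", cumulative(monthly, "bounty"))
```

<p>On the constructed sample, July 2015 is the only month flagged as a bounty spike; the same function applied to website hits flags nothing, which is the kind of separation between the two buckets the post's graph is meant to show.</p>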
<p>You can short-circuit the client and server Piñata endpoint and observe the private wallet key being transferred on your computer, TLS encrypted with the secret exchanged by client and server, using <code>socat -x TCP:ownme.ipredator.se:10000 TCP:ownme.ipredator.se:10002</code>.</p>
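<p>What that <code>socat</code> line does, written out as an added example in Python (this is not code from the Piñata repository). The relay connects outbound to both endpoints, forwards bytes in each direction, and hex-dumps every chunk it forwards, so whoever runs it sees only the TLS records exchanged by client and server, never the wallet key inside them. The addresses and the two loopback stand-ins in <code>demo_loopback</code> are constructed for a self-contained run; they speak plain bytes, not TLS, and are not the real service at <code>ownme.ipredator.se</code>.</p>

```python
import selectors
import socket
import threading


def hexdump(data, width=16):
    """Render bytes the way `socat -x` does: offset, hex bytes, printable ASCII."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart:<{width * 3}} {asc}")
    return "\n".join(lines)


def relay(left, right, observer=None, timeout=5.0):
    """Connect to `left` and `right` ((host, port) tuples) and pump bytes both
    ways, handing each forwarded chunk to observer(direction, data).
    Returns byte counts per direction; stops when either side closes or when
    nothing has been received for `timeout` seconds."""
    counts = {"left->right": 0, "right->left": 0}
    a = socket.create_connection(left, timeout=timeout)
    b = socket.create_connection(right, timeout=timeout)
    peer = {a: b, b: a}
    label = {a: "left->right", b: "right->left"}
    sel = selectors.DefaultSelector()
    sel.register(a, selectors.EVENT_READ)
    sel.register(b, selectors.EVENT_READ)
    try:
        while True:
            events = sel.select(timeout)
            if not events:
                break  # idle: give up rather than hang forever
            for key, _ in events:
                src = key.fileobj
                data = src.recv(4096)
                if not data:  # one side hung up; closing both ends in finally
                    return counts
                counts[label[src]] += len(data)
                if observer:
                    observer(label[src], data)
                peer[src].sendall(data)
    finally:
        sel.close()
        a.close()
        b.close()
    return counts


def demo_loopback():
    """Constructed stand-ins on 127.0.0.1 for the client and server endpoints.
    The 'client' speaks first, the 'server' answers, then the client hangs up."""
    seen = {"client_got": None, "server_got": None, "dump": []}

    def listener():
        s = socket.socket()
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind(("127.0.0.1", 0))  # ephemeral port, read back via getsockname()
        s.listen(1)
        return s

    client_l, server_l = listener(), listener()

    def fake_client():
        conn, _ = client_l.accept()
        with conn:
            conn.sendall(b"client-hello (constructed)")
            seen["client_got"] = conn.recv(4096)
        client_l.close()

    def fake_server():
        conn, _ = server_l.accept()
        with conn:
            seen["server_got"] = conn.recv(4096)
            conn.sendall(b"server-hello (constructed)")
            conn.recv(4096)  # returns b"" once the relay closes this end
        server_l.close()

    threads = [threading.Thread(target=fake_client), threading.Thread(target=fake_server)]
    for t in threads:
        t.start()
    seen["counts"] = relay(client_l.getsockname(), server_l.getsockname(),
                           observer=lambda d, data: seen["dump"].append((d, hexdump(data))))
    for t in threads:
        t.join(timeout=5)
    return seen


if __name__ == "__main__":
    # Against the real Piñata this would be
    # relay(("ownme.ipredator.se", 10000), ("ownme.ipredator.se", 10002), ...)
    for direction, dump in demo_loopback()["dump"]:
        print(direction)
        print(dump)
```

<p>The relay has no key material and does not terminate TLS; it is a passive observer of ciphertext, which is exactly why the short-circuit is safe to demonstrate in public.</p>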
<p>If you attempted to exploit the Piñata, please let us know what you tried! Via
<a href="http://mastodon.social/@hannesm">hannesm@mastodon.social</a> or via email.</p>
<p>Since <a href="/Posts/DNS">the start of 2018</a> we are developing robust software and systems at <a href="http://robur.io">robur</a>. If you like our work and want to support us with donations or development contracts, please get in touch with <code>team@robur.io</code>. Robur is a project of the German non-profit <a href="https://techcultivation.org">Center for the cultivation of technology</a>. Donations to robur are tax-deductible in Europe.</p>