homepage-data/Projects/Pinata

35 lines
1.7 KiB
Text
Raw Normal View History

2017-09-15 20:19:19 +00:00
---
title: The Bitcoin Piñata
author: someone
2017-09-17 18:52:58 +00:00
abstract: ![Piñata](/static/img/pinata.png)
2017-09-15 20:19:19 +00:00
---
2017-09-17 18:52:58 +00:00
![Piñata](/static/img/pinata.png)
2017-09-17 13:13:28 +00:00
The [Bitcoin Piñata](http://ownme.ipredator.se) is a unikernel which serves as
bug bounty system to test TLS and the underlying implementations. Its
communication endpoints are a website describing the setup, and both a TLS
client and a TLS server listening on a port. The total size, including TLS,
X.509, TCP/IP, of the virtual machine image is 4MB, which is less than 4% of a
comparable system using a Linux kernel and OpenSSL.
When a TLS handshake is successfully completed with mutual authentication, the
Piñata transmits the private key to a bitcoin wallet which is filled with ~10BTC
(~40000 EUR).
On startup, the Piñata generates its certificate authority on the fly, including
certificates and private keys. This means that only the Piñata itself contains
2017-09-17 14:00:44 +00:00
private keys which can authenticate successfully, and an attacker has to find
2017-09-17 13:13:28 +00:00
an exploitable flaw in any software layer (OCaml runtime, virtual network
2017-09-17 14:00:44 +00:00
device, TCP/IP stack, TLS library, X.509 validation, or elsewhere) to complete the challenge.
2017-09-17 13:13:28 +00:00
2017-09-17 14:00:44 +00:00
The Piñata is online since February 2015, and even though thousands of unique IP
2017-09-17 13:13:28 +00:00
addresses initiated connections, the wallet still contains the 10 BTC.
By using a Bitcoin wallet, the Piñata is a transparent bug bounty. Everybody
can observe (by looking into the Bitcoin blockchain) whether it has been
compromised and the money has been transferred to another wallet. It is also
self-serving: when an attacker discovers a flaw, they don't need to fill out
any forms to retrieve the bounty, instead they can take the wallet, without any
questions asked.