Secure Mode Announcement #4881

Closed
mrcnski opened this issue Jun 6, 2023 · 2 comments · Fixed by #5346

mrcnski commented Jun 6, 2023

Announcement

Attention validators! In Polkadot v1.5.0 we will be releasing our new secure-mode feature. This mode takes advantage of recent security work that has been done to protect validators from malicious PVFs, and will be enabled by default. Make sure you meet the requirements listed below!

Why?

While PVF execution is already sandboxed, in reality there can be bugs and exploits and we want validator machines to be as secure as possible. Also, on-demand parachains are coming soon, making it easier than before to get a validator to run untrusted code. Hence we have implemented additional layers of protection, to protect the very sensitive validator keys.

How does this protect me?

We have implemented very strict filesystem, networking, and process sandboxing, on top of the existing wasmtime sandbox. This will make it very unlikely for a validator machine to be compromised by running untrusted code.

What are the requirements?

  1. Linux on x86-64. This is within our existing recommendations, though it was never a hard requirement. According to our telemetry, most validators should already meet this requirement.
  2. seccomp enabled. You can check that this is the case by running the following command:

     ```
     cat /boot/config-`uname -r` | grep CONFIG_SECCOMP=
     ```

     The expected output, if enabled, is:

     ```
     CONFIG_SECCOMP=y
     ```

  3. OPTIONAL: Linux 5.13. Provides access to even more strict filesystem protections. Many validators are not yet on this version of the kernel, so we will not require it to run secure-mode. However, while not necessary to be reasonably secure, it is highly recommended to upgrade to at least this kernel version.

What if I don't meet the requirements?

There will be a flag to bypass the secure-mode requirements, but we will highly discourage production validators from using it due to the security risks involved. Most validators should already meet the mandatory requirements (1) and (2), though you may need to upgrade to meet the optional requirement (3).
Note: As mentioned, PVFs are already executed inside wasmtime's sandbox, but by itself this may not be enough protection against a determined attacker.


Related

Implementation issue for secure-mode: paritytech/polkadot-sdk#1444
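
The three requirements listed in the announcement can be checked in one pass. The script below is an added example, not part of the original issue or of the Polkadot code base; the function names and the `--host` argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: preflight check for the three secure-mode requirements.
# Function names and the --host argument are assumptions of this example.

# (1) Linux on x86-64. Arguments: output of `uname -s` and `uname -m`.
platform_ok() {
    [ "$1" = "Linux" ] && [ "$2" = "x86_64" ]
}

# (2) seccomp built into the kernel. Argument: path to the kernel config file.
seccomp_enabled() {
    grep -q '^CONFIG_SECCOMP=y' "$1" 2>/dev/null
}

# (3) Kernel release >= MAJOR.MINOR, e.g. kernel_at_least 5.15.0-91-generic 5 13
kernel_at_least() {
    rel=${1%%[!0-9.]*}                 # strip "-91-generic" style suffixes
    case "$rel" in [0-9]*.[0-9]*) ;; *) return 1 ;; esac
    major=${rel%%.*}
    rest=${rel#*.}
    minor=${rest%%.*}
    [ "$major" -gt "$2" ] || { [ "$major" -eq "$2" ] && [ "$minor" -ge "$3" ]; }
}

# preflight OS ARCH KERNEL_RELEASE KERNEL_CONFIG_FILE
# Returns 0 when mandatory requirements (1) and (2) hold; (3) only warns.
preflight() {
    rc=0
    if platform_ok "$1" "$2"; then echo "ok:   (1) Linux on x86-64"
    else echo "FAIL: (1) need Linux on x86-64, found $1 on $2"; rc=1; fi
    if seccomp_enabled "$4"; then echo "ok:   (2) CONFIG_SECCOMP=y"
    else echo "FAIL: (2) CONFIG_SECCOMP=y not found in $4"; rc=1; fi
    if kernel_at_least "$3" 5 13; then echo "ok:   (3) kernel $3 >= 5.13"
    else echo "warn: (3) kernel $3 < 5.13 (optional, upgrade recommended)"; fi
    return "$rc"
}

# Check the machine the script runs on when called with --host.
if [ "${1:-}" = "--host" ]; then
    preflight "$(uname -s)" "$(uname -m)" "$(uname -r)" "/boot/config-$(uname -r)"
fi
```

A non-zero exit status means a mandatory requirement is not met; an old kernel alone produces only a warning, matching the optional status of requirement (3).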

eskimor commented Jun 6, 2023

> With on-demand parachains coming soon, it will be easier for malicious PVFs to be submitted on-chain. Validation code could theoretically break out of wasmtime's existing sandbox and execute arbitrary code on remote machines. This means attackers can potentially steal validator keys!

I would rephrase to something like this:

> While PVF execution is already sandboxed, in reality there can be bugs and we want validators to be as secure as possible. Hence we are implementing additional layers of protection as validator keys are very sensitive.

mrcnski commented Jul 5, 2023

Once we decide on a version XY to roll out secure-mode, we should start emitting a warning for validators who do not meet the requirements, saying that they need to upgrade their machine before XY. See paritytech/polkadot#7303 (comment).

mrcnski added a commit to mrcnski/polkadot-wiki that referenced this issue Nov 8, 2023
This page will be linked to in an error message if a validator fails to meet the
requirements.

Let me know if there is too much or too little detail.

Closes w3f#4881
filippoweb3 added a commit that referenced this issue Nov 9, 2023
* Document secure-validator mode

This page will be linked to in an error message if a validator fails to meet the
requirements.

Let me know if there is too much or too little detail.

Closes #4881

* Make requirement use a bit less technical language

* Add warning about disabling secure mode

* minor edits, grammar check

---------

Co-authored-by: filippoweb3 <[email protected]>