Total Eclipse of the Heart – Disrupting the InterPlanetary File System

Bernd Prünster, Alexander Marsalek, Thomas Zefferer

Publikation: Beitrag in Buch/Bericht/KonferenzbandBeitrag in einem KonferenzbandBegutachtung

Abstract

Peer-to-peer networks are an attractive alternative to classical client-server architectures in several fields of application such as voice-over-IP telephony and file sharing. Recently, a new peer-to-peer solution called the InterPlanetary File System (IPFS) has attracted attention, which promises to re-decentralise the Web. Being increasingly used as a stand-alone application, IPFS has also emerged as the technical backbone of various other decentralised solutions and was even used to evade censorship. Decentralised applications serving millions of users rely on IPFS as one of their crucial building blocks. This popularity makes IPFS attractive for large-scale attacks. We have identified a conceptual issue in one of IPFS’s core libraries and demonstrate their exploitation by means of a successful end-to-end attack. We evaluated this attack against the IPFS reference implementation on the public IPFS network, which is used by the average user to share and consume IPFS content. Results obtained from mounting this attack on live IPFS nodes show that arbitrary IPFS nodes can be eclipsed, i.e. isolated from the network, with moderate effort and limited resources. Compared to similar works, we show that our attack scales linearly even beyond current network sizes and can disrupt the entire public IPFS network with alarmingly low effort. The vulnerability set described in this paper has been assigned CVE-2020-10937. Responsible disclosure procedures are currently being carried out and have led to mitigations being deployed, with additional fixes to be rolled out in future releases.
Originalspracheenglisch
Titel31st USENIX Security Symposium
Herausgeber (Verlag)USENIX Association
Seiten3735-3752
ISBN (elektronisch)978-1-939133-31-1
PublikationsstatusVeröffentlicht - 2022
Veranstaltung31st USENIX Security Symposium: USENIX Security 2022 - Boston, USA / Vereinigte Staaten
Dauer: 10 Aug. 202212 Aug. 2022
Konferenznummer: 31

Konferenz

Konferenz31st USENIX Security Symposium
KurztitelUSENIX '22
Land/GebietUSA / Vereinigte Staaten
OrtBoston
Zeitraum10/08/2212/08/22

Fields of Expertise

  • Information, Communication & Computing

Treatment code (Nähere Zuordnung)

  • Application

Fingerprint

Untersuchen Sie die Forschungsthemen von „Total Eclipse of the Heart – Disrupting the InterPlanetary File System“. Zusammen bilden sie einen einzigartigen Fingerprint.
  • A-SIT - Zentrum für sichere Informationstechnologie Austria

    Stranacher, K. (Teilnehmer (Co-Investigator)), Dominikus, S. (Teilnehmer (Co-Investigator)), Leitold, H. (Teilnehmer (Co-Investigator)), Marsalek, A. (Teilnehmer (Co-Investigator)), Teufl, P. (Teilnehmer (Co-Investigator)), Bauer, W. (Teilnehmer (Co-Investigator)), Aigner, M. J. (Teilnehmer (Co-Investigator)), Rössler, T. (Teilnehmer (Co-Investigator)), Neuherz, E. (Teilnehmer (Co-Investigator)), Dietrich, K. (Teilnehmer (Co-Investigator)), Zefferer, T. (Teilnehmer (Co-Investigator)), Mangard, S. (Teilnehmer (Co-Investigator)), Payer, U. (Teilnehmer (Co-Investigator)), Orthacker, C. (Teilnehmer (Co-Investigator)), Lipp, P. (Teilnehmer (Co-Investigator)), Reiter, A. (Teilnehmer (Co-Investigator)), Knall, T. (Teilnehmer (Co-Investigator)), Bratko, H. (Teilnehmer (Co-Investigator)), Bonato, M. (Teilnehmer (Co-Investigator)), Suzic, B. (Teilnehmer (Co-Investigator)), Zwattendorfer, B. (Teilnehmer (Co-Investigator)), Kreuzhuber, S. (Teilnehmer (Co-Investigator)), Oswald, M. E. (Teilnehmer (Co-Investigator)), Tauber, A. (Teilnehmer (Co-Investigator)), Posch, R. (Projektleiter (Principal Investigator)), Bratko, D. (Teilnehmer (Co-Investigator)), Feichtner, J. (Teilnehmer (Co-Investigator)), Ivkovic, M. (Teilnehmer (Co-Investigator)), Reimair, F. (Teilnehmer (Co-Investigator)), Wolkerstorfer, J. (Teilnehmer (Co-Investigator)) & Scheibelhofer, K. (Teilnehmer (Co-Investigator))

    21/05/9931/12/24

    Projekt: Arbeitsgebiet

Dieses zitieren