test: [MR-403] ensure malicious state sync chunks are rejected

ShuoWangNSL · ShuoWangNSL · commit a7fbbd64b61e · 2024-01-11T23:32:38.000Z
diff --git a/rs/config/src/config_sample.rs b/rs/config/src/config_sample.rs
@@ -324,6 +324,7 @@ pub const SAMPLE_CONFIG: &str = r#"
          maliciously_disable_ingress_validation: false,
          maliciously_corrupt_ecdsa_dealings: false,
          maliciously_alter_certified_hash: false,
+         maliciously_alter_state_sync_chunk_sending_side: false,
        },
     },
 
diff --git a/rs/p2p/state_sync_manager/tests/common.rs b/rs/p2p/state_sync_manager/tests/common.rs
@@ -436,6 +436,7 @@ fn state_sync_artifact(id: StateSyncArtifactId) -> StateSyncMessage {
         manifest,
         meta_manifest: Arc::new(meta_manifest),
         state_sync_file_group: Default::default(),
+        malicious_flags: Default::default(),
     }
 }
 
diff --git a/rs/state_manager/src/lib.rs b/rs/state_manager/src/lib.rs
@@ -118,6 +118,9 @@ const LABEL_COPY_FILES: &str = "copy_files";
 const LABEL_COPY_CHUNKS: &str = "copy_chunks";
 const LABEL_PREALLOCATE: &str = "preallocate";
 const LABEL_STATE_SYNC_MAKE_CHECKPOINT: &str = "state_sync_make_checkpoint";
+const LABEL_FETCH_META_MANIFEST_CHUNK: &str = "fetch_meta_manifest_chunk";
+const LABEL_FETCH_MANIFEST_CHUNK: &str = "fetch_manifest_chunk";
+const LABEL_FETCH_STATE_CHUNK: &str = "fetch_state_chunk";
 
 /// Labels for slice validation metrics
 const LABEL_VERIFY_SIG: &str = "verify";
@@ -533,12 +536,18 @@ impl StateSyncMetrics {
 
         let corrupted_chunks = metrics_registry.int_counter_vec(
             "state_sync_corrupted_chunks",
-            "Number of chunks not copied during state sync due to hash mismatch by source ('fetch', copy_files', 'copy_chunks')",
+            "Number of chunks not copied/applied during state sync due to hash mismatch by source ('copy_files', 'copy_chunks', 'fetch_meta_manifest_chunk', 'fetch_manifest_chunk', 'fetch_state_chunk')",
             &["source"],
         );
 
         // Note [Metrics preallocation]
-        for source in &[LABEL_FETCH, LABEL_COPY_FILES, LABEL_COPY_CHUNKS] {
+        for source in &[
+            LABEL_COPY_FILES,
+            LABEL_COPY_CHUNKS,
+            LABEL_FETCH_META_MANIFEST_CHUNK,
+            LABEL_FETCH_MANIFEST_CHUNK,
+            LABEL_FETCH_STATE_CHUNK,
+        ] {
             corrupted_chunks.with_label_values(&[*source]);
         }
 
diff --git a/rs/state_manager/src/state_sync.rs b/rs/state_manager/src/state_sync.rs
@@ -87,6 +87,7 @@ impl StateSync {
                         meta_manifest,
                         manifest: manifest.clone(),
                         state_sync_file_group,
+                        malicious_flags: self.state_manager.malicious_flags.clone(),
                     })
                 } else {
                     None
@@ -137,6 +138,7 @@ impl StateSync {
                         manifest: manifest.clone(),
                         meta_manifest,
                         state_sync_file_group: Default::default(),
+                        malicious_flags: self.state_manager.malicious_flags.clone(),
                     };
                     Some(StateSyncArtifactId {
                         height: msg.height,
diff --git a/rs/state_manager/src/state_sync/chunkable.rs b/rs/state_manager/src/state_sync/chunkable.rs
@@ -7,6 +7,7 @@ use crate::{
     },
     StateManagerMetrics, StateSyncMetrics, StateSyncRefs,
     CRITICAL_ERROR_STATE_SYNC_CORRUPTED_CHUNKS, LABEL_COPY_CHUNKS, LABEL_COPY_FILES, LABEL_FETCH,
+    LABEL_FETCH_MANIFEST_CHUNK, LABEL_FETCH_META_MANIFEST_CHUNK, LABEL_FETCH_STATE_CHUNK,
     LABEL_PREALLOCATE, LABEL_STATE_SYNC_MAKE_CHECKPOINT,
 };
 use ic_interfaces::p2p::state_sync::{
@@ -785,6 +786,7 @@ impl IncompleteState {
             // `state_sync_file_group` and `checkpoint_root` are not included in the integrity hash of this artifact.
             // Therefore it is OK to pass a default value here as it is only used when fetching chunks.
             state_sync_file_group: Default::default(),
+            malicious_flags: Default::default(),
         }
     }
 
@@ -1122,6 +1124,62 @@ impl IncompleteState {
     }
 }
 
+#[cfg(feature = "malicious_code")]
+fn maliciously_alter_chunk_data(
+    mut chunk: Chunk,
+    chunk_id: ChunkId,
+    malicious_flags: &mut MaliciousFlags,
+) -> Chunk {
+    let allowance = match malicious_flags
+        .maliciously_alter_state_sync_chunk_receiving_side
+        .as_mut()
+    {
+        Some(allowance) => allowance,
+        None => {
+            return chunk;
+        }
+    };
+
+    let payload = chunk.clone();
+
+    let ix = chunk_id.get();
+    match state_sync_chunk_type(ix) {
+        StateSyncChunk::MetaManifestChunk => {
+            if allowance.meta_manifest_chunk_error_allowance == 0 {
+                return chunk;
+            }
+            allowance.meta_manifest_chunk_error_allowance -= 1;
+            let meta_manifest = match decode_meta_manifest(&payload) {
+                Ok(meta_manifest) => meta_manifest,
+                Err(_) => {
+                    return chunk;
+                }
+            };
+            chunk = crate::state_sync::types::maliciously_alter_meta_manifest(meta_manifest);
+        }
+        StateSyncChunk::ManifestChunk(_) => {
+            if allowance.manifest_chunk_error_allowance == 0 {
+                return chunk;
+            }
+            allowance.manifest_chunk_error_allowance -= 1;
+            chunk = crate::state_sync::types::maliciously_alter_chunk_payload(payload);
+        }
+        _ => {
+            if allowance.state_chunk_error_allowance == 0 {
+                return chunk;
+            }
+            allowance.state_chunk_error_allowance -= 1;
+            chunk = crate::state_sync::types::maliciously_alter_chunk_payload(payload);
+        }
+    }
+    // Sleep for 15 seconds to allow the replica connecting to more peers for state sync.
+    // Otherwise, the first invalid chunk in the very beginning will immediately fail the state sync
+    // if there is only one peer connected.
+    // Note that this is only an issue for tests not the real system.
+    std::thread::sleep(std::time::Duration::from_secs(15));
+    chunk
+}
+
 impl Chunkable<StateSyncMessage> for IncompleteState {
     fn chunks_to_download(&self) -> Box<dyn Iterator<Item = ChunkId>> {
         match self.state {
@@ -1157,6 +1215,9 @@ impl Chunkable<StateSyncMessage> for IncompleteState {
         chunk_id: ChunkId,
         chunk: Chunk,
     ) -> Result<StateSyncMessage, ArtifactErrorCode> {
+        #[cfg(feature = "malicious_code")]
+        let chunk = maliciously_alter_chunk_data(chunk, chunk_id, &mut self.malicious_flags);
+
         let ix = chunk_id.get();
         let payload = &chunk;
         match &mut self.state {
@@ -1183,6 +1244,11 @@ impl Chunkable<StateSyncMessage> for IncompleteState {
                     crate::manifest::validate_meta_manifest(&meta_manifest, &self.root_hash)
                         .map_err(|err| {
                             warn!(self.log, "Received invalid meta-manifest: {}", err);
+                            self.metrics
+                                .state_sync_metrics
+                                .corrupted_chunks
+                                .with_label_values(&[LABEL_FETCH_META_MANIFEST_CHUNK])
+                                .inc();
                             ChunkVerificationFailed
                         })?;
                     let manifest_chunks_len = meta_manifest.sub_manifest_hashes.len();
@@ -1248,6 +1314,11 @@ impl Chunkable<StateSyncMessage> for IncompleteState {
                 )
                 .map_err(|err| {
                     warn!(self.log, "Received invalid sub-manifest: {}", err);
+                    self.metrics
+                        .state_sync_metrics
+                        .corrupted_chunks
+                        .with_label_values(&[LABEL_FETCH_MANIFEST_CHUNK])
+                        .inc();
                     ChunkVerificationFailed
                 })?;
                 manifest_in_construction.insert(ix, payload.clone());
@@ -1442,7 +1513,7 @@ impl Chunkable<StateSyncMessage> for IncompleteState {
                         metrics
                             .state_sync_metrics
                             .corrupted_chunks
-                            .with_label_values(&[LABEL_FETCH])
+                            .with_label_values(&[LABEL_FETCH_STATE_CHUNK])
                             .inc();
                         ChunkVerificationFailed
                     })?;
diff --git a/rs/state_manager/src/state_sync/chunkable/cache/tests.rs b/rs/state_manager/src/state_sync/chunkable/cache/tests.rs
@@ -81,6 +81,7 @@ fn fake_complete() -> DownloadState {
         manifest,
         meta_manifest: Arc::new(meta_manifest),
         state_sync_file_group: Default::default(),
+        malicious_flags: Default::default(),
     };
     DownloadState::Complete(Box::new(artifact))
 }
diff --git a/rs/state_manager/src/state_sync/types.rs b/rs/state_manager/src/state_sync/types.rs
@@ -82,7 +82,7 @@ pub mod proto;
 use ic_interfaces::p2p::state_sync::{Chunk, ChunkId};
 use ic_protobuf::{proxy::ProtoProxy, state::sync::v1 as pb};
 use ic_types::state_sync::StateSyncVersion;
-use ic_types::{CryptoHashOfState, Height};
+use ic_types::{malicious_flags::MaliciousFlags, CryptoHashOfState, Height};
 use serde::{Deserialize, Serialize};
 use std::{
     collections::BTreeMap,
@@ -436,6 +436,35 @@ pub struct StateSyncMessage {
     /// The manifest containing the summary of the content.
     pub manifest: Manifest,
     pub state_sync_file_group: Arc<FileGroupChunks>,
+    pub malicious_flags: MaliciousFlags,
+}
+
+#[cfg(feature = "malicious_code")]
+pub(crate) fn maliciously_alter_chunk_payload(mut payload: Vec<u8>) -> Vec<u8> {
+    match payload.last_mut() {
+        Some(last) => {
+            // Alter the last element of chunk payload.
+            *last = last.wrapping_add(1);
+        }
+        None => {
+            // The chunk payload is empty. Set it to some non-empty value.
+            payload = vec![1; 100];
+        }
+    }
+    payload
+}
+
+#[cfg(feature = "malicious_code")]
+pub(crate) fn maliciously_alter_meta_manifest(mut meta_manifest: MetaManifest) -> Vec<u8> {
+    match meta_manifest.sub_manifest_hashes.last_mut() {
+        Some(last) => {
+            last[0] = last[0].wrapping_add(1);
+        }
+        None => {
+            meta_manifest.sub_manifest_hashes.push([1; 32]);
+        }
+    }
+    encode_meta_manifest(&meta_manifest)
 }
 
 impl StateSyncMessage {
@@ -499,6 +528,26 @@ impl StateSyncMessage {
                 }
             }
 
+            #[cfg(feature = "malicious_code")]
+            {
+                if self
+                    .malicious_flags
+                    .maliciously_alter_state_sync_chunk_sending_side
+                {
+                    match state_sync_chunk_type(chunk_id.get()) {
+                        StateSyncChunk::MetaManifestChunk => {
+                            // If the chunk is for the meta-manifest, we alter its inner content and then encode it.
+                            payload =
+                                maliciously_alter_meta_manifest((*self.meta_manifest).clone());
+                        }
+                        _ => {
+                            // Otherwise, we alter the raw payload directly.
+                            payload = maliciously_alter_chunk_payload(payload);
+                        }
+                    }
+                }
+            }
+
             Some(payload)
         }
     }
diff --git a/rs/tests/Cargo.toml b/rs/tests/Cargo.toml
@@ -558,6 +558,10 @@ path = "crypto/rpc_csp_vault_reconnection_test.rs"
 name = "ic-systest-xnet-malicious-slices"
 path = "message_routing/xnet/xnet_malicious_slices.rs"
 
+[[bin]]
+name = "ic-systest-state-sync-malicious-chunk-test"
+path = "message_routing/state_sync_malicious_chunk_test.rs"
+
 [[bin]]
 name = "ic-systest-canister-global-reboot-test"
 path = "message_routing/global_reboot_test.rs"
diff --git a/rs/tests/message_routing/BUILD.bazel b/rs/tests/message_routing/BUILD.bazel
@@ -36,3 +36,16 @@ system_test(
     runtime_deps = GUESTOS_RUNTIME_DEPS + GRAFANA_RUNTIME_DEPS + NNS_CANISTER_RUNTIME_DEPS + STATESYNC_TEST_CANISTER_RUNTIME_DEPS,
     deps = DEPENDENCIES + ["//rs/tests"],
 )
+
+system_test(
+    name = "state_sync_malicious_chunk_test",
+    malicious = True,
+    proc_macro_deps = MACRO_DEPENDENCIES,
+    tags = [
+        "system_test_nightly",
+    ],
+    target_compatible_with = ["@platforms//os:linux"],  # requires libssh that does not build on Mac OS
+    test_timeout = "eternal",
+    runtime_deps = ["//ic-os:scripts/build-bootstrap-config-image.sh"] + GRAFANA_RUNTIME_DEPS + NNS_CANISTER_RUNTIME_DEPS + STATESYNC_TEST_CANISTER_RUNTIME_DEPS,
+    deps = DEPENDENCIES + ["//rs/tests"],
+)
diff --git a/rs/tests/message_routing/state_sync_malicious_chunk_test.rs b/rs/tests/message_routing/state_sync_malicious_chunk_test.rs
@@ -0,0 +1,23 @@
+#[rustfmt::skip]
+
+use anyhow::Result;
+
+use ic_tests::driver::group::SystemTestGroup;
+use ic_tests::message_routing::state_sync_malicious_chunk::Config;
+use ic_tests::systest;
+use std::time::Duration;
+const PER_TASK_TIMEOUT: Duration = Duration::from_secs(3600 * 2);
+const OVERALL_TIMEOUT: Duration = Duration::from_secs(3600 * 2);
+const NUM_NODES: usize = 7;
+
+fn main() -> Result<()> {
+    let config = Config::new(NUM_NODES);
+    let test = config.clone().test();
+    SystemTestGroup::new()
+        .with_setup(config.build())
+        .add_test(systest!(test))
+        .with_timeout_per_test(PER_TASK_TIMEOUT)
+        .with_overall_timeout(OVERALL_TIMEOUT)
+        .execute_from_args()?;
+    Ok(())
+}
diff --git a/rs/tests/src/driver/ic.rs b/rs/tests/src/driver/ic.rs
@@ -616,15 +616,23 @@ impl Subnet {
     }
 
     pub fn add_malicious_nodes(
-        mut self,
+        self,
         no_of_nodes: usize,
         malicious_behaviour: MaliciousBehaviour,
     ) -> Self {
-        for _ in 0..no_of_nodes {
-            let node = Node::new().with_malicious_behaviour(malicious_behaviour.clone());
-            self.nodes.push(node);
-        }
-        self
+        (0..no_of_nodes).fold(self, |subnet, _| {
+            let default_vm_resources = subnet.default_vm_resources;
+            let vm_allocation = subnet.vm_allocation.clone();
+            let required_host_features = subnet.required_host_features.clone();
+            subnet.add_node(
+                Node::new_with_settings(
+                    default_vm_resources,
+                    vm_allocation,
+                    required_host_features,
+                )
+                .with_malicious_behaviour(malicious_behaviour.clone()),
+            )
+        })
     }
 
     pub fn add_node_with_ipv4(self, ipv4_config: Ipv4Config) -> Self {
diff --git a/rs/tests/src/message_routing/mod.rs b/rs/tests/src/message_routing/mod.rs
@@ -2,6 +2,7 @@ pub mod global_reboot_test;
 pub mod malicious_slices;
 pub mod rejoin_test;
 pub mod rejoin_test_large_state;
+pub mod state_sync_malicious_chunk;
 pub mod xnet_slo_test;
 
 mod common {
diff --git a/rs/tests/src/message_routing/rejoin_test.rs b/rs/tests/src/message_routing/rejoin_test.rs
diff --git a/rs/tests/src/message_routing/rejoin_test_large_state.rs b/rs/tests/src/message_routing/rejoin_test_large_state.rs
diff --git a/rs/tests/src/message_routing/state_sync_malicious_chunk.rs b/rs/tests/src/message_routing/state_sync_malicious_chunk.rs
diff --git a/rs/types/types/src/malicious_behaviour.rs b/rs/types/types/src/malicious_behaviour.rs
diff --git a/rs/types/types/src/malicious_flags.rs b/rs/types/types/src/malicious_flags.rs

Original file line number	Diff line number	Diff line change
`@@ -436,6 +436,7 @@ fn state_sync_artifact(id: StateSyncArtifactId) -> StateSyncMessage {`
`436`	`436`	`manifest,`
`437`	`437`	`meta_manifest: Arc::new(meta_manifest),`
`438`	`438`	`state_sync_file_group: Default::default(),`
	`439`	`+ malicious_flags: Default::default(),`
`439`	`440`	`}`
`440`	`441`	`}`
`441`	`442`
Original file line number	Diff line number	Diff line change
`@@ -81,6 +81,7 @@ fn fake_complete() -> DownloadState {`
`81`	`81`	`manifest,`
`82`	`82`	`meta_manifest: Arc::new(meta_manifest),`
`83`	`83`	`state_sync_file_group: Default::default(),`
	`84`	`+ malicious_flags: Default::default(),`
`84`	`85`	`};`
`85`	`86`	`DownloadState::Complete(Box::new(artifact))`
`86`	`87`	`}`