Improve security by updating blst to version 0.3.12 #1257

Open
vtamara opened this issue Jul 29, 2024 · 0 comments · May be fixed by #1258
Labels
enhancement New feature or request


vtamara commented Jul 29, 2024

Context and scope
Currently subnet-evm uses version 0.3.11 of the blst library to implement the BLS12-381 cryptographic signature. Version 0.3.12 of blst improves security as described in its release notes, https://github.com/supranational/blst/releases/tag/v0.3.12, and in particular includes the commits supranational/blst@dae1f94 and supranational/blst@6cca12a that:

  1. Improve security of the library by moving constants to a read-only section (not allowing attackers to modify the constants after the program starts).
  2. Work with OpenBSD/adJ and advance #2782. Due to security policies of that OS, the previous version 0.3.11 with avalanchego produced segmentation faults sporadically; see "Segmentation fault in some machines and not in others using OpenBSD adJ74" (supranational/blst#206). The issue was solved with the mentioned commits included in version 0.3.12.

Discussion and alternatives
IMHO it is a good security practice to update the versions of libraries periodically.

Open questions
See ava-labs/avalanchego#3079, ava-labs/coreth#614 and ava-labs/avalanche-network-runner#724

@vtamara vtamara added the enhancement New feature or request label Jul 29, 2024
vtamara added a commit to vtamara/subnet-evm that referenced this issue Jul 29, 2024
vtamara added a commit to vtamara/subnet-evm that referenced this issue Jul 31, 2024
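
One way to gate a build on the upgrade this issue requests, as an added example (not code from subnet-evm or blst): it reads a go.mod and fails closed unless `github.com/supranational/blst` is required at v0.3.12 or later. The sample go.mod is constructed, the function names are hypothetical, and `replace` directives are assumed absent.

```go
package main

import (
	"fmt"
	"strings"
)

const blstModule = "github.com/supranational/blst"

// Constructed sample go.mod fragment (not copied from subnet-evm).
const sampleGoMod = `module example.com/node
require (
	github.com/stretchr/testify v1.8.4
	github.com/supranational/blst v0.3.11 // indirect
)
`

// blstVersion returns the version required for blst, or "" if none is found.
func blstVersion(goMod string) string {
	for _, line := range strings.Split(goMod, "\n") {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) >= 2 && f[0] == blstModule && strings.HasPrefix(f[1], "v") {
			return f[1]
		}
	}
	return ""
}

// parse accepts only plain vX.Y.Z; pseudo-versions and suffixes are rejected.
func parse(v string) (p [3]int, ok bool) {
	n, _ := fmt.Sscanf(v, "v%d.%d.%d", &p[0], &p[1], &p[2])
	return p, n == 3 && fmt.Sprintf("v%d.%d.%d", p[0], p[1], p[2]) == v
}

// atLeast compares components as integers, so v0.3.9 sorts below v0.3.12.
func atLeast(have, want string) bool {
	h, ok1 := parse(have)
	w, ok2 := parse(want)
	for i := 0; ok1 && ok2 && i < 3; i++ {
		if h[i] != w[i] {
			return h[i] > w[i]
		}
	}
	return ok1 && ok2 // unparsable input fails closed
}

func main() {
	v := blstVersion(sampleGoMod)
	fmt.Printf("blst %q meets v0.3.12: %v\n", v, atLeast(v, "v0.3.12"))
}
```
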