#12 - The Summer of Bitcoin Experience
A look into the evolution of Bitcoin Core's fuzzing infrastructure, chat with SOB 2022 intern Jing Liu and best bitcoin jobs for freshers!
Hello Summer of Bitcoiner!
Thought of the Week
A brief history of Bitcoin’s fuzzing infrastructure
This article was authored by Jing Liu, a Summer of Bitcoin 2022 intern from China. Jing contributed to Bitcoin Core for his Summer of Bitcoin project. He presents below a look into the evolution of Bitcoin Core's fuzzing infrastructure over the years.
Stage 1: Proof of Concept (2013-2016)
Neither Bitcoin nor fuzzing has a long history. The first fuzzing-related code was introduced by Gavin Andresen in PR#3173, which just added a simple protected method to the CNode class. All it could do was randomly corrupt 1-of-N sent messages. It was understandably primitive, since AFL, the widely used generic fuzzer, did not even exist until 2 months later in 2013.
Three years later, in 2016, Patrick Strateman first attempted to bring a simple fuzzing framework to Bitcoin in PR#7940, but the code was not merged. Luckily, laanwj resurrected pstratem's fuzzing framework as part of Bitcoin's test code in PR#9172. This simple fuzzing framework tests deserialization by reading input from stdin, which makes it compatible with AFL.
Stage 2: Standardized Fuzzing (2017 - 2018)
In May 2017, Google announced rewards for open source projects that integrate fuzz targets into OSS-Fuzz. In quick response, contributor practicalswift proposed making Bitcoin ready for it in Issue#10364, which drew a lot of discussion among developers. He also added two more tests for deserialization routines used by ProcessMessage in PR#10409, brought libFuzzer support in PR#10440, and made fuzzing ~200x faster by enabling AFL's deferred forkserver and persistent mode in PR#10415. Thanks to his efforts, Bitcoin made big progress in setting up fuzz testing suites, but that was still not enough for production because of low code coverage. In addition, not all members agreed with OSS-Fuzz's policy of a short bug disclosure period.
Stage 3: Scaling with the community (2019-2020)
2019 witnessed huge growth in Bitcoin's fuzzing infrastructure. To make fuzzing easy to integrate with CI tests, MarcoFalke added test_runner.py, a script that is still used now, in PR#15295. He also simplified the Makefile in PR#15504 by linking against BasicTestingSetup, which was shared with unit tests. After that, he and practicalswift made many contributions adding fuzzing harnesses for other parts of Bitcoin's code, of which PR#17009 is the first newly added fuzz harness.
The increased number of fuzz targets also brought several downsides, as discussed in Issue#20088. Having many targets not only slows down the build process, at a cost in disk space and CPU time, but also makes writing new fuzz tests unnecessarily hard. In December 2020, MarcoFalke made a huge refactoring, changing 100 files, to link all targets once in PR#20560. By specifying environment variables, different fuzz targets can be executed using only one binary. He showed with benchmark results that the single-binary approach does not affect fuzzing performance.
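The single-binary layout described above, as an added sketch that is not Bitcoin Core's code: every harness registers itself in one table, and an environment variable picks which one the shared fuzzer entry point runs. The variable name FUZZ, the helper names (Targets, Register, RunSelected) and both toy harnesses are assumptions of this example.

```cpp
// Added sketch, not Bitcoin Core code; the FUZZ variable name is an assumption.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <map>
#include <string>
#include <vector>

using FuzzFn = void (*)(const uint8_t*, size_t);

// Function-local static avoids static-initialization-order problems.
std::map<std::string, FuzzFn>& Targets() {
    static std::map<std::string, FuzzFn> table;
    return table;
}

// A static Register object adds its harness to the table before main().
struct Register {
    Register(const char* name, FuzzFn fn) { Targets()[name] = fn; }
};

int g_len_runs = 0, g_len_accepted = 0, g_sum_runs = 0;  // demo counters
// Toy harness: 1-byte length prefix; the payload must fit in the buffer.
static Register reg_len("len_prefix", [](const uint8_t* d, size_t n) {
    ++g_len_runs;
    if (n == 0 || size_t{d[0]} > n - 1) return;  // truncated: reject
    ++g_len_accepted;  // payload d[1..d[0]] lies fully inside the buffer
});

// Second toy harness, linked into the same binary.
static Register reg_sum("byte_sum", [](const uint8_t*, size_t) { ++g_sum_runs; });

// Run the harness named by $FUZZ; false if the variable is unset or unknown.
bool RunSelected(const uint8_t* data, size_t size) {
    const char* name = std::getenv("FUZZ");
    auto it = name ? Targets().find(name) : Targets().end();
    if (it == Targets().end()) return false;
    it->second(data, size);
    return true;
}

// libFuzzer calls this symbol; it is the same for every target.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
    if (!RunSelected(data, size)) std::abort();  // misconfigured run
    return 0;
}

// Stand-alone, AFL-style driver: one input from stdin per process.
int main() {
    std::vector<uint8_t> buf;
    for (int c; (c = std::getchar()) != EOF;) buf.push_back(uint8_t(c));
    return LLVMFuzzerTestOneInput(buf.data(), buf.size());
}
```

When linking against libFuzzer, drop `main`, since the fuzzing engine supplies its own and calls `LLVMFuzzerTestOneInput` directly.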
Stage 4: Embracing OSS-Fuzz (2021 - Present)
In May 2021, Bitcoin Core made its initial integration into OSS-Fuzz. By May 2022, 34 pull requests had been submitted to OSS-Fuzz for further improvement.
As Bitcoin Core participates in Google's OSS-Fuzz program, there is a dashboard of publicly disclosed vulnerabilities. Generally, vulnerabilities are disclosed as soon as possible after they are fixed to give users the knowledge they need to be protected. However, because Bitcoin is a live P2P network, and not just standalone local software, not every issue may be disclosed within Google's standard 90-day disclosure window if a partial or delayed disclosure is important to protect users or the function of the network.
Read the whole article by Jing Liu for a deeper dive into Bitcoin Core’s fuzzing infrastructure.
Are you starting out in bitcoin today and want to learn how to build apps on the bitcoin blockchain?
Build On L2 (BOL2) is a community-led effort by contributors and companies building on Core Lightning and the Liquid Network. It's a space to connect with bitcoin builders, product managers, designers and developers through events and mentorship programs and learn from experts building the future of bitcoin.
Completely free and accessible, each layer-2 protocol has a respective community platform that will host activities including:
Localized hackathons
Virtual networking events
Project bounties and other incentive programs
International builder tournaments
Career development programs
Mentorship and coaching
AMAs with leading developers
Visit buildonl2.com to join the community and learn how to build killer apps on bitcoin.
Interview with Jing Liu
We spoke with Jing Liu, a 21-year-old university student from Shanghai, China and a Summer of Bitcoin 2022 intern who contributed to Bitcoin Core. We discuss his views on bitcoin, his Summer of Bitcoin 2022 project, and advice on getting started with bitcoin development.
Listen to the full conversation on Spotify here.
You can also watch a video of the conversation here.
Read the full transcript:
ADI SHANKARA: Hey Jing, welcome to the Summer of Bitcoin Experience. Tell us a bit about yourself. Where do you come from and what are you doing?
JING LIU: Thanks for having me here. I'm Jing Liu, a final year undergrad studying cybersecurity at a university in Shanghai. There is an open source student club at my university. We regularly organize events to share our understanding of technology and promote open source culture. But I found it's not easy for new students to be involved in the open source world by themselves. They need immediate incentives and close guidance to broaden their horizons with open source development. I think Summer of Bitcoin can give them what they need. I had a chance to participate in Summer of Bitcoin last year and I want to promote this activity to more students in China.
SHANKARA: Awesome. So tell us about how you got into bitcoin. When and where was the first time you heard about it and what was your first impression?
LIU: Actually, I forget the exact time that I first heard about bitcoin. It seems that bitcoin suddenly became a hot topic in the mass media when I was in high school, but I didn't know any people around me who had actually owned bitcoin. I remember that I tried to install a bitcoin client on an old laptop, but the disk space is not large enough to download all the blocks required for running a full node. Apparently, I didn't have the computing power or money to be involved in bitcoin mining or transactions at that time as a teenager. Bitcoin is a great innovation, but I thought it was too late for me to step into the world of bitcoin, since the low hanging fruit has been picked. Later, China put more restrictions on cryptocurrencies so I didn't get the chance to dive deeper until I participated in Summer of Bitcoin.
SHANKARA: Interesting. Now that you've participated in the Summer of Bitcoin, you understand bitcoin, not just from a technology perspective, but also from the impact that it can have on society. Tell us why you think bitcoin is important or worth paying attention to?
LIU: Bitcoin is the first successful attempt to build a decentralized system using blockchain technology. It allows for secure and transparent transactions without the need of intermediaries such as banks. This has the potential to disrupt traditional financial systems and challenge the current centralized power structure. Additionally, it is decentralized, meaning that it is not controlled by any government or financial institution, it gives users more control over their own assets. These unique features have made bitcoin a popular and attention worthy topic in the financial and technology industries.
SHANKARA: Let's switch gears to Summer of Bitcoin and your experience through the application process. Tell us when or how you first heard about Summer of Bitcoin?
LIU: About one year ago, I saw a post on LinkedIn promoting Summer of Bitcoin. I didn't pay any attention to that during that time. I thought it was similar to Google Summer of Code, but the projects were all related to bitcoin. Since it was the first time that Summer of Bitcoin began to accept students from all over the world, I didn't know anyone in China who had participated in it.
SHANKARA: Indeed, we think you were one of the first people to apply from China. What made you apply?
LIU: I applied to Summer of Bitcoin for many reasons. Firstly, as an open-source enthusiast, I really enjoy participating in programs like Summer of Bitcoin, where I can contribute to open-source projects under the guidance of project maintainers and get a stipend. In addition, I was taking a course in blockchain at our university in the spring semester, so I think Summer of Bitcoin was a great opportunity for me to put theory into practice. Finally, I decided to apply to Summer of Bitcoin because I found a project idea that really fit my experience and interest. We can talk about the project here later.
SHANKARA: Before we dive into the specifics of the project that you worked on, the audience would like to know your experience going through the application process, if you could elaborate on that journey.
LIU: So generally, there are two rounds in the application process. First, the screening round, then comes the proposal round. A few days later, after I submitted my application, I got an email reminding me that I had passed the screening round. It seems that some applicants are required to take extra coding tests during the screening round. Anyway, I stepped directly into the proposal round, where I was expected to select a project idea and submit a proposal for that. I reached out to my mentor by email two weeks before the deadline to introduce myself. It was not until three days before the deadline that I made a draft proposal and sent it to my main mentor. Luckily, he gave me positive feedback and finally I was accepted.
SHANKARA: Tell us about the organization that you ended up selecting, what it does and why did you apply to that specific organization?
LIU: There are so many organizations to choose from. To be honest, I was not familiar with the bitcoin ecosystem at that time. So I looked at Bitcoin Core. Bitcoin Core is the reference implementation of bitcoin written in C++. We all know that bitcoin is a cryptocurrency but bitcoin is also one of the most permanent distributed software systems in the world.
After bitcoin’s inventor Satoshi Nakamoto released the original bitcoin software and disappeared, the source code of bitcoin has been maintained by a community. Everyone can be involved in the discussion of bitcoin's development on GitHub and IRC channels. I think the active community can definitely help me learn about bitcoin better.
SHANKARA: Alright, let's dive into the specifics of your project that you worked on with Bitcoin Core. Tell us about the idea. What were the benefits to Bitcoin Core and obviously the overall bitcoin ecosystem?
LIU: Bitcoin Core is the dominant client running in the Bitcoin network. So it’s crucial to ensure the security and reliability of Bitcoin Core. Fuzz testing, also known as fuzzing, is an effective technique to detect software vulnerabilities by running programs with a large number of random inputs. Bitcoin Core has developed a comprehensive testing infrastructure and applied fuzz testing to test its source code. But some components are not covered well by existing fuzz targets. In our case, fuzz targets are the pieces of code that can trigger specific fuzzing processes. My project aims to add fuzz targets for orphan transaction handling.
Let’s consider Bitcoin as a P2P network where nodes broadcast transaction records to each other. In Bitcoin’s model, each transaction has one or more parent transactions. Since the broadcasting is nondeterministic, sometimes nodes receive transactions whose parent transactions are currently unavailable. We call them orphan transactions because they don’t have valid parents. If we can receive transactions that happen to be their parents in the future, then these orphan transactions will be recognized as valid transactions. It’s unreasonable for Bitcoin nodes to reject orphan transactions without waiting for their parents. So orphan transactions are usually stored for later processing. This leaves an attack surface for denial-of-service vulnerability. Attackers can send large amounts of invalid transactions to cause memory exhaustion on Bitcoin nodes. This vulnerability was found ten years ago and fixed with a limit on the size of stored orphan transactions. My fuzz targets improve the code coverage of orphan transaction handling to more than 80%, though they don’t find new vulnerabilities. They do improve the stability and security of the bitcoin transaction handling.
SHANKARA: Wow, it's impressive that your fuzzing project helped increase the code coverage to more than 80% of Bitcoin Core, that's really awesome.
And the fact that it does not find any new vulnerabilities is obviously great because it seems like there weren't any vulnerabilities, so your fuzzing project helped validate those. Hopefully, if there are any vulnerabilities, we'll find out about them soon as you or someone extends the project, or if you continue to work on it maybe we get to that state.
Talk to us about who your mentor was during the Summer of Bitcoin and what was it like working with him.
LIU: My mentor Marco Falke is a very nice and patient person. We had a video meeting before the coding period started. As a full-time maintainer of Bitcoin Core, he is much younger than I expected. Since we are in different time zones, we used Discord for daily communication. Initially, I was not familiar with the codebase of Bitcoin Core. He pointed me to the existing code so I could look at the examples and write my own fuzz targets. Whenever I have some questions or thoughts, he can always respond to me with detailed results and useful suggestions. In addition to my outcome, he also cares about my own interests and personal development. By working with him, I learn a lot about the open-source development workflow of Bitcoin.
SHANKARA: Nice. So, Jing, what are you up to now after the Summer of Bitcoin internship?
LIU: After last year’s Summer of Bitcoin project, I have been busy applying for graduate schools in North America. Now most things have been done, I can have more spare time for open-source contributions. Sometimes I review pull requests on GitHub and leave comments on those related to Bitcoin’s fuzzing infrastructure. I am still in contact with my mentor. Last year, we attempted to make fuzz targets for a newly-introduced feature in Bitcoin called package relay, which will potentially replace existing orphan transaction handling code. However, the new feature has not been officially accepted so we didn’t finish it. I may apply for Summer of Bitcoin again this year to continue working on interesting projects.
SHANKARA: Absolutely, looking forward to having you work again on bitcoin this summer.
Jing, as parting thoughts, what advice would you give to beginners? And how should they go about understanding bitcoin? Especially if they are completely new to the space?
LIU: I started as a beginner learning bitcoin myself. I think there are many great free resources available for people to understand bitcoin from different perspectives. For developers, there is a famous book called Mastering Bitcoin. The book covers a wide range of topics on Bitcoin programming. You don’t have to understand all the technical details about Bitcoin. Once you have a basic knowledge of the Bitcoin system, you can dive deeper into one specific area that fits your interest and ongoing project.
SHANKARA: And do you have any specific advice for open-source development? Open-source development is its own beast. It's definitely different from working at a typical job in a company. What advice would you give as far as open-source development is concerned?
LIU: It may be a little tricky for newbies to understand the open-source development workflow at the beginning. Although platforms like GitHub have been improving their user experience, you still have to learn stuff like Git, Markdown, Linux Commands, and CI/CD. Please don’t be afraid of them. You can get almost all you need by reading the official document and searching the Web. If you cannot solve problems by yourself, reach out to the open-source community and they will help you.
SHANKARA: Awesome and for applicants who are applying to Summer of Bitcoin this year, do you have any tips on how to crack Summer of Bitcoin and how to succeed during the internship?
LIU: The most important thing is to find a project idea that suits your past experience and interests. Do your homework to write a draft proposal. Reach out to the mentor as soon as possible to get feedback. After you get accepted, stay in touch with your mentor to discuss your preferred communication channel and working style. Summer of Bitcoin is an online internship, so we cannot expect mentors to supervise our progress all the time. We have to be self-motivated to succeed during the internship.
SHANKARA: Fantastic advice. Jing, it was amazing to have you today to discuss your Summer of Bitcoin Experience.
LIU: Yes, thank you Adi. It was great to talk with you!
JOBS IN BITCOIN
If you are a fresher straight out of college, here are a few exciting job postings we recommend:
Engineering:
Senior UI/UX Design Engineer | Swan Bitcoin | Remote | Apply
Mobile developer (iOS and Android) | Easepay | Nigeria, Remote | Apply
Android Engineer | lipa | Bern, Switzerland, Remote | Apply
iOS Engineer | lipa | Bern, Switzerland, Remote | Apply
Software Engineer & Remnant | plebeian.market | Remote | Apply
Mobile App Developer | Synonym | Remote | Apply
Bitcoin Developer | Ordx | Remote | Apply
NodeJS Engineer | Synonym | Remote | Apply
Lead Mobile Engineer | Galoy | Remote | Apply
Design:
UX Developer / Designer | Bookmark.org | Remote | Apply