
Store poisoning mature

An attacker may deliberately submit objects with a wrong hash to a store, in an attempt to poison the cache. If the store accepts such objects, it will claim to have objects that it does not actually have.

Preventing poisoning at the store

Stores can avoid poisoning simply by checking the SHA-256 hash of each incoming object.

Alternatively, the store may defer this check until the first has object request, or until an object with the same hash is submitted.

Preventing poisoning at the client

If the client does not trust the store, it must avoid has object requests, and instead request the bytes of each object through a get object request, and verify the hash manually.
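The store-side and client-side defences described above, sketched as an added example (not code from the original page or from the project it describes). The in-memory `NaiveStore` and `VerifyingStore` classes, the `verified_get` helper and the hex-string hash keys are assumptions for illustration; the has object and get object requests are modelled as plain method calls.

```python
import hashlib

class HashMismatch(Exception):
    """Object bytes do not hash to the value they were submitted under."""

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class NaiveStore:
    """Hypothetical in-memory store that trusts the submitted hash (poisonable)."""
    def __init__(self):
        self.objects = {}  # hex hash -> bytes

    def put_object(self, claimed_hash: str, data: bytes) -> None:
        self.objects[claimed_hash] = data

    def has_object(self, wanted_hash: str) -> bool:
        return wanted_hash in self.objects

    def get_object(self, wanted_hash: str):
        return self.objects.get(wanted_hash)

class VerifyingStore(NaiveStore):
    """Store-side defence: hash every incoming object before filing it."""
    def put_object(self, claimed_hash: str, data: bytes) -> None:
        if sha256_hex(data) != claimed_hash:
            raise HashMismatch(f"object does not hash to {claimed_hash}")
        super().put_object(claimed_hash, data)

def verified_get(store, wanted_hash: str):
    """Client-side defence for an untrusted store: skip has_object, fetch the
    bytes and hash them locally. Returns None if missing or mismatched."""
    data = store.get_object(wanted_hash)
    if data is None or sha256_hex(data) != wanted_hash:
        return None
    return data

def demo():
    genuine = b"constructed sample object"  # constructed test data
    wanted = sha256_hex(genuine)
    poisoned, strict = NaiveStore(), VerifyingStore()
    poisoned.put_object(wanted, b"unrelated bytes")  # wrong hash accepted
    strict.put_object(wanted, genuine)
    # (store claims to have it, client check rejects it, honest store passes)
    return (poisoned.has_object(wanted), verified_get(poisoned, wanted),
            verified_get(strict, wanted) == genuine)

if __name__ == "__main__":
    print(demo())
```

Because `verified_get` hashes whatever bytes come back, it handles an object corrupted in storage the same way as a poisoned one.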

Storage errors

Conceptually, store poisoning is equivalent to data loss. In fact, errors in the underlying storage system may also result in objects with wrong hashes.