Malus: improvements in dispute ancestor and suggest garbage candidate implementation (#5011)

* Implement fake validation results Signed-off-by: Andrei Sandu <andrei-mihail@parity.io> * refactor Signed-off-by: Andrei Sandu <andrei-mihail@parity.io> * cargo lock Signed-off-by: Andrei Sandu <andrei-mihail@parity.io> * spell check Signed-off-by: Andrei Sandu <andrei-mihail@parity.io> * spellcheck Signed-off-by: Andrei Sandu <andrei-mihail@parity.io> * typos Signed-off-by: Andrei Sandu <andrei-mihail@parity.io> * Review feedback Signed-off-by: Andrei Sandu <andrei-mihail@parity.io> * move stuff around Signed-off-by: Andrei Sandu <andrei-mihail@parity.io> * chores Signed-off-by: Andrei Sandu <andrei-mihail@parity.io> * Impl valid - still wip Signed-off-by: Andrei Sandu <andrei-mihail@parity.io> * fixes Signed-off-by: Andrei Sandu <andrei-mihail@parity.io> * fmt Signed-off-by: Andrei Sandu <andrei-mihail@parity.io> * Pull Ladi's implementation: https://github.com/paritytech/polkadot/pull/4711 Co-authored-by: Lldenaurois <Ljdenaurois@gmail.com> Co-authored-by: Andrei Sandu <andrei-mihail@parity.io> Signed-off-by: Andrei Sandu <andrei-mihail@parity.io> * Fix build Signed-off-by: Andrei Sandu <andrei-mihail@parity.io> * Logs and comments Signed-off-by: Andrei Sandu <andrei-mihail@parity.io> * WIP: suggest garbage candidate + implement validation result caching Signed-off-by: Andrei Sandu <andrei-mihail@parity.io> * fix Signed-off-by: Andrei Sandu <andrei-mihail@parity.io> * Do commitment hash checks in candidate validation Signed-off-by: Andrei Sandu <andrei-mihail@parity.io> * Minor refactor in approval, backing, dispute-coord Signed-off-by: Andrei Sandu <andrei-mihail@parity.io> * Working version of suggest garbage candidate Signed-off-by: Andrei Sandu <andrei-mihail@parity.io> * Dedup Signed-off-by: Andrei Sandu <andrei-mihail@parity.io> * cleanup #1 Signed-off-by: Andrei Sandu <andrei-mihail@parity.io> * Fix tests Signed-off-by: Andrei Sandu <andrei-mihail@parity.io> * remove debug leftovers Signed-off-by: Andrei Sandu <andrei-mihail@parity.io> * fmt Signed-off-by: Andrei Sandu <andrei-mihail@parity.io> * Accidentally commited some local test Signed-off-by: Andrei Sandu <andrei-mihail@parity.io> * spellcheck Signed-off-by: Andrei Sandu <andrei-mihail@parity.io> * some more fixes Signed-off-by: Andrei Sandu <andrei-mihail@parity.io> * Refactor and fix it Signed-off-by: Andrei Sandu <andrei-mihail@parity.io> * review feedback Signed-off-by: Andrei Sandu <andrei-mihail@parity.io> * typo Signed-off-by: Andrei Sandu <andrei-mihail@parity.io> * tests review feedback Signed-off-by: Andrei Sandu <andrei-mihail@parity.io> * refactor disputer Signed-off-by: Andrei Sandu <andrei-mihail@parity.io> * fix tests Signed-off-by: Andrei Sandu <andrei-mihail@parity.io> * Fix zombienet disputes test Signed-off-by: Andrei Sandu <andrei-mihail@parity.io> * spellcheck Signed-off-by: Andrei Sandu <andrei-mihail@parity.io> * fix Signed-off-by: Andrei Sandu <andrei-mihail@parity.io> * Fix ui tests Signed-off-by: Andrei Sandu <andrei-mihail@parity.io> * fix typo Signed-off-by: Andrei Sandu <andrei-mihail@parity.io> Co-authored-by: Lldenaurois <Ljdenaurois@gmail.com>
2026-06-14 00:31:07 +00:00 · 2022-04-13 16:45:39 +03:00
parent a46237cebb
commit cddd5749d3
23 changed files with 921 additions and 529 deletions
@@ -37,7 +37,7 @@ enum NemesisVariant {
 	/// Back a candidate with a specifically crafted proof of validity.
 	BackGarbageCandidate(RunCmd),
 	/// Delayed disputing of ancestors that are perfectly fine.
-	DisputeAncestor(RunCmd),
+	DisputeAncestor(DisputeAncestorOptions),

 	#[allow(missing_docs)]
 	#[clap(name = "prepare-worker", hide = true)]
@@ -66,9 +66,11 @@ impl MalusCli {
 			NemesisVariant::BackGarbageCandidate(cmd) =>
 				polkadot_cli::run_node(run_cmd(cmd), BackGarbageCandidate)?,
 			NemesisVariant::SuggestGarbageCandidate(cmd) =>
-				polkadot_cli::run_node(run_cmd(cmd), SuggestGarbageCandidate)?,
-			NemesisVariant::DisputeAncestor(cmd) =>
-				polkadot_cli::run_node(run_cmd(cmd), DisputeValidCandidates)?,
+				polkadot_cli::run_node(run_cmd(cmd), BackGarbageCandidateWrapper)?,
+			NemesisVariant::DisputeAncestor(opts) => polkadot_cli::run_node(
+				run_cmd(opts.clone().cmd),
+				DisputeValidCandidates::new(opts),
+			)?,
 			NemesisVariant::PvfPrepareWorker(cmd) => {
 				#[cfg(target_os = "android")]
 				{
@@ -120,7 +122,7 @@ mod tests {
 			variant: NemesisVariant::DisputeAncestor(run),
 			..
 		} => {
-			assert!(run.base.bob);
+			assert!(run.cmd.base.bob);
 		});
 	}
 }
@@ -17,7 +17,7 @@
 use futures::prelude::*;
 use polkadot_node_primitives::SpawnNamed;

-pub const MALUS: &str = "MALUS😈😈😈";
+pub const MALUS: &str = "MALUS";

 #[allow(unused)]
 pub(crate) const MALICIOUS_POV: &[u8] = "😈😈pov_looks_valid_to_me😈😈".as_bytes();
@@ -14,10 +14,9 @@
 // You should have received a copy of the GNU General Public License
 // along with Polkadot.  If not, see <http://www.gnu.org/licenses/>.

-//! A malicious overseer backing a particular candidate with a
-//! malicious proof of validity that is received.
-
-#![allow(missing_docs)]
+//! This variant of Malus backs/approves all malicious candidates crafted by
+//! `suggest-garbage-candidate` variant and behaves honestly with other
+//! candidates.

 use polkadot_cli::{
 	prepared_overseer_builder,
@@ -28,170 +27,15 @@ use polkadot_cli::{
 	},
 };

-// Import extra types relevant to the particular
-// subsystem.
-use polkadot_node_core_candidate_validation::CandidateValidationSubsystem;
-use polkadot_node_subsystem::messages::{
-	AvailabilityRecoveryMessage, CandidateValidationMessage, ValidationFailed,
-};
-use polkadot_node_subsystem_util as util;
-
-// Filter wrapping related types.
-use crate::{interceptor::*, shared::*};
-use polkadot_node_primitives::{PoV, ValidationResult};
-
-use polkadot_primitives::v2::{
-	CandidateCommitments, CandidateDescriptor, CandidateReceipt, PersistedValidationData,
-	ValidationCode,
+use crate::{
+	interceptor::*,
+	variants::{FakeCandidateValidation, FakeCandidateValidationError, ReplaceValidationResult},
 };

-use futures::channel::oneshot;
-use std::{
-	collections::HashMap,
-	sync::{Arc, Mutex},
-};
+use std::sync::Arc;

-#[derive(Clone, Debug)]
-struct BribedPassageInner<Spawner> {
-	spawner: Spawner,
-	cache: HashMap<CandidateDescriptor, CandidateReceipt>,
-}
-
-#[derive(Clone, Debug)]
-struct BribedPassage<Spawner> {
-	inner: Arc<Mutex<BribedPassageInner<Spawner>>>,
-}
-
-impl<Spawner> BribedPassage<Spawner>
-where
-	Spawner: SpawnNamed,
-{
-	fn let_pass(
-		persisted_validation_data: PersistedValidationData,
-		validation_code: Option<ValidationCode>,
-		_candidate_descriptor: CandidateDescriptor,
-		_pov: Arc<PoV>,
-		response_sender: oneshot::Sender<Result<ValidationResult, ValidationFailed>>,
-	) {
-		let candidate_commitmentments = CandidateCommitments {
-			head_data: persisted_validation_data.parent_head.clone(),
-			new_validation_code: validation_code,
-			..Default::default()
-		};
-
-		response_sender
-			.send(Ok(ValidationResult::Valid(candidate_commitmentments, persisted_validation_data)))
-			.unwrap();
-	}
-}
-
-impl<Sender, Spawner> MessageInterceptor<Sender> for BribedPassage<Spawner>
-where
-	Sender: overseer::SubsystemSender<CandidateValidationMessage>
-		+ overseer::SubsystemSender<AllMessages>
-		+ Clone
-		+ Send
-		+ 'static,
-	Spawner: SpawnNamed + Send + Clone + 'static,
-{
-	type Message = CandidateValidationMessage;
-
-	fn intercept_incoming(
-		&self,
-		sender: &mut Sender,
-		msg: FromOverseer<Self::Message>,
-	) -> Option<FromOverseer<Self::Message>> {
-		match msg {
-			FromOverseer::Communication {
-				msg:
-					CandidateValidationMessage::ValidateFromExhaustive(
-						persisted_validation_data,
-						validation_code,
-						candidate_descriptor,
-						pov,
-						_duration,
-						response_sender,
-					),
-			} if pov.block_data.0.as_slice() == MALICIOUS_POV => {
-				Self::let_pass(
-					persisted_validation_data,
-					Some(validation_code),
-					candidate_descriptor,
-					pov,
-					response_sender,
-				);
-				None
-			},
-			FromOverseer::Communication {
-				msg:
-					CandidateValidationMessage::ValidateFromChainState(
-						candidate_descriptor,
-						pov,
-						_duration,
-						response_sender,
-					),
-			} if pov.block_data.0.as_slice() == MALICIOUS_POV => {
-				if let Some(candidate_receipt) =
-					self.inner.lock().unwrap().cache.get(&candidate_descriptor).cloned()
-				{
-					let mut subsystem_sender = sender.clone();
-					let spawner = self.inner.lock().unwrap().spawner.clone();
-					spawner.spawn(
-						"malus-back-garbage-adhoc",
-						Some("malus"),
-						Box::pin(async move {
-							let relay_parent = candidate_descriptor.relay_parent;
-							let session_index = util::request_session_index_for_child(
-								relay_parent,
-								&mut subsystem_sender,
-							)
-							.await;
-							let session_index = session_index.await.unwrap().unwrap();
-
-							let (a_tx, a_rx) = oneshot::channel();
-
-							subsystem_sender
-								.send_message(AllMessages::from(
-									AvailabilityRecoveryMessage::RecoverAvailableData(
-										candidate_receipt,
-										session_index,
-										None,
-										a_tx,
-									),
-								))
-								.await;
-
-							if let Ok(Ok(availability_data)) = a_rx.await {
-								Self::let_pass(
-									availability_data.validation_data,
-									None,
-									candidate_descriptor,
-									pov,
-									response_sender,
-								);
-							} else {
-								gum::info!(
-									target: MALUS,
-									"Could not get availability data, can't back"
-								);
-							}
-						}),
-					);
-				} else {
-					gum::info!(target: MALUS, "No CandidateReceipt available to work with");
-				}
-				None
-			},
-			msg => Some(msg),
-		}
-	}
-
-	fn intercept_outgoing(&self, msg: AllMessages) -> Option<AllMessages> {
-		Some(msg)
-	}
-}
-
-/// Generates an overseer that exposes bad behavior.
+/// Generates an overseer that replaces the candidate validation subsystem with our malicious
+/// variant.
 pub(crate) struct BackGarbageCandidate;

 impl OverseerGen for BackGarbageCandidate {
@@ -205,24 +49,16 @@ impl OverseerGen for BackGarbageCandidate {
 		RuntimeClient::Api: ParachainHost<Block> + BabeApi<Block> + AuthorityDiscoveryApi<Block>,
 		Spawner: 'static + SpawnNamed + Clone + Unpin,
 	{
-		let candidate_validation_config = args.candidate_validation_config.clone();
 		let spawner = args.spawner.clone();
+		let validation_filter = ReplaceValidationResult::new(
+			FakeCandidateValidation::BackingAndApprovalValid,
+			FakeCandidateValidationError::InvalidOutputs,
+			spawner.clone(),
+		);

 		prepared_overseer_builder(args)?
-			.replace_candidate_validation(|cv| {
-				InterceptedSubsystem::new(
-					CandidateValidationSubsystem::with_config(
-						candidate_validation_config,
-						cv.metrics,
-						cv.pvf_metrics,
-					),
-					BribedPassage::<Spawner> {
-						inner: Arc::new(Mutex::new(BribedPassageInner {
-							spawner,
-							cache: Default::default(),
-						})),
-					},
-				)
+			.replace_candidate_validation(move |cv_subsystem| {
+				InterceptedSubsystem::new(cv_subsystem, validation_filter)
 			})
 			.build_with_connector(connector)
 			.map_err(|e| e.into())
@@ -0,0 +1,342 @@
+// Copyright 2022 Parity Technologies (UK) Ltd.
+// This file is part of Polkadot.
+
+// Polkadot is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+
+// Polkadot is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+
+// You should have received a copy of the GNU General Public License
+// along with Polkadot.  If not, see <http://www.gnu.org/licenses/>.
+
+//! Implements common code for nemesis. Currently, only `FakeValidationResult`
+//! interceptor is implemented.
+use crate::{
+	interceptor::*,
+	shared::{MALICIOUS_POV, MALUS},
+};
+
+use polkadot_node_core_candidate_validation::find_validation_data;
+use polkadot_node_primitives::{InvalidCandidate, ValidationResult};
+use polkadot_node_subsystem::messages::{CandidateValidationMessage, ValidationFailed};
+
+use polkadot_primitives::v2::{
+	CandidateCommitments, CandidateDescriptor, CandidateReceipt, PersistedValidationData,
+};
+
+use polkadot_cli::service::SpawnNamed;
+
+use futures::channel::oneshot;
+
+#[derive(clap::ArgEnum, Clone, Copy, Debug, PartialEq)]
+#[clap(rename_all = "kebab-case")]
+#[non_exhaustive]
+pub enum FakeCandidateValidation {
+	Disabled,
+	BackingInvalid,
+	ApprovalInvalid,
+	BackingAndApprovalInvalid,
+	BackingValid,
+	ApprovalValid,
+	BackingAndApprovalValid,
+}
+
+/// Candidate invalidity details
+#[derive(clap::ArgEnum, Clone, Copy, Debug, PartialEq)]
+#[clap(rename_all = "kebab-case")]
+pub enum FakeCandidateValidationError {
+	/// Validation outputs check doesn't pass.
+	InvalidOutputs,
+	/// Failed to execute.`validate_block`. This includes function panicking.
+	ExecutionError,
+	/// Execution timeout.
+	Timeout,
+	/// Validation input is over the limit.
+	ParamsTooLarge,
+	/// Code size is over the limit.
+	CodeTooLarge,
+	/// Code does not decompress correctly.
+	CodeDecompressionFailure,
+	/// PoV does not decompress correctly.
+	POVDecompressionFailure,
+	/// Validation function returned invalid data.
+	BadReturn,
+	/// Invalid relay chain parent.
+	BadParent,
+	/// POV hash does not match.
+	POVHashMismatch,
+	/// Bad collator signature.
+	BadSignature,
+	/// Para head hash does not match.
+	ParaHeadHashMismatch,
+	/// Validation code hash does not match.
+	CodeHashMismatch,
+}
+
+impl Into<InvalidCandidate> for FakeCandidateValidationError {
+	fn into(self) -> InvalidCandidate {
+		match self {
+			FakeCandidateValidationError::ExecutionError =>
+				InvalidCandidate::ExecutionError("Malus".into()),
+			FakeCandidateValidationError::InvalidOutputs => InvalidCandidate::InvalidOutputs,
+			FakeCandidateValidationError::Timeout => InvalidCandidate::Timeout,
+			FakeCandidateValidationError::ParamsTooLarge => InvalidCandidate::ParamsTooLarge(666),
+			FakeCandidateValidationError::CodeTooLarge => InvalidCandidate::CodeTooLarge(666),
+			FakeCandidateValidationError::CodeDecompressionFailure =>
+				InvalidCandidate::CodeDecompressionFailure,
+			FakeCandidateValidationError::POVDecompressionFailure =>
+				InvalidCandidate::PoVDecompressionFailure,
+			FakeCandidateValidationError::BadReturn => InvalidCandidate::BadReturn,
+			FakeCandidateValidationError::BadParent => InvalidCandidate::BadParent,
+			FakeCandidateValidationError::POVHashMismatch => InvalidCandidate::PoVHashMismatch,
+			FakeCandidateValidationError::BadSignature => InvalidCandidate::BadSignature,
+			FakeCandidateValidationError::ParaHeadHashMismatch =>
+				InvalidCandidate::ParaHeadHashMismatch,
+			FakeCandidateValidationError::CodeHashMismatch => InvalidCandidate::CodeHashMismatch,
+		}
+	}
+}
+
+#[derive(Clone, Debug)]
+/// An interceptor which fakes validation result with a preconfigured result.
+/// Replaces `CandidateValidationSubsystem`.
+pub struct ReplaceValidationResult<Spawner> {
+	fake_validation: FakeCandidateValidation,
+	fake_validation_error: FakeCandidateValidationError,
+	spawner: Spawner,
+}
+
+impl<Spawner> ReplaceValidationResult<Spawner>
+where
+	Spawner: SpawnNamed,
+{
+	pub fn new(
+		fake_validation: FakeCandidateValidation,
+		fake_validation_error: FakeCandidateValidationError,
+		spawner: Spawner,
+	) -> Self {
+		Self { fake_validation, fake_validation_error, spawner }
+	}
+
+	/// Creates and sends the validation response for a given candidate. Queries the runtime to obtain the validation data for the
+	/// given candidate.
+	pub fn send_validation_response<Sender>(
+		&self,
+		candidate_descriptor: CandidateDescriptor,
+		subsystem_sender: Sender,
+		response_sender: oneshot::Sender<Result<ValidationResult, ValidationFailed>>,
+	) where
+		Sender: overseer::SubsystemSender<AllMessages>
+			+ overseer::SubsystemSender<CandidateValidationMessage>
+			+ Clone
+			+ Send
+			+ 'static,
+	{
+		let _candidate_descriptor = candidate_descriptor.clone();
+		let mut subsystem_sender = subsystem_sender.clone();
+		let (sender, receiver) = std::sync::mpsc::channel();
+		self.spawner.spawn_blocking(
+			"malus-get-validation-data",
+			Some("malus"),
+			Box::pin(async move {
+				match find_validation_data(&mut subsystem_sender, &_candidate_descriptor).await {
+					Ok(Some((validation_data, validation_code))) => {
+						sender
+							.send((validation_data, validation_code))
+							.expect("channel is still open");
+					},
+					_ => {
+						panic!("Unable to fetch validation data");
+					},
+				}
+			}),
+		);
+		let (validation_data, _) = receiver.recv().unwrap();
+		create_validation_response(validation_data, candidate_descriptor, response_sender);
+	}
+}
+
+pub fn create_fake_candidate_commitments(
+	persisted_validation_data: &PersistedValidationData,
+) -> CandidateCommitments {
+	CandidateCommitments {
+		upward_messages: Vec::new(),
+		horizontal_messages: Vec::new(),
+		new_validation_code: None,
+		head_data: persisted_validation_data.parent_head.clone(),
+		processed_downward_messages: 0,
+		hrmp_watermark: persisted_validation_data.relay_parent_number,
+	}
+}
+
+// Create and send validation response. This function needs the persistent validation data.
+fn create_validation_response(
+	persisted_validation_data: PersistedValidationData,
+	descriptor: CandidateDescriptor,
+	response_sender: oneshot::Sender<Result<ValidationResult, ValidationFailed>>,
+) {
+	let commitments = create_fake_candidate_commitments(&persisted_validation_data);
+
+	// Craft the new malicious candidate.
+	let candidate_receipt = CandidateReceipt { descriptor, commitments_hash: commitments.hash() };
+
+	let result = Ok(ValidationResult::Valid(commitments, persisted_validation_data));
+
+	gum::debug!(
+		target: MALUS,
+		para_id = ?candidate_receipt.descriptor.para_id,
+		candidate_hash = ?candidate_receipt.hash(),
+		"ValidationResult: {:?}",
+		&result
+	);
+
+	response_sender.send(result).unwrap();
+}
+
+impl<Sender, Spawner> MessageInterceptor<Sender> for ReplaceValidationResult<Spawner>
+where
+	Sender: overseer::SubsystemSender<CandidateValidationMessage>
+		+ overseer::SubsystemSender<AllMessages>
+		+ Clone
+		+ Send
+		+ 'static,
+	Spawner: SpawnNamed + Clone + 'static,
+{
+	type Message = CandidateValidationMessage;
+
+	// Capture all candidate validation requests and depending on configuration fail them.
+	fn intercept_incoming(
+		&self,
+		subsystem_sender: &mut Sender,
+		msg: FromOverseer<Self::Message>,
+	) -> Option<FromOverseer<Self::Message>> {
+		match msg {
+			FromOverseer::Communication {
+				msg:
+					CandidateValidationMessage::ValidateFromExhaustive(
+						validation_data,
+						validation_code,
+						candidate_receipt,
+						pov,
+						timeout,
+						sender,
+					),
+			} => {
+				match self.fake_validation {
+					FakeCandidateValidation::ApprovalValid |
+					FakeCandidateValidation::BackingAndApprovalValid => {
+						// Behave normally if the `PoV` is not known to be malicious.
+						if pov.block_data.0.as_slice() != MALICIOUS_POV {
+							return Some(FromOverseer::Communication {
+								msg: CandidateValidationMessage::ValidateFromExhaustive(
+									validation_data,
+									validation_code,
+									candidate_receipt,
+									pov,
+									timeout,
+									sender,
+								),
+							})
+						}
+						create_validation_response(
+							validation_data,
+							candidate_receipt.descriptor,
+							sender,
+						);
+						None
+					},
+					FakeCandidateValidation::ApprovalInvalid |
+					FakeCandidateValidation::BackingAndApprovalInvalid => {
+						let validation_result =
+							ValidationResult::Invalid(InvalidCandidate::InvalidOutputs);
+
+						gum::debug!(
+							target: MALUS,
+							para_id = ?candidate_receipt.descriptor.para_id,
+							"ValidateFromExhaustive result: {:?}",
+							&validation_result
+						);
+						// We're not even checking the candidate, this makes us appear faster than honest validators.
+						sender.send(Ok(validation_result)).unwrap();
+						None
+					},
+					_ => Some(FromOverseer::Communication {
+						msg: CandidateValidationMessage::ValidateFromExhaustive(
+							validation_data,
+							validation_code,
+							candidate_receipt,
+							pov,
+							timeout,
+							sender,
+						),
+					}),
+				}
+			},
+			FromOverseer::Communication {
+				msg:
+					CandidateValidationMessage::ValidateFromChainState(
+						candidate_receipt,
+						pov,
+						timeout,
+						response_sender,
+					),
+			} => {
+				match self.fake_validation {
+					FakeCandidateValidation::BackingValid |
+					FakeCandidateValidation::BackingAndApprovalValid => {
+						// Behave normally if the `PoV` is not known to be malicious.
+						if pov.block_data.0.as_slice() != MALICIOUS_POV {
+							return Some(FromOverseer::Communication {
+								msg: CandidateValidationMessage::ValidateFromChainState(
+									candidate_receipt,
+									pov,
+									timeout,
+									response_sender,
+								),
+							})
+						}
+						self.send_validation_response(
+							candidate_receipt.descriptor,
+							subsystem_sender.clone(),
+							response_sender,
+						);
+						None
+					},
+					FakeCandidateValidation::BackingInvalid |
+					FakeCandidateValidation::BackingAndApprovalInvalid => {
+						let validation_result =
+							ValidationResult::Invalid(self.fake_validation_error.clone().into());
+						gum::debug!(
+							target: MALUS,
+							para_id = ?candidate_receipt.descriptor.para_id,
+							"ValidateFromChainState result: {:?}",
+							&validation_result
+						);
+
+						// We're not even checking the candidate, this makes us appear faster than honest validators.
+						response_sender.send(Ok(validation_result)).unwrap();
+						None
+					},
+					_ => Some(FromOverseer::Communication {
+						msg: CandidateValidationMessage::ValidateFromChainState(
+							candidate_receipt,
+							pov,
+							timeout,
+							response_sender,
+						),
+					}),
+				}
+			},
+			msg => Some(msg),
+		}
+	}
+
+	fn intercept_outgoing(&self, msg: AllMessages) -> Option<AllMessages> {
+		Some(msg)
+	}
+}
@@ -15,7 +15,8 @@
 // along with Polkadot.  If not, see <http://www.gnu.org/licenses/>.

 //! A malicious node that replaces approvals with invalid disputes
-//! against valid candidates.
+//! against valid candidates. Additionally, the malus node can be configured to
+//! fake candidate validation and return a static result for candidate checking.
 //!
 //! Attention: For usage with `zombienet` only!

@@ -28,70 +29,44 @@ use polkadot_cli::{
 		OverseerConnector, OverseerGen, OverseerGenArgs, OverseerHandle, ParachainHost,
 		ProvideRuntimeApi, SpawnNamed,
 	},
+	RunCmd,
 };

 // Filter wrapping related types.
-use crate::interceptor::*;
-
-// Import extra types relevant to the particular
-// subsystem.
-use polkadot_node_core_backing::CandidateBackingSubsystem;
-use polkadot_node_subsystem::messages::{
-	ApprovalDistributionMessage, CandidateBackingMessage, DisputeCoordinatorMessage,
-};
-use sp_keystore::SyncCryptoStorePtr;
+use super::common::{FakeCandidateValidation, FakeCandidateValidationError};
+use crate::{interceptor::*, variants::ReplaceValidationResult};

 use std::sync::Arc;

-/// Replace outgoing approval messages with disputes.
-#[derive(Clone, Debug)]
-struct ReplaceApprovalsWithDisputes;
+#[derive(Clone, Debug, clap::Parser)]
+#[clap(rename_all = "kebab-case")]
+#[allow(missing_docs)]
+pub struct DisputeAncestorOptions {
+	/// Malicious candidate validation subsystem configuration. When enabled, node PVF execution is skipped
+	/// during backing and/or approval and it's result can by specified by this option and `--fake-validation-error`
+	/// for invalid candidate outcomes.
+	#[clap(long, arg_enum, ignore_case = true, default_value_t = FakeCandidateValidation::BackingAndApprovalInvalid)]
+	pub fake_validation: FakeCandidateValidation,

-impl<Sender> MessageInterceptor<Sender> for ReplaceApprovalsWithDisputes
-where
-	Sender: overseer::SubsystemSender<CandidateBackingMessage> + Clone + Send + 'static,
-{
-	type Message = CandidateBackingMessage;
+	/// Applies only when `--fake-validation` is configured to reject candidates as invalid. It allows
+	/// to specify the exact error to return from the malicious candidate validation subsystem.
+	#[clap(long, arg_enum, ignore_case = true, default_value_t = FakeCandidateValidationError::InvalidOutputs)]
+	pub fake_validation_error: FakeCandidateValidationError,

-	fn intercept_incoming(
-		&self,
-		_sender: &mut Sender,
-		msg: FromOverseer<Self::Message>,
-	) -> Option<FromOverseer<Self::Message>> {
-		Some(msg)
-	}
-
-	fn intercept_outgoing(&self, msg: AllMessages) -> Option<AllMessages> {
-		match msg {
-			AllMessages::ApprovalDistribution(ApprovalDistributionMessage::DistributeApproval(
-				_,
-			)) => {
-				// drop the message on the floor
-				None
-			},
-			AllMessages::DisputeCoordinator(DisputeCoordinatorMessage::ImportStatements {
-				candidate_hash,
-				candidate_receipt,
-				session,
-				..
-			}) => {
-				// this would also dispute candidates we were not assigned to approve
-				Some(AllMessages::DisputeCoordinator(
-					DisputeCoordinatorMessage::IssueLocalStatement(
-						session,
-						candidate_hash,
-						candidate_receipt,
-						false,
-					),
-				))
-			},
-			msg => Some(msg),
-		}
-	}
+	#[clap(flatten)]
+	pub cmd: RunCmd,
 }

-/// Generates an overseer that disputes instead of approving valid candidates.
-pub(crate) struct DisputeValidCandidates;
+pub(crate) struct DisputeValidCandidates {
+	/// Fake validation config (applies to disputes as well).
+	opts: DisputeAncestorOptions,
+}
+
+impl DisputeValidCandidates {
+	pub fn new(opts: DisputeAncestorOptions) -> Self {
+		Self { opts }
+	}
+}

 impl OverseerGen for DisputeValidCandidates {
 	fn generate<'a, Spawner, RuntimeClient>(
@@ -105,15 +80,15 @@ impl OverseerGen for DisputeValidCandidates {
 		Spawner: 'static + SpawnNamed + Clone + Unpin,
 	{
 		let spawner = args.spawner.clone();
-		let crypto_store_ptr = args.keystore.clone() as SyncCryptoStorePtr;
-		let filter = ReplaceApprovalsWithDisputes;
+		let validation_filter = ReplaceValidationResult::new(
+			self.opts.fake_validation,
+			self.opts.fake_validation_error,
+			spawner.clone(),
+		);

 		prepared_overseer_builder(args)?
-			.replace_candidate_backing(move |cb| {
-				InterceptedSubsystem::new(
-					CandidateBackingSubsystem::new(spawner, crypto_store_ptr, cb.params.metrics),
-					filter,
-				)
+			.replace_candidate_validation(move |cv_subsystem| {
+				InterceptedSubsystem::new(cv_subsystem, validation_filter)
 			})
 			.build_with_connector(connector)
 			.map_err(|e| e.into())
@@ -17,10 +17,13 @@
 //! Collection of behavior variants.

 mod back_garbage_candidate;
+mod common;
 mod dispute_valid_candidates;
 mod suggest_garbage_candidate;

 pub(crate) use self::{
-	back_garbage_candidate::BackGarbageCandidate, dispute_valid_candidates::DisputeValidCandidates,
-	suggest_garbage_candidate::SuggestGarbageCandidate,
+	back_garbage_candidate::BackGarbageCandidate,
+	dispute_valid_candidates::{DisputeAncestorOptions, DisputeValidCandidates},
+	suggest_garbage_candidate::BackGarbageCandidateWrapper,
 };
+pub(crate) use common::*;
@@ -14,11 +14,11 @@
 // You should have received a copy of the GNU General Public License
 // along with Polkadot.  If not, see <http://www.gnu.org/licenses/>.

-//! A malicious overseer proposing a garbage block.
+//! A malicious node that stores bogus availability chunks, preventing others from
+//! doing approval voting. This should lead to disputes depending if the validator
+//! has fetched a malicious chunk.
 //!
-//! Supposed to be used with regular nodes or in conjunction
-//! with [`malus-back-garbage-candidate.rs`](./malus-back-garbage-candidate.rs)
-//! to simulate a coordinated attack.
+//! Attention: For usage with `zombienet` only!

 #![allow(missing_docs)]

@@ -30,73 +30,220 @@ use polkadot_cli::{
 		ProvideRuntimeApi, SpawnNamed,
 	},
 };
+use polkadot_node_core_candidate_validation::find_validation_data;
+use polkadot_node_primitives::{AvailableData, BlockData, PoV};
+use polkadot_primitives::v2::{CandidateDescriptor, CandidateHash};
+
+use polkadot_node_subsystem_util::request_validators;
+
+// Filter wrapping related types.
+use crate::{
+	interceptor::*,
+	shared::{MALICIOUS_POV, MALUS},
+	variants::{
+		create_fake_candidate_commitments, FakeCandidateValidation, FakeCandidateValidationError,
+		ReplaceValidationResult,
+	},
+};

 // Import extra types relevant to the particular
 // subsystem.
-use polkadot_node_core_backing::CandidateBackingSubsystem;
-use polkadot_node_primitives::Statement;
-use polkadot_node_subsystem::{
-	messages::{CandidateBackingMessage, StatementDistributionMessage},
-	overseer::{self, SubsystemSender},
+use polkadot_node_subsystem::messages::{CandidateBackingMessage, CollatorProtocolMessage};
+use polkadot_primitives::v2::CandidateReceipt;
+
+use std::{
+	collections::HashMap,
+	sync::{Arc, Mutex},
 };
-use polkadot_node_subsystem_util as util;
-// Filter wrapping related types.
-use crate::interceptor::*;
-use polkadot_primitives::v2::{
-	CandidateCommitments, CandidateReceipt, CommittedCandidateReceipt, CompactStatement, Hash,
-	Signed,
-};
-use sp_keystore::SyncCryptoStorePtr;
-use util::metered;

-use std::sync::Arc;
-
-use crate::shared::*;
-
-/// Replaces the seconded PoV data
-/// of outgoing messages by some garbage data.
-#[derive(Clone)]
-struct ReplacePoVBytes<Sender>
-where
-	Sender: Send,
-{
-	queue: metered::UnboundedMeteredSender<(Sender, Hash, CandidateReceipt)>,
+struct Inner {
+	/// Maps malicious candidate hash to original candidate hash.
+	/// It is used to replace outgoing collator protocol seconded messages.
+	map: HashMap<CandidateHash, CandidateHash>,
 }

-impl<Sender> MessageInterceptor<Sender> for ReplacePoVBytes<Sender>
+/// Replace outgoing approval messages with disputes.
+#[derive(Clone)]
+struct NoteCandidate<Spawner> {
+	inner: Arc<Mutex<Inner>>,
+	spawner: Spawner,
+}
+
+impl<Sender, Spawner> MessageInterceptor<Sender> for NoteCandidate<Spawner>
 where
-	Sender: overseer::SubsystemSender<CandidateBackingMessage> + Clone + Send + 'static,
+	Sender: overseer::SubsystemSender<AllMessages>
+		+ overseer::SubsystemSender<CandidateBackingMessage>
+		+ Clone
+		+ Send
+		+ 'static,
+	Spawner: SpawnNamed + Clone + 'static,
 {
 	type Message = CandidateBackingMessage;

+	/// Intercept incoming `Second` requests from the `collator-protocol` subsystem. We take
 	fn intercept_incoming(
 		&self,
-		sender: &mut Sender,
+		subsystem_sender: &mut Sender,
 		msg: FromOverseer<Self::Message>,
 	) -> Option<FromOverseer<Self::Message>> {
 		match msg {
 			FromOverseer::Communication {
-				msg: CandidateBackingMessage::Second(hash, candidate_receipt, _pov),
+				msg: CandidateBackingMessage::Second(relay_parent, candidate, _pov),
 			} => {
-				self.queue
-					.unbounded_send((sender.clone(), hash, candidate_receipt.clone()))
-					.unwrap();
+				gum::debug!(
+					target: MALUS,
+					candidate_hash = ?candidate.hash(),
+					?relay_parent,
+					"Received request to second candidate"
+				);

-				None
+				let pov = PoV { block_data: BlockData(MALICIOUS_POV.into()) };
+
+				let (sender, receiver) = std::sync::mpsc::channel();
+				let mut new_sender = subsystem_sender.clone();
+				let _candidate = candidate.clone();
+				self.spawner.spawn_blocking(
+					"malus-get-validation-data",
+					Some("malus"),
+					Box::pin(async move {
+						gum::trace!(target: MALUS, "Requesting validators");
+						let n_validators = request_validators(relay_parent, &mut new_sender)
+							.await
+							.await
+							.unwrap()
+							.unwrap()
+							.len();
+						gum::trace!(target: MALUS, "Validators {}", n_validators);
+						match find_validation_data(&mut new_sender, &_candidate.descriptor()).await
+						{
+							Ok(Some((validation_data, validation_code))) => {
+								sender
+									.send((validation_data, validation_code, n_validators))
+									.expect("channel is still open");
+							},
+							_ => {
+								panic!("Unable to fetch validation data");
+							},
+						}
+					}),
+				);
+
+				let (validation_data, validation_code, n_validators) = receiver.recv().unwrap();
+
+				let validation_data_hash = validation_data.hash();
+				let validation_code_hash = validation_code.hash();
+				let validation_data_relay_parent_number = validation_data.relay_parent_number;
+
+				gum::trace!(
+					target: MALUS,
+					candidate_hash = ?candidate.hash(),
+					?relay_parent,
+					?n_validators,
+					?validation_data_hash,
+					?validation_code_hash,
+					?validation_data_relay_parent_number,
+					"Fetched validation data."
+				);
+
+				let malicious_available_data =
+					AvailableData { pov: Arc::new(pov.clone()), validation_data };
+
+				let pov_hash = pov.hash();
+				let erasure_root = {
+					let chunks =
+						erasure::obtain_chunks_v1(n_validators as usize, &malicious_available_data)
+							.unwrap();
+
+					let branches = erasure::branches(chunks.as_ref());
+					branches.root()
+				};
+
+				let (collator_id, collator_signature) = {
+					use polkadot_primitives::v2::CollatorPair;
+					use sp_core::crypto::Pair;
+
+					let collator_pair = CollatorPair::generate().0;
+					let signature_payload = polkadot_primitives::v2::collator_signature_payload(
+						&relay_parent,
+						&candidate.descriptor().para_id,
+						&validation_data_hash,
+						&pov_hash,
+						&validation_code_hash,
+					);
+
+					(collator_pair.public(), collator_pair.sign(&signature_payload))
+				};
+
+				let malicious_commitments =
+					create_fake_candidate_commitments(&malicious_available_data.validation_data);
+
+				let malicious_candidate = CandidateReceipt {
+					descriptor: CandidateDescriptor {
+						para_id: candidate.descriptor().para_id,
+						relay_parent,
+						collator: collator_id,
+						persisted_validation_data_hash: validation_data_hash,
+						pov_hash,
+						erasure_root,
+						signature: collator_signature,
+						para_head: malicious_commitments.head_data.hash(),
+						validation_code_hash,
+					},
+					commitments_hash: malicious_commitments.hash(),
+				};
+				let malicious_candidate_hash = malicious_candidate.hash();
+
+				gum::debug!(
+					target: MALUS,
+					candidate_hash = ?candidate.hash(),
+					?malicious_candidate_hash,
+					"Created malicious candidate"
+				);
+
+				// Map malicious candidate to the original one. We need this mapping to send back the correct seconded statement
+				// to the collators.
+				self.inner
+					.lock()
+					.expect("bad lock")
+					.map
+					.insert(malicious_candidate_hash, candidate.hash());
+
+				let message = FromOverseer::Communication {
+					msg: CandidateBackingMessage::Second(relay_parent, malicious_candidate, pov),
+				};
+
+				Some(message)
 			},
-			other => Some(other),
+			FromOverseer::Communication { msg } => Some(FromOverseer::Communication { msg }),
+			FromOverseer::Signal(signal) => Some(FromOverseer::Signal(signal)),
 		}
 	}

 	fn intercept_outgoing(&self, msg: AllMessages) -> Option<AllMessages> {
+		let msg = match msg {
+			AllMessages::CollatorProtocol(CollatorProtocolMessage::Seconded(
+				relay_parent,
+				statement,
+			)) => {
+				// `parachain::collator-protocol: received an unexpected `CollationSeconded`: unknown statement statement=...`
+				// TODO: Fix this error. We get this on colaltors because `malicious backing` creates a candidate that gets backed/included.
+				// It is harmless for test parachain collators, but it will prevent cumulus based collators to make progress
+				// as they wait for the relay chain to confirm the seconding of the collation.
+				AllMessages::CollatorProtocol(CollatorProtocolMessage::Seconded(
+					relay_parent,
+					statement,
+				))
+			},
+			msg => msg,
+		};
 		Some(msg)
 	}
 }

-/// Generates an overseer that exposes bad behavior.
-pub(crate) struct SuggestGarbageCandidate;
+/// Garbage candidate implementation wrapper which implements `OverseerGen` glue.
+pub(crate) struct BackGarbageCandidateWrapper;

-impl OverseerGen for SuggestGarbageCandidate {
+impl OverseerGen for BackGarbageCandidateWrapper {
 	fn generate<'a, Spawner, RuntimeClient>(
 		&self,
 		connector: OverseerConnector,
@@ -107,65 +254,23 @@ impl OverseerGen for SuggestGarbageCandidate {
 		RuntimeClient::Api: ParachainHost<Block> + BabeApi<Block> + AuthorityDiscoveryApi<Block>,
 		Spawner: 'static + SpawnNamed + Clone + Unpin,
 	{
-		let spawner = args.spawner.clone();
-		let (sink, source) = metered::unbounded();
-		let keystore = args.keystore.clone() as SyncCryptoStorePtr;
+		let inner = Inner { map: std::collections::HashMap::new() };
+		let inner_mut = Arc::new(Mutex::new(inner));
+		let note_candidate =
+			NoteCandidate { inner: inner_mut.clone(), spawner: args.spawner.clone() };

-		let filter = ReplacePoVBytes { queue: sink };
-
-		let keystore2 = keystore.clone();
-		let spawner2 = spawner.clone();
-
-		let result = prepared_overseer_builder(args)?
-			.replace_candidate_backing(move |cb| {
-				InterceptedSubsystem::new(
-					CandidateBackingSubsystem::new(spawner2, keystore2, cb.params.metrics),
-					filter,
-				)
-			})
-			.build_with_connector(connector)
-			.map_err(|e| e.into());
-
-		launch_processing_task(
-			&spawner,
-			source,
-			move |(mut subsystem_sender, hash, candidate_receipt): (_, Hash, CandidateReceipt)| {
-				let keystore = keystore.clone();
-				async move {
-					gum::info!(
-						target: MALUS,
-						"Replacing seconded candidate pov with something else"
-					);
-
-					let committed_candidate_receipt = CommittedCandidateReceipt {
-						descriptor: candidate_receipt.descriptor.clone(),
-						commitments: CandidateCommitments::default(),
-					};
-
-					let statement = Statement::Seconded(committed_candidate_receipt);
-
-					if let Ok(validator) =
-						util::Validator::new(hash, keystore.clone(), &mut subsystem_sender).await
-					{
-						let signed_statement: Signed<Statement, CompactStatement> = validator
-							.sign(keystore, statement)
-							.await
-							.expect("Signing works. qed")
-							.expect("Something must come out of this. qed");
-
-						subsystem_sender
-							.send_message(StatementDistributionMessage::Share(
-								hash,
-								signed_statement,
-							))
-							.await;
-					} else {
-						gum::info!("We are not a validator. Not siging anything.");
-					}
-				}
-			},
+		let validation_filter = ReplaceValidationResult::new(
+			FakeCandidateValidation::BackingAndApprovalValid,
+			FakeCandidateValidationError::InvalidOutputs,
+			args.spawner.clone(),
 		);

-		result
+		prepared_overseer_builder(args)?
+			.replace_candidate_backing(move |cb| InterceptedSubsystem::new(cb, note_candidate))
+			.replace_candidate_validation(move |cb| {
+				InterceptedSubsystem::new(cb, validation_filter)
+			})
+			.build_with_connector(connector)
+			.map_err(|e| e.into())
 	}
 }