
Write a draft security triage RFC #2001

Closed
3 tasks
Tracked by #3096
teor2345 opened this issue Apr 12, 2021 · 1 comment
Labels
A-docs Area: Documentation C-enhancement Category: This is an improvement S-needs-design Status: Needs a design decision

Comments

@teor2345 (Contributor) commented Apr 12, 2021

Scheduling

Let's spend up to half a day on a draft, then review after each incident.

Is your feature request related to a problem? Please describe.

Let's be explicit about how we triage security vulnerabilities.

Describe the solution you'd like

  • Summarise next steps
    • https://chromium.googlesource.com/chromium/src/+/master/docs/security/rule-of-2.md
    • sandboxing and process isolation for:
      • zebra-script (untrusted script data, C/C++)
      • zebra-network (untrusted peer data, Rust)
      • rocksdb (contextually verified data, C/C++)
      • other C/C++ dependencies
      • zebra-client (private keys, Rust)
      • zebrad
    • memory safe zebra-script impl
    • network integration testing
    • cross-fuzzing Zebra and zcashd verification
  • Summarise types of vulnerabilities
    • Denial of service to remote nodes
    • Arbitrary code execution (prevented by safe Rust, focus on unsafe and C/C++ dependencies)
    • Unauthorised spends / lost outputs
    • Privacy violations
    • Breaking consensus rules
    • Denial of service to the local node
    • Peer set takeover (eclipse attacks)
  • Summarise attack surfaces

Here are the barriers, dependencies, and risks:

  • zebra-network (remote DoS, peer set takeover, local DoS, privacy)
    1. Peer set fanout
  • zebra-chain (local memory DoS, broken consensus rules)
    1. Structural verification
    2. Proof of work threshold + binding the block contents (fully binds transactions in a pre-NU5 block, only binds effecting data in post-NU5 blocks, doesn't bind mempool transactions)
       • script validation (arbitrary code, local DoS, broken consensus rules, unauth spends)
       • C/C++ cryptographic dependencies (arbitrary code, broken consensus rules, unauth spends)
    3. Semantic verification
       • rejects some blocks and mempool transactions
    4. Contextual verification
       • fully binds post-NU5 blocks
       • checks current difficulty, rather than minimum difficulty
       • rejects all invalid blocks
       • rejects more mempool transactions
       • RocksDB (arbitrary code, local DoS, broken consensus rules)

It gets trickier when we start thinking about system C libraries, and indirect C/C++ dependencies.

Describe alternatives you've considered

We could just keep doing implicit best-effort security triage. But even a draft document would make a big difference.

Additional context

https://noncombatant.org/2021/04/11/long-live-sandboxing/
https://noncombatant.org/2021/04/09/prioritizing-memory-safety-migrations/
https://chromium.googlesource.com/chromium/src/+/master/docs/security/side-channel-threat-model.md

@teor2345 teor2345 added A-docs Area: Documentation S-needs-design Status: Needs a design decision C-enhancement Category: This is an improvement S-needs-triage Status: A bug report needs triage P-Medium labels Apr 12, 2021
@teor2345 teor2345 added this to the 2021 Sprint 8 milestone Apr 12, 2021
@teor2345 teor2345 self-assigned this Apr 12, 2021
@mpguerra mpguerra removed the S-needs-triage Status: A bug report needs triage label Apr 13, 2021
@teor2345 teor2345 removed this from the 2021 Sprint 8 milestone Apr 15, 2021
@mpguerra mpguerra added this to the 2021 Sprint 23 milestone Oct 13, 2021
@teor2345 teor2345 removed their assignment Jan 7, 2022
@mpguerra mpguerra moved this to 🆕 New in Zebra Sep 22, 2022
@mpguerra mpguerra added this to Zebra Sep 22, 2022
@teor2345 (Contributor, Author) commented Dec 1, 2022

Let's re-open this when we have more experience dealing with security issues, so we know what we need out of this RFC.

@teor2345 teor2345 closed this as not planned Won't fix, can't repro, duplicate, stale Dec 1, 2022
Repository owner moved this from 🆕 New to ✅ Done in Zebra Dec 1, 2022
@mpguerra mpguerra moved this from ✅ Done to 🛑 Won't Fix in Zebra Jan 19, 2023