
Security audit #21

Open
brycx opened this issue Aug 11, 2018 · 10 comments
Labels: security (Security-related issues or improvements)
brycx (Member) commented Aug 11, 2018

Before a stable version of orion is released, an audit should be done. Preferably of the whole library, though it may end up only being partly. This depends on the financial means available.

Edit: I currently have no idea about when I would be able to afford this.

@brycx brycx added this to the v1 milestone Aug 11, 2018
@brycx brycx added the security Security-related issues or improvements label Dec 26, 2018
eraffaelli commented Jan 15, 2020

Could you tell us a little about how much an audit would cost, if you have any idea? Maybe approximate numbers? Maybe you could put up a donation thing or on a crowdfunding website so the community could help?

brycx (Member, Author) commented Jan 16, 2020

Hi @eraffaelli

> Could you tell us a little about how much an audit would cost if you have? maybe approximate numbers?

I certainly expect an audit to cost several thousand dollars. If the audit were to be scoped to the most important parts, depending on what that would include and based on what I've heard from others, I think it would be reasonable to expect pricing in the range of 10.000$ - 20.000$.

Back in October 2018 I reached out to three different companies, which seemed to have some experience auditing cryptographic implementations in Rust, or just experience with Rust in general. One of those got back to me with a very rough estimate for an audit of the entire codebase. I don't feel comfortable sharing the numbers however, since I don't know if they are OK with this.

Even so, that was two years ago and the library has changed quite a lot since then.

> Maybe you could put up a donation thing or on a crowdfunding website so the community could help?

I've mainly held off on this because of the lack of users. You're right in that it's a good starting point, but I feel like having an updated estimate on cost of audit would be best to get down before having an attempt at crowdfunding.

Before paying for an audit, I also want to make sure the library is in a more stable state than it is now. It would make no sense to have an audit, just for the library to have several breaking changes following shortly thereafter.

If I were to set up crowdfunding now, donations would probably be better spent on testing resources and development time.

> put up a donation thing or on a crowdfunding website

Did you have any specific platforms in mind? I've most commonly seen Patreon and cryptocurrencies being used.

eraffaelli commented

Thanks for your answers.
I thought about things like Patreon or GoGetFunding, yes; I don't know much about specific platforms.

rjwalters commented

@brycx - I'm curious to hear if you think this crate is closer to being audit-ready. My company recently funded an audit for parts of RustCrypto. We might be interested in helping out here as well...

(It would also be pretty great if your work could be incorporated into the RustCrypto project too!)

brycx (Member, Author) commented Jul 14, 2020

Hi @rjwalters,

Many thanks for reaching out!

I do think we're much closer to audit-ready than last time I visited this thread. Mainly after the 0.15.0 release, which primarily focused on polishing the API for stability and ironing out the edges that people reported. The library has also received much more fuzzing since back in January.

I currently have no major breaking changes planned in the near future. The only thing that might bring this about is when const generics are stabilized, which could lead to some changes to the newtype's API.

I'm very interested in discussing a potential audit further, once you decide whether or not you're interested in this.

I think with a bit more detail on scoping, it would also be easier to discuss potential incorporation to RustCrypto as well.

brycx (Member, Author) commented Oct 26, 2020

@rjwalters Any news/developments on this? If you'd like to discuss things further, and not in this issue, perhaps there is some other place I can reach you?

gilescope commented

Could Rust have an Open Collective for funding security audits? I'm sure there's lots of people who would chip in.

brycx (Member, Author) commented Dec 16, 2020

> Could rust have an open-collective for funding security audits? I’m sure there’s lots of people who would chip in.

@gilescope I haven't heard of Open Collective before now, but it seems like a possible platform where small donations could be received. If you haven't heard of it yet, there's also the Mozilla SOS (Secure Open Source) project, which funds audits of open-source software. Though this is typically only for very widely-used projects.

Whether or not Rust itself could have an Open Collective for this, I can't say. This is something that is better brought up with official Rust team members/community-managers I guess, since a Rust-wide Open Collective would most likely have to be managed by people employed at Mozilla or similar.

gilescope commented

Ah, sorry, I didn't mean to imply run by Mozilla. I was thinking maybe conceptually 'owned' by this project: https://github.com/RustSec/advisory-db

Rust Analyzer's Open Collective is run through Ferrous Systems' company. HeadCrab has one for the pure-Rust debugger. I don't think the Rust Foundation would be in a position to host an Open Collective to do this for a good while yet.
Sometimes it's the smaller companies that can move much faster than the bigger ones. As long as some company can host the account, you're more than halfway there, I suspect. The key point is to make a pot available marked "rust security", and then goodwilled companies and individuals will be enabled to crowdfund the amount needed. If the Rust security WG were happy with the proposal, that would be official enough for me.

brycx (Member, Author) commented Dec 16, 2020

I see your point @gilescope. I think it's a good idea, at least worthwhile to investigate further. Though, since it's not directly related to Orion, and you propose the Rust Security WG, this is a topic that should be presented there, not here. If the WG would do this, Orion would still have to be selected for funding, from a list of other projects as well.

Regardless, we can still consider Open Collective if Orion itself starts accepting donations.
