
Security

brycx edited this page Feb 8, 2019 · 19 revisions

This section has security-relevant information regarding orion.

Memory:

orion has a best-effort approach to wiping sensitive memory. There are known obstacles to ensuring effective memory wiping in Rust (quoted from the zeroize documentation):

However, be aware that Rust's current memory semantics (e.g. move) can leave copies of data in memory, and there isn't presently a good solution for ensuring all copies of data on the stack are properly cleared.

Furthermore, orion partly uses destructors to wipe memory. According to the Rustonomicon, there is no guarantee that destructors are actually called: safe Rust considers failing to call a destructor to be safe, "However any program that actually manages to do such a thing is probably incorrect." (from the Rustonomicon).

Due to such limitations, orion offers no guarantees that all sensitive memory is wiped.

orion also makes no attempts to avoid sensitive memory being written to the system swap space.
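The two caveats above (wiping in a destructor, and destructors not being guaranteed to run) can be seen directly in a small Rust program. The following is an added illustration, not orion's own code: `zeroize_bytes` wipes a buffer with volatile stores (the same basic technique the zeroize crate uses, written out here instead of depending on the crate, so it needs one `unsafe` block that orion itself would not permit), `SecretKey` wipes its heap buffer in `Drop`, and the two check functions show that a normal scope exit runs the destructor while safe `std::mem::forget` skips it. The `wiped` flag is a constructed observer for the demonstration; a real key type would not carry one.

```rust
use std::cell::Cell;
use std::ptr;
use std::rc::Rc;
use std::sync::atomic::{compiler_fence, Ordering};

/// Overwrite `buf` with zeros using volatile stores, so the optimizer cannot
/// discard the writes as dead stores (the buffer is never read afterwards).
/// Illustrative reimplementation of what zeroize does, not orion's code.
pub fn zeroize_bytes(buf: &mut [u8]) {
    for byte in buf.iter_mut() {
        // SAFETY: `byte` is a valid, aligned, exclusively borrowed u8.
        unsafe { ptr::write_volatile(byte, 0) };
    }
    // Keep the stores from being reordered past the end of the wipe.
    compiler_fence(Ordering::SeqCst);
}

/// A heap-held secret that wipes itself when dropped. `wiped` is a constructed
/// observer so the destructor's behaviour can be checked from outside.
pub struct SecretKey {
    bytes: Vec<u8>,
    wiped: Rc<Cell<bool>>,
}

impl SecretKey {
    pub fn new(bytes: Vec<u8>, wiped: Rc<Cell<bool>>) -> Self {
        SecretKey { bytes, wiped }
    }

    pub fn len(&self) -> usize {
        self.bytes.len()
    }
}

impl Drop for SecretKey {
    fn drop(&mut self) {
        zeroize_bytes(&mut self.bytes);
        self.wiped.set(true);
    }
}

/// Normal scope exit: the destructor runs and the heap buffer is wiped.
pub fn wipe_on_drop() -> bool {
    let wiped = Rc::new(Cell::new(false));
    {
        let key = SecretKey::new(vec![0xAB; 32], Rc::clone(&wiped));
        let _ = key.len();
    } // `key` is dropped here
    wiped.get()
}

/// `mem::forget` is safe Rust and skips the destructor entirely, so the
/// secret stays in memory unwiped. This is the Rustonomicon caveat above.
pub fn forget_skips_wipe() -> bool {
    let wiped = Rc::new(Cell::new(false));
    let key = SecretKey::new(vec![0xAB; 32], Rc::clone(&wiped));
    std::mem::forget(key);
    wiped.get()
}

fn main() {
    let mut k = [0x5Au8; 8];
    zeroize_bytes(&mut k);
    println!("wiped buffer: {:?}", k);
    println!("drop ran destructor: {}", wipe_on_drop());
    println!("forget ran destructor: {}", forget_skips_wipe());
}
```

Note what this does and does not cover: the wipe reaches the heap allocation behind the `Vec`, but a fixed-size secret held directly on the stack and then moved (the zeroize caveat quoted above) may leave a copy behind that no destructor ever sees, which is why the page describes the approach as best-effort.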

Side-channel attacks:

orion only aims to protect against timing-based side-channel vulnerabilities.
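The typical timing leak in a crypto library is an equality check on a MAC tag or password hash that returns as soon as the first byte differs, so the response time reveals how long a matching prefix was. As an added example (not orion's code; orion relies on the subtle crate listed in the dependency table below for this), here is the leaky pattern beside a constant-time comparison that always walks every byte and decides only on the accumulated difference:

```rust
/// Early-exit comparison: the time it takes depends on how many leading
/// bytes match, which is the classic timing side channel on tag checks.
pub fn leaky_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    for (x, y) in a.iter().zip(b) {
        if x != y {
            return false;
        }
    }
    true
}

/// Constant-time comparison: every byte is visited regardless of content and
/// the result is derived from the OR of all differences, so the running time
/// does not depend on where (or whether) the inputs differ. Length is treated
/// as public, which is fine for fixed-size tags and digests.
pub fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    let mut diff: u8 = 0;
    for (x, y) in a.iter().zip(b) {
        diff |= x ^ y;
    }
    // black_box discourages the optimizer from turning the accumulator back
    // into data-dependent branches.
    std::hint::black_box(diff) == 0
}

/// How a MAC verification would use it: the caller never learns more than
/// "matched" or "did not match".
pub fn verify_tag(expected: &[u8], received: &[u8]) -> Result<(), &'static str> {
    if ct_eq(expected, received) {
        Ok(())
    } else {
        Err("tag mismatch")
    }
}

fn main() {
    // Constructed sample tags for the demonstration.
    let good = [0x11u8, 0x22, 0x33, 0x44];
    let bad_last = [0x11u8, 0x22, 0x33, 0x45];
    println!("leaky_eq : {}", leaky_eq(&good, &bad_last));
    println!("ct_eq    : {}", ct_eq(&good, &bad_last));
    println!("verify   : {:?}", verify_tag(&good, &good));
}
```

Both functions return the same booleans; the difference is only in how long they take to do so, which is exactly the property a timing attack measures.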

No unsafe code:

orion itself forbids the use of so-called “unsafe” code, meaning that all memory-safety guarantees provided by Rust are enforced at compile-time. However, even though orion itself does not allow unsafe code, unsafe code is used in some of its dependencies.

These are metrics that give an overview of which dependencies use unsafe code and how much:

Metric output format: x/y
x = unsafe code used by the build
y = total unsafe code found in the crate

Functions  Expressions  Impls  Traits  Methods  Dependency

0/0        0/0          0/0    0/0     0/0        orion v0.12.6 (**omitted**)
0/0        12/40        0/0    0/0     0/0      ☢ ├── rand_os v0.1.2
0/0        0/0          0/0    0/0     0/0        │   ├── libc v0.2.48
0/0        47/47        0/0    0/0     0/0      ☢ │   └── rand_core v0.4.0
0/0        1/1          0/0    0/0     0/0      ☢ ├── subtle v2.0.0
0/0        13/13        0/0    0/0     0/0      ☢ ├── tiny-keccak v1.4.2
0/0        0/0          0/0    0/0     0/0        │   └── crunchy v0.1.6
0/0        5/5          0/0    0/0     0/0      ☢ └── zeroize v0.5.2
                                                  [dev-dependencies]
0/0        0/0          0/0    0/0     0/0        ├── hex v0.3.2
0/0        0/0          0/0    0/0     0/0        ├── quickcheck v0.8.0
0/0        0/0          0/0    0/0     0/0        │   ├── env_logger v0.5.13
0/2        0/8          0/0    0/0     0/0        │   │   ├── atty v0.2.11
0/0        0/0          0/0    0/0     0/0        │   │   │   └── libc v0.2.48
0/0        0/8          0/0    0/0     0/0        │   │   ├── humantime v1.2.0
0/0        0/0          0/0    0/0     0/0        │   │   │   └── quick-error v1.2.2
0/0        0/31         0/0    0/0     0/0        │   │   ├── log v0.4.6
0/0        0/0          0/0    0/0     0/0        │   │   │   └── cfg-if v0.1.6
0/0        0/124        0/1    0/0     0/18       │   │   ├── regex v1.1.0
0/0        0/12         0/0    0/0     0/0        │   │   │   ├── aho-corasick v0.6.9
0/30       0/269        0/0    0/0     0/0        │   │   │   │   └── memchr v2.1.3
0/0        0/0          0/0    0/0     0/0        │   │   │   │       ├── cfg-if v0.1.6
0/0        0/0          0/0    0/0     0/0        │   │   │   │       └── libc v0.2.48
0/30       0/269        0/0    0/0     0/0        │   │   │   ├── memchr v2.1.3
0/0        0/0          0/0    0/0     0/0        │   │   │   ├── regex-syntax v0.6.5
0/0        0/2          0/0    0/0     0/0        │   │   │   │   └── ucd-util v0.1.3
0/1        0/128        0/2    0/0     0/4        │   │   │   ├── thread_local v0.3.6
0/1        0/7          0/1    0/0     0/0        │   │   │   │   └── lazy_static v1.2.0
0/0        0/1          0/0    0/0     0/0        │   │   │   └── utf8-ranges v1.0.2
0/0        0/0          0/0    0/0     0/0        │   │   └── termcolor v1.0.4
0/0        0/31         0/0    0/0     0/0        │   ├── log v0.4.6
0/0        0/19         0/0    0/0     0/0        │   ├── rand v0.6.5
0/0        0/0          0/0    0/0     0/0        │   │   ├── libc v0.2.48
0/0        0/0          0/0    0/0     0/0        │   │   ├── rand_chacha v0.1.1
0/0        0/41         0/0    0/0     0/0        │   │   │   └── rand_core v0.3.1
0/0        47/47        0/0    0/0     0/0      ☢ │   │   │       └── rand_core v0.4.0
                                                  │   │   │   [build-dependencies]
0/0        0/0          0/0    0/0     0/0        │   │   │   └── autocfg v0.1.2
0/0        47/47        0/0    0/0     0/0      ☢ │   │   ├── rand_core v0.4.0
0/0        0/58         0/0    0/0     0/0        │   │   ├── rand_hc v0.1.0
0/0        0/41         0/0    0/0     0/0        │   │   │   └── rand_core v0.3.1
0/0        0/12         0/0    0/0     0/0        │   │   ├── rand_isaac v0.1.1
0/0        0/41         0/0    0/0     0/0        │   │   │   └── rand_core v0.3.1
0/0        0/10         0/0    0/0     0/0        │   │   ├── rand_jitter v0.1.1
0/0        47/47        0/0    0/0     0/0      ☢ │   │   │   └── rand_core v0.4.0
0/0        12/40        0/0    0/0     0/0      ☢ │   │   ├── rand_os v0.1.2
0/0        0/12         0/0    0/0     0/0        │   │   ├── rand_pcg v0.1.1
0/0        0/41         0/0    0/0     0/0        │   │   │   └── rand_core v0.3.1
                                                  │   │   │   [build-dependencies]
0/0        0/0          0/0    0/0     0/0        │   │   │   └── rustc_version v0.2.3
0/0        0/0          0/0    0/0     0/0        │   │   │       └── semver v0.9.0
0/0        0/0          0/0    0/0     0/0        │   │   │           └── semver-parser v0.7.0
0/0        0/6          0/0    0/0     0/0        │   │   └── rand_xorshift v0.1.1
0/0        0/41         0/0    0/0     0/0        │   │       └── rand_core v0.3.1
                                                  │   │   [build-dependencies]
0/0        0/0          0/0    0/0     0/0        │   │   └── autocfg v0.1.2
0/0        0/41         0/0    0/0     0/0        │   └── rand_core v0.3.1
0/0        0/5          0/0    0/0     0/0        └── serde_json v1.0.37
0/0        0/1          0/0    0/0     0/0            ├── itoa v0.4.3
0/15       0/38         0/0    0/0     0/2            ├── ryu v0.2.7
0/0        0/0          0/0    0/0     0/0            └── serde v1.0.85

These metrics were made using cargo-geiger.
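A table like the one above is most useful when it is checked automatically rather than read by eye. The following added example (not part of orion or cargo-geiger) parses rows in the x/y format described above, lists the dependencies whose unsafe code actually ends up in the build (any x greater than zero), and compares that list against an allowlist, which is the shape of a CI gate for the dependency tree. The sample report embedded in the code is a constructed subset of the table on this page.

```rust
use std::collections::BTreeSet;

/// One dependency row of a cargo-geiger report.
#[derive(Debug, Clone, PartialEq)]
pub struct GeigerRow {
    pub name: String,
    pub version: String,
    pub used: usize,   // sum of x (unsafe items used by the build) over the five columns
    pub total: usize,  // sum of y (unsafe items found in the crate)
    pub flagged: bool, // the ☢ marker was present
}

/// Parse a single "x/y" metric token.
pub fn parse_metric(tok: &str) -> Option<(usize, usize)> {
    let (x, y) = tok.split_once('/')?;
    Some((x.parse().ok()?, y.parse().ok()?))
}

/// Parse one report line; header, blank and "[dev-dependencies]" lines yield None.
pub fn parse_row(line: &str) -> Option<GeigerRow> {
    let mut toks = line.split_whitespace();
    let (mut used, mut total) = (0, 0);
    for _ in 0..5 {
        let (x, y) = parse_metric(toks.next()?)?;
        used += x;
        total += y;
    }
    let mut flagged = false;
    let (mut name, mut version) = (None, None);
    for t in toks {
        if t == "☢" {
            flagged = true;
        } else if t.chars().all(|c| "│├└─".contains(c)) {
            // tree-drawing characters carry no data
        } else if name.is_none() {
            name = Some(t.to_string());
        } else if t.starts_with('v') {
            version = Some(t.to_string());
            break;
        }
    }
    Some(GeigerRow { name: name?, version: version?, used, total, flagged })
}

/// Dependencies whose unsafe code is used by the build, in first-seen order,
/// deduplicated because cargo-geiger prints shared crates once per path.
pub fn unsafe_used_in_build(report: &str) -> Vec<GeigerRow> {
    let mut seen = BTreeSet::new();
    let mut out = Vec::new();
    for row in report.lines().filter_map(parse_row) {
        if row.used > 0 && seen.insert((row.name.clone(), row.version.clone())) {
            out.push(row);
        }
    }
    out
}

/// Crates using unsafe in the build that are not on the reviewed allowlist.
pub fn policy_violations(report: &str, allowlist: &[&str]) -> Vec<String> {
    unsafe_used_in_build(report)
        .into_iter()
        .filter(|r| !allowlist.contains(&r.name.as_str()))
        .map(|r| format!("{} {} uses {} unsafe items", r.name, r.version, r.used))
        .collect()
}

/// Constructed subset of the cargo-geiger table on this page.
pub const SAMPLE_REPORT: &str = "\
Functions  Expressions  Impls  Traits  Methods  Dependency

0/0        0/0          0/0    0/0     0/0        orion v0.12.6 (**omitted**)
0/0        12/40        0/0    0/0     0/0      ☢ ├── rand_os v0.1.2
0/0        0/0          0/0    0/0     0/0        │   ├── libc v0.2.48
0/0        47/47        0/0    0/0     0/0      ☢ │   └── rand_core v0.4.0
0/0        1/1          0/0    0/0     0/0      ☢ ├── subtle v2.0.0
0/0        13/13        0/0    0/0     0/0      ☢ ├── tiny-keccak v1.4.2
0/0        0/0          0/0    0/0     0/0        │   └── crunchy v0.1.6
0/0        5/5          0/0    0/0     0/0      ☢ └── zeroize v0.5.2
                                                  [dev-dependencies]
0/2        0/8          0/0    0/0     0/0        │   │   ├── atty v0.2.11
0/0        47/47        0/0    0/0     0/0      ☢ │   │   ├── rand_core v0.4.0
0/30       0/269        0/0    0/0     0/0        │   │   │   │   └── memchr v2.1.3
";

fn main() {
    for r in unsafe_used_in_build(SAMPLE_REPORT) {
        println!("{} {}: {}/{} unsafe items used", r.name, r.version, r.used, r.total);
    }
    let allow = ["rand_os", "rand_core", "subtle", "tiny-keccak"];
    println!("violations: {:?}", policy_violations(SAMPLE_REPORT, &allow));
}
```

The dev-dependency rows such as atty and memchr contain unsafe code (non-zero y) but none of it is used by the build (x is 0), so they do not appear in the result; the ☢ marker in the real report tracks the same distinction, which the parser records so it can be cross-checked.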

Third-party security audit:

orion has not yet received any formal security audit.
