From eb8b85c0c9011cbfc07a09cab558878e4678ae06 Mon Sep 17 00:00:00 2001 From: ValarDragon Date: Sat, 7 Jul 2018 11:27:57 -0700 Subject: [PATCH 1/3] Add SECURITY.MD Closes #1267 --- SECURITY.md | 38 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 000000000..9883da4c4 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,38 @@ +# Security + +As part of our [Coordinated Vulnerability Disclosure +Policy](https://tendermint.com/security), we operate a bug bounty. +See the policy for more details on submissions and rewards. + +The following is a list of examples of the kinds of bugs we're most interested in for +the cosmos-sdk. See [here](https://github.com/tendermint/tendermint/blob/master/SECURITY.md) for vulnerabilities we are interested in for tendermint / lower level libs. + +## Specification +- Conceptual flaws +- Ambiguities, inconsistencies, or incorrect statements +- Mis-match between specification and implementation of any component + +## Modules +- x/staking +- x/slashing +- SDK standard datatype library + +We are interested in bugs in other modules, however the above are most likely to have +significant vulnerabilities, due to the complexity / nuance involved + +## How we process Tx parameters +- Integer operations on tx parameters, especially sdk.Int / sdk.Uint +- Gas calculation & parameter choices +- Tx signature verification (code in x/auth/ante.go) +- Possible Node DoS vectors. (Perhaps due to Gas weighting / non constant timing) + +## Handling private keys +- HD key derivation, local and Ledger, and all key-management functionality +- Side-channel attack vectors with our implementations + +## Least capabilities system +- Attack vectors in our least capabilities system +- Scenarios where a chain runs a "Malicious module" + - One example is a malicious module getting priviledge escalation to read + a store which it doesn't have the key for + 
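Review bot: "priviledge" in the Least capabilities bullet should be "privilege", and "Mis-match" under Specification reads better as "Mismatch". The paragraph beginning "We are interested in bugs in other modules" has no terminating period, and in "Possible Node DoS vectors. (Perhaps due to Gas weighting / non constant timing)" the period belongs after the closing parenthesis. Since this file is the first thing a finder sees, consider stating the reporting channel directly in it rather than only linking the policy page, so a reporter does not have to leave the repository to learn how to submit.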
From 3a7a19deec2094323e07beff728fa77b117bdba9 Mon Sep 17 00:00:00 2001 From: ValarDragon Date: Sat, 7 Jul 2018 12:44:06 -0700 Subject: [PATCH 2/3] Address comments --- SECURITY.md | 14 +++++--------- 1 file changed, 5 insertions(+), 9 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 9883da4c4..c4e600735 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -5,7 +5,7 @@ Policy](https://tendermint.com/security), we operate a bug bounty. See the policy for more details on submissions and rewards. The following is a list of examples of the kinds of bugs we're most interested in for -the cosmos-sdk. See [here](https://github.com/tendermint/tendermint/blob/master/SECURITY.md) for vulnerabilities we are interested in for tendermint / lower level libs. +the Cosmos SDK. See [here](https://github.com/tendermint/tendermint/blob/master/SECURITY.md) for vulnerabilities we are interested in for Tendermint, and lower-level libraries, e.g. IAVL. ## Specification - Conceptual flaws @@ -15,7 +15,8 @@ the cosmos-sdk. See [here](https://github.com/tendermint/tendermint/blob/master/ ## Modules - x/staking - x/slashing -- SDK standard datatype library +- x/types +- x/gov We are interested in bugs in other modules, however the above are most likely to have significant vulnerabilities, due to the complexity / nuance involved @@ -29,10 +30,5 @@ significant vulnerabilities, due to the complexity / nuance involved ## Handling private keys - HD key derivation, local and Ledger, and all key-management functionality - Side-channel attack vectors with our implementations - -## Least capabilities system -- Attack vectors in our least capabilities system -- Scenarios where a chain runs a "Malicious module" - - One example is a malicious module getting priviledge escalation to read - a store which it doesn't have the key for - + - e.g. key exfiltration based on time or memory-access patterns when decrypting privkey + From 8603eb2f62f99d5fd719120e6c61531e668c1c78 Mon Sep 17 00:00:00 2001 
From: ValarDragon Date: Mon, 9 Jul 2018 11:36:43 -0700 Subject: [PATCH 3/3] Remove mismatch in specification section (for now) --- SECURITY.md | 5 ----- 1 file changed, 5 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index c4e600735..4eddc8c4f 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -7,11 +7,6 @@ See the policy for more details on submissions and rewards. The following is a list of examples of the kinds of bugs we're most interested in for the Cosmos SDK. See [here](https://github.com/tendermint/tendermint/blob/master/SECURITY.md) for vulnerabilities we are interested in for Tendermint, and lower-level libraries, e.g. IAVL. -## Specification -- Conceptual flaws -- Ambiguities, inconsistencies, or incorrect statements -- Mis-match between specification and implementation of any component - ## Modules - x/staking - x/slashing
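Review bot: in the second hunk of PATCH 2/3, "x/types" looks inconsistent with the rest of the file, which refers to the integer types as sdk.Int / sdk.Uint and reserves x/ for modules (x/staking, x/auth/ante.go); if the datatypes live in a top-level types package rather than an x/ module, name the actual path so a reporter can locate the code the bounty covers. The unchanged paragraph below still says "the above are most likely to have significant vulnerabilities", which now includes x/gov; confirm that is intended.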
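Review bot: the third hunk of PATCH 2/3 deletes the whole "Least capabilities system" section, including the malicious-module store-access scenario, while the commit message ("Address comments") gives no reason; record the rationale in the message, or replace the section with a one-line pointer, so reporters do not read the removal as that class of bug being out of scope. The added "+ - e.g. key exfiltration based on time or memory-access patterns when decrypting privkey" line is a useful concretisation of the side-channel bullet; the "+ " line after it only adds a whitespace-only line at end of file and can be dropped.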
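Review bot: PATCH 3/3 removes the Specification section, so "Mis-match between specification and implementation of any component" disappears from the scope list with only "(for now)" in the commit message as explanation; since the unchanged context line still promises "a list of examples of the kinds of bugs we're most interested in", either keep a single bullet saying spec/implementation mismatches remain welcome or note in the file where that scope is tracked until the section returns.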