From 8fb1005c5ea454d450b20a3ae5f5d40be3c3dd44 Mon Sep 17 00:00:00 2001 From: Taylor Hornby Date: Tue, 12 Jul 2016 13:34:34 -0600 Subject: [PATCH 1/5] Add security warnings doc with warning about side channels. --- README.md | 7 +++++++ doc/security-warnings.md | 26 ++++++++++++++++++++++++++ 2 files changed, 33 insertions(+) create mode 100644 doc/security-warnings.md diff --git a/README.md b/README.md index d05fe0eaa..e6dc3f304 100644 --- a/README.md +++ b/README.md @@ -19,8 +19,15 @@ proving scheme which preserves confidentiality of transaction metadata. Participation in the Zcash project is subject to a [Code of Conduct](code_of_conduct.md). +Security Warnings +----------------- + +See important security warnings in +[doc/security-warnings.md](doc/security-warnings.md). + License ------- Zcash Core is released under the terms of the MIT license. See [COPYING](COPYING) for more information or see http://opensource.org/licenses/MIT. + diff --git a/doc/security-warnings.md b/doc/security-warnings.md new file mode 100644 index 000000000..9838154c6 --- /dev/null +++ b/doc/security-warnings.md 
@@ -0,0 +1,26 @@ +Security Warnings +==================== + +Security Audit +-------------- + +Zcash has not yet been subjected to a formal third-party security review. This +section will be updated with links to security audit reports in the future. + +Side-Channel Attacks +-------------------- + +This implementation of Zcash is not resistant to side-channel attacks. You +should assume other unprivileged users running on the same hardware as your +`zcashd` process will be able to: + +- Determine which note your are spending by observing cache side-channels as you + perform a JoinSplit operation. This is due to probable side-channel leakage in + the libsnark proving machinery. + +- Determine which notes you own by observing cache side-channel information + leakage from the incremental witnesses as they are updated with new notes. + +You should ensure no other users have the ability to execute code (even +unprivileged) on the hardware your `zcashd` process runs on until these +vulnerabilities are fully analyzed and fixed. From 60991f9e7b926800e84366dd8e54fc771d7302b2 Mon Sep 17 00:00:00 2001 From: Taylor Hornby Date: Tue, 12 Jul 2016 15:22:17 -0600 Subject: [PATCH 2/5] Add another security warning --- doc/security-warnings.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/doc/security-warnings.md b/doc/security-warnings.md index 9838154c6..fcf476409 100644 --- a/doc/security-warnings.md +++ b/doc/security-warnings.md 
@@ -7,6 +7,14 @@ Security Audit Zcash has not yet been subjected to a formal third-party security review. This section will be updated with links to security audit reports in the future. +x86-64 Linux Only +----------------------- + +There are [known bugs](https://github.com/scipr-lab/libsnark/issues/26) which +make proving keys generated on 64-bit systems unusable on 32-bit and big-endian +systems. It's unclear if a warning will be issued in this case, or if the +proving system will be silently compromised. + Side-Channel Attacks -------------------- From 2b5c33e1016368cce079210cf325614cb2ece631 Mon Sep 17 00:00:00 2001 From: Taylor Hornby Date: Wed, 13 Jul 2016 18:23:11 -0600 Subject: [PATCH 3/5] Add the results of #784 to security warnings. --- doc/security-warnings.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/doc/security-warnings.md b/doc/security-warnings.md index fcf476409..e200c74ae 100644 --- a/doc/security-warnings.md +++ b/doc/security-warnings.md @@ -29,6 +29,9 @@ should assume other unprivileged users running on the same hardware as your - Determine which notes you own by observing cache side-channel information leakage from the incremental witnesses as they are updated with new notes. +- Determine which notes you own by observing the trial decryption process of + each note ciphertext on the blockchain. + You should ensure no other users have the ability to execute code (even unprivileged) on the hardware your `zcashd` process runs on until these vulnerabilities are fully analyzed and fixed. From 35b3168d2c6de67ed14425bc4fdd372ff0e86e10 Mon Sep 17 00:00:00 2001 From: Taylor Hornby Date: Mon, 18 Jul 2016 14:50:07 -0600 Subject: [PATCH 4/5] Note that the actual secret spending key may be leaked. --- doc/security-warnings.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/doc/security-warnings.md b/doc/security-warnings.md index e200c74ae..1066dbf90 100644 --- a/doc/security-warnings.md +++ b/doc/security-warnings.md 
@@ -22,9 +22,10 @@ This implementation of Zcash is not resistant to side-channel attacks. You should assume other unprivileged users running on the same hardware as your `zcashd` process will be able to: -- Determine which note your are spending by observing cache side-channels as you - perform a JoinSplit operation. This is due to probable side-channel leakage in - the libsnark proving machinery. +- Determine the values of your secret spending keys, as well as which notes you + are spending, by observing cache side-channels as you perform a JoinSplit + operation. This is due to probable side-channel leakage in the libsnark + proving machinery. - Determine which notes you own by observing cache side-channel information leakage from the incremental witnesses as they are updated with new notes. From b722000231f922f7f1789164c4b40db89ba62c61 Mon Sep 17 00:00:00 2001 From: Taylor Hornby Date: Mon, 18 Jul 2016 14:54:22 -0600 Subject: [PATCH 5/5] Mention physical access / close proximity --- doc/security-warnings.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/doc/security-warnings.md b/doc/security-warnings.md index 1066dbf90..a999fe17e 100644 --- a/doc/security-warnings.md +++ b/doc/security-warnings.md @@ -19,8 +19,9 @@ Side-Channel Attacks -------------------- This implementation of Zcash is not resistant to side-channel attacks. You -should assume other unprivileged users running on the same hardware as your -`zcashd` process will be able to: +should assume (even unprivileged) users who are running on the hardware, or who +are physically near the hardware, that your `zcashd` process is running on will +be able to: - Determine the values of your secret spending keys, as well as which notes you are spending, by observing cache side-channels as you perform a JoinSplit
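Review bot: the README.md hunk in PATCH 1/5 ends with an unrelated whitespace change, a bare `+` line appended after the `http://opensource.org/licenses/MIT` link that adds a trailing blank line to the file. Drop that line so the hunk is limited to the new `Security Warnings` section and the link to `doc/security-warnings.md`.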
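Review bot: the new `doc/security-warnings.md` in PATCH 1/5 has a typo in the first bullet, "Determine which note your are spending" should read "which note you are spending" (it is only corrected three commits later, in PATCH 4/5; fixing it here keeps the series clean). Minor: the `====================` underline under `Security Warnings` is longer than the title, while the `--------------` underlines in the same file are matched to their headings; matching the top one keeps the setext style consistent.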
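Review bot: the heading added in PATCH 2/5, `x86-64 Linux Only`, claims more than the paragraph under it supports. The body (and the linked libsnark issue #26) only justifies "64-bit little-endian", since it talks about proving keys generated on 64-bit systems being unusable on 32-bit and big-endian systems; nothing in the hunk explains why other 64-bit little-endian operating systems are excluded. Either state the Linux restriction and its reason, or retitle the section to what the text actually says. The `-----------------------` underline is also longer than the heading. Finally, "It's unclear if a warning will be issued ... or if the proving system will be silently compromised" leaves the reader without an action; add a sentence telling them not to use a proving key on a system of a different word size or endianness from the one that generated it.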
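Review bot: the bullet added in PATCH 3/5, "Determine which notes you own by observing the trial decryption process of each note ciphertext on the blockchain", names no channel, unlike the two bullets above it, which both say "cache side-channels". Say what the observer is assumed to measure during trial decryption so the reader can judge whether their deployment is affected, and consider linking #784 from the document itself rather than only from the commit message, since the doc is what users will read.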
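Review bot: in PATCH 4/5 the rewritten first bullet now folds two findings of very different severity into one sentence: recovery of "the values of your secret spending keys" (loss of funds) and "which notes you are spending" (privacy). Split them into separate bullets, with the spending-key leak first, so the most serious consequence is not buried after the privacy one; the typo fix ("your are" to "you are") in the same hunk is fine.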
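Review bot: the new sentence in PATCH 5/5, "(even unprivileged) users who are running on the hardware, or who are physically near the hardware, that your `zcashd` process is running on", is awkward: users do not run on hardware, their code does, and the trailing "that your `zcashd` process is running on" is far from the noun it modifies. Suggest "users who can run code (even unprivileged) on the hardware your `zcashd` process runs on, or who are physically near it". Also, adding physically proximate attackers is not matched by the rest of the section: every bullet still describes "cache side-channels", which need code execution, and the closing advice added in PATCH 1/5 ("You should ensure no other users have the ability to execute code ... on the hardware") gives no corresponding guidance for physical access. Either add the physical-access counterpart to that paragraph or say which bullets apply to a nearby attacker.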