Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Security Assessment for oqsprovider (Open Quantum Safe provider for OpenSSL 3.x) #1333

Closed
8 of 13 tasks
anvega opened this issue Jul 26, 2024 · 52 comments
Closed
8 of 13 tasks
Assignees
Labels
assessment project security assessments (one issue per project)

Comments

@anvega
Copy link
Contributor

anvega commented Jul 26, 2024

Project Name: oqsprovider - (Open Quantum Safe provider for OpenSSL3.x )

Github URL: https://github.com/open-quantum-safe/oqs-provider
Issue tracker: open-quantum-safe/oqs-provider#451

The oqsprovider project offers standards-track post-quantum key exchange, authentication, and ciphersuites in the TLS protocol without requiring code changes to any installation running OpenSSLv3.

The project is now part of the Linux Foundation PQCA. This will be the first time an assessment is done for a project not seeking to progress stages in the CNCF, but solely for sensibly "scrutinizing" it.

As @baentsch expressed:

"Most things are pretty obvious but I'm feeling an ethical obligation to first witness more committed contributors before implementing/declaring as "good" things this self-assessment suggests. Otherwise, I'd be afraid this would create a false sense of reliability to users ("badges", "alliance endorsement", etc marketing fluff) -- all the while the code is [maintained thanklessly by the proverbial random guy in Nebraska](https://www.theregister.com/2021/05/10/untangling_open_sources_sustainability_problem/) (err, Switzerland :)."

The project lead has completed a self-assessment, and I volunteer to be the lead reviewer. I declare a soft conflict of interest, having made a cosmetic contribution by fixing the CI build badges of another Open Quantum Safe project and starting to use it in my work.

  • Identify team
  • Project lead provides draft document: oqsprovider-self-assessment-20240726.md
  • "Naive question phase" Lead Security Reviewer asks clarifying questions
  • Assign issue to security reviewers
  • Initial review
  • The draft findings will be shared with the project team.
  • There will be a presentation and discussion about the findings.
  • Assessment summary and doc checked into /assessments/projects/project-name (require at least 1 co-chair approval)

Maybe I can interest @mnm678, @JustinCappos, and @hlandau to participate as reviewers.

@anvega anvega added the assessment project security assessments (one issue per project) label Jul 26, 2024
@anvega anvega self-assigned this Jul 26, 2024
@dehatideep
Copy link

dehatideep commented Jul 27, 2024

I am very keen to be part of this review. Being a newbie to this process I am going through various guides available at https://github.com/cncf/tag-security/tree/main/community/assessments/guide with furious pace, though I have done various similar security assessments for my work projects and hoping I'll move fast, and that I have no hard or soft conflict of interest whatsoever in this regard.

@hubbertsmith
Copy link

as a reviewer, I have no hard or soft conflicts of interest

@SophiaUgo
Copy link

I’m very much interested in contributing and a Cloud Sec, I’m going through the doc at https://github.com/cncf/tag-security/tree/main/community/assessments/guide

@JustinCappos
Copy link
Collaborator

I’m very much interested in contributing and a Cloud Sec, I’m going through the doc at https://github.com/cncf/tag-security/tree/main/community/assessments/guide

Okay @SophiaUgo, please send your conflict statement when ready.

@amanda-gonzalez
Copy link
Contributor

I'd love to be an observer for this assessment if you all are open to having one! I have no soft or hard conflicts :)

@JustinCappos
Copy link
Collaborator

JustinCappos commented Aug 3, 2024

Dropping @SophiaUgo until she approves her conflict statement.

@anvega , you're ready to go!

@SophiaUgo
Copy link

SophiaUgo commented Aug 4, 2024 via email

@JustinCappos
Copy link
Collaborator

How do I drop my conflict statement @justin Cappos

On Sat, Aug 3, 2024 at 7:53 PM Justin Cappos @.> wrote: Dropping @SophiaUgo https://github.com/SophiaUgo until she approves her conflict statement. @babysor https://github.com/babysor @anvega https://github.com/anvega , you're ready to go! — Reply to this email directly, view it on GitHub <#1333 (comment)>, or unsubscribe https://github.com/notifications/unsubscribe-auth/AY3KAZY6QHRZJIUWO7F7IGLZPURKHAVCNFSM6AAAAABLQ3QJKCVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDENRXGEYDANJRGU . You are receiving this because you were mentioned.Message ID: @.>

Sorry for the broken link. Please read this: https://github.com/cncf/tag-security/blob/main/community/assessments/guide/security-reviewer.md#conflict-of-interest and post on this issue.

@SophiaUgo
Copy link

SophiaUgo commented Aug 5, 2024

Conflict of Interest Statement

Hard Conflicts

  • Y/N: No
    • Reviewer is a currently a maintainer of the project: No
    • Reviewer is direct report of/to a current maintainer of the project: No
    • Reviewer has significant personal relationships with project maintainers: No

Soft Conflicts

  • Y/N: No
    • Reviewer is interested in contributing to the project: Yes
    • Reviewer uses the project in their personal projects or studies: No
    • Reviewer has contributed to the project in the past: No

I have reviewed the conflict of interest guidelines and declare that I have no hard conflicts of interest that would prevent me from participating in this security assessment and or soft link conflict. However, I am interested in contributing to the project and I am committed to providing a balanced and fair assessment.

I would also like to express my interest in shadowing experienced reviewers to learn more about the security assessment process.

@dehatideep
Copy link

@anvega @JustinCappos I just finished reading https://github.com/cncf/tag-security/blob/main/community/assessments/Open_and_Secure.pdf. I had started reading it to work on tag-security-baseline survey/assessment, which I just completed, and I am sure it will come handy or rather more useful for this assessment. I think you'll see some progress on this one now. I am writing though to let you know that I enjoyed reading your analysis/comments in the above doc. My entire experience of threat modeling etc. come from on the job experience and I have certainly read a few things on-demand basis, understand the terminologies and the issues involved, however above doc is so lucid, easy flowing, simple and easily understood bank example you have given, the conversational styles you have used, and I loved it all :) . Thank you!

@anvega
Copy link
Contributor Author

anvega commented Aug 14, 2024

I've completed the initial phase of asking my naive questions, which Michael has been graciously helping me with. The Markdown has been successfully converted to Google Docs, and you can find the document here.

@dehatideep has also mentioned that he’s started reviewing the material independently. It might be a good idea to wrap up this initial round of "naive" questions and aim to convene with @baentsch and everyone else next week. Considering our locations—Michael in Switzerland, Deep, @hubbertsmith, and myself on the US West Coast, and @SophiaUgo in Nigeria—I suggest we meet at 10:00 AM PT (US West Coast) / 7:00 PM CET (Switzerland) / 6:00 PM WAT (Nigeria). If that doesn’t work, we could also consider 8:00 AM PT / 5:00 PM CET / 4:00 PM WAT as an alternative time.

@hubbertsmith
Copy link

hubbertsmith commented Aug 14, 2024 via email

@dehatideep
Copy link

I've completed the initial phase of asking my naive questions, which Michael has been graciously helping me with. The Markdown has been successfully converted to Google Docs, and you can find the document here.

@dehatideep has also mentioned that he’s started reviewing the material independently. It might be a good idea to wrap up this initial round of "naive" questions and aim to convene with @baentsch and everyone else next week. Considering our locations—Michael in Switzerland, Deep, @hubbertsmith, and myself on the US West Coast, and @SophiaUgo in Nigeria—I suggest we meet at 10:00 AM PT (US West Coast) / 7:00 PM CET (Switzerland) / 6:00 PM WAT (Nigeria). If that doesn’t work, we could also consider 8:00 AM PT / 5:00 PM CET / 4:00 PM WAT as an alternative time.

@baentsch I have added my Qs in the google doc assessment. Please see and clarify. Sorry for the delay.
@anvega I am fine with the proposed time above.

@baentsch
Copy link

@anvega Will you send an invite for the slot above? Which day? Hope I will still be awake enough to give reasonable answers (am an "early bird"). Any questions ahead (via the Google doc) thus would be welcome. I answered all by @anvega and @dehatideep so far.

@anvega
Copy link
Contributor Author

anvega commented Aug 19, 2024

@baentsch @dehatideep How about 9 AM PST / 4 PM CET this coming Friday or next Tuesday?

@hubbertsmith
Copy link

I'm Ok with friday (anytime other than 9am MDT)
I'm OK with next tuesday (anytime other than 8am MDT)
cheers
H

@dehatideep
Copy link

dehatideep commented Aug 19, 2024

@baentsch @dehatideep How about 9 AM PST / 4 PM CET this coming Friday or next Tuesday?

@baentsch @anvega Funny that Fri 9 am PDT is the only day when I am not available. Please choose any day except this Fri. Thank you.

@baentsch
Copy link

@baentsch @dehatideep How about 9 AM PST / 4 PM CET this coming Friday or next Tuesday?

Hmm, 9 AM PST would be 6 PM CET, no? Assuming the PST time is right, Fri 1800 would be good for me, Tue 1800 would not be (OQS team call at 1830).

@dehatideep
Copy link

dehatideep commented Aug 20, 2024

@baentsch @dehatideep How about 9 AM PST / 4 PM CET this coming Friday or next Tuesday?

Hmm, 9 AM PST would be 6 PM CET, no? Assuming the PST time is right, Fri 1800 would be good for me, Tue 1800 would not be (OQS team call at 1830).

@baentsch @anvega Unfortunately I've work related event on Fri, morning (PT) to afternoon, so can not manage at all. Tue I can manage in the morning except 7:50 am PT- 8:30 am PT. 8:30 am PT would be 17:30 am CET.
9 am PT works for me often, including Fri, but not this Fri.

@baentsch
Copy link

This then seems to suggest 1h max @ next Tue, 8:30am PST/1730 CET/1530 UTC.

OK, @anvega @dehatideep @hubbertsmith @SophiaUgo ?

@SophiaUgo
Copy link

That works for me @baentsch

@dehatideep
Copy link

Yes, next Tue, 8:30 AM PT works for me. @baentsch

@baentsch
Copy link

@anvega For the avoidance of doubt: I don't have a Zoom link available, so could you please send/post an invite as per the above with suitable login data? Thanks in advance!

@baentsch
Copy link

@anvega Are you out there? OK with you making available meeting details for the slot above tomorrow?

@hubbertsmith
Copy link

works for me

@anvega
Copy link
Contributor Author

anvega commented Aug 26, 2024

I'm returning from a trip that ended up being extended beyond the original plan.

Instead of meeting tomorrow, let's reschedule for Thursday.

I'll send a Zoom link that requires only password authentication, without the need for an account. If you prefer Google Meet, we can easily switch to that. I'll schedule it for an hour but plan for 45 min.

@baentsch
Copy link

Instead of meeting tomorrow, let's reschedule for Thursday.

Sorry, that doesn't work for me: I'm on the road Thu-Sat. Afterwards OK again, but then with rather mercurial Internet connectivity in our holiday home: I have a hunch there's still a microwave radio link involved connecting the island: Video often drops out, but speech is OK except in strong gales. Yes, I know, sad for the 21st century but it is how it is. Pick any day at 1530 UTC from Sep 1 onwards.

@hubbertsmith
Copy link

hubbertsmith commented Aug 27, 2024 via email

@hubbertsmith
Copy link

hubbertsmith commented Aug 27, 2024 via email

@baentsch
Copy link

@hubbertsmith FWIW, I also won't be there on Thu, either (see comment above). Besides, it originally had been scheduled for 1530 UTC, i.e., only in 30mins.

@baentsch
Copy link

Tagging @anvega to reschedule as per the above, if you'd like me to participate.

@anvega
Copy link
Contributor Author

anvega commented Aug 29, 2024

Could we aim for 1530 UTC next Tuesday? Let me know if that works for you, or if there's a better day next week

@dehatideep
Copy link

@anvega @baentsch 1530 UTC (08:30 AM Pacific Time) on Tue, Sep 3 works for me. Thank you.

@hubbertsmith
Copy link

hubbertsmith commented Aug 29, 2024 via email

@dehatideep
Copy link

@anvega I do not see any zoom meeting info for today's (Sep 03) meeting. can you please share if this meeting is still on.

@baentsch
Copy link

baentsch commented Sep 3, 2024

I am waiting in the Zoom link for Aug 29 (assuming that is still valid -- "waiting for the host to open"....)

@dehatideep
Copy link

@baentsch Zoom doesn't allow me to use Aug 29 meeting link. I tried using just the meeting id but it gets stuck saying meeting was on Aug 29.

@baentsch
Copy link

baentsch commented Sep 3, 2024

@dehatideep Nope -- the link works OK (I'm using the brower access, not the app) -- it does state "Aug 29", but it opened OK -- just waiting for the host... @anvega : Any other link to use??

@baentsch
Copy link

baentsch commented Sep 3, 2024

Maybe a calendar invite would have been better (sync'd with the alarm clocks for folks on the Pacific rim :-)

@dehatideep
Copy link

dehatideep commented Sep 3, 2024

Maybe a calendar invite would have been better (sync'd with the alarm clocks for folks on the Pacific rim :-)

Yes :) , I am at the west coast too!

@baentsch
Copy link

baentsch commented Sep 3, 2024

@anvega I'll stay on until 1545 UTC and then call it a day (for me it's about dinner time :). Please reschedule (maybe indeed with calendar reminder) for the same time another day that suits everyone. I'm available all (next) days except Friday.

@dehatideep
Copy link

@baentsch I am not able to join Aug 29 meeting at all, it bails out every time saying Aug 29 meeting. I am hanging here till you are around, just in case Andres joins. If he does, probably we'll need a new meeting.

@baentsch
Copy link

baentsch commented Sep 3, 2024

@baentsch I am not able to join Aug 29 meeting at all, it bails out every time saying Aug 29 meeting. I am hanging here till you are around, just in case Andres joins. If he does, probably we'll need a new meeting.

OK -- I'm indeed leaving now ... Thanks @dehatideep for "having been (t)here" -- hope to meet you another day! CU

@anvega
Copy link
Contributor Author

anvega commented Sep 3, 2024

Apologies—I had a minor accident over the holiday here in the US that required a checkup, but I'm finally back online after being discharged. I have emails for Michael and Deep, and I'll move the coordination to email to ensure everyone gets the calendar invite.

@dehatideep
Copy link

Apologies—I had a minor accident over the holiday here in the US that required a checkup, but I'm finally back online after being discharged. I have emails for Michael and Deep, and I'll move the coordination to email to ensure everyone gets the calendar invite.

Thanks and take care!

@baentsch
Copy link

baentsch commented Sep 3, 2024

I'll move the coordination to email to ensure everyone gets the calendar invite.

Take your time: First get well, @anvega !

@dehatideep
Copy link

dehatideep commented Sep 16, 2024

@baentsch I have SonarQube static analysis with me. There are a few issues and I assume it could all very well be captured under open-quantum-safe/oqs-provider#514, though issue#514 is a coverity scan. Majority of issues are for test code, do you care about it or only oqsprov and oqs-template code? My scan result URL is not public, so I can put it in a word file pointing to issue, code snippet, and probable fix. Do you want me to create one and attach it in the issue#514? Below are the findings but some careful looking suggests real issues are less than 10%.
image
Also a couple of cmd inj and an xss issue seem real but I am not sure if these can be invoked directly in real env.
image
So, please let me know.
Thanks.

@baentsch
Copy link

Thanks for sharing the report @dehatideep .

Majority of issues are for test code, do you care about it or only oqsprov and oqs-template code

Fascinating observation: Indeed, I took less care when doing the test code as opposed to the actually running oqsprov code, but I wouldn't have imagined it becomes so clearly visible :-/ To answer the question: oqsprov takes precedence, but the rest should also be clean as wrong testing might also hide "real code" problems.

assume it could all very well be captured under open-quantum-safe/oqs-provider#514

I wouldn't do that: These are different tools, so different issues should be used to report/fix them (unless you'd say that open-quantum-safe/oqs-provider#514 pretty much covers everything that your tool detects (?)).

Finally, while I'm happy that several people look at the problem with different tools, this is not creating a long-term, continuous guard for oqsprovider: The code will continue to evolve and it cannot be a solution that you regularly manually run a tool to fix problems someone else introduced in a PR: CI should flag such problems and the original author should also fix them.

@dehatideep
Copy link

@baentsch Thank you for your response and clarifications. I'll create an issue and will attach issues which are indeed issues.

@dehatideep
Copy link

@baentsch @anvega
SonarQube Static Analysis captured at: open-quantum-safe/oqs-provider#526
Thank you.

@dehatideep
Copy link

dehatideep commented Nov 13, 2024

This assessment is complete and following findings were shared with oqsprovider team:

  1. Static analysis report tied to code, XSS issues and test case issues were shared with oqsprovider team.
  2. Assessment where openssl issues may also be percolated to oqsprovider, were discussed with oqsprovider team but this is no different to any provider attachment.
  3. Given oqsprovider supports hybrid mode, it must be made sure libcrypto and libpq are safeguarded against malicious update.

Given these feedback were enough to get the general feedback, this issue is closed from assessment perspective.

@mnm678 mnm678 moved this from In progress to Done in Security Assessments Queue Dec 6, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
assessment project security assessments (one issue per project)
Projects
Development

No branches or pull requests

8 participants