-
Notifications
You must be signed in to change notification settings - Fork 1
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Assurance - initial docs #8
Draft
planetf1
wants to merge
1
commit into
pq-code-package:main
Choose a base branch
from
planetf1:assurance1
base: main
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Draft
Changes from all commits
Commits
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,151 @@ | ||
# Assurance | ||
|
||
Many different factors contribute to the perceived quality, or trust, of an algorithm implementation. | ||
|
||
Each implementation will claim different combinations of these factors and provide evidence to support. | ||
|
||
|
||
|
||
## Assurance Levels | ||
|
||
### AL0 | ||
|
||
Implementation is provided on a best-efforts basis. | ||
It is likely such implementations are currently being worked on and target | ||
AL1 at a minimum. | ||
|
||
### AL1 | ||
|
||
Standard Software Engineering best-practice has been followed | ||
including documenting usage, assumptions, execution of unit tests | ||
and using . | ||
|
||
### AL2 | ||
|
||
In addition to above, specific consideration has been made to ensure | ||
the cryptographic correctness of the algorithms. This applies not just to source but to generated/binary code. Tooling/compilers/options details must be provided. | ||
|
||
### AL3 | ||
|
||
In addition to above, implementations at this level have undergone external audit | ||
or provide a high level of formal proof. | ||
|
||
## Checks required for different levels | ||
|
||
| Check | Description | AL1 | AL2 | AL3 | | ||
| -- | -- | -- | -- | -- | | ||
| DOC-1 | Assumptions | Y | Y | Y | | ||
| TEST-1 | Unit tests | Y | Y | Y | | ||
| TEST-2 | Test Vectors | | Y | Y | | ||
| TEST-3 | Constant Time | | Y | Y | | ||
| TEST-4 | Fuzzing | | Y | Y | | ||
| TEST-5 | Static Analysis | Y | Y | Y | | ||
| TEST-6 | Bounds checking | Y | Y | Y | | ||
| TEST-7 | Address Sanity | | Y | Y | | ||
| AUDIT-1 | External audit | | | Y | | ||
| PROOF-1 | Formal Proof | | | Y | | ||
|
||
## Details on checks | ||
|
||
### Assumptions Documented | ||
|
||
Assumptions and constraints relating to use of the implementation are clearly documented. | ||
|
||
#### Evidence | ||
|
||
- Links to documentation | ||
|
||
### Unit tests | ||
|
||
Unit tests used to validate expected behaviour. 90% code coverage required. | ||
|
||
#### Evidence | ||
|
||
- documentation including how to run | ||
- explanation of what areas of code are not covered and why | ||
- Results from CI | ||
|
||
### Test Vectors | ||
|
||
tested against trusted test vectors such as those covered by NIST's [CAVP program](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program) | ||
|
||
#### Evidence | ||
|
||
- Description of test vectors used, and why chosen | ||
- Results from CI | ||
|
||
### Fuzzing | ||
|
||
Fuzz testing is used to inject invalid/unexpected test data and to then check the implementation behaves appropriately with no unexpected behaviour. | ||
|
||
#### Evidence | ||
|
||
- Description of fuzzing tool used | ||
- Results from CI | ||
|
||
### Constant Time | ||
|
||
Code is tested to ensure that it executes in constant time, regardless of secret values. For example branching based on secret values, or divisions may cause leakage of secrets. | ||
|
||
#### Evidence | ||
|
||
- Description of tool used, and why chosen | ||
- Results from CI | ||
|
||
### Static Analysis | ||
|
||
Many kinds of checks are run against source code to check for common coding errors. This may include other items on this list. | ||
|
||
#### Evidence | ||
|
||
- Description of tool used, and why chosen | ||
- Types of static analysis performed | ||
- Results from CI | ||
|
||
### Type Safety | ||
|
||
Code is checked for appropriate assignment at compile time. | ||
|
||
### Bounds checking | ||
|
||
#### Evidence | ||
|
||
### Address Sanity | ||
|
||
This goes beyond bounds checking to also validate all memory accesses and | ||
catch the use of freed memory. | ||
|
||
### Thread Sanity | ||
|
||
This checks that code is thread safe and identifies potential race conditions. | ||
|
||
### External Audit | ||
|
||
Implementation has been verified by a trusted third-party. | ||
|
||
#### Evidence Required | ||
|
||
- Details of auditing organization & references | ||
|
||
|
||
### Formal Correctness Proof | ||
|
||
Formal verification has been done of the implementation against it's specification using mathematical techniques. | ||
|
||
#### Evidence Required | ||
|
||
|
||
## Potential tools used to demonstrate assurance | ||
|
||
- [CBMC](https://github.com/diffblue/cbmc) | ||
- [F*](https://www.fstar-lang.org) | ||
|
||
## Evidence | ||
|
||
Each algorithm should provide a justification for each requirement it meets: | ||
|
||
## CBOM | ||
|
||
!!! - | ||
|
||
## Ontology |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we require reasoning at the assembly/binary level for AL2?