Security audit

[brycx]

Before a stable version of orion is released, an audit should be done. Preferably of the whole library, though it may end up only being partly. This depends on the financial means available.

Edit: I currently have no idea about when I would be able to afford this.

[eraffaelli]

Could you tell us a little about how much an audit would cost if you have? maybe approximate numbers? Maybe you could put up a donation thing or on a crowdfunding website so the community could help?

[brycx]

Hi @eraffaelli

Could you tell us a little about how much an audit would cost if you have? maybe approximate numbers?

I certainly expect and audit to cost several thousand dollars. If the audit were to be scoped to the most important parts, depending on what that would include and based on what I've heard from others, I think it would be reasonable to expect pricing in the range of 10.000$ - 20.000$.

Back in October 2018 I reached out to three different companies, which seemed to have some experience auditing cryptographic implementations in Rust, or just experience with Rust in general. One of those got back to me with a very rough estimate for an audit of the entire codebase. I don't feel comfortable sharing the numbers however, since I don't know if they are OK with this.

Even so, that was two years ago and the library has changed quite a lot since then.

Maybe you could put up a donation thing or on a crowdfunding website so the community could help?

I've mainly held off on this because of the lack of users. You're right in that it's a good starting point, but I feel like having an updated estimate on cost of audit would be best to get down before having an attempt at crowdfunding.

Before paying for an audit, I also want to make sure the library is in a more stable state than it is now. It would make no sense to have an audit, just for the library to have several breaking changes following shortly thereafter.

If I were to set up crowdfunding now, donations would probably be better spent on testing resources and development time.

put up a donation thing or on a crowdfunding website

Did you have any specific platforms in mind? I've most commonly seen Patreon and cryptocurrencies being used.

[eraffaelli]

Thanks your answers.
I though about thing like patreon or gogetfunding yes, I don't know much about specifics platform.

[rjwalters]

@brycx - I'm curious to hear if you think this crate is closer to being audit-ready. My company recently funded an audit for parts of RustCrypto. We might be interested in helping out here as well...

(It would also be pretty great to if your work could be incorporated into the RustCrypto project too!)

[brycx]

Hi @rjwalters,

Many thanks for reaching out!

I do think we're much closer to audit-ready than last time I visited this thread. Mainly after the 0.15.0 release, which primarily focused on polishing the API for stability and ironing out the edges that people reported. The library has also received much more fuzzing since back in January.

I currently have no major breaking changes planned in the near future. The only thing that might bring this upon, is when const generics are stabilized, which could lead to some changes to the newtype's API.

I'm very interested in discussing a potential audit further, once you decide whether or not you're interested in this.

I think with a bit more detail on scoping, it would also be easier to discuss potential incorporation to RustCrypto as well.

[brycx]

@rjwalters Any news/developments on this? If you'd like to discuss things further, and not in this issue, perhaps there is some other place I can reach you?

[gilescope]

Could rust have an open-collective for funding security audits? I’m sure there’s lots of people who would chip in.

[brycx]

Could rust have an open-collective for funding security audits? I’m sure there’s lots of people who would chip in.

@gilescope I haven't heard of Open Collective before now, but it seems as a possible platform where small donations could be received. If you haven't heard of it yet, there's also the Mozilla SOS (Secure Open Source) project, that funds audits of open-source software. Though this is typically only for very widely-used projects.

Whether or not Rust itself could have an Open Collective for this, I can't say. This is something that is better brought up with official Rust team members/community-managers I guess, since a Rust-wide Open Collective would most likely have to be managed by people employed at Mozilla or similar.

[gilescope]

Ah - sorry I didn't mean to imply run by mozilla. I was thinking maybe conceptually 'owned' by this project: https://github.com/RustSec/advisory-db

Rust analyser's open collective is run through ferrus systems' company. HeadCrab has one for the pure rust debugger. I don't think the rust foundation would be in a position to host an open collective to do this for a good while yet.
Sometimes it's the smaller companies that can move much faster than the bigger ones. As long as some company can host the account you're more than halfway there I suspect. The key point is to make a pot available marked "rust security" and then goodwilled companies and individuals will be enabled to crowd fund the amount needed. If the rust security WG were happy with the proposal that would be official enough for me.

[brycx]

I see your point @gilescope. I think it's a good idea, at least worthwhile to investigate further. Though, since it's not directly related to Orion, and you propose the Rust Security WG, this is a topic that should be presented there, not here. If the WG would do this, Orion would still have to be selected for funding, from a list of other projects as well.

Regardless, we can still consider Open Collective if Orion itself starts accepting donations.