Vulnerability hunting checklist

[ggutoski]

Need to comb through tofn code to hunt down the last few problem spots:

• [x] eliminate panics (it's hopeless 🙁 )
• [x] check for places where we need secure erasures of secrets in memory
• [x] check the tofn API to make sure no leakage of secrets is allowed via various queries, "injection attacks" (put a command inside some field to trigger a malicious behavior), etc. This item excludes #158 .
• [x] NCC audit findings (including appendix): non-Paillier #157
• [x] NCC audit findings (including appendix): Paillier #160

[ggutoski]

On eliminating panics

This is a weakness of Rust 🙁 . There is no complete solution. Some tools that might help:

• no-panic seems to be the leading contender. It provides a compile-time guarantee that panic cannot occur, but the caveats are quite limiting and you need to pollute your code base with #[no_panic] everywhere. It's inspired by https://github.com/Kixunil/dont_panic
• rustig
• prusti

[ggutoski]

On leakage of secrets and "injection attacks"

A convenient way to get a view of the public API is to run cargo doc --open. Cargo builds docs for the crate's public API, the --open flag opens a browser to view it.

This topic naturally includes issue #158 but we should keep #158 out of scope for this issue so as to avoid issue bloat.

[milapsheth]

NCC audit findings 003 (composite modulus check) and 004 (modulus length check) have been addressed in #160. Finding 005 will be fixed in another PR.

[milapsheth]

Finding 005 was addressed in #173