borgbackup / borg

Deduplicating archiver with compression and authenticated encryption.
https://www.borgbackup.org/

Organize a security audit #2481

Open. rugk opened this issue 7 years ago

rugk commented 7 years ago

It would be nice if this backup tool could get a professional security audit. I don't know whether attic once got one, but nevertheless, as so many things changed in borg, a security audit for it would also be a nice idea IMHO.

Maybe make a crowdfunding campaign or so to raise the money and maybe also make borg popular… :smile:

ThomasWaldmann commented 7 years ago

Yup, maybe when 1.2 goes beta would be a good time, as crypto and multithreading changes are planned.

rugk commented 7 years ago

How do you plan to finance it?

enkore commented 7 years ago

Audits are quite expensive and can cover very different levels of scrutiny. Some audits just look at specification or design documents (which largely don't exist for Borg), while you are probably thinking of some folks poking the code base. Given the cost there is also the latent question whether it's worth it, or if Borg is maybe not the correct target. E.g. we use msgpack a lot, which has neither been fuzzed nor audited to the best of my knowledge. Auditing Borg but then having, say, holes in msgpack would be a lot of effort for nothing :)

From my PoV it would seem to make the most sense to mainly look at two different areas: (1) Crypto code, and especially the planned changes there; (2) Filesystem code. The latter will of course have issues; that's just the nature of the thing — it's just not possible to make a race-condition free backup of a live file system.

In the meantime this might be an interesting read: https://borgbackup.readthedocs.io/en/latest/internals/security.html
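The "race-condition free backup of a live file system" point above is easy to state and worth seeing concretely. The following is an added example, not borg code and not part of this issue: it reads a file while recording size, mtime and inode before and after the read, and flags the file as having changed during the read. The `mid_read_hook` parameter is a hypothetical test seam used here to stand in for a concurrent writer; the two sample files are constructed inline. The race is not eliminated (it cannot be, as the comment says), only detected after the fact, which is the most a backup tool can do without filesystem snapshots.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Callable, Optional, Tuple


@dataclass
class FileSnapshot:
    path: str
    sha256: str
    changed_while_reading: bool  # True if metadata differed before vs. after the read


def _stat_signature(path: str) -> Tuple[int, int, int]:
    # Size, mtime and inode are the cheap signals a backup tool can compare.
    # They are evidence that a file changed, not proof that it did not.
    st = os.stat(path)
    return (st.st_size, st.st_mtime_ns, st.st_ino)


def snapshot_file(path: str, chunk_size: int = 65536,
                  mid_read_hook: Optional[Callable[[], None]] = None) -> FileSnapshot:
    """Hash a file's content and report whether it changed during the read.

    mid_read_hook is a hypothetical test seam (not a borg feature): it runs once,
    after the first chunk, where a concurrent writer would interleave in practice.
    """
    before = _stat_signature(path)
    digest = hashlib.sha256()
    hook_pending = mid_read_hook is not None
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            digest.update(chunk)
            if hook_pending:
                mid_read_hook()  # the "live system" modifies the file mid-read
                hook_pending = False
    after = _stat_signature(path)
    # A differing signature means the hash above may describe a torn file:
    # part old content, part new. Flag it so the archive entry can be marked.
    return FileSnapshot(path, digest.hexdigest(), before != after)


def demo_race(tmp_dir: Optional[str] = None) -> Tuple[bool, bool]:
    """Constructed scenario: one quiet file, one file appended to mid-read.

    Returns (quiet_changed, racing_changed).
    """
    with tempfile.TemporaryDirectory(dir=tmp_dir) as d:
        quiet = os.path.join(d, "quiet.txt")
        racing = os.path.join(d, "racing.txt")
        with open(quiet, "wb") as f:
            f.write(b"A" * 100_000)
        with open(racing, "wb") as f:
            f.write(b"B" * 100_000)

        def writer() -> None:
            # Plays the role of an application writing to the file during backup.
            with open(racing, "ab") as f:
                f.write(b"C" * 10)

        quiet_snap = snapshot_file(quiet)
        racing_snap = snapshot_file(racing, mid_read_hook=writer)
        return quiet_snap.changed_while_reading, racing_snap.changed_while_reading


if __name__ == "__main__":
    print(demo_race())
```

Because the append happens after the first 64 KiB chunk, the read continues into the new bytes and the stored hash covers a file that never existed in that exact form on disk at any single instant; the before/after comparison is what lets the tool say so instead of silently archiving it. Real tools only get a consistent view by reading from a snapshot (LVM, btrfs, ZFS, VSS), which is why the comment treats this as inherent rather than a bug to audit away.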

rugk commented 7 years ago

IMHO it's also important to check borg itself. I think some audits also cover the dependents of the projects, at least sometimes. Also, nowadays there are many actors sponsoring audits for FLOSS software, such as Mozilla, Google or the European Union. If borg were ransomware, it would likely get these audits for free, easily… :wink:

enkore commented 7 years ago

I'm afraid Borg is a bit too heavy in deployment to be used effectively for ransomware 😉

FabioPedretti commented 7 years ago

This is an interesting read: https://guidovranken.wordpress.com/ and also https://guidovranken.wordpress.com/2017/07/06/which-software-should-i-audit-next/ (probably not relevant for borg, which has little C/C++ code).

rugk commented 7 years ago

And just as we're talking, GitHub also announced something. The problem of course is that borg does not belong to critical infrastructure for the whole web (yet…), so make sure big companies start to use it as their backup tool… :wink:

ThomasWaldmann commented 2 years ago

I added this to the helium milestone. It would be a good time now considering that helium (borg 2.0) will get new crypto, see #6463.

I don't think we could afford a commercial security audit, but putting a bounty on this would be possible for sure.

awgcooper commented 1 year ago

I'm writing this on the assumption that a commercial security audit costs ~ $5k-10k. Subject to my precise financial circumstances at the time, I'd be willing to proffer an 'anchor amount' (~ $1,000) for the cost of an audit. One could then poll the userbase to see if the remaining amount could be crowdfunded.

Prior to doing this, I think it would make sense to: (i) create a broad brush scope for the audit (e.g. enkore's 5 May 2017 comment above); (ii) reach out to one or two audit companies to get a more informed view on pricing (I don't know who they are, but I presume this would be easy to find out).

Does anyone have a rough idea as to how many regular users there are of borg? I have to believe it's core software infrastructure for a meaningful number of people ('define meaningful', I know). It seems to me that the helium milestone would be a good juncture to get an audit.

Best-HeyGman commented 1 day ago

Hello, I would be willing to add 500€ to the audit fund.

The security audit for gocryptfs was done by Defuse Security (https://defuse.ca/software-security-auditing.htm) and it seems that they have experience in auditing open source software. EDIT: They even write "To give back to the community, I substantially reduce my rate for published open-source software (GPL, MIT, BSD, CC0, etc.) as well as open-access research."

Best-HeyGman commented 1 hour ago

Also, I do think a good time for the audit would be before Borg 2.0.0 stable is released, as it would be very difficult to make changes to the security architecture after that point.