input-output-hk / Certification-working-group

8 stars 9 forks source link

draft: a practical example #32

Open aleeusgr opened 1 year ago

aleeusgr commented 1 year ago

list the deliverables from:

aleeusgr commented 1 year ago
Reviewed artifacts:

- [ ] Guardian-CCS Blockchain Secure Authentication (BSA) [Security Target](https://www.commoncriteriaportal.org/files/epfiles/FNS%20-%20Guardian%20-%20CCS%20Blockchain%20Secure%20Authentication%20(BSA)%20Security%20Target%20-%201.1.pdf) - [ ] 6.3 Security Assurance Requirements - [x] Common Criteria Protection Profile [Cryptographic Service Provider](https://www.commoncriteriaportal.org/files/ppfiles/pp0104b_pdf.pdf) - [x] 3. Security Problem Definition: - [ ] Magic SSO V4.0 [Security Target](https://www.commoncriteriaportal.org/files/epfiles/Magic_SSO_V4.0-ST-v1.4_EN.pdf) - [x] Microsoft SQL Server 2022 Database Engine Enterprise Edition x64 (English), [version 16.0.4025.1 ](https://www.commoncriteriaportal.org/files/epfiles/2022-34_ST.pdf) - [x] CEM - [ ] [Part 2](https://www.commoncriteriaportal.org/files/ccfiles/CC2022PART2R1.pdf) - [ ] [Part 3](https://www.commoncriteriaportal.org/files/ccfiles/CC2022PART3R1.pdf) - [ ] [plutus-use-cases](https://github.com/input-output-hk/plutus-apps/tree/main/plutus-use-cases) for assets and threats. https://github.com/aleeusgr/testing-cardano/issues/1 https://github.com/aleeusgr/stellar-vesting/pull/26

aleeusgr commented 1 year ago

Today I tested a couple of existing projects using psm and nix. Build takes quite a long time and to find something that works seems like a lot of effort.

aleeusgr commented 1 year ago

Many thanks to https://github.com/Ali-Hill for the example repo.

https://github.com/aleeusgr/minimal-ptt-examples

aleeusgr commented 1 year ago

https://github.com/Plutonomicon/plutonomicon

aleeusgr commented 1 year ago
dots and arrows

Security concepts and relationships ![image](https://github.com/input-output-hk/Certification-working-group/assets/36756030/4a6ae752-3490-4ea4-8d81-87bf66d48bd5) Evaluation concepts and relationships ![image](https://github.com/input-output-hk/Certification-working-group/assets/36756030/e8341835-6368-4339-8a6d-4c03f4541a6f) ![image](https://github.com/input-output-hk/Certification-working-group/assets/36756030/f7db7bd0-1af8-4a1f-ade8-fa4f2fdc24fe) ![image](https://github.com/input-output-hk/Certification-working-group/assets/36756030/36b6e083-524d-4582-ac18-a68754c3865b) if you are an evaluator, you need to go through all the docs required, link them to the doc produced, evaluate that everything matches, evaluate that nothing is missed. This is why it's easier when you have a PP you can refer to. You just need to take that and ensures that you're compliant. Otherwise you really need to prove that everything has been considered in terms of security. they look like this: ![image](https://github.com/input-output-hk/Certification-working-group/assets/36756030/c1fb4e64-fd2a-467f-b26d-e4d36dceb368) From CEM: ![image](https://github.com/input-output-hk/Certification-working-group/assets/36756030/e9536aac-980a-4cf8-898c-5d5d7501babf)

aleeusgr commented 1 year ago

Thanks for the conversation, @RSoulatIOHK

Reviewing:

aleeusgr commented 1 year ago
RSoulatIOHK commented 1 year ago

Just because I was the one that made the mistake during our conversation, I think I should clarify. CEM contains Evaluation methods (hence the acronym) and not requirement templates. Part 2 and Part 3 contains them.

aleeusgr commented 1 year ago

Oh, I missed the indent🤯. Its a separate item, not a subitem of CEM.

Part 2 and 3 can be found here

Details

- [ ] Security Targets in the on-chain certificate - [x] https://www.commoncriteriaportal.org/products/ has a list of all CC certified products, and you can check the Security Targets. So if you want to see concrete Threats, assumptions, assets, security requirements and so on you can go through a few of them - [x] To establish a security target, you want to consider first what you have to protect. So for example in vesting you want to protect the vested funds. But maybe you also want to consider your datum as valuable because people might try to hijack it. Maybe you want to consider some special private keys that have some special permission as valuable. Maybe you have nft that gives some special permission as valuable etc. Once you have that, you can try to define what threats exist against those. It can even be from legitimate users, like your design needs the user to do this specific step in order for the security to be ensured. Well what happens if he doesn’t? But it can obviously also be from attackers. - [x] https://www.youtube.com/watch?v=PSAlyxhaf5c - [x] https://www.youtube.com/watch?v=Png3J4dlQ04&list=WL&index=9 - [ ] Protection Profiles would be so sweet for like "standard" scripts/Dapps such as Swaps, Dex, DAOs, etc - [ ] have a look at CEMs - [x] CEM is a large document that gives a large amount of "standardized" template requirements that you can take from And it is advised to use them, especially if they are relevant to your product. - [ ] security requirement templates. - [ ] https://github.com/input-output-hk/Certification-working-group/pull/34 - [ ] overview of what was verified by the evaluator and certified by the national scheme. - [ ] a document that describes the asssets to be considered for Cardno smart contracts and - [ ] a list of common threats associated https://www.commoncriteriaportal.org/cc/

aleeusgr commented 1 year ago

https://www.youtube.com/watch?v=Png3J4dlQ04&list=WL&index=9

CC is a language for specifying security requirements and a methodology for testing them.

security, but not functions or performance. CCRA 28 countries mutually recognizing certificates.

Scheme of the certificate, protection profile (set of functional requirements)

aleeusgr commented 1 year ago

Consider vesting validator. Our assets is Value: the bag of coins we define in the fund locking transaction. One threat is that the vulnerability where funds become unrecoverable. One implementation of Vesting is to have user pubKeyHash stored in the Datum. This is entail an assumption: users have secure practices around their keys.

aleeusgr commented 1 year ago

EXAMPLE Target of Evaluation TOE: ✅ a list of files in a configuration management system; ❔ — a single master copy that has just been compiled; ✅ the source code for a specific version of an open-source distribution; ❔ a box containing physical media and a manual, ready to be shipped to a customer; ❔ a binary file available for secure download; ❓ an installed and operational version.

aleeusgr commented 1 year ago

attack surface of a validator: X context, ✔️Redeemer, ✔️Datum

What can a hacker study to try and get the valuables locked at the validator?

aleeusgr commented 1 year ago

https://iohk.io/en/blog/posts/2022/01/27/simple-property-based-tests-for-plutus-validators/

aleeusgr commented 1 year ago

to Organisational practices: MSFT SQL.

An assumption could be: a programmer uses a trusted API to access the plutus script.

There was some talking about creating a validator that is a self-contained product: it could be used by different backends..

If a hacker wants cause damage they would build a transaction to steal funds from a validator.

So our level of analysis at this point is transaction building, I think.

Threats exist at multiple levels.

But what about the Redeemer and transaction context?

aleeusgr commented 1 year ago

Could an assumption be: the developer uses a trusted API for building transactions?

aleeusgr commented 1 year ago

An error a programmer could make is to add private information to the Datum. A Datum is public, it offers no cryptographic protection, and can't be used to store secrets.

So a threat would be "a developer can store private information in the Datum"

An assumption we have is that the user follows safe practices for managing secrets: does not lose his private key.

aleeusgr commented 1 year ago

A developer can build their system to meet a specific protection profile. EAL: evaluation assurance level

Details

![image](https://github.com/input-output-hk/Certification-working-group/assets/36756030/9d918841-6163-4885-be5c-4b323cef6029) ![image](https://github.com/input-output-hk/Certification-working-group/assets/36756030/94481b2d-403f-4159-8b30-7321cc50b64d) ![image](https://github.com/input-output-hk/Certification-working-group/assets/36756030/89d0347c-3a39-462c-b489-248e13908d4c)

https://www.youtube.com/watch?v=U81_psRHw90

aleeusgr commented 1 year ago
  1. Protection Profile is a request for a specific security solution
  2. Target of Evaluation is the product
  3. Security Target is vendors explanation of: a. Security functionality requirements b. security Assurance requirements
  4. Evaluation is testing the product against claimed specifications
  5. Evaluation assurance level
aleeusgr commented 1 year ago

🤔

T.Masqu Masquerade authorized users

"A malicous attacker can duplicate an authorization token by doing X and Y when interacting with the product"

aleeusgr commented 1 year ago

example

aleeusgr commented 1 year ago

https://www.youtube.com/watch?v=2Rr-u1iFbhY

aleeusgr commented 1 year ago

Consider which is the project that is related to this ST?

Adderall | Stellar-Vesting.

TODO

RSoulatIOHK commented 1 year ago

It's usually the other way around. You define a ST from an existing product. But as an exercise this could be fine as well.

aleeusgr commented 1 year ago

Ah.

Well, they are both vesting in Helios, but stellar vesting is built on a framework that implements UUT, "thread token" architecture.

The goal of aderall is to give a developer a mental model of eUTXO in code: to empower the developer to experiment with transaction building, dApp architecture and dApp models to understand how to architect a Web3 product.

Helios allows writing both validators and transactions (via blockfrost): the architecture need not contain the node.

So a goal of an audit would be to answer the question "can it be used on mainnet?"

aleeusgr commented 1 year ago

https://github.com/aleeusgr/potential-robot/issues/134