define scope for code audit

brenzi commented 3 years ago

Please define source code files that must undergo a security audit

quantification: We need to know lines of code (LOC) of

worker
client
enclave

pure lines, no comments or whitespace

[x] study previous audits for polkadot/substrate

murerfel commented 3 years ago

Using SCC to count lines of code against the current master branch of https://github.com/scs/substraTEE-worker:

Worker

───────────────────────────────────────────────────────────────────────────────
Language                 Files     Lines   Blanks  Comments     Code Complexity
───────────────────────────────────────────────────────────────────────────────
Rust                        17      2544      272       329     1943        141
TOML                         2       101       21         1       79          0
YAML                         1       119        3         4      112          0
───────────────────────────────────────────────────────────────────────────────
Total                       20      2764      296       334     2134        141
───────────────────────────────────────────────────────────────────────────────
Estimated Cost to Develop (organic) $59,875
Estimated Schedule Effort (organic) 4.718119 months
Estimated People Required (organic) 1.127448
───────────────────────────────────────────────────────────────────────────────
Processed 91750 bytes, 0.092 megabytes (SI)
───────────────────────────────────────────────────────────────────────────────

--> 1943 lines of code

Enclave

───────────────────────────────────────────────────────────────────────────────
Language                 Files     Lines   Blanks  Comments     Code Complexity
───────────────────────────────────────────────────────────────────────────────
Rust                        38     12106     1459      1726     8921        476
TOML                         3       272       52         6      214          0
XML                          2        24        0         2       22          0
JSON                         1        31        0         0       31          0
LD Script                    1         9        0         0        9          0
Makefile                     1        52        5        27       20          0
───────────────────────────────────────────────────────────────────────────────
Total                       46     12494     1516      1761     9217        476
───────────────────────────────────────────────────────────────────────────────
Estimated Cost to Develop (organic) $278,236
Estimated Schedule Effort (organic) 8.458464 months
Estimated People Required (organic) 2.922394
───────────────────────────────────────────────────────────────────────────────
Processed 421695 bytes, 0.422 megabytes (SI)
───────────────────────────────────────────────────────────────────────────────

--> 8921 lines of code

client

───────────────────────────────────────────────────────────────────────────────
Language                 Files     Lines   Blanks  Comments     Code Complexity
───────────────────────────────────────────────────────────────────────────────
Shell                        3       327       46        64      217         12
Markdown                     1        20        2         0       18          0
Rust                         1       883       45        44      794         31
TOML                         1        85       17         2       66          0
───────────────────────────────────────────────────────────────────────────────
Total                        6      1315      110       110     1095         43
───────────────────────────────────────────────────────────────────────────────
Estimated Cost to Develop (organic) $29,715
Estimated Schedule Effort (organic) 3.615318 months
Estimated People Required (organic) 0.730213
───────────────────────────────────────────────────────────────────────────────
Processed 48607 bytes, 0.049 megabytes (SI)
───────────────────────────────────────────────────────────────────────────────

--> 794 lines of code

murerfel commented 3 years ago

Parity Substrate Security Review

Found a report from 2018, where parity had parts of their code base audited: https://www.parity.io/blog/parity-completes-trail-of-bits-security-review/ , with a pdf report: https://www.trailofbits.com/reports/parity.pdf

Report was made for (now obsolete?) wallet and smart contracts done by Parity (Rust, JS and Solidity)
Only select security critical modules were assessed, including RPC/Http server

Polkadot Security Audit

Security audit of Polkadot -> https://medium.com/web3foundation/polkadot-security-audits-atredis-ba14246aa7c5 and detailed report is here https://assets.polkadot.network/security-audits/Atredis_Partners-Web3-Polkadot-PlatformSecurityAssessment.pdf

murerfel commented 3 years ago

Parts to exclude

Test / mock code
- core-primitives/test/
- enclave-runtime/test/
- enclave-runtime/tests.rs
CLI client
- cli/*
- app-libs/stf/cli.rs
- core/rpc-client/
- core/rpc-server/
(maybe?) untrusted worker / service -> service/*. Only if there aren't any security critical parts
Parts in the enclave-runtime that were mostly copied from substrate:
- top_pool/*
- rpc/author/*

Parts to include

app-libs/stf/*
core/*
core-primitives/*
enclave-runtime/*
sidechain/*

Issues to resolve before audit

[ ] #367
[ ] #368
[ ] #364
[x] #361
[ ] #410
[ ] (maybe?) #88

integritee-network / worker

define scope for code audit #270

Worker

Enclave

client

Parity Substrate Security Review

Polkadot Security Audit

Parts to exclude

Parts to include

Issues to resolve before audit