Difference between revisions of "Third-party security audits"

From Internet Computer Wiki
m (Just making a test edit to get familiar with the wiki publishing workflow)
m (Added forum and medium blog post links)
 
(5 intermediate revisions by 2 users not shown)
Line 1: Line 1:
== "IC Assessment" by Trail of Bits ==
+
== Overview==
 +
The DFINITY foundation, a major contributor to the Internet Computer blockchain, takes security very seriously. Not only do engineering and product security teams conduct various security checks and reviews internally before a feature is released, security tools, [https://internetcomputer.org/docs/current/developer-docs/security/ best practices], and formal models are also developed and open-sourced, so developers can perform their own code checks to detect bugs and improve the overall security of their dapps. What’s more, many of the major technical features built on the Internet Computer go through additional external security assessments conducted by leading organizations such as [https://www.trailofbits.com/ Trail of Bits] and [https://www.nccgroup.com/us/ NCC Group], specializing in software security assurance.
  
=== Report & Discussion ===
+
Getting external reviews complements internal security efforts and gives engineering and product security teams the opportunity to greatly benefit and learn from the different perspectives expert reviewers provide based on their knowledge and experience of other blockchain projects. After addressing the issues, DFINITY makes the audit reports public on this wiki page, so that the community sees an independent assessment of the feature’s security posture. Such reports signal to users and developers that minimizing the security risks of building on and engaging with the Internet Computer is of utmost importance.
 +
 
 +
== "ckBTC and BTC Integration Review" by Trail of Bits==
 +
 
 +
===Reports & Discussion===
 +
Date: October 6, 2023
 +
 
 +
Reports & Discussion:
 +
 
 +
*[https://medium.com/dfinity/taking-security-seriously-two-top-icp-features-assessed-by-trail-of-bits-4a0023ab1e68 Medium blog post]
 +
*[https://forum.dfinity.org/t/ckbtc-and-service-nervous-system-sns-third-party-security-assessments-by-trail-of-bits/24380 Forum post]
 +
*[https://github.com/trailofbits/publications/blob/master/reviews/2023-06-dfinity-ckBTC-securityreview.pdf Report], [https://mywikis-wiki-media.s3.us-central-1.wasabisys.com/internetcomputer/Trail_of_Bits_BTC_ckBTC_Review_Fix_Notes.pdf fix notes by DFINITY]
 +
 
 +
===Areas of the code which were audited===
 +
 
 +
*ckBTC and Bitcoin Integration
 +
 
 +
==Service Nervous System (SNS) Reviews by Trail of Bits==
 +
 
 +
===Reports & Discussion===
 +
Dates:
 +
 
 +
*First review: December 1, 2022
 +
* Second review: October 6, 2023
 +
 
 +
Reports & Discussion:
  
Date: January 4, 2022
+
*[https://medium.com/dfinity/taking-security-seriously-two-top-icp-features-assessed-by-trail-of-bits-4a0023ab1e68 Medium blog post]
 +
* [https://forum.dfinity.org/t/ckbtc-and-service-nervous-system-sns-third-party-security-assessments-by-trail-of-bits/24380 Forum post]
 +
*[https://github.com/trailofbits/publications/blob/master/reviews/2022-09-dfinity-sns-securityreview.pdf Report (2022)], includes the fix review by Trail of Bits
 +
*[https://github.com/trailofbits/publications/blob/master/reviews/2023-06-dfinity-sns-securityreview.pdf Report (2023)], [https://mywikis-wiki-media.s3.us-central-1.wasabisys.com/internetcomputer/Trail_of_Bits_SNS_Re-Review_Fix_Notes.pdf fix notes by DFINITY]
  
Report Discussion: [https://forum.dfinity.org/t/internet-computer-security-assessment-by-trail-of-bits-third-party-security-audit/10113 "IC Assessment" by Trail of Bits]
+
===Areas of the code which were audited===
  
=== Areas of the code which were audited: ===
+
*Service Nervous System (SNS)
* Internet Computer Interfaces
 
* Consensus Layer
 
* Network Nervous System
 
* Ledger Canister
 
* Governance Canister
 
* Registry Canister
 
* Cycles Minting Canister
 
* Genesis Token Canister
 
* Cryptography libraries
 
* Execution Environment
 
* P2P layer
 
* Third Party Dependencies
 
* Hardware Wallet
 
  
== "Internet Computer Consensus: Security Assessment" by Trail of Bits ==
+
=="Threshold ECDSA Integration and Bitcoin Canisters" by Trail of Bits==
  
 
=== Report & Discussion ===
 
=== Report & Discussion ===
  
Date: March 11, 2022
+
Date: September 5, 2022
 +
 
 +
Report & Discussion: [https://forum.dfinity.org/t/threshold-ecdsa-integration-and-bitcoin-canisters-security-review-by-trail-of-bits-third-party-security-audit-5/15952 "Threshold ECDSA Integration and Bitcoin Canisters - Security Review" by Trail of Bits]
 +
 
 +
===Areas of the code which were audited:===
 +
*Threshold ECDSA Integration and Bitcoin Canisters
 +
**[https://github.com/trailofbits/publications/blob/master/reviews/DFINITYThresholdECDSAandBtcCanisters.pdf "Threshold ECDSA Integration - Executive Summary"]
 +
**[https://github.com/trailofbits/publications/blob/master/reviews/DFINITYThresholdECDSAandBtcCanistersFixReview.pdf "Threshold ECDSA Integration - Fix Review"]
 +
 
 +
=="Canister Sandboxing Review" by Trail of Bits==
  
Report & Discussion: [https://forum.dfinity.org/t/internet-computer-consensus-security-assessment-by-trail-of-bits-third-party-security-audit-2/11453 "Internet Computer Consensus: Security Assessment" by Trail of Bits]
+
===Report & Discussion===
  
=== Areas of the code which were audited: ===
+
Date: July 7, 2022
* Consensus Layer
 
  
 +
Report & Discussion: [https://forum.dfinity.org/t/canister-sandbox-review-by-trail-of-bits-third-party-security-audit-4/15951 "Canister Sandboxing" by Trail of Bits]
  
 +
===Areas of the code which were audited:===
 +
*Canister sandboxing
 +
**[https://github.com/trailofbits/publications/blob/master/reviews/DFINITYCanisterSandbox.pdf "Canister Sandbox - Executive Summary"]
 +
**[https://github.com/trailofbits/publications/blob/master/reviews/DFINITYCanisterSandboxFixReview.pdf "Canister Sandbox - Fix Review"]
  
== IC "Threshold ECDSA Cryptography Review" by NCC Group ==
+
=="Threshold ECDSA Cryptography Review" by NCC Group==
  
=== Report & Discussion ===
+
===Report & Discussion===
 
Date: June 16, 2022
 
Date: June 16, 2022
  
 
Report & Discussion: [https://forum.dfinity.org/t/threshold-ecdsa-cryptography-review-by-ncc-group-third-party-security-audit-3/13853 IC "Threshold ECDSA Cryptography Review" by NCC Group]
 
Report & Discussion: [https://forum.dfinity.org/t/threshold-ecdsa-cryptography-review-by-ncc-group-third-party-security-audit-3/13853 IC "Threshold ECDSA Cryptography Review" by NCC Group]
  
=== Areas of the code which were audited: ===
+
===Areas of the code which were audited:===
* Threshold ECDSA
+
*Threshold ECDSA
  
== IC "Canister Sandboxing Review" by Trail of Bits ==
+
=="Internet Computer Consensus Review" by Trail of Bits==
  
=== Report & Discussion ===
+
===Report & Discussion===
  
Date: July 7, 2022
+
Date: March 11, 2022
  
Report & Discussion: [https://forum.dfinity.org/t/canister-sandbox-review-by-trail-of-bits-third-party-security-audit-4/15951 "Canister Sandboxing" by Trail of Bits]
+
Report & Discussion: [https://forum.dfinity.org/t/internet-computer-consensus-security-assessment-by-trail-of-bits-third-party-security-audit-2/11453 "Internet Computer Consensus: Security Assessment" by Trail of Bits]
  
=== Areas of the code which were audited: ===
+
===Areas of the code which were audited:===
* Canister sandboxing
+
*Consensus Layer
** [https://github.com/trailofbits/publications/blob/master/reviews/DFINITYCanisterSandbox.pdf "Canister Sandbox - Executive Summary"]
 
** [https://github.com/trailofbits/publications/blob/master/reviews/DFINITYCanisterSandboxFixReview.pdf "Canister Sandbox - Fix Review"]
 
  
== IC "Threshold ECDSA Integration and Bitcoin Canisters" by Trail of Bits ==
+
=="IC Assessment" by Trail of Bits==
  
=== Report & Discussion ===
+
===Report & Discussion===
  
Date: September 5, 2022
+
Date: January 4, 2022
  
Report & Discussion: [https://forum.dfinity.org/t/threshold-ecdsa-integration-and-bitcoin-canisters-security-review-by-trail-of-bits-third-party-security-audit-5/15952 "Threshold ECDSA Integration and Bitcoin Canisters - Security Review" by Trail of Bits]
+
Report Discussion: [https://forum.dfinity.org/t/internet-computer-security-assessment-by-trail-of-bits-third-party-security-audit/10113 "IC Assessment" by Trail of Bits]  
  
=== Areas of the code which were audited: ===
+
===Areas of the code which were audited:===
* Threshold ECDSA Integration and Bitcoin Canisters
+
*Internet Computer Interfaces
** [https://github.com/trailofbits/publications/blob/master/reviews/DFINITYThresholdECDSAandBtcCanisters.pdf "Threshold ECDSA Integration - Executive Summary"]
+
*Consensus Layer
** [https://github.com/trailofbits/publications/blob/master/reviews/DFINITYThresholdECDSAandBtcCanistersFixReview.pdf "Threshold ECDSA Integration - Fix Review"]
+
*Network Nervous System
 +
*Ledger Canister
 +
*Governance Canister
 +
*Registry Canister
 +
*Cycles Minting Canister
 +
*Genesis Token Canister
 +
*Cryptography libraries
 +
*Execution Environment
 +
*P2P layer
 +
*Third Party Dependencies
 +
*Hardware Wallet
  
 
==See Also==
 
==See Also==
* '''The Internet Computer project website (hosted on the IC): [https://internetcomputer.org/ internetcomputer.org]'''
+
*'''The Internet Computer project website (hosted on the IC): [https://internetcomputer.org/ internetcomputer.org]'''
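Review bot: in the new revision the "IC Assessment" section still reads "Report Discussion:" while every other section uses "Report & Discussion:" (the missing "&" is carried over from the old text); the ckBTC and SNS sections repeat "Reports & Discussion" as a subheading and again as a "Reports & Discussion:" label directly beneath it; and the "Areas of the code which were audited" subheading keeps a trailing colon in the older sections but not in the two new ones. Suggest fixing the label, dropping the duplicated label line, and using one heading form throughout so the generated table of contents stays uniform.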

Latest revision as of 08:37, 3 November 2023

Overview

The DFINITY foundation, a major contributor to the Internet Computer blockchain, takes security very seriously. Engineering and product security teams conduct security checks and reviews internally before a feature is released; in addition, security tools, best practices, and formal models are developed and open-sourced so that developers can check their own code for bugs and improve the overall security of their dapps. Many of the major technical features built on the Internet Computer also go through additional external security assessments by leading organizations specializing in software security assurance, such as Trail of Bits and NCC Group.

External reviews complement internal security efforts and let engineering and product security teams benefit and learn from the different perspectives that expert reviewers bring from their knowledge and experience of other blockchain projects. After the issues have been addressed, DFINITY publishes the audit reports on this wiki page so that the community can see an independent assessment of each feature's security posture. These reports signal to users and developers that minimizing the security risks of building on and engaging with the Internet Computer is of utmost importance.

"ckBTC and BTC Integration Review" by Trail of Bits

Reports & Discussion

Date: October 6, 2023

Reports & Discussion:

  • Medium blog post: https://medium.com/dfinity/taking-security-seriously-two-top-icp-features-assessed-by-trail-of-bits-4a0023ab1e68
  • Forum post: https://forum.dfinity.org/t/ckbtc-and-service-nervous-system-sns-third-party-security-assessments-by-trail-of-bits/24380
  • Report: https://github.com/trailofbits/publications/blob/master/reviews/2023-06-dfinity-ckBTC-securityreview.pdf; fix notes by DFINITY: https://mywikis-wiki-media.s3.us-central-1.wasabisys.com/internetcomputer/Trail_of_Bits_BTC_ckBTC_Review_Fix_Notes.pdf

Areas of the code which were audited

  • ckBTC and Bitcoin Integration

Service Nervous System (SNS) Reviews by Trail of Bits

Reports & Discussion

Dates:

  • First review: December 1, 2022
  • Second review: October 6, 2023

Reports & Discussion:

  • Medium blog post: https://medium.com/dfinity/taking-security-seriously-two-top-icp-features-assessed-by-trail-of-bits-4a0023ab1e68
  • Forum post: https://forum.dfinity.org/t/ckbtc-and-service-nervous-system-sns-third-party-security-assessments-by-trail-of-bits/24380
  • Report (2022), includes the fix review by Trail of Bits: https://github.com/trailofbits/publications/blob/master/reviews/2022-09-dfinity-sns-securityreview.pdf
  • Report (2023): https://github.com/trailofbits/publications/blob/master/reviews/2023-06-dfinity-sns-securityreview.pdf; fix notes by DFINITY: https://mywikis-wiki-media.s3.us-central-1.wasabisys.com/internetcomputer/Trail_of_Bits_SNS_Re-Review_Fix_Notes.pdf

Areas of the code which were audited

  • Service Nervous System (SNS)

"Threshold ECDSA Integration and Bitcoin Canisters" by Trail of Bits

Report & Discussion

Date: September 5, 2022

Report & Discussion: "Threshold ECDSA Integration and Bitcoin Canisters - Security Review" by Trail of Bits

Areas of the code which were audited:

  • Threshold ECDSA Integration and Bitcoin Canisters
      ◦ "Threshold ECDSA Integration - Executive Summary": https://github.com/trailofbits/publications/blob/master/reviews/DFINITYThresholdECDSAandBtcCanisters.pdf
      ◦ "Threshold ECDSA Integration - Fix Review": https://github.com/trailofbits/publications/blob/master/reviews/DFINITYThresholdECDSAandBtcCanistersFixReview.pdf

"Canister Sandboxing Review" by Trail of Bits

Report & Discussion

Date: July 7, 2022

Report & Discussion: "Canister Sandboxing" by Trail of Bits

Areas of the code which were audited:

  • Canister sandboxing
      ◦ "Canister Sandbox - Executive Summary": https://github.com/trailofbits/publications/blob/master/reviews/DFINITYCanisterSandbox.pdf
      ◦ "Canister Sandbox - Fix Review": https://github.com/trailofbits/publications/blob/master/reviews/DFINITYCanisterSandboxFixReview.pdf

"Threshold ECDSA Cryptography Review" by NCC Group

Report & Discussion

Date: June 16, 2022

Report & Discussion: IC "Threshold ECDSA Cryptography Review" by NCC Group

Areas of the code which were audited:

  • Threshold ECDSA

"Internet Computer Consensus Review" by Trail of Bits

Report & Discussion

Date: March 11, 2022

Report & Discussion: "Internet Computer Consensus: Security Assessment" by Trail of Bits

Areas of the code which were audited:

  • Consensus Layer

"IC Assessment" by Trail of Bits

Report & Discussion

Date: January 4, 2022

Report & Discussion: "IC Assessment" by Trail of Bits

Areas of the code which were audited:

  • Internet Computer Interfaces
  • Consensus Layer
  • Network Nervous System
  • Ledger Canister
  • Governance Canister
  • Registry Canister
  • Cycles Minting Canister
  • Genesis Token Canister
  • Cryptography libraries
  • Execution Environment
  • P2P layer
  • Third Party Dependencies
  • Hardware Wallet

See Also

  • The Internet Computer project website (hosted on the IC): internetcomputer.org (https://internetcomputer.org/)