Difference between revisions of "Third-party security audits"
Diego.prats (talk | contribs) |
m (Added forum and medium blog post links) |
||
(14 intermediate revisions by 3 users not shown) | |||
Line 1: | Line 1: | ||
− | == " | + | == Overview== |
+ | The DFINITY foundation, a major contributor to the Internet Computer blockchain, takes security very seriously. Not only do engineering and product security teams conduct various security checks and reviews internally before a feature is released, security tools, [https://internetcomputer.org/docs/current/developer-docs/security/ best practices], and formal models are also developed and open-sourced, so developers can perform their own code checks to detect bugs and improve the overall security of their dapps. What’s more, many of the major technical features built on the Internet Computer go through additional external security assessments conducted by leading organizations such as [https://www.trailofbits.com/ Trail of Bits] and [https://www.nccgroup.com/us/ NCC Group], specializing in software security assurance. | ||
+ | |||
+ | Getting external reviews complements internal security efforts and gives engineering and product security teams the opportunity to greatly benefit and learn from the different perspectives expert reviewers provide based on their knowledge and experience of other blockchain projects. After addressing the issues, DFINITY makes the audit reports public on this wiki page, so that the community sees an independent assessment of the feature’s security posture. Such reports signal to users and developers that minimizing the security risks of building on and engaging with the Internet Computer is of utmost importance. | ||
+ | |||
+ | == "ckBTC and BTC Integration Review" by Trail of Bits== | ||
+ | |||
+ | ===Reports & Discussion=== | ||
+ | Date: October 6, 2023 | ||
+ | |||
+ | Reports & Discussion: | ||
+ | |||
+ | *[https://medium.com/dfinity/taking-security-seriously-two-top-icp-features-assessed-by-trail-of-bits-4a0023ab1e68 Medium blog post] | ||
+ | *[https://forum.dfinity.org/t/ckbtc-and-service-nervous-system-sns-third-party-security-assessments-by-trail-of-bits/24380 Forum post] | ||
+ | *[https://github.com/trailofbits/publications/blob/master/reviews/2023-06-dfinity-ckBTC-securityreview.pdf Report], [https://mywikis-wiki-media.s3.us-central-1.wasabisys.com/internetcomputer/Trail_of_Bits_BTC_ckBTC_Review_Fix_Notes.pdf fix notes by DFINITY] | ||
+ | |||
+ | ===Areas of the code which were audited=== | ||
+ | |||
+ | *ckBTC and Bitcoin Integration | ||
+ | |||
+ | ==Service Nervous System (SNS) Reviews by Trail of Bits== | ||
+ | |||
+ | ===Reports & Discussion=== | ||
+ | Dates: | ||
+ | |||
+ | *First review: December 1, 2022 | ||
+ | * Second review: October 6, 2023 | ||
+ | |||
+ | Reports & Discussion: | ||
+ | |||
+ | *[https://medium.com/dfinity/taking-security-seriously-two-top-icp-features-assessed-by-trail-of-bits-4a0023ab1e68 Medium blog post] | ||
+ | * [https://forum.dfinity.org/t/ckbtc-and-service-nervous-system-sns-third-party-security-assessments-by-trail-of-bits/24380 Forum post] | ||
+ | *[https://github.com/trailofbits/publications/blob/master/reviews/2022-09-dfinity-sns-securityreview.pdf Report (2022)], includes the fix review by Trail of Bits | ||
+ | *[https://github.com/trailofbits/publications/blob/master/reviews/2023-06-dfinity-sns-securityreview.pdf Report (2023)], [https://mywikis-wiki-media.s3.us-central-1.wasabisys.com/internetcomputer/Trail_of_Bits_SNS_Re-Review_Fix_Notes.pdf fix notes by DFINITY] | ||
+ | |||
+ | ===Areas of the code which were audited=== | ||
+ | |||
+ | *Service Nervous System (SNS) | ||
+ | |||
+ | =="Threshold ECDSA Integration and Bitcoin Canisters" by Trail of Bits== | ||
=== Report & Discussion === | === Report & Discussion === | ||
− | Date: | + | Date: September 5, 2022 |
+ | |||
+ | Report & Discussion: [https://forum.dfinity.org/t/threshold-ecdsa-integration-and-bitcoin-canisters-security-review-by-trail-of-bits-third-party-security-audit-5/15952 "Threshold ECDSA Integration and Bitcoin Canisters - Security Review" by Trail of Bits] | ||
+ | |||
+ | ===Areas of the code which were audited:=== | ||
+ | *Threshold ECDSA Integration and Bitcoin Canisters | ||
+ | **[https://github.com/trailofbits/publications/blob/master/reviews/DFINITYThresholdECDSAandBtcCanisters.pdf "Threshold ECDSA Integration - Executive Summary"] | ||
+ | **[https://github.com/trailofbits/publications/blob/master/reviews/DFINITYThresholdECDSAandBtcCanistersFixReview.pdf "Threshold ECDSA Integration - Fix Review"] | ||
+ | |||
+ | =="Canister Sandboxing Review" by Trail of Bits== | ||
+ | |||
+ | ===Report & Discussion=== | ||
+ | |||
+ | Date: July 7, 2022 | ||
+ | |||
+ | Report & Discussion: [https://forum.dfinity.org/t/canister-sandbox-review-by-trail-of-bits-third-party-security-audit-4/15951 "Canister Sandboxing" by Trail of Bits] | ||
+ | |||
+ | ===Areas of the code which were audited:=== | ||
+ | *Canister sandboxing | ||
+ | **[https://github.com/trailofbits/publications/blob/master/reviews/DFINITYCanisterSandbox.pdf "Canister Sandbox - Executive Summary"] | ||
+ | **[https://github.com/trailofbits/publications/blob/master/reviews/DFINITYCanisterSandboxFixReview.pdf "Canister Sandbox - Fix Review"] | ||
+ | |||
+ | =="Threshold ECDSA Cryptography Review" by NCC Group== | ||
+ | |||
+ | ===Report & Discussion=== | ||
+ | Date: June 16, 2022 | ||
− | Report Discussion: [https://forum.dfinity.org/t/ | + | Report & Discussion: [https://forum.dfinity.org/t/threshold-ecdsa-cryptography-review-by-ncc-group-third-party-security-audit-3/13853 IC "Threshold ECDSA Cryptography Review" by NCC Group] |
− | === Areas of the code which were audited: === | + | ===Areas of the code which were audited:=== |
− | * | + | *Threshold ECDSA |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | == "Internet Computer Consensus | + | =="Internet Computer Consensus Review" by Trail of Bits== |
− | === Report & Discussion === | + | ===Report & Discussion=== |
Date: March 11, 2022 | Date: March 11, 2022 | ||
Line 30: | Line 82: | ||
Report & Discussion: [https://forum.dfinity.org/t/internet-computer-consensus-security-assessment-by-trail-of-bits-third-party-security-audit-2/11453 "Internet Computer Consensus: Security Assessment" by Trail of Bits] | Report & Discussion: [https://forum.dfinity.org/t/internet-computer-consensus-security-assessment-by-trail-of-bits-third-party-security-audit-2/11453 "Internet Computer Consensus: Security Assessment" by Trail of Bits] | ||
− | === Areas of the code which were audited: === | + | ===Areas of the code which were audited:=== |
− | * Consensus Layer | + | *Consensus Layer |
+ | =="IC Assessment" by Trail of Bits== | ||
+ | ===Report & Discussion=== | ||
− | + | Date: January 4, 2022 | |
− | + | Report Discussion: [https://forum.dfinity.org/t/internet-computer-security-assessment-by-trail-of-bits-third-party-security-audit/10113 "IC Assessment" by Trail of Bits] | |
− | |||
− | + | ===Areas of the code which were audited:=== | |
+ | *Internet Computer Interfaces | ||
+ | *Consensus Layer | ||
+ | *Network Nervous System | ||
+ | *Ledger Canister | ||
+ | *Governance Canister | ||
+ | *Registry Canister | ||
+ | *Cycles Minting Canister | ||
+ | *Genesis Token Canister | ||
+ | *Cryptography libraries | ||
+ | *Execution Environment | ||
+ | *P2P layer | ||
+ | *Third Party Dependencies | ||
+ | *Hardware Wallet | ||
− | == | + | ==See Also== |
− | * | + | *'''The Internet Computer project website (hosted on the IC): [https://internetcomputer.org/ internetcomputer.org]''' |
Latest revision as of 08:37, 3 November 2023
Overview
The DFINITY foundation, a major contributor to the Internet Computer blockchain, takes security very seriously. Not only do engineering and product security teams conduct various security checks and reviews internally before a feature is released, security tools, best practices, and formal models are also developed and open-sourced, so developers can perform their own code checks to detect bugs and improve the overall security of their dapps. What’s more, many of the major technical features built on the Internet Computer go through additional external security assessments conducted by leading organizations such as Trail of Bits and NCC Group, specializing in software security assurance.
Getting external reviews complements internal security efforts and gives engineering and product security teams the opportunity to greatly benefit and learn from the different perspectives expert reviewers provide based on their knowledge and experience of other blockchain projects. After addressing the issues, DFINITY makes the audit reports public on this wiki page, so that the community sees an independent assessment of the feature’s security posture. Such reports signal to users and developers that minimizing the security risks of building on and engaging with the Internet Computer is of utmost importance.
"ckBTC and BTC Integration Review" by Trail of Bits
Reports & Discussion
Date: October 6, 2023
Reports & Discussion:
Areas of the code which were audited
- ckBTC and Bitcoin Integration
Service Nervous System (SNS) Reviews by Trail of Bits
Reports & Discussion
Dates:
- First review: December 1, 2022
- Second review: October 6, 2023
Reports & Discussion:
- Medium blog post
- Forum post
- Report (2022), includes the fix review by Trail of Bits
- Report (2023), fix notes by DFINITY
Areas of the code which were audited
- Service Nervous System (SNS)
"Threshold ECDSA Integration and Bitcoin Canisters" by Trail of Bits
Report & Discussion
Date: September 5, 2022
Report & Discussion: "Threshold ECDSA Integration and Bitcoin Canisters - Security Review" by Trail of Bits
Areas of the code which were audited:
- Threshold ECDSA Integration and Bitcoin Canisters
"Canister Sandboxing Review" by Trail of Bits
Report & Discussion
Date: July 7, 2022
Report & Discussion: "Canister Sandboxing" by Trail of Bits
Areas of the code which were audited:
- Canister sandboxing
"Threshold ECDSA Cryptography Review" by NCC Group
Report & Discussion
Date: June 16, 2022
Report & Discussion: IC "Threshold ECDSA Cryptography Review" by NCC Group
Areas of the code which were audited:
- Threshold ECDSA
"Internet Computer Consensus Review" by Trail of Bits
Report & Discussion
Date: March 11, 2022
Report & Discussion: "Internet Computer Consensus: Security Assessment" by Trail of Bits
Areas of the code which were audited:
- Consensus Layer
"IC Assessment" by Trail of Bits
Report & Discussion
Date: January 4, 2022
Report Discussion: "IC Assessment" by Trail of Bits
Areas of the code which were audited:
- Internet Computer Interfaces
- Consensus Layer
- Network Nervous System
- Ledger Canister
- Governance Canister
- Registry Canister
- Cycles Minting Canister
- Genesis Token Canister
- Cryptography libraries
- Execution Environment
- P2P layer
- Third Party Dependencies
- Hardware Wallet
See Also
- The Internet Computer project website (hosted on the IC): internetcomputer.org