Difference between revisions of "Third-party security audits"

From Internet Computer Wiki
Jump to: navigation, search
m (minor test edit to test edit permissions)
m (Added forum and medium blog post links)
 
(2 intermediate revisions by the same user not shown)
Line 11: Line 11:
 
Reports & Discussion:  
 
Reports & Discussion:  
  
*Medium blog post: TODO
+
*[https://medium.com/dfinity/taking-security-seriously-two-top-icp-features-assessed-by-trail-of-bits-4a0023ab1e68 Medium blog post]
*Forum post: TODO
+
*[https://forum.dfinity.org/t/ckbtc-and-service-nervous-system-sns-third-party-security-assessments-by-trail-of-bits/24380 Forum post]
*[https://github.com/trailofbits/publications/blob/master/reviews/2023-03-dfinity-ckBTC-securityreview.pdf Report], fix notes (TODO)
+
*[https://github.com/trailofbits/publications/blob/master/reviews/2023-06-dfinity-ckBTC-securityreview.pdf Report], [https://mywikis-wiki-media.s3.us-central-1.wasabisys.com/internetcomputer/Trail_of_Bits_BTC_ckBTC_Review_Fix_Notes.pdf fix notes by DFINITY]
  
 
===Areas of the code which were audited===
 
===Areas of the code which were audited===
Line 29: Line 29:
 
Reports & Discussion:  
 
Reports & Discussion:  
  
*Medium blog post: TODO
+
*[https://medium.com/dfinity/taking-security-seriously-two-top-icp-features-assessed-by-trail-of-bits-4a0023ab1e68 Medium blog post]
* Forum post: TODO
+
* [https://forum.dfinity.org/t/ckbtc-and-service-nervous-system-sns-third-party-security-assessments-by-trail-of-bits/24380 Forum post]
*Report (2022), includes the fix review
+
*[https://github.com/trailofbits/publications/blob/master/reviews/2022-09-dfinity-sns-securityreview.pdf Report (2022)], includes the fix review by Trail of Bits
*[https://github.com/trailofbits/publications/blob/master/reviews/2023-03-dfinity-sns-securityreview.pdf Report (2023)], fix notes (TODO)
+
*[https://github.com/trailofbits/publications/blob/master/reviews/2023-06-dfinity-sns-securityreview.pdf Report (2023)], [https://mywikis-wiki-media.s3.us-central-1.wasabisys.com/internetcomputer/Trail_of_Bits_SNS_Re-Review_Fix_Notes.pdf fix notes by DFINITY]
  
 
===Areas of the code which were audited===
 
===Areas of the code which were audited===

Latest revision as of 08:37, 3 November 2023

Overview

The DFINITY foundation, a major contributor to the Internet Computer blockchain, takes security very seriously. Not only do engineering and product security teams conduct various security checks and reviews internally before a feature is released, security tools, best practices, and formal models are also developed and open-sourced, so developers can perform their own code checks to detect bugs and improve the overall security of their dapps. What’s more, many of the major technical features built on the Internet Computer go through additional external security assessments conducted by leading organizations such as Trail of Bits and NCC Group, specializing in software security assurance.

Getting external reviews complements internal security efforts and gives engineering and product security teams the opportunity to greatly benefit and learn from the different perspectives expert reviewers provide based on their knowledge and experience of other blockchain projects. After addressing the issues, DFINITY makes the audit reports public on this wiki page, so that the community sees an independent assessment of the feature’s security posture. Such reports signal to users and developers that minimizing the security risks of building on and engaging with the Internet Computer is of utmost importance.

"ckBTC and BTC Integration Review" by Trail of Bits

Reports & Discussion

Date: October 6, 2023

Reports & Discussion:

Areas of the code which were audited

  • ckBTC and Bitcoin Integration

Service Nervous System (SNS) Reviews by Trail of Bits

Reports & Discussion

Dates:

  • First review: December 1, 2022
  • Second review: October 6, 2023

Reports & Discussion:

Areas of the code which were audited

  • Service Nervous System (SNS)

"Threshold ECDSA Integration and Bitcoin Canisters" by Trail of Bits

Report & Discussion

Date: September 5, 2022

Report & Discussion: "Threshold ECDSA Integration and Bitcoin Canisters - Security Review" by Trail of Bits

Areas of the code which were audited:

"Canister Sandboxing Review" by Trail of Bits

Report & Discussion

Date: July 7, 2022

Report & Discussion: "Canister Sandboxing" by Trail of Bits

Areas of the code which were audited:

"Threshold ECDSA Cryptography Review" by NCC Group

Report & Discussion

Date: June 16, 2022

Report & Discussion: IC "Threshold ECDSA Cryptography Review" by NCC Group

Areas of the code which were audited:

  • Threshold ECDSA

"Internet Computer Consensus Review" by Trail of Bits

Report & Discussion

Date: March 11, 2022

Report & Discussion: "Internet Computer Consensus: Security Assessment" by Trail of Bits

Areas of the code which were audited:

  • Consensus Layer

"IC Assessment" by Trail of Bits

Report & Discussion

Date: January 4, 2022

Report Discussion: "IC Assessment" by Trail of Bits

Areas of the code which were audited:

  • Internet Computer Interfaces
  • Consensus Layer
  • Network Nervous System
  • Ledger Canister
  • Governance Canister
  • Registry Canister
  • Cycles Minting Canister
  • Genesis Token Canister
  • Cryptography libraries
  • Execution Environment
  • P2P layer
  • Third Party Dependencies
  • Hardware Wallet

See Also