Security audit
From: Libor Polčák
Subject: Security audit
Date: Thu, 27 Jan 2022 08:44:56 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0 SeaMonkey/2.53.9.1
Hello all,
We should have our NLNet sponsored security audit soon. So far I learned
(copied from chat with the auditor):
"First some organizational topics: as you've noticed, we're working a lot with
interactive chats here in our Rocketchat instance. Your accounts will also give
access to the corresponding internal Gitlab project. I will be using the issue
tracker to document topics during the evaluation. Feel free to comment on issues I
create, that way we can have a more focused discussion on a technical topic if
necessary.
Typically, I do a kickoff- and closing meeting of ~60-90min each, with work in
between stretched over a 1.5-2W calendar time frame so that there is time for
feedback.
ROS can be a busy place - I have some other projects that are beginning or
ending at the moment, but expect to have time for the kickoff meeting and some
initial work next week.
We're here to give you developer-level internal feedback on your project. There
will be a short summary report, but this is not the focus of the evaluation and
mainly meant for internal use (unless discussed otherwise).
Overall, there are 2 person days of pentester worktime for this project, which includes
communication and documentation, so I will be mainly looking at "low-hanging fruit"
like dangerous code use, vulnerable dependencies and so on. Feel free to point out design
aspects or code positions in the code that you think are particularly important for the
evaluation."
I think that it sounds reasonable and useful.
Please, if you did not receive an invitation to the chat and want to be a part
of the audit, let me know. If you received an invitation, please, register.
Do we have any design aspects or code that is particularly important for the
evaluation?
I see some topics that might be important:
1. Code injection by the NSCL library. But AFAIK the NSCL is also a NLNet
project so it will have a separate review. If this is so, we can also merge the
two audits. Giorgio, what do you think?
2. Evasion of the wrappers and/or FPD. I am unsure if we can get reasonable
feedback for this since this is a highly specialized topic.
3. Detection of the extension. We already know that there are multiple ways of
detecting the extension like https://github.com/polcak/jsrestrictor/issues/166,
observing timestamps (e.g. Date.now()) in a loop, diploma thesis
https://www.fit.vut.cz/study/thesis-file/23972/23972.pdf (pages 46 and 47, but
most anomalies and inconsistencies should be resolved by now; it is in Czech but
the table should be readable even without translation), and there are likely
others.
4. Do we want to evaluate the web? Neither Ricardo nor Ana is listed in the
review, so if you want to be a part of the process, please let me know.
Thanks,
Libor