more edits
This commit is contained in:
parent
b67f1599c2
commit
ed0df677e5
GPG Key ID:
44A86CFF1FDF0E85
|
|
@ -23,13 +23,13 @@ At Distrust, we operate under the assumption that nation-state actors are persis
|
|||
* Physical attacks are viable and likely
|
||||
* Side-channel attacks are viable and likely
|
||||
|
||||
These assumptions drive everything at Distrust, including the strategies and tooling outlined in this report. The controls we've developed are built specifically to address this elevated thread model. Many of our open source tools are ready to use today, some are reference designs, while other tooling requires further development.
|
||||
These assumptions drive everything at Distrust, including the strategies and tooling outlined in this report. The strategies we've developed are built specifically to address this elevated threat model. Many of our open source tools are ready to use today, some are reference designs, while other tooling requires further development.
|
||||
|
||||
### Summary
|
||||
|
||||
This report identifies critical single points of failure—cases where trust is placed in a single individual or computer—creating opportunities for compromise. In contrast, blockchains offer stronger security properties through cryptography and decentralized trust models.
|
||||
|
||||
Traditional infrastructure has historically lacked mechanisms to distribute trust, but this limitation can be addressed. By applying targeted design strategies, it's possible to distribute trust (*dis*trust, get it?) across systems and reduce the risks of a single compromised actor undermining the integrity of the entire system.
|
||||
Traditional infrastructure has historically lacked mechanisms to distribute trust, but this limitation can be addressed. By applying targeted design strategies, it's possible to distribute trust (**dis**trust, get it?) across systems and reduce the risk of a single compromised actor undermining the integrity of the entire system.
|
||||
|
||||
---
|
||||
|
||||
|
|
@ -71,7 +71,7 @@ To adequately defend against the risks outlined in the Distrust threat model, it
|
|||
|
||||
* Cold cryptographic key management systems that leverage truly random entropy sources are **not susceptible to remote attacks**, and are only exposed to localized threats such as physical access or side-channel attacks.
|
||||
|
||||
* A common misconception is that simply keeping a key offline makes a system cold and secure. But an attacker doesn't always need to steal the key—they just need to achieve the outcome where the key performs an an operation on the desired data on their behalf.
|
||||
* A common misconception is that simply keeping a key offline makes a system cold and secure. But an attacker doesn't always need to steal the key—they just need to achieve the outcome where the key performs an operation on the desired data on their behalf.
|
||||
|
||||
* **All software in the stack must be open source**, built deterministically (to support reproduction), and compiled using a fully bootstrapped toolchain. Otherwise, the system remains exposed to single points of failure, especially via supply chain compromise.
|
||||
|
||||
|
|
@ -91,13 +91,13 @@ This strategy can be implemented without major adjustments to the existing syste
|
|||
|
||||
The idea centers on extracting the **signing** component from the application (which currently operates in the UI) and converting it into an offline application.
|
||||
|
||||
However, simply making a component offline does not eliminate all single points of failure. To close off supply chain threats stemming from compiler, dependency or environment compromise requires that the application be reproduced on multiple diverse systems (using different chipsets and operating systems), using a fully bootstrapped compiler - a fully hermetic, deterministic and reproducible process.
|
||||
However, simply making a component offline does not eliminate all single points of failure. To close off supply chain threats stemming from compiler, dependency or environment compromise requires that the application is reproduced on multiple diverse systems (using different chipsets and operating systems), using a fully bootstrapped compiler—a fully hermetic, deterministic and reproducible process.
|
||||
|
||||
We've developed open-source tooling for this under **[StageX](https://codeberg.org/stagex/stagex)**. To learn more about the importance of reproducible builds, check out [this video](https://antonlivaja.com/videos/2024-incyber-stagex-talk.mp4), where one of our co-founders explains how the SolarWinds incident unfolded—and how it could have been prevented.
|
||||
We've developed open source tooling for this under **[StageX](https://codeberg.org/stagex/stagex)**. To learn more about the importance of reproducible builds, check out [this video](https://antonlivaja.com/videos/2024-incyber-stagex-talk.mp4), where one of our co-founders explains how the SolarWinds incident unfolded—and how it could have been prevented.
|
||||
|
||||
##### Reference design
|
||||
|
||||
This reference design was developed for the Safe{Wallet} team, but it can be applied to any system seeking to distribute trust in their system.
|
||||
This reference design was developed for the Safe{Wallet} team, but it can be applied to any system seeking to distribute trust.
|
||||
|
||||
1. **System administrators use dedicated offline laptops**
|
||||
|
||||
|
|
@ -111,7 +111,7 @@ This reference design was developed for the Safe{Wallet} team, but it can be app
|
|||
|
||||
* Signing operations are performed exclusively on the engineer's offline system
|
||||
|
||||
* Distrust has developed open-source tooling to drastically simplify PGP key provisioning: **[Trove](https://trove.distrust.co/generated-documents/all-levels/pgp-key-provisioning.html)**
|
||||
* Distrust has developed open source tooling to drastically simplify PGP key provisioning: **[Trove](https://trove.distrust.co/generated-documents/all-levels/pgp-key-provisioning.html)**
|
||||
|
||||
3. **Offline signing applications are deterministically compiled, verified, and signed by multiple engineers**
|
||||
|
||||
|
|
@ -121,7 +121,7 @@ This reference design was developed for the Safe{Wallet} team, but it can be app
|
|||
|
||||
4. **All sensitive operations are fully verified offline before any cryptographic action is taken**
|
||||
|
||||
This design drastically reduces exposure to remote attacks and central points of trust, aligning closely with Distrust's first-principles security model. The community has built some tools like [safe-utils](https://github.com/openzeppelin/safe-utils) - but unfortunately people are being encourages to use these tools online, which is distributing the risk in a sense, but it's largely shifting it to more online services, and tools which are not built deterministically, missing on the opportunity to fully eliminate a number of attack vectors.
|
||||
This design drastically reduces exposure to remote attacks and central points of trust, aligning closely with Distrust's first-principles security model. Some tools have been built in the Web3 ecosystem, such as [safe-utils](https://github.com/openzeppelin/safe-utils)—but, unfortunately, they completely miss the point of cold wallets, and encourge people to use these tools online. Safe-utils is also not bit-for-bit reproducible as of this writing, which disqualifies it as an adequate solution for a stack managing large sums.
|
||||
|
||||
#### Strategy 2 - Use remotely verified service
|
||||
|
||||
|
|
@ -166,8 +166,8 @@ This high-level overview is meant to illustrate the kinds of problems we focus o
|
|||
|
||||
The Distrust team has helped build and secure some of the highest-risk systems in the world. This includes vaulting infrastructure at BitGo, Unit410, and Turnkey, as well as security work with electrical grid operators, industrial control systems, and other mission-critical systems.
|
||||
|
||||
We've conducted deep security due diligence across most major custodians. Through our experience with organizations that operate under constant threat—where **every class of attack is viable**—we've developed a methodology and set of open-source tools designed to defend against even the most sophisticated adversaries.
|
||||
We've conducted deep security due diligence across most major custodians. Through our experience with organizations that operate under constant threat—where **every class of attack is viable**—we've developed a methodology and set of open source tools designed to defend against even the most sophisticated adversaries.
|
||||
|
||||
Today, we're taking the hard-earned lessons from that work and sharing them with the broader community. Our goal is to help others strengthen their security posture by making what we've learned—and the open source tools we've built—available to everyone.
|
||||
|
||||
**Looking to aid us in developing the tooling or for help analyzing and mitigating security risks in your own organization? [Talk to us](https://distrust.co/contact.html)**.
|
||||
**Looking for help analyzing and mitigating security risks in your own organization? [Talk to us](https://distrust.co/contact.html)**.
|
||||
|
|
|
|||
Loading…
Reference in New Issue