mirror of
https://github.com/simplex-chat/simplex-chat.git
synced 2026-04-04 09:06:13 +00:00
deploy: 6b71cc59c8
@@ -227,25 +227,25 @@ window.addEventListener('scroll',changeHeaderBg);
|
||||
<h2 id="security-assessment-by-trail-of-bits" tabindex="-1">Security assessment by Trail of Bits</h2>
|
||||
<img src="./images/20221108-trail-of-bits.jpg" width=240>
|
||||
<p>When we first launched the app in March the response on Reddit was: <em>"Have you been audited or should we just ignore you?"</em>.</p>
|
||||
<p>We have a growing number of enthusiasts using SimpleX Chat who can accept the security risks of unaudited system, but the users who depend on their security were patiently waiting until some independent experts validate our claims.</p>
|
||||
<p><a href="https://www.trailofbits.com/about">Trail of Bits</a>, a US based security and technology consultancy whose clients include big tech companies, governmental agencies and major blockchain projects, had 2 engineers reviewing SimpleX Chat, specifically <a href="https://github.com/simplex-chat/simplexmq">simplexmq library</a> that is responsible for all cryptography and networking of SimpleX platform.</p>
|
||||
<p>We have a growing number of enthusiasts using SimpleX Chat who can accept the security risks of unaudited system, but the users who depend on their security were patiently waiting until some independent experts review our codebase.</p>
|
||||
<p><a href="https://www.trailofbits.com/about">Trail of Bits</a>, a US based security and technology consultancy whose clients include big tech companies, governmental agencies and major blockchain projects, had 2 engineers reviewing SimpleX Chat for one calendar week, specifically <a href="https://github.com/simplex-chat/simplexmq">simplexmq library</a> that is responsible for all cryptography and networking of SimpleX platform.</p>
|
||||
<p>2 medium and 2 low severity issues were identified, all of which require a high difficulty attack to exploit – the attacker would need to have a privileged access to the system, may need to know complex technical details, or must discover other weaknesses to exploit them. 3 of these issues are already fixed in v4.2.</p>
|
||||
<p>Overall we have SimpleX Chat in a decent shape, with most reviewed areas other than identified issues being marked as "satisfactory", and authentication and access controls as "strong".</p>
|
||||
<p>The issues are explained below, and the full security review is available via <a href="https://github.com/trailofbits/publications#technology-product-reviews">Trail of Bits publications</a>.</p>
|
||||
<p>We are hugely thankful to Trails Of Bits and their engineers for the work they did, helping us identify these issues and strengthen the security of SimpleX Chat.</p>
|
||||
<p>In the course of the audit, Trail of Bits assessed the maturity of the <a href="https://github.com/simplex-chat/simplexmq">simplexmq library</a> across eight categories and found five of them to be strong or satisfactory.</p>
|
||||
<p>Explained below is our understanding of the issues, as well as fixes implemented by the SimpleX Chat team after project completion. The full security review is available via <a href="https://github.com/trailofbits/publications/blob/master/reviews/SimpleXChat.pdf">Trail of Bits publications</a>.</p>
|
||||
<p>We are hugely thankful to Trail of Bits and their engineers for the work they did, helping us identify these issues and supporting the ongoing efforts to make Simple Chat more secure.</p>
|
||||
<h3 id="medium-severity-issues" tabindex="-1">Medium severity issues</h3>
|
||||
<h4 id="x3dh-key-exchange-for-double-ratchet-protocol" tabindex="-1">X3DH key exchange for double ratchet protocol</h4>
|
||||
<p>We made a mistake implementing X3DH key exchange - the key derivation function was not applied to the result of concatenation of three DH operations. The attack to exploit this mistake has high complexity, as it would require compromising one of private keys generated by the clients, and also it would only affect forward secrecy until break-in recovery happens (after both sides sent some messages).</p>
|
||||
<p>We made a mistake implementing X3DH key exchange - the key derivation function was not applied to the result of concatenation of three DH operations. The attack to exploit this mistake has high difficulty, as it would require compromising one of private keys generated by the clients, and also it would only affect forward secrecy until break-in recovery happens (after both sides sent some messages).</p>
|
||||
<p>Please note that SimpleX does not perform X3DH with long-term identity keys, as the SimpleX protocol does not rely on long-term keys to identify client devices. Therefore, the impact of compromising a key will be less severe, as it will affect only the secrets of the connection where the key was compromised.</p>
|
||||
<p>This issue is fixed in version 4.2 in <a href="https://github.com/simplex-chat/simplexmq/pull/548/files">this PR</a>, and if both clients are updated the key exchange will not have this vulnerability. Also, previously created connections should be secure as long as both sides sent the messages, but if you believe that your private key(s) could have been compromised (for example, if you used SimpleX Chat since before we added database encryption), we recommend that you create the new connections with your contacts, at least with the security-critical ones. Simply rotating the connection queue (manual queue rotation is added in version 4.2) will not be sufficient, as this rotation does not re-initialize the ratchets - this is something we will be adding in the future.</p>
|
||||
<h4 id="keys-are-stored-in-unpinned-memory-and-not-cleared-after-their-lifetime" tabindex="-1">Keys are stored in unpinned memory and not cleared after their lifetime</h4>
|
||||
<p>The problem here is that the memory with cryptographic keys can be swapped to the storage and potentially accessed by an attacker who has root-level access to the device (or the level of access required to access swap file of the application). So, if you are running SimpleX Chat on desktop you could improve its security by running it in an isolated container.</p>
|
||||
<p>On mobile operating systems it is less severe as each application already runs in its own container, and applications do not share access to their swap areas (e.g., on Android swap is a <a href="https://developer.android.com/topic/performance/memory-management">compressed area in RAM</a> not accessible to other applications).</p>
|
||||
<p>In our opinion, on mobile operating systems it is less severe as each application already runs in its own container, and applications do not share access to their swap areas (e.g., on Android swap is a <a href="https://developer.android.com/topic/performance/memory-management">compressed area in RAM</a> not accessible to other applications).</p>
|
||||
<p>To exploit this issue an attacker needs to have a privileged system access to the device. Also, we believe <a href="https://www.microsoft.com/en-us/research/wp-content/uploads/1993/01/gen-gc-for-haskell.pdf">Haskell generational garbage collection</a> makes the lifetime of unused memory lower than in other languages.</p>
|
||||
<p>We will be addressing this issue in the near future, possibly by using library <a href="https://hackage.haskell.org/package/secure-memory-0.0.0.2">secure-memory</a> created by Kirill Elagin, an engineer at Serokell, or some other similar approach.</p>
|
||||
<h3 id="low-severity-issues" tabindex="-1">Low severity issues</h3>
|
||||
<h4 id="the-functions-that-do-string-padding-and-unpadding-can-throw-exceptions" tabindex="-1">The functions that do string padding and unpadding can throw exceptions</h4>
|
||||
<p>Both these issues are fixed in 4.2 in <a href="https://github.com/simplex-chat/simplexmq/pull/547/files">this PR</a>, with the additional unit tests, and we also validated that even before the fix the strings that would cause such exception were never passed to this function – we could not find the possibility of the attack that would succeed because of this issue.</p>
|
||||
<h4 id="the-string-padding-function-is-incorrect-for-long-messages-and-the-string-unpadding-function-throws-exception-for-short-messages" tabindex="-1">The string padding function is incorrect for long messages, and the string unpadding function throws exception for short messages</h4>
|
||||
<p>Both these issues are fixed in 4.2 in <a href="https://github.com/simplex-chat/simplexmq/pull/547/files">this PR</a>, with the additional unit tests, and we also validated that even before the fix the strings that would cause such exception were never passed to this function – The SimpleX Chat team could not find the possibility of the attack that would succeed because of this issue.</p>
|
||||
<h3 id="whats-next" tabindex="-1">What's next</h3>
|
||||
<p>There are areas of SimpleX Chat that were out of scope of this review, specifically:</p>
|
||||
<ul>
|
||||
|
||||
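Review bot: the replacement acknowledgement paragraph (the one beginning "We are hugely thankful to Trail of Bits") ends with "make Simple Chat more secure", which drops the X from the product name; it should read "SimpleX Chat", as everywhere else in the post. Two smaller points in the low-severity section. The h4 id changes from "the-functions-that-do-string-padding-and-unpadding-can-throw-exceptions" to one derived from the new, longer heading, so any existing link to the old fragment will stop resolving; consider keeping the old id or confirming nothing links to it. The rewritten paragraph under that heading capitalises "The SimpleX Chat team" in the middle of a sentence and switches from "we also validated" to the third person within the same sentence; use lowercase "the" and one voice throughout.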