By David Huseby, Hyperledger Security Maven
As an open source project that is part of the Linux Foundation, Hyperledger takes on a great deal of responsibility to deliver software using a process that is transparent, proactive, and uses the best security practices. This blog post is about the release process for Hyperledger projects reaching the version 1.0 milestone. It is the first in a series focused on the Hyperledger security regime. The next post in this series will focus on everything we do to make good on the promise of open source software being more secure.
When Hyperledger Fabric 1.0 was released on July 11th, 2017 several administrative initiatives were under way. The first of these was an audit of the source code to determine the open source licenses the software was under. Hyperledger uses the Apache 2.0 License for all of its original software and strives to only depend on other code licensed under the same or equally compatible licenses.
The second initiative was a cryptography export audit conducted by the Software Freedom Law Center. Despite a victory in the “crypto wars,” since blockchains require heavily on the latest cryptography, we still have a reporting requirement for all cryptography that we include in our software.
The third initiative was an outside security audit. The Hyperledger team contracted an outside firm named Nettitude to do an independent audit of the Fabric source code. The purpose was to get confirmation of the soundness of the software and to establish a baseline for its security. The team at Nettitude did a great job going through the source code and attempting penetration tests and running fuzzing processes against Fabric.
“Nettitude is delighted to have had the opportunity to work with The Linux Foundation to assess the security of their Hyperledger Fabric blockchain software. This was an exciting and timely piece of work, in a field which Nettitude had already identified as one of our security research priorities.”
The end results of the audit showed only a couple medium grade security issues that have since been mitigated. One issue was a general lack of comments in the code that documented the expected behavior of the code. This is an important detail because programmers can look at the code and figure out what it does, but bugs lurk in the difference between what the original programmer intended and what the code actually does. Having thorough comments in the code helps reduce the risk of a security regression occurring during future software maintenance work.
The other issue was focused on the general security of the Docker container used to execute chain code. The principle of least authority dictates that the Docker container should be restricted and isolated as much as possible. Today, we are finally publishing the Hyperledger Fabric 1.0 security audit report. We have published the technical report and the management report documents.
This process will be applied to all of the other Hyperledger projects as they reach the 1.0 milestone.. The next project to go through it is Hyperledger Sawtooth. The license, crypto, and security audits for Sawtooth have already been completed and readers should expect its 1.0 release in the very near future. Stay tuned for the follow up with the Sawtooth security audit report.If you would like to help us make great software, the Hyperledger community has organized meetups and hackfests all over the world. If you find a security issue please report it to email@example.com. You can find an upcoming event near you by visiting our events page here: https://hyperledger.org/events. We’ll also be talking at RSA this year in April in San Francisco. Director of Ecosystem, Marta Pierkarska and I will present “Blockchain-the new black. What about enterprise security?” We hope to see you there!