diff --git a/design/img/security design.svg b/design/img/security design.svg index d58a475..02ee167 100644 --- a/design/img/security design.svg +++ b/design/img/security design.svg 
@@ -1,6711 +1,6748 @@ -security designBad actorsByzantineKeep sending future ticksApp impersonationClock forgerytraceabilityrealisationfrom operationsfrom updatesaccess control by storenot offlineno APIoutbox queueparsing libraryrequires published message specificationAPIvoided operations includedno native compressionallows any fusion strategyhard to correlate with statevoiding invisiblenotify voidscan expose fusion utilityFinal list indexOK if intent preservedemitted updates ≠ signed op messagese.g. insert then deletefusion cutsBase graphconstraint applysoriginal signed operation messages(inc. constraint applys)not decentraliseddecentralisation-agnosticrequires a storepush to any storee.g. RDBMStriggerrequires leaderin messagingcannot change leaderin remotesfrom updatesfrom operationsaccess control by storenot offlineno APIparsing libraryAPIrequires published message specificationvoided operations includedno native compressionallows any fusion strategycan expose fusion utilityhard to correlate with statevoiding invisiblenotify voidsFinal list indexemitted updates ≠ signed op messagesOK if intent preservedfusion cutse.g. insert then deleteconstraint applysBase graphnot decentralisedoriginal signed operation messages(inc. constraint applys)requires a storedecentralisation-agnostice.g. RDBMSpush to any storerequires leadertriggercannot change leaderin messagingin remotesusing Journalno access controlse.g. 
read permission to partynot extensiblesupports offlineno APIcreate one!voided operations are removedcould be optionally retainedalready does compressionoverloaded strategydifferent for journal and auditno record of compression actmachine does not have identitymachine-processedstored operations ≠ signed op messagesfusionsfusion cutsalready decentralisedneed to configure 1..* 'audit master'but not to genesisaccess controlactor "party" visible to those with readactor visible to auditoraudited datacompression ok (for readability)causal orderall operations since genesisincluding voidedvisible atomic operationsidentityversions?for tracing to other systemsprincipalsused to signverification can be onlineverifiable object just receivedmust be able to sign offlinesigning secret must existmachineshow to detect malwareclone twinningholo: peers verify blockchaindo not have state for hashstart from well-known state hashrequires enough peersm-ld not a platformassociate user IDsandboxing on iOS, Androiduser responsible for malwarenativetoken from servermaybe malwareverified installno secretbrowsersession tokensame domain as JSpage server certno private key – cannot signactionsclone re-writesconstraintsfusion & fusion cut(if included in audit log)process defn and inputs must be knownapp-level procedurescf. smart contractsusersnativeuser tokenOS IDAppleIDPKIWebIDbrowseruser tokenPKIWebIDPrivacysignature verification requires identity tokenPrincipal extension point classnon-repudiableintegritywell-known state hashor more recent non-agreement state"well-known"baseline: agreement state + signed opsneed to prove a given state is consistentwith everyone else's state + some opsif no journal – how to detect forgerya recovering clone trusts one peeragreementsviewpointsCRDT: agree to start againledger: collaboration on the next blockconcurrent agreementearliest winsrequires total ordering of clocks3. leftmost ID wins2. total ticks1. 
cause < effectapp protocol for resolutionbut applies to manymeans is configuredrequires consensussimilar to incompatiblesplit-brainif you don't want it, lockthis is just CAPcolonies may divergeother clones may arrive at one or the otherand may transact!disjoint scope = no problemdetect: neither is caused-by the othercan arisemultiple users with authorityProof-of-Xin blockchain ≡ longest chain ruleafter agreement, no message canbe accepted which is not caused by itcan't check agreement conditions untilincompatible ops have been voidedauthority is statutoryagreement on authority cannotassert anything non-statutorycan replay if condition failscannot have authority oversomething non-statutoryit might have changedauthority requires write permission over a statuteagreement condition is not a constrainte.g. List processingcondition impl may depend on a constraintso, can check agreement condition on current statestill have statutes from last agreementbased on prior agreementagreement pre-dates journalagreement is predicated on a statewhich may no longer exist anywhereprior to verifying agreementmust recover to snapshotretain voided opsnot atomicsusceptible to DOScan recover if interruptedcan replayACL is statutory - cannot have changedon incompatible agreement opOR incompatible recoveryvoid+ replayon failure...with constraint & access checkspre-dates snapshotif in fusiondon't fuse until agreementcould be neveralways void whole fusionagreement destroys its own proximal causeslocal causal history in conflict with agreementproximate causesmay be forgedapplies to rev-up cuts tooif using normal rev-up,it's the same problem!hash-chain proofdeliveryin-line requeston failuredisorderednetwork access during txnresponse may be longer than local fusioncut response from localsend me exactly this proximate causetwo-phase: back-out, then requestchecking conditionsbefore requestpre-void checkideally, scope constraints to statutescannot include any future agreementgenerally valid according 
to CRDTstate in future, will be abandonedpost-void checkconstraints could produce garbagecauses incompletestate + updatenot a 'real' statefusions voided in fullincompatible ops voidedconstraints appliedso condition is-a constraint?but will not publishor even data losssusceptible to DOSnormal rev-uprisk of escalating chaos in networknot if everyone backs-out at at the same timerisk of receiving the incompatible fusion again"revup to"agreement source always has"to" is agreementno extra in fusion"from" is lte (as now)weird API behavioursometime later, 2. it partly reappears1. some stuff is backed-outmay be offlinetreat as disorderedrolled-upmay still be bigcomplicates journalcauses assigned to agreement processcomplicates proof∑(...proximate causes, agree)by normal patch appendpackagedmay be bigdef'nlocal journal fusion notpart of m-ld protocolso, "proximate causes" need not includeany cause-of-a-proximate-causefusion in journal is broken by anoperation from another process IDall causes must have been receivedonly since last agreementGWT-referenced back-fused operationsalways availablelike snapshotinserted triple may have been deletedmain target of compressiondon't know where in a fusion a triple was deletedwe do nowmay need to void the tail of a fusionlocal clock resetLocal prev set to last-seen by agreementRemote ID ticks set to agreementbreaks local integritynature of agreementcommits not sacrosanctreverse journal entrymay not have permissionall permission checking is local anywaythis is not a real violationdata was inserted by a remoteinclude deleted-TIDs for deleted tripleskeyed to "rid" blank nodedon't know if a deleted triple-TID existedforkthis is in the m-ld core specificationapp optionsreplace with snapshotattempt replay from journalretain forknotify appsimilar to snapshot notificationdisallow further txnssusceptible to impersonation attacklike git conflict≡ blockchain forknotify rejection to senderagreement will have arrived first (FIFO)include most recent 
agreement in recoveryagreement has no dataeasy to void≡ optimistic lock on data/domainconditionscheckingon applyis this data subject to a condition?on transactconstraintblocks txn awaiting proofit should block!otherwise need rebasecallback to appbased on registered conditionexplicitapp provides proof with txntypesexternalconsensusFederated (Istanbul BFT)Proof-of-Xproof by duhraft / paxosleader always availableproof by asking the leaderlockingbootstrap by other"prior agreement"lock is just dataextension of authorityauthorityno consensus – quorum of oneauthority ≡ permission to triggerproof by signaturewhat if authority changesverifiable identity in dataexisting statutegenesissubjectchange typesDELETEINSERTdeclared in the databy propertyby property of reified tripleby queryuse @json for json-rql propertystatutesSignificant state changeTBox changeACL changeobjectall datalike a ledgersome datahow identifiedagreement applies to...speedcf. blockchainscf. not realtime txnshappen at "human speed"principle(does not require journal signatures)deliberate statute violations are ignored by correct clonesaccidental statute violationscan be revokedare unlikelyand you're not required for quorumneed to be partitioned from the agreementrules are encoded in statuteswhich change by agreementclones do not allow invalid ops according to visible rulessymmetric unilateral access control (SUAC)conflict-free constraintson merge, there could be many consequent operations to the violating stateprinciplealways violates one user's intentionmerge of a constraint change with a violationis an unviolating statepermissionsrecovery cannot offerverifiable signaturessnapshot: don't have principal yetrevupif don't have principal yetkeep response signature for later validationif remote operationshave been fusedis this a correct fusion of this time range?verifiable by asking someone elsefuser signs fusion + op-chain hashhow does this help?≡ Holochain local blockchainop-chain hash is cumulative from 
genesisrequires arbitrary associativity of hashinghash chain of contributing opsfuser signs fusionalso journal attributioninclude original principalattack: "Ivan says Bob, who has permission, did this"on responsesquery-based?fundamentally, what is allowed atone clone may not be at another"protest forking"should not revoke if original claim was validviolatorif not allowed, ermre-check permission (now have reason)receive protest(probably intervening messages)protester(ops caused-by violating update will enqueue)(allow app txns)stall app updatespublish "protest" messageidentifies suspect updatewith clockreceive update & check permissionanyone disagreeing can undoprotesting clone may not have permission to undo≡ constraintsame problems as constraint apply can violate local permissionswhat if bad actorpermission claim based on...datastatutebut automatic changes e.g. constraint apply may affect data to which the principal does not have access"data that can be changed only by agreement"volatility hierarchyso, recipient likely to have preconditionbut not guaranteeda transaction cannot cross volatilitiesa permission claim can only bemade against less-volatile dataquery result hashuncheckable if query results have changedor during an attackbased on volatile dataeveryone has access control queriesand maintains hashesexpensiveclockbut...has causal historyuncheckable ifon another strandnot currentdata hashoperation bag hashcategoricalstate-basedclone permissions = user permissionsrequirementsno central controlmetadata is in the datadata"statutes"PermissioningACLdoes not matter if internal or externalConsensus(record of consensus is in the data)PermissionlessABoxTBoxrequirementsattacksincorrect setupapp trainingsocial engineeringapp traininginjectionapp input validationdenial-of-servicenetwork traffic analysisreplaycheck idempotency before signaturemessage service authenticationmessages signedidentify bad actorcommunication interceptionTLSsignature forgeryverified 
appsanti-malwarestorage tamperingrecoveryrevupcoherent but forgedwhole message with clock signedinvalid state from valid messagescannot forge signaturesincoherentSUACsnapshotSUAC (state hash)localuser OS accountmessage forgerymalwareremoteSUAClocalverified appsanti-malwareMITMmessagingidempotentnot able to signnetworkTLSidentity theftout of scope componente-invoicingauditingACLsignificant state changeslegal-docsACLconfidentialitydocument-centricfine-grained(sadly never promised)variable schemaPapersOn Mixing Eventual and Strong Consistency:Acute Cloud Typescheck referencesResearchSmart Contractsevery node executesfunction call is a txncode or code hash is on-chainPrinciplesDecentralised Extensibilityauthority modelNCSC Secure design5. Reduce the impact of compromiseMinimise cachingNo arbitrary queriesAnonymise for reportingSeparate dutiesEasy to rebuild cleanNo back doors for adminMinimise functional surfaceZone & segment network4. Make compromise detection easierMonitor for normal load, I/O, performance, transactionsMinimise access violation feedbackIndependent monitoringDetect malware C&CMonitor for normal commsLogging & events (+ integrity)3. Make Disruption DifficultPlan for failure of third partiesTest for high load (e.g. DOS)Identify bottlenecksDesign for elastic scalabilityResilience to both attack and failure2. Make Compromise DifficultEasy to do the right thingEasy management of access controlEasy maintenanceIndividually authoriseDon't do anything bespokeSeparate management from user interfacesVerify security controlsReduce attack surfaceExternal input (transform, validate or render safely)1. ContextGovernanceEnd-to-endDev/test/prod (esp. 
cyber-physical)Insecure networksCopies of dataNetwork-security devicesThird-party servicesDevicesRolesOperatorsDesignersShared risk propositionSuppliersThreatsAttacker capabilitiesAttack treesGoalsDefend, detect or recoverWhat risks are/not acceptableUnsafetyFraudUnavailabilityUnauthorised accessWhat is needed to operate itOther systemsPeopleConnectionsDataWhat the system is for - + @@ -264,7 +264,7 @@ - + @@ -1103,7 +1103,7 @@ verifiable that the given (sent) fusion is a prefix of a known fusion (at the re - + @@ -1149,7 +1149,7 @@ verifiable that the given (sent) fusion is a prefix of a known fusion (at the re - + diff --git a/prototype/img/security prototype.svg b/prototype/img/security prototype.svg index e53e83b..212be0d 100644 --- a/prototype/img/security prototype.svg +++ b/prototype/img/security prototype.svg 
@@ -1,7 +1,7 @@ -security prototypeexpositionCLI PRPR descriptionextension option on startbranch -> mainSpec pre-releaserequired exports for candidate compliance testsJS engine PRw/CircleCIcompliance test"candidate" compliancelocal testextends Clonebasic docsunit testsPR descriptionlink to Spec PR(no data declaration of extension)pre-declaration of extensionbranch -> edgetraceabilitymoving partssigned entriestimestamp authorityTrusted timenot adoptedeasily mockableRFC3161online authoritiesuse fixed responses in testslive use no good for CINo nodejs-nativeUse OpenSSL in testsAPIoperation triggersin updatesanalysisaudit clonepartition from auditshut downalso shut down process/containercaused by constraint apply failureoutboxoutbox not in domainso, no atomic writeleadership electionknown quantityrestart-onlyschedulingknown quantitynot required in prototype milestoneintegrityexternally-driven authorisationmoving partsedge releaseagreement prover extension pointalso use for CloneExtensionsORM subject with declared classm-ld-irohatestcompliancem-ld-js orchestrator not publishedequivalent of agreements.spec.jsdocker-compose.yml(unit tests)appexttransport security extensionsign with ed25519 public keyagreement prover extensionmulti-signature transactionincomplete proofagreement already committed at origin2. condition signs txn1. 
constraint gives txn as proofapp callbackrequires that MeldApp never proxiedIrohaMeldApp subclasssee [Iroha 2 Approach]test (condition)not all proofs are in a fusioncheck all affected are in declared final state(s)construct actual final statesame algorithmgetAccountDetailcheck (constraint)proof = keyadds a blockvalueprincipal IDfinal state<4096 bytesJSON-LDmaybe encodedrelevant (statutes)affectedsecurity prototypekeyUUIDexpositionhash of valueno needCLI PR>64 bytesPR descriptionprincipalIdextension option on startcanonicalisedbranch -> mainsetAccountDetailsSpec pre-releaserequires extension pointrequired exports for candidate compliance testsrequires ed25519 public keybreaks transport securitydemo in nodeJS engine PRnot available in web cryptow/external optionsCircleCIDIVAcompliance testuses Iroha"candidate" compliancepublic blockchainlocal testTendermint Coreextends Cloneno ledgerbasic docsoriented to replicating app logicunit testsrecently re-brandedBFT enginePR descriptionSawtoothlink to Spec PRparallelismnot needed for m-ld(no data declaration of extension)great for performancepre-declaration of extensionLinux Foundationbranch -> edgeMultichainseems to have quiescedYobichainnot really maintainedtoy blockchain on MultichainHyperLedger Fabriccomplex to get startedbatteries includedconsensusPKIIdentityLinux FoundationIrohaasset-oriented"account detail" key-valuescannot add arbitrary data blockJS client librarycan be in browser!Linux Foundationanalysisrequirementsexternal ACLdullexternal consensusquorumverifiable proofdata-driven authorisationmoving partsjson-rql literalshashingalso for base64Binary etc.canonicalisationor Graph Literals(discussion)Constraint apply rejectionif reason = unauthorisedblacklist clock IDin GWC(and all forked)blacklist clone @iddoes not prevent re-joinnot in messageremove principalcan't if no permission(if has not reached agreement, op would be ignored)with statutes, can only arise from a malicious cloneACL extensionsbecause rejection = 
blacklistInfer statutesrequire ASKconstraintswriteable-if-patternchecks if pattern matches datawith ?s ?p ?o variables from updateO(permissions * triples)e.g. ?s a <restricted>checks insert matches patternCannot check data contexte.g. ?s <group> <restricted>e.g. ?s a <restricted>requires json-rql literalswriteable-if-class-party-roleinducable from -principaladd-only-propertycreates tombstonesesotericsh:NodeShape sh:targetClasswrite permissionmld:ifExistsneeds more thoughtrelates to e.g. SPINe.g.mld:ifExists sh:targetNode = domainsh:property sh:path state; sh:hasValue "sales-order"sh:targetClass = line-itemsh:property sh:hasValuee.g. group = "restricted"plain classagreement conditionhasAuthorityStatutes ConstraintvocabappliesTo: [DELETE | INSERT]Statute + AgreementConditionupgrades Update to AgreementData extension installationAgreement conditionsConstraintsschemaTransport SecurityAgreementsFork/Void MeldApp cbnot fundamental to prototypeapp can export or whateverresolve, rejectokToVoid(state, agreement, updatesToVoid)process before constraintsConstraints can upgrade to agreement≪agree≫ MeldOperationExplicit agreements(must have Authority, if ACL in place)= disallow concurrentany use-cases?isolate agreement feature for testingASK queriesanalysisRequirementsrequirementsstatutesCICinvoice statusschemardf:typeonly applies to deleteassumes disjoint class constraintsworkaround for missing agreement objectsbatched garbage collectevery object insert/delete is an agreementpermissionsp2pl-doccomments: by author+reviewerschema: by ownercontent: by authorsmetadata: immutableCICStateParty-rolewhole domain authorisationmoving partsinit dataPrincipal, certificate, permission[domain] Subject, access, secretACL extensionwriteN/Areadneeds access to stateread permission checkoperation encryption secret in datamld:AccessControlListextensionsmanager[Proxied] implementationsAccessControl interfacedeclaration(<[extension id]> <rdf:type> <mld:Constraint>)<[extension id]> <rdf:type> 
<mld:AccessControl><[extension id]> <https://nodejs.org/api/module> "[module specifier]"<[domain]> <mld:extension> <[extension id]>Pubsubcalls AccessControl extensionop encryptionsig validationcalls-back appsignapp callbacksign bufferanalysisrecovery request signatureneeds sigs before dataapp callbackjust confignegotiateTLS-likeverifysignchannel secretbuffer until setdo not connect until setEncrypt operationsidentity models(with sigs)WebCryptono secure storagevia generateKey+ e.g. OIDCWebAuthnno signaturesStrong support via FIDOUses Proof-of-PossessionWebIDsimulate with PKCS8Solid can use OIDC... but then no (guarantee of) signaturesrelies on HTML keygen! - + @@ -168,7 +168,7 @@ - + @@ -428,9 +428,9 @@ - + - + @@ -444,7 +444,7 @@ - + @@ -455,7 +455,7 @@ - + @@ -465,7 +465,7 @@ - + @@ -475,7 +475,7 @@ - + @@ -494,7 +494,7 @@ - + @@ -568,7 +568,7 @@ - +
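Review bot: the `@@ -1,6711 +1,6748 @@` hunk in design/img/security design.svg cannot be reviewed node by node, because it rewrites the whole export and the diff does not show which parts of the security mind map changed. Please list the added or changed nodes in the commit message, or commit the map's source next to the SVG if there is one. In the same hunk, the label "not if everyone backs-out at at the same time" has a doubled "at". The follow-up hunks at 264, 1103 and 1149 show removed and added lines with no text in them, so it is worth confirming that these are intended changes and not export churn.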
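Review bot: in prototype/img/security prototype.svg, the node "sign with ed25519 public key" under "transport security extension" names the wrong key, since a signature is made with the private key and checked with the public one. Suggest "sign with ed25519 private key", or "verify with ed25519 public key" if verification was meant. As in the design map, the `@@ -1,7 +1,7 @@` hunk carries the whole map text on a single changed line, and the later hunks (168, 428, 444 and onward) show changed lines with no text, so a short summary of the changed nodes in the commit message would make this reviewable.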