Security: jof/anodize

docs/security.md

Security

This document covers Anodize's security invariants, threat model, and known security findings. It assumes familiarity with the overview.


Security invariants

These are design-level guarantees enforced structurally in the code, not by policy alone.

No secrets on the terminal

Sensitive values (HSM PINs, raw private key material, wrap keys, intermediate secrets) must never be printed to the terminal. The TUI mirrors its status log to tty2 (scrollable audit trail) — an operator photographing the screen would capture any displayed secret.

SSS share display is the one controlled exception: shares are shown one at a time to each custodian as a numbered word grid, hidden by default, revealed only on explicit [S] press. The share is cleared before the next custodian steps forward. Share entry uses word-by-word input with per-word validation; the reconstructed PIN is held in memory only for the duration of the HSM login call.

Disc-before-shuttle

Every signed artifact is held in RAM after signing. The artifact is committed to write-once optical disc (BD-R, DVD-R, M-Disc) before being written to the shuttle USB. The Export phase is only reachable after the disc session closes successfully — a full SG_IO SAO session burn, not a file write to a pre-mounted path. Enforced structurally: the data does not exist on any writable path until after the disc session closes.

Write-ahead log

Before any irreversible HSM operation (key generation, PIN change, signing), an intent WAL session is committed to disc. If the machine crashes, the intent is always on record for forensic review.

Log genesis binding

`prev_hash[0] = SHA-256(root_cert_DER)`. The audit log is irrevocably tied to the specific root ceremony. Forking the log requires possessing the original root certificate.

CSR validation

The CSR signature is verified before any field is parsed. Only a conservative set of extensions is emitted (BasicConstraints, KeyUsage, SKI, AKI, CDP). All other extensions from the CSR are rejected.

PIN handling (SSS)

The HSM PIN is a 32-byte random value generated by the CSPRNG, split by SSS, verified by share commitments and `pin_verify_hash` — no operator ever types or sees the raw PIN.

Single-ceremony terminal

The sentinel acquires an exclusive flock before exec-ing the ceremony binary. Only one ceremony can run at a time across all TTYs.

Rewritable media rejection

GET CONFIGURATION probes the optical media profile. Rewritable profiles (CD-RW, DVD-RW, BD-RE) are rejected. Only write-once media is accepted.
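The profile check, as an added illustration rather than Anodize's own code: it reads the 8-byte feature header that GET CONFIGURATION returns (Data Length, two reserved bytes, then the Current Profile at bytes 6 and 7), classifies the profile, and accepts only a write-once set. The profile numbers are the standard MMC values; the exact accept list, the function names and the constructed sample buffers are this example's assumptions. Unknown profiles and the "no current profile" value are refused, so the check fails closed.

```python
import struct
from typing import Tuple

# MMC profile numbers as reported in the GET CONFIGURATION feature header.
# The accept list is this example's assumption: write-once profiles only.
WRITE_ONCE = {
    0x0009: "CD-R",
    0x0011: "DVD-R",
    0x0015: "DVD-R DL",
    0x001B: "DVD+R",
    0x002B: "DVD+R DL",
    0x0041: "BD-R SRM",
    0x0042: "BD-R RRM",
}
REWRITABLE = {
    0x000A: "CD-RW",
    0x0012: "DVD-RAM",
    0x0013: "DVD-RW (restricted overwrite)",
    0x0014: "DVD-RW (sequential)",
    0x0017: "DVD-RW DL",
    0x001A: "DVD+RW",
    0x002A: "DVD+RW DL",
    0x0043: "BD-RE",
}
READ_ONLY = {0x0008: "CD-ROM", 0x0010: "DVD-ROM", 0x0040: "BD-ROM"}


def current_profile(response: bytes) -> int:
    """Extract the Current Profile field from a GET CONFIGURATION response.

    Feature header layout: Data Length (4 bytes, big-endian), two reserved
    bytes, Current Profile (2 bytes, big-endian); feature descriptors follow.
    """
    if len(response) < 8:
        raise ValueError("short GET CONFIGURATION response: %d bytes" % len(response))
    (profile,) = struct.unpack(">H", response[6:8])
    return profile


def classify_media(profile: int) -> Tuple[bool, str]:
    """Return (accepted, description). Everything that is not write-once is
    refused, including unknown profiles, so the gate fails closed."""
    if profile in WRITE_ONCE:
        return True, WRITE_ONCE[profile]
    if profile in REWRITABLE:
        return False, "rewritable media refused: " + REWRITABLE[profile]
    if profile in READ_ONLY:
        return False, "read-only media refused: " + READ_ONLY[profile]
    if profile == 0x0000:
        return False, "no current profile (drive empty or medium unrecognised)"
    return False, "unknown profile 0x%04X refused" % profile


def check_media(response: bytes) -> Tuple[bool, str]:
    """Gate used before a burn: parse the header, then classify."""
    return classify_media(current_profile(response))


def sample_response(profile: int) -> bytes:
    """Constructed feature header with no feature descriptors (test data only).
    Data Length counts the bytes after itself: reserved (2) + profile (2)."""
    return struct.pack(">IHH", 4, 0, profile)
```

In practice the response buffer comes back from the SG_IO ioctl; the parsing and classification are the same whatever transport delivered it.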


Trust boundaries

| Boundary | Inside | Outside |
|---|---|---|
| HSM backend interface | Private key material, PIN-gated signing | Anodize binary, ceremony operator |
| Air-gapped machine | Ceremony binary, RAM state, mounted shuttle | Network, external hosts |
| Write-once disc | Committed audit sessions, `STATE.JSON` | RAM-resident artifacts pre-commit |
| Shuttle USB | `profile.toml`, CSRs, signed artifacts | Operator's source environment |
| Custodian boundary | Individual SSS share (paper) | All other custodians, digital systems |
| Fleet boundary | Each HSM device | Other devices, wrap key material |

Threat model

Compromised ceremony operator

Threat: operator ignores paper checklist, acts maliciously.

Mitigations:

  • Every CA operation recorded on write-once disc with hash-chained audit log.
  • Quorum (threshold SSS) prevents single-operator signing.
  • TUI enforces ceremony pipeline structurally — no skipping or reordering.

Residual risk: colluding quorum can authorize any operation.

Compromised ISO build host

Threat: backdoored ISO.

Mitigations:

  • Reproducible builds (Nix). Any party can rebuild and verify byte-for-byte.
  • Release artifacts include sha256 + detached signatures.

Residual risk: detection only — the verifier must actually compare.

Stolen HSM with known PIN

Threat: physical theft + PIN knowledge = full signing capability.

Mitigations:

  • PIN is a 32-byte random value, never stored digitally; reconstructing it requires a custodian quorum.
  • Share commitments prevent index spoofing; PIN verify hash avoids wasting retries.
  • Physical security is an operational requirement.

Residual risk: attacker with HSM + enough paper shares.
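The share mechanics behind this section and the PIN handling invariant above, as an added example (not Anodize's implementation): Shamir sharing over GF(2^8) applied byte-wise to a 32-byte PIN, a per-share commitment that binds share bytes to their index so a share cannot be presented under a different index, and a verify hash checked before the reconstruction would be handed to the HSM login. The domain tags inside the two hashes, the function names and the threshold parameters are assumptions; the word-grid encoding used for custodians is not shown.

```python
import hashlib
import secrets
from typing import Dict, List, Tuple

# Shamir secret sharing over GF(2^8) with the AES reduction polynomial.
GF_POLY = 0x11B


def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8): carry-less product reduced modulo x^8+x^4+x^3+x+1."""
    p = 0
    while b:
        if b & 1:
            p ^= a
        a <<= 1
        if a & 0x100:
            a ^= GF_POLY
        b >>= 1
    return p


def gf_inv(a: int) -> int:
    if a == 0:
        raise ZeroDivisionError("0 has no inverse")
    return next(x for x in range(1, 256) if gf_mul(a, x) == 1)


def eval_poly(coeffs: List[int], x: int) -> int:
    """Horner evaluation; coeffs[0] is the constant term (the secret byte)."""
    y = 0
    for c in reversed(coeffs):
        y = gf_mul(y, x) ^ c
    return y


def split_secret(secret: bytes, k: int, n: int) -> List[Tuple[int, bytes]]:
    """Split into n shares with threshold k; share index x runs 1..n."""
    if not 1 <= k <= n <= 255:
        raise ValueError("need 1 <= k <= n <= 255")
    shares = [bytearray() for _ in range(n)]
    for byte in secret:
        coeffs = [byte] + list(secrets.token_bytes(k - 1))  # random degree k-1 polynomial
        for i in range(n):
            shares[i].append(eval_poly(coeffs, i + 1))
    return [(i + 1, bytes(s)) for i, s in enumerate(shares)]


def reconstruct(shares: List[Tuple[int, bytes]]) -> bytes:
    """Lagrange interpolation at x = 0, byte by byte."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    out = bytearray()
    for pos in range(len(shares[0][1])):
        acc = 0
        for xi, yi in shares:
            num = den = 1
            for xj, _ in shares:
                if xj != xi:
                    num = gf_mul(num, xj)
                    den = gf_mul(den, xj ^ xi)  # subtraction is XOR in GF(2^8)
            acc ^= gf_mul(yi[pos], gf_mul(num, gf_inv(den)))
        out.append(acc)
    return bytes(out)


def share_commitment(index: int, share: bytes) -> bytes:
    """Binds a share to its index; the domain tag is an assumption of this example."""
    return hashlib.sha256(b"share-commitment:" + bytes([index]) + share).digest()


def pin_verify_hash(pin: bytes) -> bytes:
    """Lets the combiner check a reconstruction before spending an HSM retry."""
    return hashlib.sha256(b"pin-verify:" + pin).digest()


def generate_pin_shares(k: int, n: int):
    """Generate the 32-byte PIN and return only what leaves the generator:
    shares, their commitments and the verify hash. The PIN is not returned."""
    pin = secrets.token_bytes(32)
    shares = split_secret(pin, k, n)
    commitments = {i: share_commitment(i, s) for i, s in shares}
    return shares, commitments, pin_verify_hash(pin)


def recover_pin(presented: List[Tuple[int, bytes]], commitments: Dict[int, bytes],
                verify_hash: bytes) -> bytes:
    """Check each presented share against its commitment, reconstruct, and
    confirm the result before it would be passed to the HSM login call."""
    for index, share in presented:
        if commitments.get(index) != share_commitment(index, share):
            raise ValueError("share %d does not match its commitment" % index)
    pin = reconstruct(presented)
    if pin_verify_hash(pin) != verify_hash:
        raise ValueError("reconstruction failed pin_verify_hash; not sent to HSM")
    return pin
```

Two details matter for the threat in this section: the commitment check runs before any arithmetic, so a mis-indexed or fabricated share is rejected without touching the HSM, and a below-threshold reconstruction produces bytes that fail the verify hash rather than consuming an HSM retry.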

Supply-chain attack on dependencies

Threat: malicious crate version exfiltrates key material.

Mitigations:

  • cargo-deny + cargo-vet enforce license/advisory/audit policies.
  • Air-gapped ISO has no network at runtime.
  • Small, well-known crate set (RustCrypto / Mozilla families).

Residual risk: compromised crate could behave normally until a trigger.

Covert channel via signing output

Threat: secrets encoded in ECDSA nonce or cert fields.

Mitigations:

  • Nonce generation is inside the HSM, not in Rust code.
  • Certificate/CRL fields are constructed from explicit auditable parameters.
  • Audit log records enough to reconstruct what was signed.

Residual risk: HSM firmware is a trust anchor.

Disc integrity and media failure

Threat: optical media degrades or burn fails mid-write.

Mitigations:

  • WAL intent/record pairs: interrupted burns are forensically visible.
  • Copy-in: each session contains all prior sessions.
  • OPC calibration + SYNCHRONIZE CACHE.
  • M-Disc media recommended (>1000-year rating).

Residual risk: all copies lost or damaged. Maintain multiple independent copies.

Rogue shuttle USB

Threat: malicious USB device exploiting kernel drivers.

Mitigations:

  • Mount with `MS_NOEXEC | MS_NOSUID | MS_NODEV`.
  • No network stack on ISO.
  • Sysfs enumeration + direct mount(2) — no automount daemon.

Residual risk: kernel-level USB exploits are out of scope for userspace.
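A post-mount check for the first mitigation, added here as an example and not part of Anodize: it parses the `/proc/self/mountinfo` table and reports which of the three hardening flags a given mount point lacks (`noexec`, `nosuid`, `nodev` are how `MS_NOEXEC | MS_NOSUID | MS_NODEV` appear there). The mountinfo lines in `SAMPLE_MOUNTINFO` are constructed test data, and the mount point names are assumptions.

```python
from typing import Dict, List

# Flags the shuttle mount must carry, as they appear in /proc mountinfo.
REQUIRED_FLAGS = {"noexec", "nosuid", "nodev"}


def parse_mountinfo(text: str) -> Dict[str, dict]:
    """Parse mountinfo lines into {mount_point: {"opts", "fstype", "source"}}.

    Each line reads: id parent major:minor root mount_point per-mount-opts
    [optional fields ...] - fstype source super-opts. A space inside a path is
    escaped as \\040.
    """
    mounts: Dict[str, dict] = {}
    for line in text.splitlines():
        head, sep, tail = line.partition(" - ")
        if not sep:
            continue  # not a mountinfo line
        fields = head.split()
        if len(fields) < 6:
            continue
        mount_point = fields[4].replace("\\040", " ")
        opts = set(fields[5].split(","))
        tail_fields = tail.split()
        mounts[mount_point] = {
            "opts": opts,
            "fstype": tail_fields[0] if tail_fields else "",
            "source": tail_fields[1] if len(tail_fields) > 1 else "",
        }
    return mounts


def missing_flags(mounts: Dict[str, dict], mount_point: str) -> List[str]:
    """Flags from REQUIRED_FLAGS that the mount does not carry. An absent
    mount point is reported as missing all of them (fail closed)."""
    info = mounts.get(mount_point)
    if info is None:
        return sorted(REQUIRED_FLAGS)
    return sorted(REQUIRED_FLAGS - info["opts"])


def shuttle_mount_ok(text: str, mount_point: str) -> bool:
    return missing_flags(parse_mountinfo(text), mount_point) == []


# Constructed sample: a correctly hardened shuttle mount and one mounted
# without the flags (test data, not output captured from a real machine).
SAMPLE_MOUNTINFO = """\
25 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw
91 25 8:17 / /mnt/shuttle rw,nosuid,nodev,noexec,relatime - vfat /dev/sdb1 rw,fmask=0022
92 25 8:33 / /mnt/bad\\040one rw,relatime - vfat /dev/sdc1 rw
"""


def check_live(mount_point: str = "/mnt/shuttle") -> List[str]:
    """Read the real table on a running system; returns the missing flags."""
    with open("/proc/self/mountinfo") as fh:
        return missing_flags(parse_mountinfo(fh.read()), mount_point)
```

Running `check_live()` right after the `mount(2)` call, and refusing to proceed unless it returns an empty list, turns the mount flags from an intention into a verified precondition of the Export phase.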

Terminal screenshot leaking secrets

Threat: operator photographing ceremony screen.

Mitigations:

  • Design invariant: secrets never printed. PIN entry uses masked input with random-length noise.
  • SSS shares: one at a time, hidden by default, cleared between custodians.
  • tty2 mirror excludes secrets.

Residual risk: custodian photographs their own share display.

Clock manipulation

Threat: wrong clock produces backdated certs/CRLs.

Mitigations:

  • ClockCheck gate requires operator confirmation of UTC time.
  • No NTP on air-gapped machine — operator sets clock from trusted reference.

Residual risk: malicious operator confirms wrong clock. Witnessed ceremonies + audit log provide detection.


Physical ceremony recommendations

  • No-Peek Keyboard Cover — opaque keyboard tent preventing keystroke observation.
  • Philbert Lux privacy hood — blocks side-angle/over-shoulder viewing of TUI display.
  • DM Screen / Trifold Poster Board — shields share transcription workspace from observers and cameras.

Out of scope

  • Online CA / OCSP / ACME: Anodize signs intermediates and CRLs only.
  • Entropy quality on the ISO: jitterentropy + hardware TRNG assumed; confirming TRNG availability is an operational step.

Known security findings

Security issues discovered during development and testing are tracked in SECURITY_FINDINGS.md in the repository root, categorized by severity. Key findings that have been resolved:

  • Critical: audit log hash chain computed over formatted string instead of raw bytes (fixed — SHA-256 over canonical byte serialization)
  • High: `serial_to_u64` silently overflowed 128-bit cert serials to 0 (fixed — serials stored as hex strings)
  • High: duplicate revocations accepted silently (fixed — dedup check before append)
  • Medium: PIN displayed in debug output during tests (fixed — `SecretString` throughout)
  • Medium: CRL entry timestamps used local time instead of UTC (fixed)
  • Low: share reveal had no visual indicator of exposure state (fixed — ⚠ REVEALED indicator)

See SECURITY_FINDINGS.md for the complete list with descriptions and fix details.
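The hash chain from the critical finding above, together with the genesis binding and write-ahead log invariants, as an added example that is not Anodize's own code: `prev_hash[0]` is derived from the root certificate DER, every entry hashes a length-prefixed byte serialization of its fields, verification rejects a chain replayed against a different root or with an altered entry, and intent/record pairs expose an interrupted operation. The defective variant (hashing a formatted string) is reproduced beside it so the field-boundary ambiguity is concrete. The record layout, the intent/record labels and the sample payloads are assumptions.

```python
import hashlib
import struct
from typing import List, Tuple

Entry = Tuple[bytes, str, str, bytes, bytes]  # prev_hash, kind, op, payload, entry_hash


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def canonical(fields: List[bytes]) -> bytes:
    """Length-prefix every field. The serialization is injective: no choice of
    field contents can collide with a different record's serialization."""
    return b"".join(struct.pack(">I", len(f)) + f for f in fields)


class AuditLog:
    """Hash-chained audit log whose genesis is bound to the root certificate."""

    def __init__(self, root_cert_der: bytes):
        self.prev_hash = sha256(root_cert_der)  # prev_hash[0] = SHA-256(root_cert_DER)
        self.entries: List[Entry] = []

    def append(self, kind: str, op: str, payload: bytes) -> bytes:
        """kind is "intent" (written before an irreversible HSM operation) or
        "record" (written after it completes)."""
        record = canonical([self.prev_hash, kind.encode(), op.encode(), payload])
        h = sha256(record)
        self.entries.append((self.prev_hash, kind, op, payload, h))
        self.prev_hash = h
        return h


def verify_chain(root_cert_der: bytes, entries: List[Entry]) -> bool:
    """True only if every link hashes correctly and the chain starts at this root."""
    expected = sha256(root_cert_der)
    for prev, kind, op, payload, h in entries:
        if prev != expected:
            return False
        if sha256(canonical([prev, kind.encode(), op.encode(), payload])) != h:
            return False
        expected = h
    return True


def unresolved_intents(entries: List[Entry]) -> List[str]:
    """WAL view: intents with no later matching record, i.e. operations that
    were started but never recorded as finished (crash or interrupted burn)."""
    open_ops: List[str] = []
    for _, kind, op, _, _ in entries:
        if kind == "intent":
            open_ops.append(op)
        elif kind == "record" and op in open_ops:
            open_ops.remove(op)
    return open_ops


# The defect from the findings list: hashing a formatted string. Field
# boundaries are lost, so two different records can produce one hash.
def flawed_hash(prev: bytes, op: str, payload: bytes) -> bytes:
    return sha256(("%s|%s|%s" % (prev.hex(), op, payload.decode())).encode())


def flawed_collides() -> bool:
    prev = bytes(32)
    return flawed_hash(prev, "sign", b"x|y") == flawed_hash(prev, "sign|x", b"y")


def canonical_collides() -> bool:
    prev = bytes(32)
    a = sha256(canonical([prev, b"sign", b"x|y"]))
    b = sha256(canonical([prev, b"sign|x", b"y"]))
    return a == b
```

`verify_chain` is what a reviewer would run against the disc sessions with the root certificate in hand; `unresolved_intents` is the forensic query the WAL invariant exists to support.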
