Check if any of the security issues are blockers for the MVP, and document the remaining security issues

[teor2345]

No description provided.

[mpguerra]

Hey team! Please add your planning poker estimate with Zenhub @arya2 @oxarbitrage @teor2345 @upbqdn

[teor2345]

Our current list of security issues is in the epic, but here's a copy from 7 December:

• security: Files created by Zebra can be read by any user on the same machine #7807
• security: Run the scanner it is own tokio executor, and use low-priority threads to avoid timing attacks #8043
• Store scanner viewing keys in a separate file, and give them more restrictive file permissions #8048
• Add a wrapper around private key types, so we never print them in display or debug code
• Stop repeating the secret key in every database row, this makes it harder to securely delete from disk

I have fixed all the places we're actually logging secret keys right now.

[teor2345]

Here is my take on the security issues:

• security: Files created by Zebra can be read by any user on the same machine #7807

Partially addressed by warning users not to use the experimental scanner on shared machines.

Server processes that run as other users and are exploited could still read the viewing keys. This is addressed by telling users to generate new keys for testing.

• security: Run the scanner it is own tokio executor to avoid timing attacks #8043

This is addressed by telling users to generate new keys for testing.

There also isn't much of an oracle here, because we're launching blocking cryptographic tasks in their own tokio threads.

• Store scanner viewing keys in a separate file, and give them more restrictive file permissions #8048

Same as "Files created by Zebra can be read by any user".

• Add a wrapper around private key types, so we never print them in display or debug code

This is addressed by removing all known key writes to logs.

It is also addressed by telling users to generate new keys for testing.

• Stop repeating the secret key in every database row, this makes it harder to securely delete from disk

Same as "Files created by Zebra can be read by any user".

• Store the private key in the database as a salted hash, so it can't be read and re-used

Not needed yet.

[mpguerra]

@ZcashFoundation/zebra-team any other input on the security analysis for the MVP? Anything else to be done before we close this issue?

[teor2345]

Can someone double-check that the changelog and scanning doc security warnings cover all these cases? And that the warnings are clear and easy to understand?

I think we're fine but it's good to check.

https://github.com/ZcashFoundation/zebra/blob/main/book/src/user/shielded-scan.md
https://github.com/ZcashFoundation/zebra/blob/main/CHANGELOG.md#zebra-150---2023-11-28
https://zfnd.org/zebra-1-5-0-release/

[mpguerra]

Can someone double-check that the changelog and scanning doc security warnings cover all these cases? And that the warnings are clear and easy to understand?

@oxarbitrage Can you please check this? ☝️