[Security Review] Cilium

[xmulligan]

Project Name: Cilium

Github URL: https://github.com/cilium

CNCF project stage and issue: cncf/toc#952 (Graduation)

Security Provider: Yes

• Identify team
  • Project security lead
  • Lead security reviewer: Andrés Vega (@anvega)
  • 1 or more additional reviewer(s): Frederick F. Kautz IV (@fkautz), Justin Cappos (@JustinCappos ) Jon Zeolla ( @JonZeolla )
  • Every reviewer has read security reviewer guidelines and stated declaration of conflict
  • Sign off by 2 chairs on reviewer conflicts
• Create slack channel: #sec-assess-cilium
• Project lead provides draft document - see outline
• "Naive question phase" Lead Security Reviewer asks clarifying questions
• Assign issue to security reviewers
• Initial review
• Presentation & discussion
• Share draft findings with project
• Assessment summary and doc checked into /assessments/projects/project-name (require at least 1 co-chair approval)
• CNCF TOC presentation (if requested by TOC)

[TheFoxAtWork]

@xmulligan - I've asked @lumjjb @achetal01 @sublimino to convert this issue into a Security Pal to review the items we discussed during DD for graduation and to perform a lightweight threat model. Neither of these items are blockers for Graduation.

[anvega]

@xmulligan @TheFoxAtWork Can you please share the link to the due diligence document? I could not find one on pull/952.

The graduation process does outline the completion of an independent and third party security audit with results published as well as critical vulnerabilities need to be addressed (see graduation_criteria.md) before graduation. Note the project also did not undergo an TAG Security assessment when it was received at incubation at CNCF as it would had it progressed from sandbox. Ideal timing ahead of rubberstamping it as graduation-ready.

Cilium is a project with a core function of serving secure and security capabilities. Among the stated primary use cases there is secure connectivity, encryption, access control, and audit. Given the positioning, TAG-Security would be remiss to not conduct treat the project the scrutiny of a proper and thorough assessment. Not doing so wouldn't just be an oversight in review on our part and that of the TOC, but lack of diligence and a bad precedent.

My recommendation to the TOC is for a full assessment according to the existing process stipulated in addition to the suggest lightweight threat model and the assignment of a security pal.

[anvega]

Reading back over the commit I do see the following:

A CNCF sponsored security audit has been started with OSTIF and Cilium has previously undergone an audit by Cure53 sponsored by Isovalent. A CNCF-sponsored fuzzing audit from ADA Logics is currently underway with a goal to be completed before the end of November. Finally, Cilium currently has an LFX mentee working on increasing the security of the release process including signed SBOMs and signed release artifacts.

I wasn't able to discover links to the audit reports on the project repository or website at first glance or find using search. Links to these resources will be useful to help evaluate.

[fkautz]

If a self-assessment is necessary and still pending, I'd be happy to help facilitate this process.

[xmulligan]

@anvega I just sent you the DD doc on the CNCF slack. We haven't added the doc to the issue yet because we are still finalizing it and haven't opened the public comment period.

The third party security audit by OSTIF will be published on Monday, we were just working on remediation before publication.

[fkautz]

I have read the security reviewer guide and have no conflicts.

[JustinCappos]

I have read the security reviewer guide and have no conflicts

[anvega]

After long deliberation amongst the TAG, we have arrived that the product from assessments is an educational resource that aids adopters and end users to understand in detail the security properties of the project. Project teams find value in producing an asset that preempts the questions you are to encounter from an organization’s security and compliance teams. The benefits are ease of adoption and user enablement. Another way to look at this is the TAG helping you present and defend the case of how secure Cilium is. As part of it, direction and considerations to apply in mitigating different threat scenarios and failure modes will be incorporated into the guidance. As such, we find it pressing to serve the project and its community with the treatment of a complete assessment. Given the maturity, robustness, and rigor for which Cilium has come to be known, it should be a relatively straightforward process.

We have enough reviewers in Fred, Justin, and me to get rolling. We will recruit a few more folks who will join along the way. To get started, @xmulligan, we must identify the folks most familiar with the project's inner workings and security design. Perhaps that’s André or Daniel, but we’ll defer to you to tell us who that is. From prior experience, it does help to include a couple more folks to field review questions, help write the answers, and editorialize the document as the assessment progresses. Once the crew on the Cilium side is identified, we will need you to create the draft document following the outline. I suggest not spending more than a week putting the draft together. The reviewers can help with part of the initial draft, but without your input, we will build it off relying solely on the project's documentation.

For expectation setting, once a self-assessment project draft is ready, the review and project team will enter a phase of naive questions to develop shared context. In the past, this has been async throughout a couple of weeks but could be done over a series of meetings over two to three days to eliminate the back-and-forth toil. From there, we'll get into the actual review; it might take us a couple of days to digest the document. From that consecutive analysis, you can expect more challenging follow on questions requiring in-depth explanation, which will be captured to expand the draft. As part of that next stage, we'll perform a lightweight thread model, an accompanying threat matrix, and an attack tree.

[anvega]

I have read the security reviewer guide and have no conflicts.

@achetal01 @lumjjb @sublimino Can you please look into the three reviewers' no-conflict statements and sign off on those?

[lumjjb]

Chair sign off on conflict statements

[achetal01]

Agree with Brandon, Consider this Sign off on conflict statements

[xmulligan]

@ferozsalam has started working on our threat model here. It would be great to have some feedback on this too cilium/cilium#24497

[stale]

This issue has been automatically marked as inactive because it has not had recent activity.

[anvega]

@xmulligan Picking where we left off, it would be great if the threat model you reference could be included as part of the self-assessment doc. It's not that it's our preference, it's simply part of the established process for the sort of review that you've requested in this issue.

[JustinCappos]

As per @TheFoxAtWork 's reply above, a security assessment will not be performed. So this issue will be closed.

@xmulligan - I've asked @lumjjb @achetal01 @sublimino to convert this issue into a Security Pal to review the items we discussed during DD for graduation and to perform a lightweight threat model. Neither of these items are blockers for Graduation.

[anvega]

There needed to be better communication on this issue which I failed to capture before the chair sign-offs. I apologize for the inconvenience the confusion might have caused.

On the TOC call on March 8th, a month after the @TheFoxAtWork comment, Emily herself deferred the decision to the TAG representatives on whether to carry on with the assessments. Then, those on that call agreed that performing a full assessment would be essential due to the project's heavy positioning in its security aspects.

Justin and I have had recurring conversations about it as assessment coordinators over the last couple of weeks. We both agreed on reopening the issue.

From a scheduling perspective, the project will be placed back in the backlog of assessments. Pending the self-assessment, which the project team still needs to provide, the review will occur once reviewer availability is freed from the number of other project assessments currently in progress.

[lizrice]

@ferozsalam would be a good person from Cilium to answer questions during this process

[JonZeolla]

@anvega is this still open for additional reviewers? I would like to contribute

I have read the security reviewer guide and have no conflicts.

[anvega]

Closing this issue due to inactivity and the threat model the project did on its own. Please feel free to reopen if there is renewed interest in a joint assessment.