
Organize a security audit

Open rugk opened this issue 8 years ago • 12 comments

It would be nice if this backup tool could get a professional security audit. I don't know whether attic once got one, but nevertheless, as many things changed in borg, a security audit for it would also be a nice idea IMHO.

Maybe make a crowdfund campaign or so to raise the money and maybe also make borg popular… :smile:

rugk avatar May 04 '17 17:05 rugk

Yup, maybe when 1.2 goes beta would be a good time as crypto and multithreading changes are planned.

ThomasWaldmann avatar May 04 '17 21:05 ThomasWaldmann

How do you plan to finance it?

rugk avatar May 04 '17 21:05 rugk

Audits are quite expensive and can cover very different levels of scrutiny. Some audits just look at specification or design documents (which largely don't exist for Borg), while you are probably thinking of some folks poking the code base. Given the cost there is also the latent question whether it's worth it, or if Borg is maybe not the correct target. E.g. we use msgpack a lot, which has neither been fuzzed nor audited to the best of my knowledge. Auditing Borg but then having, say, holes in msgpack would be a lot of effort for nothing :)

From my PoV it would seem to make the most sense to mainly look at two different areas: (1) Crypto code, and especially the planned changes there (2) Filesystem code. The latter will of course have issues, that's just the nature of the thing — it's just not possible to make a race-condition free backup of a live file system.

In the meantime this might be an interesting read: https://borgbackup.readthedocs.io/en/latest/internals/security.html

enkore avatar May 05 '17 15:05 enkore

IMHO it's also important to check borg itself. I think some audits also cover the dependencies of the projects, at least sometimes. Also, nowadays there are many actors sponsoring audits for FLOSS software, such as Mozilla, Google or the European Union. If borg were ransomware it would likely get these audits for free, easily… :wink:

rugk avatar Jul 21 '17 14:07 rugk

I'm afraid Borg is a bit too heavy in deployment to be used effectively for ransomware 😉

enkore avatar Jul 21 '17 14:07 enkore

This is an interesting read: https://guidovranken.wordpress.com/ also https://guidovranken.wordpress.com/2017/07/06/which-software-should-i-audit-next/ (probably not relevant for borg, which has little C/C++ code).

FabioPedretti avatar Jul 21 '17 16:07 FabioPedretti

And just as we're talking GitHub also announced something. The problem of course is, borg does not belong to critical infrastructure for the whole web (yet…), so make sure big companies start to use it as their backup tool… :wink:

rugk avatar Jul 21 '17 17:07 rugk

I added this to the helium milestone. It would be a good time now considering that helium (borg 2.0) will get new crypto, see #6463.

I don't think we could afford a commercial security audit, but putting a bounty on this would be possible for sure.

ThomasWaldmann avatar Apr 01 '22 16:04 ThomasWaldmann

I'm writing this on the assumption that a commercial security audit costs ~ $5k-10k. Subject to my precise financial circumstances at the time, I'd be willing to proffer an 'anchor amount' (~ $1,000) for the cost of an audit. One could then poll the userbase to see if the remaining amount could be crowdfunded.

Prior to doing this, I think it would make sense to: (i) create a broad-brush scope for the audit (e.g. enkore's 5 May 2017 comment above); (ii) reach out to one or two audit companies to get a more informed view on pricing (I don't know who they are, but I presume this would be easy to find out).

Does anyone have a rough idea as to how many regular users there are of borg? I have to believe it's core software infrastructure for a meaningful number of people ('define meaningful', I know). It seems to me that the helium milestone would be a good juncture to get an audit.

awgcooper avatar Sep 28 '22 21:09 awgcooper

Hello, I would be willing to add 500€ to the audit fund.

The security audit for gocryptfs was done by Defuse Security (https://defuse.ca/software-security-auditing.htm) and it seems that they have experience in auditing open source software. EDIT: They even write "To give back to the community, I substantially reduce my rate for published open-source software (GPL, MIT, BSD, CC0, etc.) as well as open-access research."

Best-HeyGman avatar Sep 21 '24 08:09 Best-HeyGman

Also, I do think a good time for the audit would be before Borg 2.0.0 stable is released, as it would be very difficult to make changes to the security architecture after that point.

Best-HeyGman avatar Sep 22 '24 07:09 Best-HeyGman

@Best-HeyGman Thanks for offering your support!

I agree that before borg2 stable release would be a good time.

ThomasWaldmann avatar Sep 22 '24 12:09 ThomasWaldmann

@ThomasWaldmann I see you've added this to the 2.0.0 milestone. Is it ok for you if I put my 500€ in via Open Collective? (https://opencollective.com/borgbackup)

Best-HeyGman avatar Jun 30 '25 10:06 Best-HeyGman

@Best-HeyGman IIRC (didn't do much yet with OC): the funds collected via Open Collective are not bound to specific issues like "doing a security audit".

Thanks for intending to support this!

ThomasWaldmann avatar Jun 30 '25 11:06 ThomasWaldmann

@ThomasWaldmann Yeah, I guess a better way would be setting up some kind of gofundme after getting a quote on how much money is needed.

However, I didn't want to burden you with having to set that up when the Open Collective is already there.

Best-HeyGman avatar Jun 30 '25 14:06 Best-HeyGman

@ThomasWaldmann Alright, here it is, before I forget about this again: https://opencollective.com/borgbackup/contributions/865259 Don't worry, if there's no security audit in the end, just keep it. Borgbackup deserves it either way :)

Best-HeyGman avatar Jul 01 '25 07:07 Best-HeyGman

@Best-HeyGman Thanks a lot for supporting the project!

ThomasWaldmann avatar Jul 01 '25 08:07 ThomasWaldmann