Calling parachain developers to join Composable’s Crev

Disclaimer: Information as of Feb 23, 2022. For the most recent updates, dive into our comprehensive documentation here

The Challenge of Supply Chain Attacks

When writing a codebase, we depend significantly on code written by others in the form of public repositories. While this allows us to build quickly, any codebase is only as secure as its weakest link. In the event of a targeted attack, even a single vulnerability can bring down the entire system.

We saw this recently occur with the Log4j vulnerability. Due to an oversight in an open source logging framework used ubiquitously, malicious actors had the ability to gain remote control of a computer or system. This minor piece of software maintained by a small team of unpaid volunteers had a flaw that took eight years to identify, and set off a cybersecurity crisis that affected large cap companies like Twitter ($29B mkt cap) and Apple ($2.8T mkt cap), cloud providers like Google ($​​1.8T mkt cap), and government transit companies. It may take years before all software using Log4j is appropriately updated and this vulnerability is patched.

While blockchain projects are less affected by the Log4j incident, we are not exempt from supply chain attacks. Blockchains are only as secure as their weakest dependency. Inevitably parachains have many dependencies; if any one of them contains a backdoor, the whole parachain is vulnerable. With the rollout of XCM, the security of parachains becomes even more entwined. By our estimate, parachains’ dependencies are in the hundreds to thousands — Picasso has over 1,000 dependencies itself.

Web of Trust using Cargo Crev is the most decentralized and scalable way to mitigate supply chain risks

We aim to audit all dependencies in our parachains and Substrate, but this is a large undertaking for any party; few organizations have the capacity to audit a codebase line-by-line. We want to maximize our impact by sharing our audit results with other parachains; we also want to leverage the auditing done by other parachains to enhance our security. This is done by building a Web of Trust through Cargo Crev.

Cargo Crev is a language and ecosystem agnostic system to review code. Its Web of Trust works like a social network centered on code security. It allows users to create reviews, use audits by others, and enables Trust to become transitive, revocable, and configurable: if I trust Alice’s judgment on a package, and Alice trusts Bob, then I also trust Bob. (Transitivity yay!) If Bob turns out to be evil, I will stop trusting Bob, which is propagated to the rest of the network.

I can also set different degrees of trust for different members, assigning greater trust, for example, to my direct colleagues. This allows us to scale the auditing process quickly and gives us a baseline view of the most overlooked dependencies in our codebase. In our case, it doesn’t make sense to distrust Parity, as we are building on their work.