We are pleased to announce that Trail of Bits has completed the second independent audit of the SecureDrop Workstation, directly funded by The New York Times. This audit, which took place in December 2020 and January 2021, is the result of a two-engineer, six person-weeks effort. The SecureDrop Workstation, based on Qubes OS, is our next-generation platform which allows journalists to safely retrieve, decrypt, open and export anonymous submissions. It is currently being used in a limited pilot, and the first audit of the SecureDrop Workstation was completed in late 2018.
As stated in the report, the SecureDrop Workstation relies on Qubes OS and Xen to ensure isolation, and those were not the primary scope of the audit:
“[...] the SecureDrop Workstation system relies heavily on the Qubes OS system and its features such as qrexec RPC framework or VM isolation. While we did not focus on the Qubes OS during this assessment, we reviewed the system's configuration and investigated how the Qubes features were used.”
The report confirmed some of our assumptions around the use of virtualization to segment sensitive workloads:
“Overall, the SecureDrop Workstation system represents a complex but well researched product that has been thoughtfully designed.”
None of the issues identified were directly exploitable by an attacker; each requires either a compromise of the SecureDrop server or code execution in certain key VMs within the SecureDrop Workstation:
“We were unable to achieve a direct compromise of the Workstation from the position of an Internet-based attacker during our engagement. Our inability to achieve a direct compromise of SecureDrop Workstation does not imply that such a compromise is impossible or that SecureDrop Workstation is free from bugs.”
Over the course of their engagement, the auditors uncovered 1 high, 6 medium, 7 low and 12 informational findings. You may read the full audit report (PDF [securedrop.org copy]; PDF [Trail of Bits copy]) for details.
Of the findings above, the 1 high and 4 of the 6 medium severity issues identified have already been patched and released, with the fixes validated by the auditing team. As noted in the report for finding TOB-SDW-012, we are investigating better ways to surface security issues to users and administrators. The last two medium-severity issues (TOB-SDW-025 and TOB-SDW-026) will be addressed in the near future along with the remaining findings, as we deem them low risk, given the isolation properties of Qubes and the existing mitigations applied to the SecureDrop Workstation.
Finally, the report also identified a potential architectural improvement: it recommends the creation of a custom RPC service to handle the opening of files, which we will be investigating in the near future.
We would like to thank The New York Times for funding the audit, and Trail of Bits for their careful and thorough review of the codebase. In addition to addressing the findings surfaced in this report, we are also implementing feedback from current pilot participants, and planning new features around export and integration to other communication tools. We are in the process of expanding the pilot to several other news organizations, and hope to provide general availability later this year.
We would also like to invite your feedback on the SecureDrop Workstation codebase. The Workstation is in scope of our bug bounty program, and you can always contact us via an encrypted email to firstname.lastname@example.org (public key, fingerprint: 734F 6E70 7434 ECA6 C007 E1AE 82BD 6C96 16DA BB79).