Results of the Cilium Security Engagement
Cilium is an open source software for providing, securing and observing network connectivity between container workloads, powered by eBPF sandboxing in the linux kernel. It provides cloud-native network security and observability while maintaining strong security properties itself. Similar tools without eBPF have to run at high privileges and can increase security risks, giving Cilium a unique advantage.
Cilium joins a growing list of Cloud Native Computing Foundation Projects (CNCF) audited to improve security posture and help reach graduated status thanks to strategic partner OSTIF. A combination of threat modeling, manual code review and automated testing tools were used for this engagement.
The audit went exceptionally well, with only a handful of medium severity and low/informational issues discovered. The most notable issue was a mutex lock discovered in the Envoy component. A full list of the issues discovered in Cilium can be found in the report at the bottom of this page.
Tooling Updates and Security Posture Improvements
Throughout the engagement the ADA Logics team created fuzzers for both the project and its critical dependencies. A total of 13 fuzzers were written, including 10 for Cilium’s critical functions and policy handling, and an additional 3 fuzzers for the widely used netlink dependency. At the time of this writing, the three fuzzers for netlink have not been integrated into ossfuzz for continuous fuzzing.
Additionally, a lightweight threat model was developed for Cilium that helps contributors and consumers of Cilium understand from a security perspective how Cilium works, and informs users on the attack surface of Cilium, and more importantly, helps contributors to understand how changes to code as the project grows and matures can affect the security of Cilium.
The ADA Logics team also recommended that a document covering how to use Cilium securely should be created to help users understand and manage their configuration of Cilium. The Cilium team is working on creating that document now.
Supply Chain Security Evaluation
Cilium meets most of the requirements for SLSA level 3 (and 4), but does not generate a provenance document with its builds. It does however generate a Software Bill of Materials with each release, and the Cilium team has started to actively track SLSA compliance here.
We thank the Cilium maintainers from Isovalent and the audit team at ADA Logics for their help and collaboration on this engagement.
Special thanks to Cloud Native Computing Foundation for sponsoring the audit and entrusting OSTIF to get the work done. We are truly grateful for the opportunity to help make critical cloud computing infrastructure more secure and sustainable.
The full audit report can be found here: https://ostif.org/wp-content/uploads/2023/02/OSTIF-ADA-Logics-Cilium-Security-Audit.pdf
ADA Logics also did a report about their experience here: https://adalogics.com/blog/cilium-security-audit
The Cloud Native Computing Foundation also posted a blog post here: https://www.cncf.io/blog/2023/02/13/a-well-secured-project-cilium-security-audits-2022-published/