Sandfly is proactive about protecting the security of our customers and has recently completed an external code audit of our on-host forensic engines that found no significant security issues. Further, all builds use Veracode to perform automatic static and dynamic analysis during our development cycle. Combining manual and automated audits provides assurance to customers that our product is safe and follows industry best practices to prevent attacks.
Sandfly engaged Cure53 to conduct an extensive code review of our on-host forensic engines. Cure53 is a highly respected firm that has conducted audits of many products such as VPN clients and password managers used by millions of people.
The audit encompassed a complete code review as well as analysis for attack vectors that could lead to privilege escalation or other problems during execution. The audit consisted of two phases:
White box penetration tests against the Sandfly implementation and binary.
Complete source code audit against the Sandfly forensic engines.
A "white box" test means that the auditors have access to the source code, so they can analyze the system and prepare attacks with full knowledge of how it works. This differs from "black box" testing, where the auditors have no visibility into the code and must attempt to exploit potential problems blindly. The primary advantage of white box testing is that the attacks can be far more focused and efficient, with little risk of missing obvious problems, because nothing is hidden from the auditors.
Cure53 reports the following from the white box testing phase of Sandfly:
Throughout the binary review phase, no particularly noteworthy attack vectors or weaknesses were discovered. In addition, the entire scan process was traced using Linux’s syscall tracing facilities to ensure any potential attack vectors were discovered.
The most significant security risk naturally stems from the fact that Sandfly runs with super-user privileges. Given its passive nature, however, the testing team was unable to detect any vulnerabilities that would otherwise allow for privilege escalation from low to root by abusing the Sandfly binary.
Cure53 also conducted a full source code audit of the Sandfly binary. This review produced no significant findings. Remediation was applied to a small handful of low-impact issues.
In summary, no significant privilege-escalation vectors were identified in the assigned time frame of the audit. Notably, the Sandfly agent itself only performs passive actions on the host and does not perform any active actions that would otherwise be exploitable by a malicious actor to cause harm on the system.
They conclude:
In conclusion, the scope components under scrutiny by the testing team for this audit appear robust from a security perspective. Cure53 is pleased to report that no other concerning or worrisome findings were detected. Following the successful mitigation of the relevant issues enumerated in this report, the platform will undoubtedly be well safeguarded for production use.
In addition to manual code reviews, Sandfly uses Veracode to perform automatic dynamic and static code audits on every build. Any problems detected are investigated and addressed before a build is delivered to customers. We are listed in the Veracode vendor directory below:
Veracode Verified Directory for Sandfly Security
The Cure53 and Veracode reports are available to licensed customers and those evaluating Sandfly for licensing. Please contact us if you'd like a copy of these reports.