Currently supported versions for security updates:

| Version | Supported |
|---|---|
| Latest (main branch) | ✅ |
| Older releases | ❌ |
Please DO NOT report security vulnerabilities through public GitHub issues.
- Email: send details to the repository maintainer
- Include:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if available)
Response timeline:
- Acknowledgment: within 48 hours
- Assessment: within 7 days
- Fix timeline: depends on severity
  - Critical: 1-3 days
  - High: 7-14 days
  - Medium: 14-30 days
  - Low: 30-90 days
Disclosure:
- We will coordinate disclosure timing with you
- Credit will be given for responsible disclosure
- We aim for transparency while protecting users
HashServer is designed for internal network use in controlled environments. Consider these aspects:
- Cryptographic Integrity: uses SHA-256 for binary verification
- No Database Exposure: there is no sensitive hash database to protect
- Read-Only Golden Images: the server only reads golden images and never modifies them
- Stateless Design: each request is independent; the only persistent state is the GoldState.buf cache file described below
- Network Exposure: runs plain HTTP by default (use HTTPS in production)
- Authentication: none built in (use network controls or an authenticating reverse proxy)
- File System Access: requires read access to the golden images
- Internet Fallback: optional external API calls (the Internet JITHash fallback described below)
```json
{
  "App": {
    "Host": {
      // Use HTTPS in production
      "CertificateFile": "production-cert.pfx",
      "CertificatePassword": "strong-password-here"
    },
    "InternalSSL": {
      // "*" binds every interface: keep the host behind the firewall
      "gRoot": "https://*:3343/"
    }
  }
}
```
Recommendations:
- ✅ Deploy behind a firewall
- ✅ Use TLS/SSL certificates
- ✅ Implement network segmentation
- ✅ Use a VPN for remote access
- ✅ Monitor access logs
- ✅ Restrict read access to the configuration file: it holds the PFX certificate password in plaintext
- ❌ Don't expose directly to the internet
HashServer does not include built-in authentication. Use:
- Network-level controls: Firewall rules, VLANs
- Reverse proxy: nginx, Apache with authentication
- API Gateway: With OAuth2/JWT tokens
- VPN: For remote access
Example nginx configuration:
```nginx
server {
    listen 443 ssl;
    server_name hashserver.internal;

    ssl_certificate     /path/to/cert.pem;
    ssl_certificate_key /path/to/key.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Basic authentication (create the file with: htpasswd -c /etc/nginx/.htpasswd <user>)
    auth_basic           "HashServer Access";
    auth_basic_user_file /etc/nginx/.htpasswd;

    location / {
        # HashServer itself speaks plaintext HTTP, so keep it bound to loopback
        # and let nginx be the only listener reachable from the network
        proxy_pass http://localhost:3342;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```
Golden Images:
- Store on dedicated, read-only mount
- Use filesystem permissions (read-only for service account)
- Regularly audit for unauthorized changes
- Consider using immutable snapshots
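One way to carry out the "regularly audit for unauthorized changes" step above, as an added example rather than HashServer's own code: snapshot the golden-image tree into a SHA-256 manifest stored outside the mount, then re-verify the tree against it and report modified, missing and unexpected files. The manifest file name, the sample files and the directory layout are assumptions of this example.

```python
"""Golden-image integrity audit: an added example, not HashServer's own code.

Snapshots every file under a golden-image root into a SHA-256 manifest, then
re-verifies the tree against that manifest and reports modified, missing and
unexpected files. It also exposes a check for whether the account running the
audit can write to the root, since the golden images should be read-only for
the service account. The manifest file name, paths and sample files are
assumptions.
"""
from __future__ import annotations

import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each regular file (relative POSIX path) under root to its SHA-256 digest.
    Symlinks are skipped so a link pointing outside the tree cannot be 'verified'."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and not p.is_symlink()
    }


def verify_manifest(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare the current tree with a stored manifest; any difference is a finding."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p, h in manifest.items() if p in current and current[p] != h),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def writable_by_current_user(root: Path) -> bool:
    """True if this account could alter the golden images (the service account should not)."""
    return os.access(root, os.W_OK)


def save_manifest(manifest: dict[str, str], manifest_path: Path) -> None:
    """Store the manifest outside the golden-image mount so it cannot be edited alongside it."""
    manifest_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(manifest_path: Path) -> dict[str, str]:
    return json.loads(manifest_path.read_text())


def demo() -> dict[str, list[str]]:
    """Constructed sample: snapshot a small tree, tamper with it, re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "golden-images"
        manifest_path = Path(tmp) / "golden-manifest.json"  # kept outside the image root
        (root / "bin").mkdir(parents=True)
        (root / "bin" / "example.exe").write_bytes(b"MZ\x90\x00" + b"\x00" * 60)
        (root / "bin" / "helper.dll").write_bytes(b"MZ\x90\x00" + b"\x01" * 60)
        save_manifest(build_manifest(root), manifest_path)

        # Simulate tampering: patch one binary, delete another, drop in a new file.
        (root / "bin" / "example.exe").write_bytes(b"MZ\x90\x00" + b"\xcc" * 60)
        (root / "bin" / "helper.dll").unlink()
        (root / "bin" / "dropper.exe").write_bytes(b"MZ")
        return verify_manifest(root, load_manifest(manifest_path))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Run the manifest build once from a trusted state, keep the manifest (and this script) somewhere the service account cannot write, and schedule the verify step; a non-empty result in any of the three lists is an incident to investigate, not something to re-baseline automatically.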
Cache Files:
```bash
# Set restrictive permissions on the hash cache
chmod 600 GoldState.buf
chown hashserver:hashserver GoldState.buf
```
Enable appropriate logging:
```json
{
  "App": {
    "Host": {
      "LogLevel": "Warning" // Use "Information" for security monitoring
    }
  }
}
```
Monitor for:
- Unusual request patterns
- Failed hash validations
- Configuration changes
- File system access anomalies
When using Internet JITHash fallback:
```json
{
  "App": {
    "Host": {
      // Control external access
      "ProxyToExternalgRoot": false // Disable if not needed
    },
    "External": {
      "gRoot": "https://pdb2json.azurewebsites.net/"
    }
  }
}
```
Considerations:
- ⚠️ External calls may leak metadata (such as which binaries are being looked up) to the external service
- ⚠️ Dependency on external service availability
- ✅ Use only for well-known Microsoft binaries
- ✅ Consider local-only mode for sensitive environments
Keep dependencies updated:
```bash
# Check for outdated packages
dotnet list package --outdated
# Update a package to its latest version
dotnet add package <PackageName>
```
Note: this project uses .NET Core 2.0, which has been out of support since October 2018 and no longer receives security patches. Consider:
- Upgrading to a supported .NET version
- Applying security patches regularly
- Running dependency scanning tools
Development (plain HTTP on loopback, external fallback enabled):
```json
{
  "App": {
    "Host": {
      "ProxyToExternalgRoot": true,
      "BasePort": 3342
    },
    "Internal": {
      "gRoot": "http://localhost:3342/"
    }
  }
}
```
Production (HTTPS, external fallback disabled, read-only golden images):
```json
{
  "App": {
    "Host": {
      "LogLevel": "Information",
      "CertificateFile": "/secure/path/cert.pfx",
      "CertificatePassword": "strong-password",
      "ProxyToExternalgRoot": false,
      "BasePort": 3343
    },
    "InternalSSL": {
      "gRoot": "https://hashserver.internal:3343/"
    },
    "GoldSourceFiles": {
      "Images": [
        {
          "OS": "Production",
          "ROOT": "/mnt/readonly/golden-images"
        }
      ]
    }
  }
}
```
Before deployment:
- HTTPS enabled with valid certificate
- Network firewall rules configured
- Authentication mechanism in place
- Golden images on read-only filesystem
- Service runs with minimal permissions
- Logging configured appropriately
- External API calls reviewed/disabled
- Regular security updates applied
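Several of the checklist items above can be checked against the configuration file itself before the service starts. The script below is an added example, not part of HashServer: it reads the `App.Host`, `App.Internal`, `App.InternalSSL` and `App.GoldSourceFiles` keys that this page's configuration samples use and reports settings that contradict the checklist. `DEV_CONFIG` and `PROD_CONFIG` are copies of the page's development and production samples; the finding codes and the checks themselves are this example's own assumptions.

```python
"""Configuration audit for a HashServer deployment (added example; not part of
HashServer). It reads the App.Host, App.Internal, App.InternalSSL and
App.GoldSourceFiles keys used in this document's configuration samples and
reports: plaintext HTTP, no TLS certificate, the external JITHash fallback
left on, a bind to every interface, a log level too quiet for monitoring, a
certificate password kept in a config file others can read, and a golden-image
root the running account can write to. DEV_CONFIG and PROD_CONFIG copy the
document's samples; the finding codes and checks are this example's own.
"""
from __future__ import annotations

import os
import stat
from pathlib import Path
from urllib.parse import urlsplit

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}
VERBOSE_ENOUGH = {"Trace", "Debug", "Information"}  # levels that still record requests

DEV_CONFIG = {"App": {"Host": {"ProxyToExternalgRoot": True, "BasePort": 3342},
                      "Internal": {"gRoot": "http://localhost:3342/"}}}

PROD_CONFIG = {"App": {
    "Host": {"LogLevel": "Information", "CertificateFile": "/secure/path/cert.pfx",
             "CertificatePassword": "strong-password", "ProxyToExternalgRoot": False,
             "BasePort": 3343},
    "InternalSSL": {"gRoot": "https://hashserver.internal:3343/"},
    "GoldSourceFiles": {"Images": [{"OS": "Production", "ROOT": "/mnt/readonly/golden-images"}]}}}


def audit_config(cfg: dict, config_path: str | None = None,
                 check_paths: bool = True) -> list[tuple[str, str]]:
    """Return (code, message) findings; an empty list means nothing contradicts the checklist."""
    findings = []
    app = cfg.get("App", {})
    host = app.get("Host", {})

    if host.get("ProxyToExternalgRoot"):
        findings.append(("EXTERNAL_FALLBACK_ENABLED",
                         "ProxyToExternalgRoot is true: lookups can go to External.gRoot and leak metadata"))

    if "InternalSSL" not in app and "CertificateFile" not in host:
        findings.append(("NO_TLS", "no InternalSSL section or CertificateFile: the service speaks plaintext HTTP"))

    for section in ("Internal", "InternalSSL"):
        groot = app.get(section, {}).get("gRoot")
        if not groot:
            continue
        parts = urlsplit(groot)
        if parts.scheme == "http":
            if parts.hostname in LOOPBACK_HOSTS:
                findings.append(("HTTP_LOOPBACK", f"{section}.gRoot {groot} is plaintext on loopback: "
                                                  "acceptable only behind a TLS-terminating reverse proxy"))
            else:
                findings.append(("HTTP_EXPOSED", f"{section}.gRoot {groot} is plaintext HTTP reachable from the network"))
        if parts.hostname == "*":
            findings.append(("WILDCARD_BIND", f"{section}.gRoot {groot} listens on every interface: firewall it"))

    level = host.get("LogLevel")
    if level is not None and level not in VERBOSE_ENOUGH:
        findings.append(("LOG_LEVEL_TOO_QUIET", f"LogLevel {level}: use Information so requests reach security monitoring"))

    if "CertificatePassword" in host:
        msg = "CertificatePassword is stored in plaintext: restrict the config file to the service account"
        if check_paths and config_path is not None:
            mode = Path(config_path).stat().st_mode
            if mode & (stat.S_IRWXG | stat.S_IRWXO):  # any group/other permission bit set
                msg += f" (current mode {stat.filemode(mode)} is readable by others)"
        findings.append(("CERT_PASSWORD_IN_CONFIG", msg))

    if check_paths:  # filesystem checks only make sense on the deployment host
        for image in app.get("GoldSourceFiles", {}).get("Images", []):
            root = image.get("ROOT")
            if not root:
                continue
            if not os.path.isdir(root):
                findings.append(("GOLDEN_ROOT_MISSING", f"golden-image root {root} does not exist"))
            elif os.access(root, os.W_OK):
                findings.append(("GOLDEN_ROOT_WRITABLE", f"golden-image root {root} is writable by this account"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("development", DEV_CONFIG), ("production", PROD_CONFIG)):
        print(f"== {name} ==")
        for code, message in audit_config(cfg, check_paths=False):
            print(f"  [{code}] {message}")
```

Run it as the service account on the deployment host with `check_paths=True` and the real config path, so the filesystem checks (config file mode, golden-image root writability) reflect what the service will actually see. Note that the page's own samples contain `//` comments, which the .NET configuration loader accepts but `json.load` does not; strip them or load the config the same way the application does.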
Ongoing:
- Logs reviewed for anomalies
- Access controls audited
- Configuration backed up securely
- Incident response plan in place
Monitoring:
- Failed authentication attempts tracked
- Unusual request patterns detected
- File system access monitored
- Service availability monitored
- Security logs preserved
Hash algorithm:
- Primary: SHA-256
- Purpose: binary integrity verification
- Collision resistance: ~2^128 operations (birthday bound); preimage resistance: ~2^256 operations
- ✅ Cryptographically secure
- ✅ Fast computation
- ✅ Wide support
- ✅ No known practical attacks
- ✅ Industry standard
HashServer does not protect against:
- ❌ Memory injection attacks (runtime)
- ❌ Rootkits that tamper with the scanning process itself
- ❌ Hypervisor-level attacks
- ❌ Hardware-based attacks
- ❌ Time-of-check to time-of-use (TOCTOU) issues (a binary can change between being hashed and being used)
HashServer does detect:
- ✅ Modified binaries on disk
- ✅ Tampered in-memory code pages
- ✅ Unknown executables
- ✅ Relocated binary differences
We appreciate security researchers who responsibly disclose vulnerabilities. Contributors will be acknowledged (with permission) in release notes.
For security concerns, please contact the repository maintainers directly rather than opening public issues.
🔒 Security is a shared responsibility 🔒