Auditing validator signing events

[tarcieri]

YubiHSM2s support advanced auditing features: they retain an audit log (which can be permanently set to on), and can enforce the log must be consumed before additional operations can be performed.

It would nice to be able to retain these audits, and additional information about each signature performed (e.g. current block height) in an external auditing service.

This could potentially be used for a double-signing defense: the KMS could potentially consult with the auditing service to determine the last block height signed.

Launch Plan (Tentative)

The KMS can support an user-configurable auditing subcommand:

• KMS executes auditing subcommand each time a signing operation is performed
• Subcommand is given signing request and signature (via e.g. stdin). Optionally it could also be given the YubiHSM2 audit event/audit log.
• If auditing subcommand exits with an error, signature operation is aborted and an error is returned to the validator (possibly as a configurable option, i.e. fail open vs fail closed)

[tarcieri]

I think Google Trillian would be interesting for this purpose:

https://github.com/google/trillian
https://github.com/google/trillian-examples

Trillian is effectively Merkle Trees-as-a-service with support for an external signing process. It can be easily deployed onto Kubernetes, and supports MySQL and GCP Cloud Spanner as storage backends. This should make it easy to host audit logs on cloud providers, but additionally Trillian separates the roles of storing the log with signing the "tree heads", allowing the audit log's signer to be deployed separately (e.g. in a validator-operated datacenter as opposed to the cloud)

Trillian could be used to implement an append-only log of all validator signing events which also includes HSM audit logs. YubiHSM2 audit logs themselves contain a SHA-256 hash chain in which each audit event commits to the previous one. Capturing this hash chain in Trillian's signed Merkle tree would allow the KMS to detect tampering with the YubiHSM2's audit log.

It could potentially provide much more comprehensive auditing, however, not just of signing events but also of whole public chains / Cosmos Zones. For example, here is a Trillian personality which uses geth to "slurp" the Ethereum blockchain into a Trillian Log, replaying the transactions contained within and storing the resulting account state in a Trillian Map (i.e. sparse Merkle Tree) of accounts to their balances:

https://github.com/google/trillian-examples/tree/master/etherslurp