This document covers the security posture of:

• The .6cy binary format (v2.0.0)
• The sixcy Rust reference implementation (v2.0.0)
• The plugin_abi/sixcy_plugin.h C ABI for codec plugins

Do not open a public GitHub issue for security vulnerabilities.

Email the maintainer directly at the address in Cargo.toml. Include:

1. A concise description of the vulnerability.
2. The affected version(s).
3. Steps to reproduce (minimal archive file, code snippet, or command sequence).
4. Potential impact assessment (your view of severity).
5. Whether you have a suggested fix.

Response SLA:

We will credit reporters in the release notes and CHANGELOG.md unless they prefer to remain anonymous.

The reference implementation assumes:

• The archive file is untrusted. Every byte read from disk is treated as potentially attacker-controlled.
• The password is trusted. Key derivation is correct; the password itself is not validated beyond being a non-empty UTF-8 string.
• The plugin shared library is trusted. A plugin that exports sixcy_codec_register is loaded with the same trust as the host binary. Untrusted plugin loading is out of scope for this release.

Attack: An attacker crafts an archive with extreme comp_size, orig_size, or header_size values to cause integer overflow, out-of-bounds read, or excessive allocation.

Mitigations:

• header_crc32 is verified before any field is interpreted. A flipped bit in a size field is caught before any allocation.
• All buffer allocations are bounded by the field value (comp_size allocates exactly comp_size bytes). No unbounded reads.
• Rust's safe arithmetic panics on overflow in debug builds; release builds use explicit checked arithmetic at superblock parse time.
• orig_size is u32 (max 4 GiB per block), limiting decompressor output allocation to 4 GiB per block call.

Attack: A block reports orig_size = 1 MB but decompresses to 4 GB, exhausting memory.

Mitigations:

• orig_size is embedded in the block header and checked before decompression begins.
• The decompressor is called with the expected output size as a capacity hint. A well-behaved decompressor will not exceed this.
• The BLAKE3 content hash check (content_hash) after decompression will fail if the decompressor produces more bytes than declared, since the hash was computed over the original data.
• Recommendation for embedders: Set a max_orig_size guard before calling decode_block in untrusted contexts.

Attack: Measure the time of the content hash comparison to learn partial information about the expected hash.

Mitigation: The BLAKE3 comparison uses Rust's built-in array equality check. Embedders in timing-sensitive environments should replace the equality check with subtle::ConstantTimeEq.

Attack: A block encrypted with key A is decrypted with key B; the GCM tag check should fail, but a bug causes it to succeed.

Mitigation: AES-256-GCM authentication is delegated entirely to the aes-gcm crate (RustCrypto). The GCM tag covers the entire ciphertext. A single-bit error in the key or ciphertext causes tag failure with overwhelming probability (2^-128 false-positive rate).

Attack: A plugin registers a UUID that collides with a built-in codec, causing the wrong decompressor to be invoked.

Mitigation: Built-in codec UUIDs are checked first in CodecId::from_uuid. Plugin UUIDs that collide with built-in UUIDs should be rejected at plugin load time.

Attack: An attacker modifies the INDEX block to point file records at wrong block offsets, extracting arbitrary bytes from another file's blocks.

Mitigation: Every block header carries its own header_crc32 and content_hash. A tampered archive_offset will point to a region that either fails the CRC32 check (wrong header bytes), fails the BLAKE3 check (wrong content), or both. The attacker cannot control what data is extracted.

Attack: Future adversaries use quantum algorithms to break Argon2id/AES-256.

Status: The pq_crypto.rs module provides interface hooks for post-quantum KEM integration, but this is currently a placeholder. The cryptographic primitives used (AES-256-GCM, Argon2id) are considered secure against classical attacks; quantum-resistant algorithms are planned for a future release.

• Every block header carries a mandatory CRC32
• Every block payload is verified with BLAKE3
• Superblock carries CRC32
• AES-256-GCM encryption applied to encrypted payloads
• Argon2id key derivation from password
• Reed-Solomon FEC for error recovery (implemented in fec.rs)
• Shamir's Secret Sharing available (in sharding.rs)

• All I/O uses explicit little-endian field reads (no implicit byte-order)
• comp_size read before allocation; size is bounded by u32
• try_into().unwrap() on fixed-size slice conversions — panics if slice is wrong size, which indicates a bug in the header-size constant
• No unsafe in core library except the intentional FFI boundary in plugin.rs, which is documented
• argon2 0.5 with Argon2id algorithm
• aes-gcm with getrandom feature enabled for OS-seeded nonces

• cargo audit for known CVEs in dependencies (planned for CI)
• cargo deny for license compatibility checking (planned)
• Fuzzing harness for BlockHeader::read and Superblock::read (planned)

The same Argon2id-derived key is used for all blocks in an archive. Compromise of the archive password compromises all blocks retroactively. Per-block ephemeral keys are not implemented in this release.

The lzma-rs 0.3 decompressor is slower than optimized C implementations. This is a performance limitation, not a security issue.

Codec plugins loaded via plugin_abi/sixcy_plugin.h execute arbitrary native code within the host process. Loading an untrusted plugin is equivalent to executing untrusted code. No sandboxing is provided in this release.

The pq_crypto.rs module contains interface definitions only. Actual post-quantum algorithm integration (e.g., Kyber) is not implemented in this release.

Run cargo audit regularly to check for newly disclosed CVEs in these dependencies.

| v2.0.0 | Extended superblock flags; added Shamir SSS and Reed-Solomon FEC implementations | | v1.0.0 | Added recover, merge, bench subcommands; recovery scanner improvements | | v0.3.0 | Added mandatory header_crc32 to every block header; added superblock CRC32; codec UUID mismatch now fails at open time | | v0.2.0 | Added AES-256-GCM block encryption; Argon2id key derivation; BLAKE3 content hash verification | | v0.1.0 | Initial release |