Trust Issues

trouble in package paradise

@nietaki

whoami

Jacek Kr贸likowski

whoami

Jacek Kr贸likowski

@nietaki

Disclaimers

Prototyping

!= production

"Reasonable Security"

  • Infrastructure
  • SSL, auth
  • review our code
  • not review the libraries?

Why not to look into the libraries

The code gets peer-reviewed on GitHub!

=

?

I only use popular packages!

$ wc -l mix.lock
106 mix.lock
  "unicode_util_compat": {:hex, :unicode_util_compat, "0.3.1", "a1f612a7b512638634a603c8f401892afbf99b8ce93a45041f8aaca99cadb85e", [:rebar3], [], "hexpm"},
  "unsafe": {:hex, :unsafe, "1.0.0", "7c21742cd05380c7875546b023481d3a26f52df8e5dfedcb9f958f322baae305", [:mix], [], "hexpm"},
  "uuid": {:hex, :uuid, "1.1.8", "e22fc04499de0de3ed1116b770c7737779f226ceefa0badb3592e64d5cfb4eb9", [:mix], [], "hexpm"},

I'm too small to be a target!

iex(1)> :code.all_loaded() |>                                                     
...(1)> Enum.map(fn {module, _path} -> module end) |>                             
...(1)> Enum.filter(fn module ->                                                  
...(1)>   behaviours = Keyword.get(module.module_info[:attributes], :behaviour, [])
...(1)>   Ecto.Repo in behaviours                                                  
...(1)> end)

[MyApp.Repo]

I would spot it if I was getting hacked!

Attacks don't happen in practice!

MIT License (excerpt)

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, (...) INCLUDING BUT NOT LIMITED TO (...) FITNESS FOR A PARTICULAR PURPOSE (...).

IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY (...) ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE (...).

So what can we do?

Rule 6: Be proactively paranoid - paranoia does not work retroactively

What can we do?

  • Stop using external libraries 馃憥馃憥馃憥
  • Regularly read all our dependencies 馃憥馃憥
  • Get dependencies directly from git 馃憥
  • Force hex.pm to do the verification for us 馃憥
  • "Impound" all your dependencies 馃槓
  • Static analysis of dependencies 馃樁
  • Something else? 馃

What do we need?

  • rely on manual reviews
  • balance risk vs effort
  • rely on community
  • explicit reviews
  • simple trust model
  • secure by design
  • OK for individual devs
  • OK for companies
  • generalizable (!)

What do we need?

Your own decentralized package security audit network of trust

Public key cryptography refresher

How does Hoplon work?

Demo

Technical details

  • No dependencies (!)
    • :public_key, :asn1ct, :httpc
  • ASN.1 DER message encoding
  • openssl-compatible 4096 bit, password protected, RSA keys

  • sha-256 key fingerprints

  • server: Raxx/Ace

馃

Why should we trust you?

  • You shouldn't!
  • Can't the server withhold audits?
    • theoretically...
    • we can fix it
    • validate the workflow!

Follow-up work

  • cleanup
  • Erlang/rebar support
  • key revocation
  • features
    • utility APIs?
    • diffs between versions?
    • transitive trust?

Thank You!

Bonus slides...

I would spot it if I was getting hacked!

What can we do? (2018)

=

?

馃

What's an audit?

  • package definition
    • ecosystem (hex.pm)
    • name
    • hash
    • version (for convenience)
  • key fingerprint
  • verdict (dangerous|suspicious|lgtm|safe)
  • timestamp
  • comment

How does Hoplon work?

  • Each of us has a public+private key pair
  • Each of us can publish a signed "audit" of a package
  • Each of us trusts a set of people (public keys, fingerprints)
  • You download (and verify!) audits for the packages you want to use, authored by the people you trust
  • It can run in CI

Trust Issues

By Jacek Kr贸likowski

Trust Issues

trouble in package paradise

  • 1,628