Trust Issues
trouble in package paradise
@nietaki
whoami
Jacek Kr贸likowski
whoami
Jacek Kr贸likowski
聽
@nietaki
Disclaimers
Prototyping
!= production
"Reasonable Security"
- Infrastructure
- SSL, auth
- review our code
- not review the libraries?
Why not to look into the libraries
The code gets peer-reviewed on GitHub!
=
?
I only use popular packages!
$ wc -l mix.lock
106 mix.lock
"unicode_util_compat": {:hex, :unicode_util_compat, "0.3.1", "a1f612a7b512638634a603c8f401892afbf99b8ce93a45041f8aaca99cadb85e", [:rebar3], [], "hexpm"},
"unsafe": {:hex, :unsafe, "1.0.0", "7c21742cd05380c7875546b023481d3a26f52df8e5dfedcb9f958f322baae305", [:mix], [], "hexpm"},
"uuid": {:hex, :uuid, "1.1.8", "e22fc04499de0de3ed1116b770c7737779f226ceefa0badb3592e64d5cfb4eb9", [:mix], [], "hexpm"},
I'm too small to be a target!
iex(1)> :code.all_loaded() |>
...(1)> Enum.map(fn {module, _path} -> module end) |>
...(1)> Enum.filter(fn module ->
...(1)> behaviours = Keyword.get(module.module_info[:attributes], :behaviour, [])
...(1)> Ecto.Repo in behaviours
...(1)> end)
[MyApp.Repo]
I would spot it if I was getting hacked!
Attacks don't happen in practice!
MIT License (excerpt)
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, (...) INCLUDING BUT NOT LIMITED TO (...) FITNESS FOR A PARTICULAR PURPOSE (...).
聽
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY (...) ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE (...).
So what can we do?
Rule 6: Be proactively paranoid - paranoia does not work retroactively
https://www.youtube.com/watch?v=S8GPTvq1m-w
(nsfw language)
What can we do?
- Stop using external libraries 馃憥馃憥馃憥
- Regularly read all our dependencies 馃憥馃憥
- Get dependencies directly from git 馃憥
- Force hex.pm to do the verification for us 馃憥
- "Impound" all your dependencies 馃槓
- Static analysis of dependencies 馃樁
- Something else? 馃
What do we need?
- rely on manual reviews
- balance risk vs effort
- rely on community
- explicit reviews
- simple trust model
- secure by design
- OK for individual devs
- OK for companies
- generalizable (!)
What do we need?
Your own decentralized package security audit network of trust
Public key cryptography refresher
How does Hoplon work?
Demo
Technical details
馃
Why should we trust you?
- You shouldn't!
- Can't the server withhold audits?
- theoretically...
- we can fix it
- validate the workflow!
Follow-up work
- cleanup
- Erlang/rebar support
- key revocation
- features
- utility APIs?
- diffs between versions?
- transitive trust?
Thank You!
Bonus slides...
I would spot it if I was getting hacked!
What can we do? (2018)
=
?
馃
What's an audit?
- package definition
- ecosystem (hex.pm)
- name
- hash
- version (for convenience)
- key fingerprint
- verdict (dangerous|suspicious|lgtm|safe)
- timestamp
- comment
How does Hoplon work?
- Each of us has a public+private key pair
- Each of us can publish a signed "audit" of a package
- Each of us trusts a set of people (public keys, fingerprints)
- You download (and verify!) audits for the packages you want to use, authored by the people you trust
- It can run in CI
Trust Issues
By Jacek Kr贸likowski
Trust Issues
trouble in package paradise
- 1,797