Trust Issues

trouble in package paradise

@nietaki

whoami

Jacek Królikowski

whoami

Jacek Królikowski

@nietaki

Disclaimers

Prototyping

!= production

"Reasonable Security"

Infrastructure
SSL, auth
review our code
not review the libraries?

Why not to look into the libraries

The code gets peer-reviewed on GitHub!

=

?

hex.pm/packages/evil_left_pad

I only use popular packages!

$ wc -l mix.lock
106 mix.lock

  "unicode_util_compat": {:hex, :unicode_util_compat, "0.3.1", "a1f612a7b512638634a603c8f401892afbf99b8ce93a45041f8aaca99cadb85e", [:rebar3], [], "hexpm"},
  "unsafe": {:hex, :unsafe, "1.0.0", "7c21742cd05380c7875546b023481d3a26f52df8e5dfedcb9f958f322baae305", [:mix], [], "hexpm"},
  "uuid": {:hex, :uuid, "1.1.8", "e22fc04499de0de3ed1116b770c7737779f226ceefa0badb3592e64d5cfb4eb9", [:mix], [], "hexpm"},

I'm too small to be a target!

iex(1)> :code.all_loaded() |>                                                     
...(1)> Enum.map(fn {module, _path} -> module end) |>                             
...(1)> Enum.filter(fn module ->                                                  
...(1)>   behaviours = Keyword.get(module.module_info[:attributes], :behaviour, [])
...(1)>   Ecto.Repo in behaviours                                                  
...(1)> end)

[MyApp.Repo]

I would spot it if I was getting hacked!

https://hackernoon.com/im-harvesting-credit-card-numbers-and-passwords-from-your-site-here-s-how-9a8cb347c5b5

Attacks don't happen in practice!

https://github.com/dominictarr/event-stream/issues/116
https://arstechnica.com/information-technology/2018/11/hacker-backdoors-widely-used-open-source-software-to-steal-bitcoin/

MIT License (excerpt)

https://opensource.org/licenses/MIT
https://gist.github.com/dominictarr/9fd9c1024c94592bc7268d36b8d83b3a

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, (...) INCLUDING BUT NOT LIMITED TO (...) FITNESS FOR A PARTICULAR PURPOSE (...).

IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY (...) ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE (...).

So what can we do?

Rule 6: Be proactively paranoid - paranoia does not work retroactively

https://www.youtube.com/watch?v=S8GPTvq1m-w
(nsfw language)

What can we do?

Stop using external libraries 👎👎👎
Regularly read all our dependencies 👎👎
Get dependencies directly from git 👎
Force hex.pm to do the verification for us 👎
"Impound" all your dependencies 😐
Static analysis of dependencies 😶
Something else? 🤔

What do we need?

rely on manual reviews
balance risk vs effort
rely on community
explicit reviews
simple trust model
secure by design
OK for individual devs
OK for companies
generalizable (!)

What do we need?

Your own decentralized package security audit network of trust

Public key cryptography refresher

How does Hoplon work?

Demo

https://thispersondoesnotexist.com/

Technical details

No dependencies (!)
- :public_key, :asn1ct, :httpc
ASN.1 DER message encoding
openssl-compatible 4096 bit, password protected, RSA keys
sha-256 key fingerprints
server: Raxx/Ace

🤘

Why should we trust you?

You shouldn't!
Can't the server withhold audits?
- theoretically...
- we can fix it
- validate the workflow!

I need you!

Follow-up work

cleanup
Erlang/rebar support
key revocation
features
- utility APIs?
- diffs between versions?
- transitive trust?

Thank You!

github.com/nietaki/hoplon

slides.com/nietaki/trust-issues

Bonus slides...

I would spot it if I was getting hacked!

What can we do? (2018)

=

?

🤔

What's an audit?

package definition
- ecosystem (hex.pm)
- name
- hash
- version (for convenience)
key fingerprint
verdict (dangerous|suspicious|lgtm|safe)
timestamp
comment

https://github.com/nietaki/hoplon/blob/master/lib/HoplonMessages.asn1

How does Hoplon work?

Each of us has a public+private key pair
Each of us can publish a signed "audit" of a package
Each of us trusts a set of people (public keys, fingerprints)
You download (and verify!) audits for the packages you want to use, authored by the people you trust
It can run in CI