Trust Issues

trouble in package paradise

@nietaki

whoami

Jacek Królikowski

Disclaimers

Prototyping

!= production

"Reasonable Security"

  • Infrastructure
  • SSL, auth
  • review our code
  • not review the libraries?

Why not to look into the libraries

The code gets peer-reviewed on GitHub!

I only use popular packages!

$ wc -l mix.lock
106 mix.lock
  "unicode_util_compat": {:hex, :unicode_util_compat, "0.3.1", "a1f612a7b512638634a603c8f401892afbf99b8ce93a45041f8aaca99cadb85e", [:rebar3], [], "hexpm"},
  "unsafe": {:hex, :unsafe, "1.0.0", "7c21742cd05380c7875546b023481d3a26f52df8e5dfedcb9f958f322baae305", [:mix], [], "hexpm"},
  "uuid": {:hex, :uuid, "1.1.8", "e22fc04499de0de3ed1116b770c7737779f226ceefa0badb3592e64d5cfb4eb9", [:mix], [], "hexpm"},

I'm too small to be a target!

iex(1)> :code.all_loaded() |>                                                     
...(1)> Enum.map(fn {module, _path} -> module end) |>                             
...(1)> Enum.filter(fn module ->                                                  
...(1)>   behaviours = Keyword.get(module.module_info[:attributes], :behaviour, [])
...(1)>   Ecto.Repo in behaviours                                                  
...(1)> end)

[MyApp.Repo]

I would spot it if I was getting hacked!

Attacks don't happen in practice!

MIT License (excerpt)

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, (...) INCLUDING BUT NOT LIMITED TO (...) FITNESS FOR A PARTICULAR PURPOSE (...).

 

IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY (...) ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE (...).

So what can we do?

Rule 6: Be proactively paranoid - paranoia does not work retroactively

What can we do?

  • Stop using external libraries 👎👎👎
  • Regularly read all our dependencies 👎👎
  • Get dependencies directly from git 👎
  • Force hex.pm to do the verification for us 👎
  • "Impound" all your dependencies 😐
  • Static analysis of dependencies 😶
  • Something else? 🤔

What do we need?

  • rely on manual reviews
  • balance risk vs effort
  • rely on community
  • explicit reviews
  • simple trust model
  • secure by design
  • OK for individual devs
  • OK for companies
  • generalizable (!)

What do we need?

Your own decentralized package security audit network of trust

Public key cryptography refresher

How does Hoplon work?

Demo

Technical details

  • No dependencies (!)
    • :public_key, :asn1ct, :httpc
  • ASN.1 DER message encoding
  • OpenSSL-compatible, password-protected 4096-bit RSA keys
  • SHA-256 key fingerprints
  • server: Raxx/Ace

🤘

Why should we trust you?

  • You shouldn't!
  • Can't the server withhold audits?
    • theoretically...
    • we can fix it
    • validate the workflow!

Follow-up work

  • cleanup
  • Erlang/rebar support
  • key revocation
  • features
    • utility APIs?
    • diffs between versions?
    • transitive trust?

Thank You!

Bonus slides...

I would spot it if I was getting hacked!

What can we do? (2018)

🤔

What's an audit?

  • package definition
    • ecosystem (hex.pm)
    • name
    • hash
    • version (for convenience)
  • key fingerprint
  • verdict (dangerous|suspicious|lgtm|safe)
  • timestamp
  • comment

How does Hoplon work?

  • Each of us has a public+private key pair
  • Each of us can publish a signed "audit" of a package
  • Each of us trusts a set of people (public keys, fingerprints)
  • You download (and verify!) audits for the packages you want to use, authored by the people you trust
  • It can run in CI
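
The check described in the last two slides, as an added example that is not Hoplon's own code or API: keep only audits for the exact package hash, signed by a key in your trust set, whose signature verifies. The module name, the term_to_binary payload encoding (Hoplon uses ASN.1 DER) and the fingerprint input (SHA-256 over the DER-encoded public key) are assumptions, and all sample data is constructed.

```elixir
# Added example, not Hoplon's code. Signed payload encoding (term_to_binary) and
# fingerprint input (DER of the RSA public key) are assumptions.
defmodule AuditCheck do
  def fingerprint(pub) do
    der = :public_key.der_encode(:RSAPublicKey, pub)
    Base.encode16(:crypto.hash(:sha256, der), case: :lower)
  end

  # The signer's fingerprint is part of the signed body.
  def sign(body, priv, pub) do
    body = Map.put(body, :fingerprint, fingerprint(pub))
    %{body: body, signature: :public_key.sign(:erlang.term_to_binary(body), :sha256, priv)}
  end

  # Verdicts for this exact package hash, from trusted keys, with valid signatures.
  def trusted_verdicts(audits, package_hash, trusted) do
    audits
    |> Enum.filter(fn %{body: b, signature: sig} ->
      pub = Map.get(trusted, b.fingerprint)
      b.hash == package_hash and pub != nil and
        :public_key.verify(:erlang.term_to_binary(b), :sha256, sig, pub)
    end)
    |> Enum.map(& &1.body.verdict)
  end

  def decide([]), do: :unreviewed
  def decide(verdicts) do
    if Enum.any?(verdicts, &(&1 in [:dangerous, :suspicious])), do: :reject, else: :accept
  end
end

# Constructed sample data: Alice is in our trust set, Mallory is not.
keypair = fn ->
  priv = :public_key.generate_key({:rsa, 2048, 65537})
  {priv, {:RSAPublicKey, elem(priv, 2), elem(priv, 3)}}
end
{alice_priv, alice_pub} = keypair.()
{mallory_priv, mallory_pub} = keypair.()
trusted = %{AuditCheck.fingerprint(alice_pub) => alice_pub}

pkg = %{ecosystem: "hexpm", name: "example_pkg", version: "1.0.0", hash: "constructed-hash"}
genuine = AuditCheck.sign(Map.put(pkg, :verdict, :dangerous), alice_priv, alice_pub)
tampered = put_in(genuine, [:body, :verdict], :safe)   # verdict changed after signing
outsider = AuditCheck.sign(Map.put(pkg, :verdict, :safe), mallory_priv, mallory_pub)

for audits <- [[tampered, outsider], [genuine, tampered, outsider]] do
  audits |> AuditCheck.trusted_verdicts(pkg.hash, trusted) |> AuditCheck.decide() |> IO.inspect()
end
```

The first audit set contains no valid audit from a trusted key, so the package counts as unreviewed rather than safe; this is also what a withheld audit looks like to the client, which is why an unreviewed result should not be treated as a pass in CI.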