
Cross-Build Injection attacks: how safe is your Java build?


Cross-Build Injection attacks are a completely new class of attacks that take place at build time. In this presentation (which was presented at JavaOne 2012) I show what the problem is and what can be done about it. As always, security doesn't come for free: you'll have to work to get it right!

(unfortunately, some graphics got mangled by the SlideShare conversion. Sorry!)



  1. Cross-Build Injection Attacks: How safe is your Java build? (@Sander_Mak)
  2. About: coding at ( ); writing; blog @ branchandbound.net; speaking
  3. Trust: 'Reflections on Trusting Trust', Ken Thompson, 1984, UNIX co-creator
  4. Trust: 'Reflections on Trusting Trust'. Moral: you can't trust code that you did not totally create yourself. (Ken Thompson, 1984, UNIX co-creator)
  5. Trust: 'Reflections on Trusting Trust'. Moral: you can't trust code that you did not totally create yourself. Example: the phpMyAdmin backdoor: "... SourceForge became aware of a corrupted copy of phpMyAdmin being served from the 'cdnetworks-kr-1' mirror in Korea."
  6. Trust: 'Reflections on Trusting Trust'. That was 30 years ago... with the C compiler... How is this relevant? Demo: javac
  7. Trust: 'Reflections on Trusting Trust'. That was 30 years ago... with the C compiler... Could be any build system with a central repository though! Demo: javac
  8. Maven Central (diagram): Maven fetches dependencies and plugins from Maven Central over the Internet and caches them in the local repository; compilation itself runs through the maven-compiler-plugin, which invokes javac.
  9. Maven Central: 400k components; 7.5 billion requests/year; 60k organisations using Maven Central. In short: a prime target. (source: Sonatype)
  10. Cross Build Injection (diagram): a man-in-the-middle on the Internet path between local Maven and Maven Central; whatever it serves lands in the local repo.
  11. Cross Build Injection (diagram, three variants): MITM on the Internet path to Maven Central; local DNS poisoning; a "Hacker Central" standing in for the real repository. In every case the local Maven repo ends up holding the attacker's artifacts.
  12. Cross Build Injection (diagram): a compromised Maven Central itself, serving poisoned artifacts to local Maven and its local repo.
  13. Cross Build Injection: different attack vectors, one result: compromised binaries through Cross-Build Injection.
  14. Countermeasures: https. Maven Central is http-only; https is available for Sonatype customers. 'Alternative': https://oss.sonatype.org/
  16. Countermeasures: 'Cutting all ties'. Put an internal repository manager between Maven Central (Internet) and local Maven; the repository can then be disconnected, which shortens the XBI attack window. Manual verification?
  17. Countermeasures: Checksums. Maven Central publishes .jar and .pom with .jar.sha1, .pom.sha1, .jar.md5, .pom.md5. Checksums only detect transport issues. The check is automatic, but a mismatch is not a failure by default! Use: <checksumPolicy>fail</checksumPolicy>. Note: MD5 is broken anyway...
  18. Countermeasures: Checksums, in practice. Checksums only detect transport issues; the check is automatic, but a mismatch is not a failure by default:
        Downloading: <snipped>/ws/spring-ws/1.5.8/spring-ws-1.5.8.pom
        427b downloaded (spring-ws-1.5.8.pom)
        [WARNING] *** CHECKSUM FAILED - Checksum failed on download: local = 14d6901e3f251f5d312b9be726c75a68f78045ac; remote = 659bbed2c2dae12e9dbb65f8cad8fce1a1ea0845 - RETRYING
        Downloading: <snipped>/ws/spring-ws/1.5.8/spring-ws-1.5.8.pom
        427b downloaded (spring-ws-1.5.8.pom)
        [WARNING] *** CHECKSUM FAILED - Checksum failed on download: local = 14d6901e3f251f5d312b9be726c75a68f78045ac; remote = 659bbed2c2dae12e9dbb65f8cad8fce1a1ea0845 - IGNORING
      Use: <checksumPolicy>fail</checksumPolicy>. Note: MD5 is broken anyway... Ignorance is not bliss... Failure is an option!
  19. Countermeasures: Signed artifacts. Pretty Good Privacy: the OpenPGP standard; encrypt or sign; popularized by email signing; asymmetric public/private keypair; GnuPG (GPG) is a free implementation.
  20. Countermeasures: Signed artifacts. Maven Central publishes .jar and .pom with .jar.asc and .pom.asc signatures (mandatory for the past 3 years).
  21. Countermeasures: Signed artifacts (diagram): the .asc signature plus the library's PGP key, which the developer publishes to a key server.
  22. Manual verification: Getting the signature
        $ wget http://repo1.maven.org/maven2/org/sonatype/plexus/plexus-cipher/1.7/plexus-cipher-1.7.jar.asc
        $ cat plexus-cipher-1.7.jar.asc
        -----BEGIN PGP SIGNATURE-----
        Version: GnuPG v1.4.10 (GNU/Linux)

        iEYEABECAAYFAk4vAikACgkQA3TPLo3Rvf05hgCffG9+M1bAefuM5Kmu6IASNlPX
        zhYAnAvI4VNXSFXH4nz6z/uXaWz9kpXz
        =i6KI
        -----END PGP SIGNATURE-----
        $ gpg --verify plexus-cipher-1.7.jar.asc ~/repo/.../plexus-chipher-1.7.jar
        gpg: Signature made Tue Jul 26 20:06:33 2011 CEST using DSA key ID 8DD1BDFD
        gpg: Can't check signature: public key not found
  24. Manual verification: Getting the key
        $ gpg --verify plexus-cipher-1.7.jar.asc ~/repo/.../plexus-cipher-1.7.jar
        gpg: Signature made Tue Jul 26 20:06:33 2011 CEST using DSA key ID 8DD1BDFD
        gpg: Can't check signature: public key not found
        $ gpg --keyserver pgp.mit.edu --recv-key 8DD1BDFD
        gpg: requesting key 8DD1BDFD from hkp server pgp.mit.edu
        gpg: key 8DD1BDFD: public key "Sonatype, Inc. (Sonatype release key) <dev@sonatype.com>" imported
        gpg: no ultimately trusted keys found
        gpg: Total number processed: 1
        gpg:               imported: 1
        $ gpg --verify plexus-cipher-1.7.jar.asc ~/repo/.../plexus-chipher-1.7.jar
        gpg: Signature made Tue Jul 26 20:06:33 2011 CEST using DSA key ID 8DD1BDFD
        gpg: Good signature from "Sonatype, Inc. (Sonatype release key) <dev@sonatype.com>"
        gpg: WARNING: This key is not certified with a trusted signature!
        gpg:          There is no indication that the signature belongs to the owner.
        Primary key fingerprint: 2BCB DD0F 23EA 1CAF CC11  D486 0374 CF2E 8DD1 BDFD
  27. Pretty Good Privacy: Web of Trust (diagram): the Sonatype release key is signed by Brian F., John C. and Damian B., who in turn are connected to other people in the web of trust.
  28. Pretty Good Privacy: Web of Trust (diagram): Sander M. joins by importing, signing & trusting keys in the web (Brian F., John C., Damian B.), which links him to the Sonatype release key.
  29. Pretty Good Privacy: Web of Trust (diagram only)
  30. Manual Verification: Getting the key automatically
        $ gpg --auto-key-locate keyserver --keyserver pgp.mit.edu --keyserver-options auto-key-retrieve --verify plexus-cipher-1.7.jar.asc ~/repo/.../plexus-chipher-1.7.jar
        gpg: Signature made Tue Jul 26 20:06:33 2011 CEST using DSA key ID 8DD1BDFD
        gpg: requesting key 8DD1BDFD from hkp server pgp.mit.edu
        gpg: key 8DD1BDFD: public key "Sonatype, Inc. (Sonatype release key) <dev@sonatype.com>" imported
        gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
        gpg: depth: 0  valid:   1  signed:   1  trust: 0-, 0q, 0n, 0m, 0f, 1u
        gpg: depth: 1  valid:   1  signed:   1  trust: 0-, 0q, 0n, 0m, 1f, 0u
        gpg: depth: 2  valid:   1  signed:   0  trust: 1-, 0q, 0n, 0m, 0f, 0u
        gpg: Total number processed: 1
        gpg:               imported: 1
        gpg: Good signature from "Sonatype, Inc. (Sonatype release key) <dev@sonatype.com>"
      Web of Trust in action
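The two countermeasures the deck walks through, a hard-failing checksum policy (slides 17-18) and PGP signature verification of the downloaded artifact (slides 22-31), as an added POSIX shell example that is not part of the original presentation and is not Maven's or GnuPG's own code. The artifact names, the sample file content and the gpg status lines are constructed for the demo; the pinned fingerprint is the Sonatype release-key fingerprint shown on slide 24. Instead of reading the human-readable "Good signature" line, the signature check parses gpg's --status-fd output and compares the full fingerprint of the signing key against the pinned value, so a valid signature from an unexpected key is rejected even where gpg's trust model would only warn.

```shell
#!/bin/sh
# Added example (not from the slides): strict verification of a downloaded
# Maven artifact, mirroring the two countermeasures in the talk:
#   1. SHA-1 checksum against the repository's .sha1 file, failing hard on a
#      mismatch (what <checksumPolicy>fail</checksumPolicy> makes Maven do).
#   2. OpenPGP signature check that pins the signer's FULL fingerprint rather
#      than trusting a short key ID or a "Good signature" line on its own.
# File names, sample content and the gpg status text below are assumptions
# constructed for the demo; the fingerprint is the one printed on slide 24.

PINNED_FPR="2BCB DD0F 23EA 1CAF CC11 D486 0374 CF2E 8DD1 BDFD"

# Normalise a fingerprint for comparison: drop spaces, upper-case hex.
norm_fpr() {
  printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# SHA-1 of a file with whichever tool the platform provides.
sha1_of() {
  if command -v sha1sum >/dev/null 2>&1; then
    sha1sum "$1" | cut -d' ' -f1
  else
    shasum -a 1 "$1" | cut -d' ' -f1
  fi
}

# Strict checksum policy: 0 if the artifact matches its .sha1 file, 1 otherwise.
# Maven's default policy ("warn") logs the mismatch and carries on, as the
# RETRYING / IGNORING output on slide 18 shows; here a mismatch is fatal.
# The .sha1 file may be "<hash>" or "<hash>  <filename>", so keep the first 40 hex.
verify_sha1_strict() {
  artifact="$1"; sumfile="$2"
  expected=$(tr -d ' \r\n' < "$sumfile" | cut -c1-40 | tr 'A-F' 'a-f')
  actual=$(sha1_of "$artifact")
  if [ "$expected" = "$actual" ]; then
    return 0
  fi
  echo "CHECKSUM FAILED for $artifact: local=$actual remote=$expected" >&2
  return 1
}

# Pull the signing-key fingerprint out of gpg --status-fd output.
# gpg emits "[GNUPG:] VALIDSIG <fpr> ..." only for a good signature, so a
# missing VALIDSIG line means the check failed whatever else was printed.
fingerprint_from_status() {
  awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; exit }'
}

# 0 if the status text carries a VALIDSIG whose fingerprint equals the pinned one.
signature_pinned_ok() {
  fpr=$(printf '%s\n' "$1" | fingerprint_from_status)
  [ -n "$fpr" ] && [ "$(norm_fpr "$fpr")" = "$(norm_fpr "$PINNED_FPR")" ]
}

# Real verification: run gpg with machine-readable status and pin the fingerprint.
# Needs gpg and the public key in the keyring (fetched with --recv-key as on slide 24).
verify_pgp_pinned() {
  status=$(gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null || true)
  signature_pinned_ok "$status"
}

# --- demo on constructed data (no network, no gpg required) ---
demo() {
  tmp=$(mktemp -d)
  printf 'not really a jar\n' > "$tmp/lib-1.0.jar"
  sha1_of "$tmp/lib-1.0.jar" > "$tmp/lib-1.0.jar.sha1"        # matching checksum file
  printf 'deadbeef%032d\n' 0 > "$tmp/lib-1.0.jar.sha1.bad"   # tampered checksum file
  verify_sha1_strict "$tmp/lib-1.0.jar" "$tmp/lib-1.0.jar.sha1" && echo "sha1 OK"
  verify_sha1_strict "$tmp/lib-1.0.jar" "$tmp/lib-1.0.jar.sha1.bad" || echo "sha1 rejected"
  # Constructed status lines: the shape --status-fd gives for the "Good
  # signature" and the "public key not found" cases on the slides.
  GOOD_STATUS='[GNUPG:] GOODSIG 0374CF2E8DD1BDFD Sonatype, Inc. (Sonatype release key) <dev@sonatype.com>
[GNUPG:] VALIDSIG 2BCBDD0F23EA1CAFCC11D4860374CF2E8DD1BDFD 2011-07-26 1311703593 0 4 0 17 2 00 2BCBDD0F23EA1CAFCC11D4860374CF2E8DD1BDFD'
  NOKEY_STATUS='[GNUPG:] ERRSIG 0374CF2E8DD1BDFD 17 2 00 1311703593 9
[GNUPG:] NO_PUBKEY 0374CF2E8DD1BDFD'
  signature_pinned_ok "$GOOD_STATUS" && echo "signature pinned OK"
  signature_pinned_ok "$NOKEY_STATUS" || echo "signature rejected: no VALIDSIG"
  rm -rf "$tmp"
}

demo
```

Pinning the 40-hex-digit fingerprint rather than the 8-digit key ID 8DD1BDFD matters: short key IDs are not unique, and VALIDSIG is the one status line that carries the full fingerprint. Wire `verify_sha1_strict` and `verify_pgp_pinned` into a build step and the "WARNING: This key is not certified" case on slide 24 becomes an explicit pass/fail decision instead of a log line nobody reads.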
  32. Automatic Verification: demo repository manager
  33. Defense in Depth: if all else fails... security/pen-testing; scan binaries (incl. dependencies!): Fortify, AppScan; sandbox the app at runtime: Java2Security; network topology
  34. Build Security: Recommendations. Introduce a repository manager; audit dependencies: no blind downloading; verify PGP signatures; audit your build process.
  35. Build Security: Secure tools - future. (tool logos) + ? verification
  36. Build Security: Secure tools - future. (tool logos) + ? verification. Make your voice heard!
  37. Build Security: Are we safe now?
  38. Questions. Article: bit.ly/javaone-xbi; branchandbound.net; @Sander_Mak
