Cross-Build Injection attacks: how safe is your Java build?

Cross-Build Injection attacks are a completely new class of attacks that take place at build time. In this presentation (given at JavaOne 2012) I show what the problem is and what can be done about it. As always, security doesn't come for free: you'll have to work to get it right!

(unfortunately, some graphics got mangled by the SlideShare conversion. Sorry!)

  1. Cross-Build Injection Attacks. How safe is your Java build? @Sander_Mak
  2. About. Coding at [company logo]. Writing: blog @ branchandbound.net. Speaking.
  3. Trust. ‘Reflections on Trusting Trust’ (Ken Thompson, 1984, UNIX co-creator).
  4. Trust. ‘Reflections on Trusting Trust’. Moral: you can't trust code that you did not totally create yourself. (Ken Thompson, 1984, UNIX co-creator)
  5. Trust. ‘Reflections on Trusting Trust’. phpMyAdmin backdoor: "... SourceForge became aware of a corrupted copy of phpMyAdmin being served from the ‘cdnetworks-kr-1’ mirror in Korea." Moral: you can't trust code that you did not totally create yourself.
  6. Trust. ‘Reflections on Trusting Trust’. That was 30 years ago, with the C compiler... How is this relevant? Demo: [build tool] / javac.
  7. Trust. ‘Reflections on Trusting Trust’. That was 30 years ago, with the C compiler... How is this relevant? Could be any build system with a central repository though! Demo: [build tool] / javac.
  8. Maven Central. Diagram: on the Internet, Maven Central serves dependencies and plugins to the local Maven, which stores them in the local repo; Maven drives javac through the maven-compiler-plugin.
  9. Maven Central. 400k components; 7.5 billion requests/year; 60k organisations using Maven Central. In short: a prime target. (* source: Sonatype)
  10. Cross Build Injection. Diagram: Internet, Maven Central, a MITM on the path, local Maven, local repo.
  11. Cross Build Injection. Three diagrams side by side: a MITM on the Internet path; local DNS poisoning; a ‘Hacker Central’ standing in for Maven Central. All three end in the local Maven repo.
  12. Cross Build Injection. Compromised Maven Central. Diagram: Internet, Maven Central (compromised), local Maven, local repo.
  13. Cross Build Injection. Compromised Maven Central. Different attack vectors, one result: compromised binaries through Cross-Build Injection.
  14. Countermeasures: https. Maven Central is http-only; https for Sonatype customers; ‘alternative’: https://oss.sonatype.org/
  16. Countermeasures: ‘Cutting all ties’. Diagram: Internet, Maven Central, an internal Maven repository manager (can be disconnected), local Maven, local repo. Shortens the XBI attack window. Manual verification?
  17. Countermeasures: Checksums. Maven Central serves .jar and .pom together with .jar.sha1, .pom.sha1, .jar.md5 and .pom.md5. Checksums only detect transport issues. Automatic check, but no failure error! Use: <checksumPolicy>fail</checksumPolicy>. Note: MD5 is broken anyway...
  18. Countermeasures: Checksums. What Maven prints on a mismatch with the default policy:

          Downloading: <snipped>/ws/spring-ws/1.5.8/spring-ws-1.5.8.pom
          427b downloaded  (spring-ws-1.5.8.pom)
          [WARNING] *** CHECKSUM FAILED - Checksum failed on download: local = '14d6901e3f251f5d312b9be726c75a68f78045ac'; remote = '659bbed2c2dae12e9dbb65f8cad8fce1a1ea0845' - RETRYING
          Downloading: <snipped>/ws/spring-ws/1.5.8/spring-ws-1.5.8.pom
          427b downloaded  (spring-ws-1.5.8.pom)
          [WARNING] *** CHECKSUM FAILED - Checksum failed on download: local = '14d6901e3f251f5d312b9be726c75a68f78045ac'; remote = '659bbed2c2dae12e9dbb65f8cad8fce1a1ea0845' - IGNORING

      Ignorance is not bliss... Failure is an option! Use: <checksumPolicy>fail</checksumPolicy>.
  19. Countermeasures: Signed artifacts. Pretty Good Privacy: OpenPGP standard; encrypt or sign; popularized by email signing; asymmetric public/private keypair; GnuPG (GPG): free implementation.
  20. Countermeasures: Signed artifacts. Maven Central serves .jar and .pom together with .jar.asc and .pom.asc (mandatory for the past 3 years).
  21. Countermeasures: Signed artifacts. The developer signs the library; the .asc travels with it to Maven Central, and the developer's public key is published on a PGP key server.
  22. Manual verification: getting the signature.

          $ wget http://repo1.maven.org/maven2/org/sonatype/plexus/plexus-cipher/1.7/plexus-cipher-1.7.jar.asc
          $ cat plexus-cipher-1.7.jar.asc
          -----BEGIN PGP SIGNATURE-----
          Version: GnuPG v1.4.10 (GNU/Linux)

          iEYEABECAAYFAk4vAikACgkQA3TPLo3Rvf05hgCffG9+M1bAefuM5Kmu6IASNlPX
          zhYAnAvI4VNXSFXH4nz6z/uXaWz9kpXz
          =i6KI
          -----END PGP SIGNATURE-----
          $ gpg --verify plexus-cipher-1.7.jar.asc ~/repo/.../plexus-cipher-1.7.jar
          gpg: Signature made Tue Jul 26 20:06:33 2011 CEST using DSA key ID 8DD1BDFD
          gpg: Can't check signature: public key not found

  24. Manual verification: getting the key.

          $ gpg --verify plexus-cipher-1.7.jar.asc ~/repo/.../plexus-cipher-1.7.jar
          gpg: Signature made Tue Jul 26 20:06:33 2011 CEST using DSA key ID 8DD1BDFD
          gpg: Can't check signature: public key not found
          $ gpg --keyserver pgp.mit.edu --recv-key 8DD1BDFD
          gpg: requesting key 8DD1BDFD from hkp server pgp.mit.edu
          gpg: key 8DD1BDFD: public key "Sonatype, Inc. (Sonatype release key) <dev@sonatype.com>" imported
          gpg: no ultimately trusted keys found
          gpg: Total number processed: 1
          gpg:               imported: 1
          $ gpg --verify plexus-cipher-1.7.jar.asc ~/repo/.../plexus-cipher-1.7.jar
          gpg: Signature made Tue Jul 26 20:06:33 2011 CEST using DSA key ID 8DD1BDFD
          gpg: Good signature from "Sonatype, Inc. (Sonatype release key) <dev@sonatype.com>"
          gpg: WARNING: This key is not certified with a trusted signature!
          gpg:          There is no indication that the signature belongs to the owner.
          Primary key fingerprint: 2BCB DD0F 23EA 1CAF CC11  D486 0374 CF2E 8DD1 BDFD

  27. Pretty Good Privacy: Web of Trust. Diagram: the Sonatype release key is signed by Brian F., John C. and Damian B., who are in turn connected to other people in the web of trust.
  28. Pretty Good Privacy: Web of Trust. Sander M. imports, signs & trusts a key in that web (the arrow in the diagram), which connects him to the Sonatype release key.
  29. Pretty Good Privacy: Web of Trust (diagram only).
  30. Manual Verification: getting the key automatically.

          $ gpg --auto-key-locate keyserver --keyserver pgp.mit.edu \
                --keyserver-options auto-key-retrieve \
                --verify plexus-cipher-1.7.jar.asc ~/repo/.../plexus-cipher-1.7.jar
          gpg: Signature made Tue Jul 26 20:06:33 2011 CEST using DSA key ID 8DD1BDFD
          gpg: requesting key 8DD1BDFD from hkp server pgp.mit.edu
          gpg: key 8DD1BDFD: public key "Sonatype, Inc. (Sonatype release key) <dev@sonatype.com>" imported
          gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
          gpg: depth: 0  valid:   1  signed:   1  trust: 0-, 0q, 0n, 0m, 0f, 1u
          gpg: depth: 1  valid:   1  signed:   1  trust: 0-, 0q, 0n, 0m, 1f, 0u
          gpg: depth: 2  valid:   1  signed:   0  trust: 1-, 0q, 0n, 0m, 0f, 0u
          gpg: Total number processed: 1
          gpg:               imported: 1
          gpg: Good signature from "Sonatype, Inc. (Sonatype release key) <dev@sonatype.com>"

  31. Manual Verification: getting the key automatically (same output as slide 30). Web of Trust in action: the "not certified" warning is gone because the key is now valid through the trust path.
  32. Automatic Verification. Demo: repository manager.
  33. Defense in Depth. If all else fails... Security/pen-testing. Scan binaries (incl. dependencies!): Fortify, AppScan. Sandbox app @ runtime: Java2Security. Network topology.
  34. Build Security: Recommendations. Introduce a repository manager. Audit dependencies: no blind downloading. Verify PGP signatures. Audit your build process.
  35. Build Security: Secure tools - future. [build tool] + ? verification.
  36. Build Security: Secure tools - future. [build tool] + ? verification. Make your voice heard!
  37. Build Security. Are we safe now?
  38. Questions. Article: bit.ly/javaone-xbi. branchandbound.net. @Sander_Mak
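An added example, not code from the slides: it applies the ignore/warn/fail semantics of Maven's checksumPolicy (slides 17 and 18) to the artifacts in a repository directory and additionally flags artifacts that ship without a .asc signature (slides 20 and 21). The repository tree, file names and digests built by build_sample_repo() are constructed test data.

```python
"""Maven checksumPolicy applied to a local repository directory (added example).

Not code from the slides. Slides 17/18 show Maven printing CHECKSUM FAILED and
then IGNORING it unless <checksumPolicy>fail</checksumPolicy> is configured.
This reproduces the ignore/warn/fail semantics and also flags unsigned artifacts.
"""
import hashlib
import os
import tempfile


def read_maven_sha1(path):
    """Maven .sha1 files hold a hex digest, sometimes followed by a filename."""
    with open(path, encoding="utf-8") as fh:
        return fh.read().split()[0].lower()


def check_artifact(path, policy="warn"):
    """Return (verdict, note): 'ok', 'warn' (mismatch tolerated, Maven's default
    behaviour on the slides) or 'fail' (mismatch, build must stop)."""
    with open(path, "rb") as fh:
        actual = hashlib.sha1(fh.read()).hexdigest()
    sha1_file = path + ".sha1"
    if policy == "ignore" or not os.path.exists(sha1_file):
        verdict, note = "ok", "checksum not verified"
    elif read_maven_sha1(sha1_file) == actual:
        verdict, note = "ok", "checksum matches"
    else:   # a transport error or a tampered file; SHA-1 alone cannot tell which
        verdict = "fail" if policy == "fail" else "warn"
        note = "CHECKSUM FAILED local=%s remote=%s" % (actual, read_maven_sha1(sha1_file))
    if not os.path.exists(path + ".asc"):
        note += "; no .asc signature, so PGP verification is impossible"
    return verdict, note


def audit_repo(root, policy="warn"):
    """Walk a Maven repository layout; map each .jar/.pom to its (verdict, note)."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith((".jar", ".pom")):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                report[rel] = check_artifact(full, policy)
    return report


def build_sample_repo():
    """Constructed sample: a good artifact, a tampered one, and an unsigned pom."""
    root = tempfile.mkdtemp()
    def put(rel, data):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    asc = b"-----BEGIN PGP SIGNATURE-----\n(constructed)\n-----END PGP SIGNATURE-----\n"
    good = b"PK\x03\x04 constructed jar bytes"
    put("org/example/lib/1.0/lib-1.0.jar", good)
    put("org/example/lib/1.0/lib-1.0.jar.sha1", hashlib.sha1(good).hexdigest().encode())
    put("org/example/lib/1.0/lib-1.0.jar.asc", asc)
    put("org/example/lib/1.1/lib-1.1.jar", b"PK\x03\x04 tampered jar bytes")
    put("org/example/lib/1.1/lib-1.1.jar.sha1", b"0" * 40 + b"  lib-1.1.jar")  # stale digest
    put("org/example/lib/1.1/lib-1.1.jar.asc", asc)
    put("org/example/lib/1.0/lib-1.0.pom", b"<project/>")   # no .sha1 and no .asc
    return root
```

Running audit_repo(build_sample_repo(), "warn") versus "fail" shows the difference the slides call for: the same tampered jar is merely noted under the default policy but stops the build under fail.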
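The gpg sessions on slides 22 to 31 end in "Good signature" whether or not the key is certified; only the WARNING line on slide 24 says the key is uncertified. An added example (not the author's code) that pins the signing key by the fingerprint shown on slide 24 instead of relying on a web of trust the build machine does not have. It reads gpg's --status-fd output, which is the documented machine-readable interface; the status lines below are constructed after the slide output, and only the key ID and fingerprint come from the slides.

```python
"""Pin the signing key when checking a Maven artifact's .asc (added example).

Not code from the slides. `gpg --verify` reports "Good signature" for any key it
can fetch; a build should compare the fingerprint against a known-good list.
The gpg status lines below are constructed, modelled on the slide output.
"""
import subprocess

# Expected signers: fingerprint (no spaces) -> label. Fingerprint from slide 24.
PINNED = {"2BCBDD0F23EA1CAFCC11D4860374CF2E8DD1BDFD": "Sonatype release key"}


def gpg_verify_args(asc_path, jar_path, keyserver="pgp.mit.edu"):
    """The slide-30 command line plus --status-fd 1 for parseable output."""
    return ["gpg", "--status-fd", "1", "--auto-key-locate", "keyserver",
            "--keyserver", keyserver, "--keyserver-options", "auto-key-retrieve",
            "--verify", asc_path, jar_path]


def parse_status(status_text):
    """Reduce --status-fd lines to: good signature? which key? which error?"""
    result = {"good": False, "fingerprint": None, "error": None}
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        tag = fields[1]
        if tag == "GOODSIG":
            result["good"] = True
        elif tag == "VALIDSIG":            # field 2 is the full fingerprint
            result["fingerprint"] = fields[2].upper()
        elif tag in ("BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"):
            result["error"] = tag
    return result


def decide(status, pinned=PINNED):
    """Accept only a good signature from a pinned key; everything else rejects."""
    if status["error"] or not status["good"]:
        return "reject: " + (status["error"] or "no good signature")
    label = pinned.get(status["fingerprint"])
    if label is None:
        return "reject: good signature from unpinned key %s" % status["fingerprint"]
    return "trusted: " + label


def verify_artifact(asc_path, jar_path):
    """Run gpg (network needed for key retrieval) and apply the pin."""
    proc = subprocess.run(gpg_verify_args(asc_path, jar_path),
                          capture_output=True, text=True)
    return decide(parse_status(proc.stdout))


# Constructed status output for the slide-24 case after the key was fetched
# (DSA key 8DD1BDFD, SHA-1 hash, signature time as on the slide).
SAMPLE_GOOD = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0374CF2E8DD1BDFD Sonatype, Inc. (Sonatype release key) <dev@sonatype.com>
[GNUPG:] VALIDSIG 2BCBDD0F23EA1CAFCC11D4860374CF2E8DD1BDFD 2011-07-26 1311703593 0 4 0 17 2 00 2BCBDD0F23EA1CAFCC11D4860374CF2E8DD1BDFD
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
# Constructed: same artifact, but the signing key was never fetched (slide 22).
SAMPLE_NO_KEY = "[GNUPG:] NEWSIG\n[GNUPG:] NO_PUBKEY 0374CF2E8DD1BDFD\n"
# Constructed: a valid signature from a key nobody pinned (placeholder fingerprint).
SAMPLE_UNPINNED = SAMPLE_GOOD.replace("2BCBDD0F23EA1CAFCC11D4860374CF2E8DD1BDFD", "A" * 40)
```

decide() rejects the unpinned case even though gpg itself would print "Good signature" for it; that is the gap between "the signature is valid" and "the signer is who the build expects".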