From: Ryan Prior <ryanprior@hey.com>
To: Development of GNU Guix and the GNU System distribution
<guix-devel@gnu.org>
Subject: Mitigating "dependency confusion" attacks on Guix users
Date: Wed, 10 Feb 2021 00:08:51 +0000 [thread overview]
Message-ID: <461926c3d053474dd7196c9ed8f59a45b8c9c82f@hey.com> (raw)
[-- Attachment #1: Type: text/plain, Size: 1739 bytes --]
Hi Guix! I've been digesting this piece, published hours ago, describing
dependency confusion attacks that revealed severe vulnerabilities at
many major organizations: https://medium.com/@alex.birsan/dependency-
confusion-4a5d60fec610
Guix users already have a few mitigations against this sort of attack.
Most importantly, no substitute servers or channels are installed by
default which allow arbitrary uploads by community contributors. That
feature of the affected public registries (npm, pypi, rubygems) is so
convenient, but contributes to this kind of attack. This is a great
motivation for people to move to Guix from those other package systems.
However, I'm still thinking about how to attack Guix users. Somebody who
adds an internal channel for their own packages could still be
vulnerable to a dependency confusion attack via a compromised or
manipulated Guix maintainer. The target of the attack could install
packages they believed would be provided by their internal channel but
actually get another package provided upstream.
The degree of vulnerability increases further with each channel used,
with each channel maintainer becoming another potential vector of
compromise. How can we make this kind of attack even more difficult?
What comes to my mind is that we should encourage (require?) people to
specify the channel name a package belongs to, if it's not the "guix"
channel. So instead of referring to "python-beautifulsoup4" (ambiguous:
is this from my channel or upstream Guix?) we say that "python-
beautifulsoup4" always means that package from the "guix" channel and a
version provided by my channel called "internal" needs to be called for
explicitly, like "@internal/python-beautifulsoup4".
Cheers,
Ryan
[-- Attachment #2: Type: text/html, Size: 4087 bytes --]
next reply other threads:[~2021-02-10 0:33 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-02-10 0:08 Ryan Prior [this message]
2021-02-10 7:48 ` Mitigating "dependency confusion" attacks on Guix users Lars-Dominik Braun
2021-02-10 7:51 ` Christopher Baines
2021-02-10 14:33 ` Jonathan Frederickson
2021-02-10 15:12 ` Efraim Flashner
2021-02-10 11:28 ` zimoun
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=461926c3d053474dd7196c9ed8f59a45b8c9c82f@hey.com \
--to=ryanprior@hey.com \
--cc=guix-devel@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).