unofficial mirror of guix-devel@gnu.org 
* Mitigating "dependency confusion" attacks on Guix users
@ 2021-02-10  0:08 Ryan Prior
  2021-02-10  7:48 ` Lars-Dominik Braun
                   ` (2 more replies)
  0 siblings, 3 replies; 6+ messages in thread
From: Ryan Prior @ 2021-02-10  0:08 UTC (permalink / raw)
  To: Development of GNU Guix and the GNU System distribution


Hi Guix! I've been digesting this piece, published hours ago, describing
dependency confusion attacks that revealed severe vulnerabilities at
many major organizations:
https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610

Guix users already have a few mitigations against this sort of attack.
Most importantly, no substitute servers or channels are installed by
default which allow arbitrary uploads by community contributors. That
feature of the affected public registries (npm, pypi, rubygems) is so
convenient, but contributes to this kind of attack. This is a great
motivation for people to move to Guix from those other package systems.

However, I'm still thinking about how to attack Guix users. Somebody who
adds an internal channel for their own packages could still be
vulnerable to a dependency confusion attack via a compromised or
manipulated Guix maintainer. The target of the attack could install
packages they believed would be provided by their internal channel but
actually get another package provided upstream.

The degree of vulnerability increases further with each channel used,
with each channel maintainer becoming another potential vector of
compromise. How can we make this kind of attack even more difficult?

What comes to my mind is that we should encourage (require?) people to
specify the channel name a package belongs to, if it's not the "guix"
channel. So instead of referring to "python-beautifulsoup4" (ambiguous:
is this from my channel or upstream Guix?) we say that
"python-beautifulsoup4" always means that package from the "guix" channel
and a version provided by my channel called "internal" needs to be called
for explicitly, like "@internal/python-beautifulsoup4".

Cheers,
Ryan
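
An added example (not part of Ryan's mail and not Guix's own code) showing the
check an internal-channel maintainer would want: it parses `guix package -A`
style listings for two channels, reports package names defined in both, and
implements the proposed `@channel/name` spelling beside the bare-name lookup.
It assumes the rule that an unqualified name resolves to the highest version
among same-named packages; the listings are constructed sample data.

```python
import re
from collections import defaultdict
# Constructed sample listings in the column layout of `guix package -A`
# (name, version, outputs, location); not real channel contents.
UPSTREAM_LISTING = (
    "python-beautifulsoup4\t4.9.3\tout\tgnu/packages/python-xyz.scm:1234:2\n"
    "python-requests\t2.25.0\tout\tgnu/packages/python-web.scm:100:2\n"
)
INTERNAL_LISTING = (
    "python-beautifulsoup4\t4.8.0\tout\tinternal/packages/python.scm:10:2\n"
    "acme-tool\t1.0\tout\tinternal/packages/acme.scm:5:2\n"
)

def parse_listing(text):
    """Turn `guix package -A`-style lines into {package name: version}."""
    packages = {}
    for line in text.splitlines():
        if line.strip():
            name, version, _outputs, _location = line.split("\t")
            packages[name] = version
    return packages

def version_key(version):
    # Simplified numeric comparison, enough for dotted versions like 4.9.3.
    return tuple(int(part) for part in version.split("."))

def parse_spec(spec, default_channel="guix"):
    """'@internal/foo' -> ('internal', 'foo'); a bare name means the default
    channel, which is the convention proposed in the mail."""
    match = re.fullmatch(r"@([\w.-]+)/(.+)", spec)
    return (match.group(1), match.group(2)) if match else (default_channel, spec)

def find_shadowed(channels):
    """channels: {channel: {name: version}}.  Return names defined in more than
    one channel, each with the channel an unqualified name would silently pick
    under the assumed highest-version rule, plus the versions per channel."""
    owners = defaultdict(dict)
    for channel, packages in channels.items():
        for name, version in packages.items():
            owners[name][channel] = version
    return {name: (max(owned, key=lambda ch: version_key(owned[ch])), owned)
            for name, owned in owners.items() if len(owned) > 1}

def resolve(spec, channels):
    """Resolve a possibly channel-qualified spec to (channel, version)."""
    channel, name = parse_spec(spec)
    return channel, channels[channel][name]

CHANNELS = {"guix": parse_listing(UPSTREAM_LISTING),
            "internal": parse_listing(INTERNAL_LISTING)}
```

Run against real output of `guix package -A` from each channel, a non-empty result from `find_shadowed` is the list of internal packages that an unqualified name could quietly resolve upstream.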


Thread overview: 6+ messages
2021-02-10  0:08 Mitigating "dependency confusion" attacks on Guix users Ryan Prior
2021-02-10  7:48 ` Lars-Dominik Braun
2021-02-10  7:51 ` Christopher Baines
2021-02-10 14:33   ` Jonathan Frederickson
2021-02-10 15:12   ` Efraim Flashner
2021-02-10 11:28 ` zimoun
