* Mitigating "dependency confusion" attacks on Guix users
@ 2021-02-10 0:08 Ryan Prior
2021-02-10 7:48 ` Lars-Dominik Braun
` (2 more replies)
0 siblings, 3 replies; 6+ messages in thread
From: Ryan Prior @ 2021-02-10 0:08 UTC (permalink / raw)
To: Development of GNU Guix and the GNU System distribution
[-- Attachment #1: Type: text/plain, Size: 1739 bytes --]
Hi Guix! I've been digesting this piece, published hours ago, describing
dependency confusion attacks that revealed severe vulnerabilities at
many major organizations: https://medium.com/@alex.birsan/dependency-
confusion-4a5d60fec610
Guix users already have a few mitigations against this sort of attack.
Most importantly, no substitute servers or channels are installed by
default which allow arbitrary uploads by community contributors. That
feature of the affected public registries (npm, pypi, rubygems) is so
convenient, but contributes to this kind of attack. This is a great
motivation for people to move to Guix from those other package systems.
However, I'm still thinking about how to attack Guix users. Somebody who
adds an internal channel for their own packages could still be
vulnerable to a dependency confusion attack via a compromised or
manipulated Guix maintainer. The target of the attack could install
packages they believed would be provided by their internal channel but
actually get another package provided upstream.
The degree of vulnerability increases further with each channel used,
with each channel maintainer becoming another potential vector of
compromise. How can we make this kind of attack even more difficult?
What comes to my mind is that we should encourage (require?) people to
specify the channel name a package belongs to, if it's not the "guix"
channel. So instead of referring to "python-beautifulsoup4" (ambiguous:
is this from my channel or upstream Guix?) we say that "python-
beautifulsoup4" always means that package from the "guix" channel and a
version provided by my channel called "internal" needs to be called for
explicitly, like "@internal/python-beautifulsoup4".
Cheers,
Ryan
[-- Attachment #2: Type: text/html, Size: 4087 bytes --]
^ permalink raw reply [flat|nested] 6+ messages in thread* Re: Mitigating "dependency confusion" attacks on Guix users 2021-02-10 0:08 Mitigating "dependency confusion" attacks on Guix users Ryan Prior @ 2021-02-10 7:48 ` Lars-Dominik Braun 2021-02-10 7:51 ` Christopher Baines 2021-02-10 11:28 ` zimoun 2 siblings, 0 replies; 6+ messages in thread From: Lars-Dominik Braun @ 2021-02-10 7:48 UTC (permalink / raw) To: Ryan Prior; +Cc: Development of GNU Guix and the GNU System distribution Hi, very interesting read. > However, I'm still thinking about how to attack Guix users. Somebody who > adds an internal channel for their own packages could still be > vulnerable to a dependency confusion attack via a compromised or > manipulated Guix maintainer. The target of the attack could install > packages they believed would be provided by their internal channel but > actually get another package provided upstream. Usually you’d use module imports and variable names inside your channel’s packages. Wouldn’t that defeat this attack? (Depending on Guix’/Guile’s module loading order of course.) What about substitute servers? As far as I understand as soon as they’re authorized they can deliver substitutes for *any* package. Lars ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: Mitigating "dependency confusion" attacks on Guix users 2021-02-10 0:08 Mitigating "dependency confusion" attacks on Guix users Ryan Prior 2021-02-10 7:48 ` Lars-Dominik Braun @ 2021-02-10 7:51 ` Christopher Baines 2021-02-10 14:33 ` Jonathan Frederickson 2021-02-10 15:12 ` Efraim Flashner 2021-02-10 11:28 ` zimoun 2 siblings, 2 replies; 6+ messages in thread From: Christopher Baines @ 2021-02-10 7:51 UTC (permalink / raw) To: Ryan Prior; +Cc: guix-devel [-- Attachment #1: Type: text/plain, Size: 1555 bytes --] Ryan Prior <ryanprior@hey.com> writes: > However, I'm still thinking about how to attack Guix users. Somebody who > adds an internal channel for their own packages could still be > vulnerable to a dependency confusion attack via a compromised or > manipulated Guix maintainer. The target of the attack could install > packages they believed would be provided by their internal channel but > actually get another package provided upstream. > > The degree of vulnerability increases further with each channel used, > with each channel maintainer becoming another potential vector of > compromise. How can we make this kind of attack even more difficult? > > What comes to my mind is that we should encourage (require?) people to > specify the channel name a package belongs to, if it's not the "guix" > channel. So instead of referring to "python-beautifulsoup4" (ambiguous: > is this from my channel or upstream Guix?) we say that "python- > beautifulsoup4" always means that package from the "guix" channel and a > version provided by my channel called "internal" needs to be called for > explicitly, like "@internal/python-beautifulsoup4". I'm not sure you can escape trusting the collection of channels you're using. Because channels are code that's expected to interact, I'm not sure it's easy to target a single package from a specific channel, and expect that this provides some security. A malicious channel could simply reach out and modify the state in modules from a different channel, which would circumvent the protection you're suggesting. [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 987 bytes --] ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: Mitigating "dependency confusion" attacks on Guix users 2021-02-10 7:51 ` Christopher Baines @ 2021-02-10 14:33 ` Jonathan Frederickson 2021-02-10 15:12 ` Efraim Flashner 1 sibling, 0 replies; 6+ messages in thread From: Jonathan Frederickson @ 2021-02-10 14:33 UTC (permalink / raw) To: guix-devel On 2/10/21 2:51 AM, Christopher Baines wrote: > I'm not sure you can escape trusting the collection of channels you're > using. Because channels are code that's expected to interact, I'm not > sure it's easy to target a single package from a specific channel, and > expect that this provides some security. A malicious channel could > simply reach out and modify the state in modules from a different > channel, which would circumvent the protection you're suggesting. Not that it's necessarily possible to prevent at this moment with the tools available to us, but... is there any case in Guix's normal usage where the modules containing package definitions need to reach out and modify the state in other modules? ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: Mitigating "dependency confusion" attacks on Guix users 2021-02-10 7:51 ` Christopher Baines 2021-02-10 14:33 ` Jonathan Frederickson @ 2021-02-10 15:12 ` Efraim Flashner 1 sibling, 0 replies; 6+ messages in thread From: Efraim Flashner @ 2021-02-10 15:12 UTC (permalink / raw) To: Christopher Baines; +Cc: guix-devel, Ryan Prior [-- Attachment #1: Type: text/plain, Size: 2051 bytes --] On Wed, Feb 10, 2021 at 07:51:23AM +0000, Christopher Baines wrote: > > Ryan Prior <ryanprior@hey.com> writes: > > > However, I'm still thinking about how to attack Guix users. Somebody who > > adds an internal channel for their own packages could still be > > vulnerable to a dependency confusion attack via a compromised or > > manipulated Guix maintainer. The target of the attack could install > > packages they believed would be provided by their internal channel but > > actually get another package provided upstream. > > > > The degree of vulnerability increases further with each channel used, > > with each channel maintainer becoming another potential vector of > > compromise. How can we make this kind of attack even more difficult? > > > > What comes to my mind is that we should encourage (require?) people to > > specify the channel name a package belongs to, if it's not the "guix" > > channel. So instead of referring to "python-beautifulsoup4" (ambiguous: > > is this from my channel or upstream Guix?) we say that "python- > > beautifulsoup4" always means that package from the "guix" channel and a > > version provided by my channel called "internal" needs to be called for > > explicitly, like "@internal/python-beautifulsoup4". > > I'm not sure you can escape trusting the collection of channels you're > using. Because channels are code that's expected to interact, I'm not > sure it's easy to target a single package from a specific channel, and > expect that this provides some security. A malicious channel could > simply reach out and modify the state in modules from a different > channel, which would circumvent the protection you're suggesting. perhaps with module-set! ? Is that the one that lets you redefine a package in a different module, from, say, your os-config? -- Efraim Flashner <efraim@flashner.co.il> אפרים פלשנר GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351 Confidentiality cannot be guaranteed on emails sent or received unencrypted [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 833 bytes --] ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: Mitigating "dependency confusion" attacks on Guix users 2021-02-10 0:08 Mitigating "dependency confusion" attacks on Guix users Ryan Prior 2021-02-10 7:48 ` Lars-Dominik Braun 2021-02-10 7:51 ` Christopher Baines @ 2021-02-10 11:28 ` zimoun 2 siblings, 0 replies; 6+ messages in thread From: zimoun @ 2021-02-10 11:28 UTC (permalink / raw) To: Ryan Prior, Development of GNU Guix and the GNU System distribution Hi Ryan, On Wed, 10 Feb 2021 at 00:08, Ryan Prior <ryanprior@hey.com> wrote: > What comes to my mind is that we should encourage (require?) people to > specify the channel name a package belongs to, if it's not the "guix" > channel. So instead of referring to "python-beautifulsoup4" (ambiguous: > is this from my channel or upstream Guix?) we say that "python- > beautifulsoup4" always means that package from the "guix" channel and a > version provided by my channel called "internal" needs to be called for > explicitly, like "@internal/python-beautifulsoup4". Could you provide an concrete example of such attack? I am not able to imagine a scenario. Alice uses the official Guix channel and another custom channel. It is hard to compromise the official Guix channel, IMHO. Compromise the custom channel, well it depends on the custom channel. ;-) Since channels are Git repo, compromise a channel means more or less compromise a Git repo. IMHO. And Guix provides the tools for authenticate channels so it is up to Alice to trust or not a custom channel, i.e., the people behind such channel. Therefore, if Alice trusts the custom channel, your proposal only adds complexity, IMHO. If Alice does not trust the custom channel, there is 2 cases: a) she is already aware that installing packages from this channel should be done with care because she is not trusting and b) the packages in this custom channel cannot be used by other official packages because of modules, or Alice has to explicitly use “untrusted“ module. Well, below examples. From my understanding, the design of channels using Git repo with Guile modules is different from the PyPI&co repo where literally anyone has the right to upload packages without a strict DAG. Thus, the «dependency attack» seems defeated by Guix design, i.e., it is hard to find a scenario where Alice is really mislead and not explicitly shoot herself in her foot. But I could be wrong and just missing imagination. :-) Cheers, simon PS: Some details with a naive scenario. $ cd /tmp/ $ mkdir -p custom.git $ cd custom.git $ git init Dépôt Git vide initialisé dans /tmp/custom.git/.git/ $ mkdir -p gnu/packages $ cat gnu/packages/other-base.scm (define-module (gnu packages other-base) #:use-module (guix packages) #:use-module (guix build-system gnu) #:use-module (guix git-download) #:use-module (guix licenses)) (define-public hello (package (name "hello") (version "2.10") (source (origin (method git-fetch) (uri (git-reference (url "https://github.com/zimoun/hello-example.git") (commit "e1eefd033b8a2c4c81babc6fde08ebb116c6abb8"))) (sha256 (base32 "1im1gglfm4k10bh4mdaqzmx3lm3kivnsmxrvl6vyvmfqqzljq75l")))) (build-system gnu-build-system) (synopsis "Hello, GNU world: An example GNU package") (description "GNU Hello prints the message \"Hello, world!\" and then exits. It serves as an example of standard GNU coding practices. As such, it supports command-line arguments, multiple languages, and so on.") (home-page "https://www.gnu.org/software/hello/") (license gpl3+))) $ git add gnu/packages/other-base.scm $ git commit -m 'Add (gnu packages other-base)' [master (commit racine) 0eabc08] Add (gnu packages other-base) 1 file changed, 26 insertions(+) create mode 100644 gnu/packages/other-base.scm $ cat /tmp/channels.scm (list (channel (name 'guix) (url "https://git.savannah.gnu.org/git/guix.git") (introduction (make-channel-introduction "9edb3f66fd807b096b48283debdcddccfea34bad" (openpgp-fingerprint "BBB0 2DDF 2CEA F6A8 0D1D E643 A2A0 6DF2 A33A 54FA")))) (channel (name 'custom) (url "file:///tmp/custom.git"))) $ guix pull -C /tmp/channels.scm -p tmp/new Mise à jour du canal « guix » depuis le dépôt Git « https://git.savannah.gnu.or\ g/git/guix.git »... Mise à jour du canal « custom » depuis le dépôt Git « file:///tmp/custom.git ».\ .. Construction depuis ces canaux : custom file:///tmp/custom.git 62a12ec guix https://git.savannah.gnu.org/git/guix.git 091ce05 [...] $ /tmp/new/bin/guix build hello guix build: warning: spécification du paquet « hello » ambiguë guix build: warning: choix de hello@2.10 à l'emplacement gnu/packages/base.scm:\ 77:2 /gnu/store/a462kby1q51ndvxdv3b6p0rsixxrgx1h-hello-2.10 $ touch README $ git add README $ git commit -m 'Tweak.' [master 69e2eac] Tweak. 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 README $ cat /tmp/channels.scm (list (channel (name 'custom) (url "file:///tmp/custom.git")) (channel (name 'guix) (url "https://git.savannah.gnu.org/git/guix.git") (introduction (make-channel-introduction "9edb3f66fd807b096b48283debdcddccfea34bad" (openpgp-fingerprint "BBB0 2DDF 2CEA F6A8 0D1D E643 A2A0 6DF2 A33A 54FA"))))) $ guix pull -C /tmp/channels.scm -p /tmp/new ise à jour du canal « custom » depuis le dépôt Git « file:///tmp/custom.git ».\ .. Mise à jour du canal « guix » depuis le dépôt Git « https://git.savannah.gnu.or\ g/git/guix.git »... Construction depuis ces canaux : guix https://git.savannah.gnu.org/git/guix.git 091ce05 custom file:///tmp/custom.git 69e2eac Computing Guix derivation for 'x86_64-linux'... [...] $ /tmp/new/bin/guix build hello guix build: warning: spécification du paquet « hello » ambiguë guix build: warning: choix de hello@2.10 à l'emplacement gnu/packages/base.scm:\ 77:2 /gnu/store/a462kby1q51ndvxdv3b6p0rsixxrgx1h-hello-2.10 At this point, Alice cannot be mislead because the 2 package 'hello' are in 2 different modules, one is (gnu packages base) and the is (gnu packages other-base). What happens if the corrupted 'hello' in the custom channel lives in a module named (gnu packages base). $ git show 90ee24f commit 90ee24f24b721cd73c4e2f86883da18a51ce0116 (HEAD -> master) Author: zimoun <zimon.toutoune@gmail.com> Date: Wed Feb 10 12:11:36 2021 +0100 (gnu packages other-base) -> (gnu packages base) diff --git a/gnu/packages/other-base.scm b/gnu/packages/base.scm similarity index 95% rename from gnu/packages/other-base.scm rename to gnu/packages/base.scm index 4a1e33f..c547df6 100644 --- a/gnu/packages/other-base.scm +++ b/gnu/packages/base.scm @@ -1,4 +1,4 @@ -(define-module (gnu packages other-base) +(define-module (gnu packages base) #:use-module (guix packages) #:use-module (guix build-system gnu) #:use-module (guix git-download) $ guix pull -C /tmp/channels.scm -p /tmp/new Mise à jour du canal « custom » depuis le dépôt Git « file:///tmp/custom.git ».\ .. Mise à jour du canal « guix » depuis le dépôt Git « https://git.savannah.gnu.or\ g/git/guix.git »... Construction depuis ces canaux : guix https://git.savannah.gnu.org/git/guix.git 091ce05 custom file:///tmp/custom.git 90ee24f [...] construction de /gnu/store/60ab9ayq6954g9aplmi0zdhg8rw24qh0-custom.drv... |builder for `/gnu/store/60ab9ayq6954g9aplmi0zdhg8rw24qh0-custom.drv' failed to\ produce output path `/gnu/store/bwfswna2mva90z66r1bsszj9wbhypakn-custom' la compilation de /gnu/store/60ab9ayq6954g9aplmi0zdhg8rw24qh0-custom.drv a écho\ ué Vous trouverez le journal de compilation dans « /var/log/guix/drvs/60/ab9ayq695\ 4g9aplmi0zdhg8rw24qh0-custom.drv.bz2 ». cannot build derivation `/gnu/store/byajgdx0xyy4ln8cgf5hg6mcc1yxlxfa-profile.dr\ v': 1 dependencies couldn't be built guix pull: error: build of `/gnu/store/byajgdx0xyy4ln8cgf5hg6mcc1yxlxfa-profile\ .drv' failed So I am lacking imagination to realize the «dependencies attack» because of the Guile modules. ^ permalink raw reply related [flat|nested] 6+ messages in thread
end of thread, other threads:[~2021-02-10 15:13 UTC | newest] Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2021-02-10 0:08 Mitigating "dependency confusion" attacks on Guix users Ryan Prior 2021-02-10 7:48 ` Lars-Dominik Braun 2021-02-10 7:51 ` Christopher Baines 2021-02-10 14:33 ` Jonathan Frederickson 2021-02-10 15:12 ` Efraim Flashner 2021-02-10 11:28 ` zimoun
Code repositories for project(s) associated with this public inbox https://git.savannah.gnu.org/cgit/guix.git This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).