SlideShare uma empresa Scribd logo
1 de 38
Cross-Build Injection Attacks
                 How safe is your Java build?




                       @Sander_Mak
About
Coding      at
                    (           )


  Writing              Blog @
                 branchandbound.net




   Speaking
Trust
         ‘Reflections on Trusting Trust’




Ken Thompson, 1984
UNIX co-creator
Trust
                            ‘Reflections on Trusting Trust’

Moral:
You can't trust code
that you did not
totally create yourself




                   Ken Thompson, 1984
                   UNIX co-creator
Trust
                          ‘Reflections on Trusting Trust’




                                               phpMyAdmin backdoor

                              ... SourceForge became aware of a
                              corrupted copy of phpMyAdmin being
Moral:                        served from the ‘cdnetworks-kr-1′ mirror
                              in Korea.
You can't trust code
that you did not
totally create yourself
Trust
                      ‘Reflections on Trusting Trust’

That was 30 years ago...
  With the C compiler...
   How is this relevant?




            Demo              / javac
Trust
                      ‘Reflections on Trusting Trust’

That was 30 years ago...        Could be any build system
                             with a central repository though!
  With the C compiler...
   How is this relevant?




            Demo               / javac
Maven Central
                 Internet

                            Maven
                            Central
                                      - Dependencies
                                      - Plugins

Local
                            Maven

                               uses
   Maven Local
                                                 javac
      Repo       maven-compiler-plugin
Maven Central
400k components               Maven
                              Central
7.5 billion req/year
60k organisations using Maven Central



       In short: a prime target


                             * source: Sonatype
Cross Build Injection
        Internet
                   Maven
                   Central




        Internet
                   MITM




Local
                   Maven




               Maven Local
                  Repo
Cross Build Injection
        Internet                     Internet               Internet
                   Maven                        Maven                  Hacker
                   Central                      Central                Central




        Internet                     Internet
                                      Local       DNS
                   MITM
                                                Poisoning




Local                        Local
                   Maven                         Maven



               Maven Local                  Maven Local
                  Repo                         Repo
Cross Build Injection
            Compromised Maven Central
        Internet
                   Maven
                   Central




Local
                   Maven




               Maven Local
                  Repo
Cross Build Injection
            Compromised Maven Central
        Internet
                   Maven
                   Central

                             Different attack vectors,
                             one result: compromised
                             binaries through

                             Cross-Build Injection
Local
                   Maven




               Maven Local
                  Repo
Countermeasures
                                    https


Maven Central http-only
 https for Sonatype customers
 ‘alternative’: https://oss.sonatype.org/
                 
Countermeasures
                                    https


Maven Central http-only
 https for Sonatype customers
 ‘alternative’: https://oss.sonatype.org/
                 
Countermeasures
                                      ‘Cutting all ties’
        Internet
                    Maven
                    Central



                                Internal Maven repo

Local
                   Repository    can be disconnected
                    Manager




                     Maven
                                Shortens XBI attack
                                window
               Maven Local
                  Repo
                                Manual verification?
Countermeasures
                                              Checksums
    Maven
                                      Maven
    Central
              .jar        .pom
              .jar.sha1   .pom.sha1
              .jar.md5    .pom.md5




Checksums only detect transport issues
Automatic check, but no failure error!
Use: <checksumPolicy>fail</checksumPolicy>

Note: MD5 is broken anyway...
Countermeasures
                                                                                      Checksums
               Maven
                                                                             Maven
               Central
                                  .jar               .pom
                                  .jar.sha1          .pom.sha1
                                  .jar.md5           .pom.md5



Downloading:	
  <snipped>/ws/spring-­‐ws/1.5.8/spring-­‐ws-­‐1.5.8.pom
     Checksums only detect transport issues
427b	
  downloaded	
  	
  (spring-­‐ws-­‐1.5.8.pom)
[WARNING]	
  ***	
  CHECKSUM	
  FAILED	
  -­‐	
  Checksum	
  failed	
  on	
  download:	
  local	
  =	
  
'14d6901e3f251f5d312b9be726c75a
     Automatic check, but no failure error!
68f78045ac';	
  remote	
  =	
  '659bbed2c2dae12e9dbb65f8cad8fce1a1ea0845'	
  -­‐	
  RETRYING
Downloading:	
  <snipped>/ws/spring-­‐ws/1.5.8/spring-­‐ws-­‐1.5.8.pom
427b	
  downloaded	
  	
  (spring-­‐ws-­‐1.5.8.pom)
     Use:      <checksumPolicy>fail</checksumPolicy>
[WARNING]	
  ***	
  CHECKSUM	
  FAILED	
  -­‐	
  Checksum	
  failed	
  on	
  download:	
  local	
  =	
  
'14d6901e3f251f5d312b9be726c75a
68f78045ac';	
  remote	
  =	
  '659bbed2c2dae12e9dbb65f8cad8fce1a1ea0845'	
  -­‐	
  IGNORING

     Note: MD5 is broken anyway...
     Ignorance is not bliss... Failure is an option!
Countermeasures
                         Signed artifacts
Pretty Good Privacy
 OpenPGP standard
 Encrypt or sign
 Popularized by email signing
Asymmetric pub/private keypair
GnuPG (GPG): free implementation
Countermeasures
                                     Signed artifacts
Maven
                                     Maven
Central
          .jar          .pom
          .jar.asc      .pom.asc
          (mandatory past 3 years)
Countermeasures
                                              Signed artifacts
         Maven
                                              Maven
         Central
                   .jar          .pom
                   .jar.asc      .pom.asc
                   (mandatory past 3 years)

.asc +




      Library                                 PGP Key
     Developer                                 Server
Manual verification
          Getting the signature
$	
  wget	
  http://repo1.maven.org/maven2/org/sonatype/plexus/plexus-­‐cipher/1.7/
plexus-­‐cipher-­‐1.7.jar.asc

$	
  cat	
  plexus-­‐cipher-­‐1.7.jar.asc
-­‐-­‐-­‐-­‐-­‐BEGIN	
  PGP	
  SIGNATURE-­‐-­‐-­‐-­‐-­‐
Version:	
  GnuPG	
  v1.4.10	
  (GNU/Linux)

iEYEABECAAYFAk4vAikACgkQA3TPLo3Rvf05hgCffG9+M1bAefuM5Kmu6IASNlPX
zhYAnAvI4VNXSFXH4nz6z/uXaWz9kpXz
=i6KI
-­‐-­‐-­‐-­‐-­‐END	
  PGP	
  SIGNATURE-­‐-­‐-­‐-­‐-­‐

$	
  gpg	
  -­‐-­‐verify	
  plexus-­‐cipher-­‐1.7.jar.asc	
  ~/repo/.../plexus-­‐chipher-­‐1.7.jar
gpg:	
  Signature	
  made	
  Tue	
  Jul	
  26	
  20:06:33	
  2011	
  CEST	
  using	
  DSA	
  key	
  ID	
  8DD1BDFD
gpg:	
  Can't	
  check	
  signature:	
  public	
  key	
  not	
  found
Manual verification
          Getting the signature
$	
  wget	
  http://repo1.maven.org/maven2/org/sonatype/plexus/plexus-­‐cipher/1.7/
plexus-­‐cipher-­‐1.7.jar.asc

$	
  cat	
  plexus-­‐cipher-­‐1.7.jar.asc
-­‐-­‐-­‐-­‐-­‐BEGIN	
  PGP	
  SIGNATURE-­‐-­‐-­‐-­‐-­‐
Version:	
  GnuPG	
  v1.4.10	
  (GNU/Linux)

iEYEABECAAYFAk4vAikACgkQA3TPLo3Rvf05hgCffG9+M1bAefuM5Kmu6IASNlPX
zhYAnAvI4VNXSFXH4nz6z/uXaWz9kpXz
=i6KI
-­‐-­‐-­‐-­‐-­‐END	
  PGP	
  SIGNATURE-­‐-­‐-­‐-­‐-­‐

$	
  gpg	
  -­‐-­‐verify	
  plexus-­‐cipher-­‐1.7.jar.asc	
  ~/repo/.../plexus-­‐chipher-­‐1.7.jar
gpg:	
  Signature	
  made	
  Tue	
  Jul	
  26	
  20:06:33	
  2011	
  CEST	
  using	
  DSA	
  key	
  ID	
  8DD1BDFD
gpg:	
  Can't	
  check	
  signature:	
  public	
  key	
  not	
  found
Manual verification
                    Getting the key
$	
  gpg	
  -­‐-­‐verify	
  plexus-­‐cipher-­‐1.7.jar.asc	
  ~/repo/.../plexus-­‐cipher-­‐1.7.jar
gpg:	
  Signature	
  made	
  Tue	
  Jul	
  26	
  20:06:33	
  2011	
  CEST	
  using	
  DSA	
  key	
  ID	
  8DD1BDFD
gpg:	
  Can't	
  check	
  signature:	
  public	
  key	
  not	
  found

$	
  gpg	
  -­‐-­‐keyserver	
  pgp.mit.edu	
  -­‐-­‐recv-­‐key	
  8DD1BDFD
gpg:	
  requesting	
  key	
  8DD1BDFD	
  from	
  hkp	
  server	
  pgp.mit.edu
gpg:	
  key	
  8DD1BDFD:	
  public	
  key	
  "Sonatype,	
  Inc.	
  (Sonatype	
  release	
  key)	
  
<dev@sonatype.com>"	
  imported
gpg:	
  no	
  ultimately	
  trusted	
  keys	
  found
gpg:	
  Total	
  number	
  processed:	
  1
gpg:	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  imported:	
  1

$	
  gpg	
  -­‐-­‐verify	
  plexus-­‐cipher-­‐1.7.jar.asc	
  ~/repo/.../plexus-­‐chipher-­‐1.7.jar	
  
gpg:	
  Signature	
  made	
  Tue	
  Jul	
  26	
  20:06:33	
  2011	
  CEST	
  using	
  DSA	
  key	
  ID	
  8DD1BDFD
gpg:	
  Good	
  signature	
  from	
  "Sonatype,	
  Inc.	
  (Sonatype	
  release	
  key)	
  
<dev@sonatype.com>"
gpg:	
  WARNING:	
  This	
  key	
  is	
  not	
  certified	
  with	
  a	
  trusted	
  signature!
gpg:	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  There	
  is	
  no	
  indication	
  that	
  the	
  signature	
  belongs	
  to	
  the	
  
owner.
Primary	
  key	
  fingerprint:	
  2BCB	
  DD0F	
  23EA	
  1CAF	
  CC11	
  	
  D486	
  0374	
  CF2E	
  8DD1	
  BDFD
Manual verification
                    Getting the key
$	
  gpg	
  -­‐-­‐verify	
  plexus-­‐cipher-­‐1.7.jar.asc	
  ~/repo/.../plexus-­‐cipher-­‐1.7.jar
gpg:	
  Signature	
  made	
  Tue	
  Jul	
  26	
  20:06:33	
  2011	
  CEST	
  using	
  DSA	
  key	
  ID	
  8DD1BDFD
gpg:	
  Can't	
  check	
  signature:	
  public	
  key	
  not	
  found

$	
  gpg	
  -­‐-­‐keyserver	
  pgp.mit.edu	
  -­‐-­‐recv-­‐key	
  8DD1BDFD
gpg:	
  requesting	
  key	
  8DD1BDFD	
  from	
  hkp	
  server	
  pgp.mit.edu
gpg:	
  key	
  8DD1BDFD:	
  public	
  key	
  "Sonatype,	
  Inc.	
  (Sonatype	
  release	
  key)	
  
<dev@sonatype.com>"	
  imported
gpg:	
  no	
  ultimately	
  trusted	
  keys	
  found
gpg:	
  Total	
  number	
  processed:	
  1
gpg:	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  imported:	
  1

$	
  gpg	
  -­‐-­‐verify	
  plexus-­‐cipher-­‐1.7.jar.asc	
  ~/repo/.../plexus-­‐chipher-­‐1.7.jar	
  
gpg:	
  Signature	
  made	
  Tue	
  Jul	
  26	
  20:06:33	
  2011	
  CEST	
  using	
  DSA	
  key	
  ID	
  8DD1BDFD
gpg:	
  Good	
  signature	
  from	
  "Sonatype,	
  Inc.	
  (Sonatype	
  release	
  key)	
  
<dev@sonatype.com>"
gpg:	
  WARNING:	
  This	
  key	
  is	
  not	
  certified	
  with	
  a	
  trusted	
  signature!
gpg:	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  There	
  is	
  no	
  indication	
  that	
  the	
  signature	
  belongs	
  to	
  the	
  
owner.
Primary	
  key	
  fingerprint:	
  2BCB	
  DD0F	
  23EA	
  1CAF	
  CC11	
  	
  D486	
  0374	
  CF2E	
  8DD1	
  BDFD
Manual verification
                    Getting the key
$	
  gpg	
  -­‐-­‐verify	
  plexus-­‐cipher-­‐1.7.jar.asc	
  ~/repo/.../plexus-­‐cipher-­‐1.7.jar
gpg:	
  Signature	
  made	
  Tue	
  Jul	
  26	
  20:06:33	
  2011	
  CEST	
  using	
  DSA	
  key	
  ID	
  8DD1BDFD
gpg:	
  Can't	
  check	
  signature:	
  public	
  key	
  not	
  found

$	
  gpg	
  -­‐-­‐keyserver	
  pgp.mit.edu	
  -­‐-­‐recv-­‐key	
  8DD1BDFD
gpg:	
  requesting	
  key	
  8DD1BDFD	
  from	
  hkp	
  server	
  pgp.mit.edu
gpg:	
  key	
  8DD1BDFD:	
  public	
  key	
  "Sonatype,	
  Inc.	
  (Sonatype	
  release	
  key)	
  
<dev@sonatype.com>"	
  imported
gpg:	
  no	
  ultimately	
  trusted	
  keys	
  found
gpg:	
  Total	
  number	
  processed:	
  1
gpg:	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  imported:	
  1

$	
  gpg	
  -­‐-­‐verify	
  plexus-­‐cipher-­‐1.7.jar.asc	
  ~/repo/.../plexus-­‐chipher-­‐1.7.jar	
  
gpg:	
  Signature	
  made	
  Tue	
  Jul	
  26	
  20:06:33	
  2011	
  CEST	
  using	
  DSA	
  key	
  ID	
  8DD1BDFD
gpg:	
  Good	
  signature	
  from	
  "Sonatype,	
  Inc.	
  (Sonatype	
  release	
  key)	
  
<dev@sonatype.com>"
gpg:	
  WARNING:	
  This	
  key	
  is	
  not	
  certified	
  with	
  a	
  trusted	
  signature!
gpg:	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  There	
  is	
  no	
  indication	
  that	
  the	
  signature	
  belongs	
  to	
  the	
  
owner.
Primary	
  key	
  fingerprint:	
  2BCB	
  DD0F	
  23EA	
  1CAF	
  CC11	
  	
  D486	
  0374	
  CF2E	
  8DD1	
  BDFD
Pretty Good Privacy
                                                      Web of Trust
  Sonatype                            Sonatype
Release key                         Release key




Brian F.                         Brian F.



                                            John C.          Other
           John C.                                           people
                                                             in web
                                                             of trust
                     Damian B.                  Damian B.
Pretty Good Privacy
                                                                 Web of Trust
  Sonatype                            Sonatype
Release key                         Release key



                                                                    ru   st
                                                             n   &t
                                                           ig
                                                 o  r t, s                    Sander M.
                                              Imp

Brian F.                         Brian F.



                                            John C.                            Other
           John C.                                                             people
                                                                               in web
                                                                               of trust
                     Damian B.                  Damian B.
Pretty Good Privacy
             Web of Trust
Manual Verification
  Getting the key automatically
$	
  	
  gpg	
  -­‐-­‐auto-­‐key-­‐locate	
  keyserver	
  -­‐-­‐keyserver	
  pgp.mit.edu	
  
	
  	
  	
  	
  	
  	
  	
  -­‐-­‐keyserver-­‐options	
  auto-­‐key-­‐retrieve	
  
	
  	
  	
  	
  	
  	
  	
  -­‐-­‐verify	
  plexus-­‐cipher-­‐1.7.jar.asc	
  ~/repo/.../plexus-­‐chipher-­‐1.7.jar
	
  
gpg:	
  Signature	
  made	
  Tue	
  Jul	
  26	
  20:06:33	
  2011	
  CEST	
  using	
  DSA	
  key	
  ID	
  8DD1BDFD
gpg:	
  requesting	
  key	
  8DD1BDFD	
  from	
  hkp	
  server	
  pgp.mit.edu
gpg:	
  key	
  8DD1BDFD:	
  public	
  key	
  "Sonatype,	
  Inc.	
  (Sonatype	
  release	
  key)	
  
<dev@sonatype.com>"	
  imported
gpg:	
  3	
  marginal(s)	
  needed,	
  1	
  complete(s)	
  needed,	
  PGP	
  trust	
  model
gpg:	
  depth:	
  0	
  	
  valid:	
  	
  	
  1	
  	
  signed:	
  	
  	
  1	
  	
  trust:	
  0-­‐,	
  0q,	
  0n,	
  0m,	
  0f,	
  1u
gpg:	
  depth:	
  1	
  	
  valid:	
  	
  	
  1	
  	
  signed:	
  	
  	
  1	
  	
  trust:	
  0-­‐,	
  0q,	
  0n,	
  0m,	
  1f,	
  0u
gpg:	
  depth:	
  2	
  	
  valid:	
  	
  	
  1	
  	
  signed:	
  	
  	
  0	
  	
  trust:	
  1-­‐,	
  0q,	
  0n,	
  0m,	
  0f,	
  0u
gpg:	
  Total	
  number	
  processed:	
  1
gpg:	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  imported:	
  1
gpg:	
  Good	
  signature	
  from	
  "Sonatype,	
  Inc.	
  (Sonatype	
  release	
  key)	
  
<dev@sonatype.com>"
Manual Verification
  Getting the key automatically
$	
  	
  gpg	
  -­‐-­‐auto-­‐key-­‐locate	
  keyserver	
  -­‐-­‐keyserver	
  pgp.mit.edu	
  
	
  	
  	
  	
  	
  	
  	
  -­‐-­‐keyserver-­‐options	
  auto-­‐key-­‐retrieve	
  
	
  	
  	
  	
  	
  	
  	
  -­‐-­‐verify	
  plexus-­‐cipher-­‐1.7.jar.asc	
  ~/repo/.../plexus-­‐chipher-­‐1.7.jar
	
  
gpg:	
  Signature	
  made	
  Tue	
  Jul	
  26	
  20:06:33	
  2011	
  CEST	
  using	
  DSA	
  key	
  ID	
  8DD1BDFD
gpg:	
  requesting	
  key	
  8DD1BDFD	
  from	
  hkp	
  server	
  pgp.mit.edu
gpg:	
  key	
  8DD1BDFD:	
  public	
  key	
  "Sonatype,	
  Inc.	
  (Sonatype	
  release	
  key)	
  
<dev@sonatype.com>"	
  imported
gpg:	
  3	
  marginal(s)	
  needed,	
  1	
  complete(s)	
  needed,	
  PGP	
  trust	
  model
gpg:	
  depth:	
  0	
  	
  valid:	
  	
  	
  1	
  	
  signed:	
  	
  	
  1	
  	
  trust:	
  0-­‐,	
  0q,	
  0n,	
  0m,	
  0f,	
  1u
gpg:	
  depth:	
  1	
  	
  valid:	
  	
  	
  1	
  	
  signed:	
  	
  	
  1	
  	
  trust:	
  0-­‐,	
  0q,	
  0n,	
  0m,	
  1f,	
  0u
gpg:	
  depth:	
  2	
  	
  valid:	
  	
  	
  1	
  	
  signed:	
  	
  	
  0	
  	
  trust:	
  1-­‐,	
  0q,	
  0n,	
  0m,	
  0f,	
  0u
gpg:	
  Total	
  number	
  processed:	
  1
gpg:	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  imported:	
  1
gpg:	
  Good	
  signature	
  from	
  "Sonatype,	
  Inc.	
  (Sonatype	
  release	
  key)	
  
<dev@sonatype.com>"
                                     Web of Trust in action
Automatic Verification




            Demo

     repository manager
Defense in Depth
                           If all else fails...
Security/pen-testing
Scan binaries (incl. dependencies!)
 Fortify
 AppScan
Sandbox app @ runtime
 Java2Security
 Network topology
Build Security
                        Recommendations




Introduce a repository manager

Audit dep’cies: no blind downloading

Verify PGP signatures

Audit your build process
Build Security
       Secure tools - future




+                   ?
    verification
Build Security
               Secure tools - future




      +                     ?
           verification


Make your voice heard!
Build Security




Are we safe now?
Questions




Article: bit.ly/javaone-xbi



                    branchandbound.net

                    @Sander_Mak

Mais conteúdo relacionado

Destaque

Hibernate Performance Tuning (JEEConf 2012)
Hibernate Performance Tuning (JEEConf 2012)Hibernate Performance Tuning (JEEConf 2012)
Hibernate Performance Tuning (JEEConf 2012)Sander Mak (@Sander_Mak)
 
Estudio Del Movimiento Por Jose Manuel Berrio
Estudio Del Movimiento Por Jose Manuel BerrioEstudio Del Movimiento Por Jose Manuel Berrio
Estudio Del Movimiento Por Jose Manuel Berriojombe403
 
How to setup the printing preferences
How to setup the printing preferencesHow to setup the printing preferences
How to setup the printing preferencesWarren Yip
 
Linked In Transaction Offer
Linked In Transaction OfferLinked In Transaction Offer
Linked In Transaction OfferVincent_Mills
 
Chris Thorngate evaluation
Chris Thorngate evaluationChris Thorngate evaluation
Chris Thorngate evaluationguestd7608fd
 
Dialogbaseret Aftalestyring Powerpoint øKonomiudvalget 4. December 07
Dialogbaseret Aftalestyring   Powerpoint øKonomiudvalget 4. December 07Dialogbaseret Aftalestyring   Powerpoint øKonomiudvalget 4. December 07
Dialogbaseret Aftalestyring Powerpoint øKonomiudvalget 4. December 07ibsis
 
Altitude #Users meeting in Spain ASES2015
Altitude #Users meeting in Spain ASES2015Altitude #Users meeting in Spain ASES2015
Altitude #Users meeting in Spain ASES2015Raquel1704
 
Prism Capabilities Overview
Prism Capabilities OverviewPrism Capabilities Overview
Prism Capabilities Overviewseandbrady
 
Interior Design: Easy Ways to Add Flash Without Wasting Cash
Interior Design: Easy Ways to Add Flash Without Wasting Cash Interior Design: Easy Ways to Add Flash Without Wasting Cash
Interior Design: Easy Ways to Add Flash Without Wasting Cash Crystal Henson
 

Destaque (20)

Modular JavaScript
Modular JavaScriptModular JavaScript
Modular JavaScript
 
Modularity in the Cloud
Modularity in the CloudModularity in the Cloud
Modularity in the Cloud
 
Scala & Lift (JEEConf 2012)
Scala & Lift (JEEConf 2012)Scala & Lift (JEEConf 2012)
Scala & Lift (JEEConf 2012)
 
Hibernate Performance Tuning (JEEConf 2012)
Hibernate Performance Tuning (JEEConf 2012)Hibernate Performance Tuning (JEEConf 2012)
Hibernate Performance Tuning (JEEConf 2012)
 
Innovation prezi
Innovation preziInnovation prezi
Innovation prezi
 
Estudio Del Movimiento Por Jose Manuel Berrio
Estudio Del Movimiento Por Jose Manuel BerrioEstudio Del Movimiento Por Jose Manuel Berrio
Estudio Del Movimiento Por Jose Manuel Berrio
 
Windows XP
Windows XPWindows XP
Windows XP
 
How to setup the printing preferences
How to setup the printing preferencesHow to setup the printing preferences
How to setup the printing preferences
 
Unenclosable
UnenclosableUnenclosable
Unenclosable
 
Linked In Transaction Offer
Linked In Transaction OfferLinked In Transaction Offer
Linked In Transaction Offer
 
Chris Thorngate evaluation
Chris Thorngate evaluationChris Thorngate evaluation
Chris Thorngate evaluation
 
Teenager
TeenagerTeenager
Teenager
 
Dialogbaseret Aftalestyring Powerpoint øKonomiudvalget 4. December 07
Dialogbaseret Aftalestyring   Powerpoint øKonomiudvalget 4. December 07Dialogbaseret Aftalestyring   Powerpoint øKonomiudvalget 4. December 07
Dialogbaseret Aftalestyring Powerpoint øKonomiudvalget 4. December 07
 
Openrules prezi
Openrules preziOpenrules prezi
Openrules prezi
 
Altitude #Users meeting in Spain ASES2015
Altitude #Users meeting in Spain ASES2015Altitude #Users meeting in Spain ASES2015
Altitude #Users meeting in Spain ASES2015
 
Prism Capabilities Overview
Prism Capabilities OverviewPrism Capabilities Overview
Prism Capabilities Overview
 
Unenclosable
UnenclosableUnenclosable
Unenclosable
 
張望 佛門攝影
張望   佛門攝影張望   佛門攝影
張望 佛門攝影
 
Teaterbygningen 125 år
Teaterbygningen 125 årTeaterbygningen 125 år
Teaterbygningen 125 år
 
Interior Design: Easy Ways to Add Flash Without Wasting Cash
Interior Design: Easy Ways to Add Flash Without Wasting Cash Interior Design: Easy Ways to Add Flash Without Wasting Cash
Interior Design: Easy Ways to Add Flash Without Wasting Cash
 

Semelhante a Cross-Build Injection attacks: how safe is your Java build?

Optimising Productivity with AWS Developer Tools
Optimising Productivity with AWS Developer ToolsOptimising Productivity with AWS Developer Tools
Optimising Productivity with AWS Developer ToolsAmazon Web Services
 
The future of the php development environment
The future of the php development environmentThe future of the php development environment
The future of the php development environmentJeremy Quinton
 
Rock-solid Magento Development and Deployment Workflows
Rock-solid Magento Development and Deployment WorkflowsRock-solid Magento Development and Deployment Workflows
Rock-solid Magento Development and Deployment WorkflowsAOE
 
JSUG - Maven by Michael Greifeneder
JSUG - Maven by Michael GreifenederJSUG - Maven by Michael Greifeneder
JSUG - Maven by Michael GreifenederChristoph Pickl
 
Cloud Best Practices
Cloud Best PracticesCloud Best Practices
Cloud Best PracticesEric Bottard
 
SF DevOps: Introducing Vagrant
SF DevOps: Introducing VagrantSF DevOps: Introducing Vagrant
SF DevOps: Introducing VagrantMitchell Hashimoto
 
Architecting for continuous delivery (33rd Degree)
Architecting for continuous delivery (33rd Degree)Architecting for continuous delivery (33rd Degree)
Architecting for continuous delivery (33rd Degree)Axel Fontaine
 
Building cloud-tools-for-netflix-code mash2012
Building cloud-tools-for-netflix-code mash2012Building cloud-tools-for-netflix-code mash2012
Building cloud-tools-for-netflix-code mash2012Carl Quinn
 
Next Generation Development Infrastructure: Maven, m2eclipse, Nexus & Hudson ...
Next Generation Development Infrastructure: Maven, m2eclipse, Nexus & Hudson ...Next Generation Development Infrastructure: Maven, m2eclipse, Nexus & Hudson ...
Next Generation Development Infrastructure: Maven, m2eclipse, Nexus & Hudson ...EclipseDayParis
 
Vagrant for Development
Vagrant for DevelopmentVagrant for Development
Vagrant for DevelopmentJacky Chan
 
Jenkins & Selenium
Jenkins & SeleniumJenkins & Selenium
Jenkins & Seleniumadamcarmi
 
An Introduction to Maven
An Introduction to MavenAn Introduction to Maven
An Introduction to MavenVadym Lotar
 
CRaSH the shell for the JVM
CRaSH the shell for the JVMCRaSH the shell for the JVM
CRaSH the shell for the JVMjviet
 
CSA Presentation 26th May Virtualization securityv2
CSA Presentation 26th May Virtualization securityv2CSA Presentation 26th May Virtualization securityv2
CSA Presentation 26th May Virtualization securityv2vivekbhat
 
Pitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysisPitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysisTamas K Lengyel
 
Virtualization securityv2
Virtualization securityv2Virtualization securityv2
Virtualization securityv2vivekbhat
 

Semelhante a Cross-Build Injection attacks: how safe is your Java build? (20)

Optimising Productivity with AWS Developer Tools
Optimising Productivity with AWS Developer ToolsOptimising Productivity with AWS Developer Tools
Optimising Productivity with AWS Developer Tools
 
The future of the php development environment
The future of the php development environmentThe future of the php development environment
The future of the php development environment
 
Manen Ant SVN
Manen Ant SVNManen Ant SVN
Manen Ant SVN
 
Rock-solid Magento Development and Deployment Workflows
Rock-solid Magento Development and Deployment WorkflowsRock-solid Magento Development and Deployment Workflows
Rock-solid Magento Development and Deployment Workflows
 
JSUG - Maven by Michael Greifeneder
JSUG - Maven by Michael GreifenederJSUG - Maven by Michael Greifeneder
JSUG - Maven by Michael Greifeneder
 
Cloud Best Practices
Cloud Best PracticesCloud Best Practices
Cloud Best Practices
 
Maven
MavenMaven
Maven
 
SF DevOps: Introducing Vagrant
SF DevOps: Introducing VagrantSF DevOps: Introducing Vagrant
SF DevOps: Introducing Vagrant
 
Architecting for continuous delivery (33rd Degree)
Architecting for continuous delivery (33rd Degree)Architecting for continuous delivery (33rd Degree)
Architecting for continuous delivery (33rd Degree)
 
Maven
MavenMaven
Maven
 
Building cloud-tools-for-netflix-code mash2012
Building cloud-tools-for-netflix-code mash2012Building cloud-tools-for-netflix-code mash2012
Building cloud-tools-for-netflix-code mash2012
 
Maven 3.0 by jason - fossa2010
Maven 3.0 by jason - fossa2010Maven 3.0 by jason - fossa2010
Maven 3.0 by jason - fossa2010
 
Next Generation Development Infrastructure: Maven, m2eclipse, Nexus & Hudson ...
Next Generation Development Infrastructure: Maven, m2eclipse, Nexus & Hudson ...Next Generation Development Infrastructure: Maven, m2eclipse, Nexus & Hudson ...
Next Generation Development Infrastructure: Maven, m2eclipse, Nexus & Hudson ...
 
Vagrant for Development
Vagrant for DevelopmentVagrant for Development
Vagrant for Development
 
Jenkins & Selenium
Jenkins & SeleniumJenkins & Selenium
Jenkins & Selenium
 
An Introduction to Maven
An Introduction to MavenAn Introduction to Maven
An Introduction to Maven
 
CRaSH the shell for the JVM
CRaSH the shell for the JVMCRaSH the shell for the JVM
CRaSH the shell for the JVM
 
CSA Presentation 26th May Virtualization securityv2
CSA Presentation 26th May Virtualization securityv2CSA Presentation 26th May Virtualization securityv2
CSA Presentation 26th May Virtualization securityv2
 
Pitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysisPitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysis
 
Virtualization securityv2
Virtualization securityv2Virtualization securityv2
Virtualization securityv2
 

Mais de Sander Mak (@Sander_Mak)

TypeScript: coding JavaScript without the pain
TypeScript: coding JavaScript without the painTypeScript: coding JavaScript without the pain
TypeScript: coding JavaScript without the painSander Mak (@Sander_Mak)
 
The Ultimate Dependency Manager Shootout (QCon NY 2014)
The Ultimate Dependency Manager Shootout (QCon NY 2014)The Ultimate Dependency Manager Shootout (QCon NY 2014)
The Ultimate Dependency Manager Shootout (QCon NY 2014)Sander Mak (@Sander_Mak)
 
Java 7: Fork/Join, Invokedynamic and the future
Java 7: Fork/Join, Invokedynamic and the futureJava 7: Fork/Join, Invokedynamic and the future
Java 7: Fork/Join, Invokedynamic and the futureSander Mak (@Sander_Mak)
 

Mais de Sander Mak (@Sander_Mak) (20)

Scalable Application Development @ Picnic
Scalable Application Development @ PicnicScalable Application Development @ Picnic
Scalable Application Development @ Picnic
 
Coding Your Way to Java 13
Coding Your Way to Java 13Coding Your Way to Java 13
Coding Your Way to Java 13
 
Coding Your Way to Java 12
Coding Your Way to Java 12Coding Your Way to Java 12
Coding Your Way to Java 12
 
Java Modularity: the Year After
Java Modularity: the Year AfterJava Modularity: the Year After
Java Modularity: the Year After
 
Desiging for Modularity with Java 9
Desiging for Modularity with Java 9Desiging for Modularity with Java 9
Desiging for Modularity with Java 9
 
Modules or microservices?
Modules or microservices?Modules or microservices?
Modules or microservices?
 
Migrating to Java 9 Modules
Migrating to Java 9 ModulesMigrating to Java 9 Modules
Migrating to Java 9 Modules
 
Java 9 Modularity in Action
Java 9 Modularity in ActionJava 9 Modularity in Action
Java 9 Modularity in Action
 
Java modularity: life after Java 9
Java modularity: life after Java 9Java modularity: life after Java 9
Java modularity: life after Java 9
 
Provisioning the IoT
Provisioning the IoTProvisioning the IoT
Provisioning the IoT
 
Event-sourced architectures with Akka
Event-sourced architectures with AkkaEvent-sourced architectures with Akka
Event-sourced architectures with Akka
 
TypeScript: coding JavaScript without the pain
TypeScript: coding JavaScript without the painTypeScript: coding JavaScript without the pain
TypeScript: coding JavaScript without the pain
 
The Ultimate Dependency Manager Shootout (QCon NY 2014)
The Ultimate Dependency Manager Shootout (QCon NY 2014)The Ultimate Dependency Manager Shootout (QCon NY 2014)
The Ultimate Dependency Manager Shootout (QCon NY 2014)
 
Akka (BeJUG)
Akka (BeJUG)Akka (BeJUG)
Akka (BeJUG)
 
Fork Join (BeJUG 2012)
Fork Join (BeJUG 2012)Fork Join (BeJUG 2012)
Fork Join (BeJUG 2012)
 
Fork/Join for Fun and Profit!
Fork/Join for Fun and Profit!Fork/Join for Fun and Profit!
Fork/Join for Fun and Profit!
 
Kscope11 recap
Kscope11 recapKscope11 recap
Kscope11 recap
 
Java 7: Fork/Join, Invokedynamic and the future
Java 7: Fork/Join, Invokedynamic and the futureJava 7: Fork/Join, Invokedynamic and the future
Java 7: Fork/Join, Invokedynamic and the future
 
Scala and Lift
Scala and LiftScala and Lift
Scala and Lift
 
Elevate your webapps with Scala and Lift
Elevate your webapps with Scala and LiftElevate your webapps with Scala and Lift
Elevate your webapps with Scala and Lift
 

Último

AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesMd Hossain Ali
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8DianaGray10
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Commit University
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Will Schroeder
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxUdaiappa Ramachandran
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationIES VE
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfinfogdgmi
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URLRuncy Oommen
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfJamie (Taka) Wang
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureEric D. Schabell
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...Aggregage
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXTarek Kalaji
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1DianaGray10
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintMahmoud Rabie
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IES VE
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfDianaGray10
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024D Cloud Solutions
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopBachir Benyammi
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemAsko Soukka
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostMatt Ray
 

Último (20)

AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptx
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdf
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URL
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability Adventure
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBX
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership Blueprint
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystem
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
 

Cross-Build Injection attacks: how safe is your Java build?

  • 1. Cross-Build Injection Attacks How safe is your Java build? @Sander_Mak
  • 2. About Coding at ( ) Writing Blog @ branchandbound.net Speaking
  • 3. Trust ‘Reflections on Trusting Trust’ Ken Thompson, 1984 UNIX co-creator
  • 4. Trust ‘Reflections on Trusting Trust’ Moral: You can't trust code that you did not totally create yourself Ken Thompson, 1984 UNIX co-creator
  • 5. Trust ‘Reflections on Trusting Trust’ phpMyAdmin backdoor ... SourceForge became aware of a corrupted copy of phpMyAdmin being Moral: served from the ‘cdnetworks-kr-1′ mirror in Korea. You can't trust code that you did not totally create yourself
  • 6. Trust ‘Reflections on Trusting Trust’ That was 30 years ago... With the C compiler... How is this relevant? Demo / javac
  • 7. Trust ‘Reflections on Trusting Trust’ That was 30 years ago... Could be any build system with a central repository though! With the C compiler... How is this relevant? Demo / javac
  • 8. Maven Central Internet Maven Central - Dependencies - Plugins Local Maven uses Maven Local javac Repo maven-compiler-plugin
  • 9. Maven Central 400k components Maven Central 7.5 billion req/year 60k organisations using Maven Central In short: a prime target * source: Sonatype
  • 10. Cross Build Injection Internet Maven Central Internet MITM Local Maven Maven Local Repo
  • 11. Cross Build Injection Internet Internet Internet Maven Maven Hacker Central Central Central Internet Internet Local DNS MITM Poisoning Local Local Maven Maven Maven Local Maven Local Repo Repo
  • 12. Cross Build Injection Compromised Maven Central Internet Maven Central Local Maven Maven Local Repo
  • 13. Cross Build Injection Compromised Maven Central Internet Maven Central Different attack vectors, one result: compromised binaries through Cross-Build Injection Local Maven Maven Local Repo
  • 14. Countermeasures https Maven Central http-only https for Sonatype customers ‘alternative’: https://oss.sonatype.org/  
  • 15. Countermeasures https Maven Central http-only https for Sonatype customers ‘alternative’: https://oss.sonatype.org/  
  • 16. Countermeasures ‘Cutting all ties’ Internet Maven Central Internal Maven repo Local Repository can be disconnected Manager Maven Shortens XBI attack window Maven Local Repo Manual verification?
  • 17. Countermeasures Checksums Maven Maven Central .jar .pom .jar.sha1 .pom.sha1 .jar.md5 .pom.md5 Checksums only detect transport issues Automatic check, but no failure error! Use: <checksumPolicy>fail</checksumPolicy> Note: MD5 is broken anyway...
  • 18. Countermeasures Checksums Maven Maven Central .jar .pom .jar.sha1 .pom.sha1 .jar.md5 .pom.md5 Downloading:  <snipped>/ws/spring-­‐ws/1.5.8/spring-­‐ws-­‐1.5.8.pom Checksums only detect transport issues 427b  downloaded    (spring-­‐ws-­‐1.5.8.pom) [WARNING]  ***  CHECKSUM  FAILED  -­‐  Checksum  failed  on  download:  local  =   '14d6901e3f251f5d312b9be726c75a Automatic check, but no failure error! 68f78045ac';  remote  =  '659bbed2c2dae12e9dbb65f8cad8fce1a1ea0845'  -­‐  RETRYING Downloading:  <snipped>/ws/spring-­‐ws/1.5.8/spring-­‐ws-­‐1.5.8.pom 427b  downloaded    (spring-­‐ws-­‐1.5.8.pom) Use: <checksumPolicy>fail</checksumPolicy> [WARNING]  ***  CHECKSUM  FAILED  -­‐  Checksum  failed  on  download:  local  =   '14d6901e3f251f5d312b9be726c75a 68f78045ac';  remote  =  '659bbed2c2dae12e9dbb65f8cad8fce1a1ea0845'  -­‐  IGNORING Note: MD5 is broken anyway... Ignorance is not bliss... Failure is an option!
  • 19. Countermeasures Signed artifacts Pretty Good Privacy OpenPGP standard Encrypt or sign Popularized by email signing Asymmetric pub/private keypair GnuPG (GPG): free implementation
  • 20. Countermeasures Signed artifacts Maven Maven Central .jar .pom .jar.asc .pom.asc (mandatory past 3 years)
  • 21. Countermeasures Signed artifacts Maven Maven Central .jar .pom .jar.asc .pom.asc (mandatory past 3 years) .asc + Library PGP Key Developer Server
  • 22. Manual verification Getting the signature $  wget  http://repo1.maven.org/maven2/org/sonatype/plexus/plexus-­‐cipher/1.7/ plexus-­‐cipher-­‐1.7.jar.asc $  cat  plexus-­‐cipher-­‐1.7.jar.asc -­‐-­‐-­‐-­‐-­‐BEGIN  PGP  SIGNATURE-­‐-­‐-­‐-­‐-­‐ Version:  GnuPG  v1.4.10  (GNU/Linux) iEYEABECAAYFAk4vAikACgkQA3TPLo3Rvf05hgCffG9+M1bAefuM5Kmu6IASNlPX zhYAnAvI4VNXSFXH4nz6z/uXaWz9kpXz =i6KI -­‐-­‐-­‐-­‐-­‐END  PGP  SIGNATURE-­‐-­‐-­‐-­‐-­‐ $  gpg  -­‐-­‐verify  plexus-­‐cipher-­‐1.7.jar.asc  ~/repo/.../plexus-­‐chipher-­‐1.7.jar gpg:  Signature  made  Tue  Jul  26  20:06:33  2011  CEST  using  DSA  key  ID  8DD1BDFD gpg:  Can't  check  signature:  public  key  not  found
  • 23. Manual verification Getting the signature $  wget  http://repo1.maven.org/maven2/org/sonatype/plexus/plexus-­‐cipher/1.7/ plexus-­‐cipher-­‐1.7.jar.asc $  cat  plexus-­‐cipher-­‐1.7.jar.asc -­‐-­‐-­‐-­‐-­‐BEGIN  PGP  SIGNATURE-­‐-­‐-­‐-­‐-­‐ Version:  GnuPG  v1.4.10  (GNU/Linux) iEYEABECAAYFAk4vAikACgkQA3TPLo3Rvf05hgCffG9+M1bAefuM5Kmu6IASNlPX zhYAnAvI4VNXSFXH4nz6z/uXaWz9kpXz =i6KI -­‐-­‐-­‐-­‐-­‐END  PGP  SIGNATURE-­‐-­‐-­‐-­‐-­‐ $  gpg  -­‐-­‐verify  plexus-­‐cipher-­‐1.7.jar.asc  ~/repo/.../plexus-­‐chipher-­‐1.7.jar gpg:  Signature  made  Tue  Jul  26  20:06:33  2011  CEST  using  DSA  key  ID  8DD1BDFD gpg:  Can't  check  signature:  public  key  not  found
  • 24. Manual verification Getting the key $  gpg  -­‐-­‐verify  plexus-­‐cipher-­‐1.7.jar.asc  ~/repo/.../plexus-­‐cipher-­‐1.7.jar gpg:  Signature  made  Tue  Jul  26  20:06:33  2011  CEST  using  DSA  key  ID  8DD1BDFD gpg:  Can't  check  signature:  public  key  not  found $  gpg  -­‐-­‐keyserver  pgp.mit.edu  -­‐-­‐recv-­‐key  8DD1BDFD gpg:  requesting  key  8DD1BDFD  from  hkp  server  pgp.mit.edu gpg:  key  8DD1BDFD:  public  key  "Sonatype,  Inc.  (Sonatype  release  key)   <dev@sonatype.com>"  imported gpg:  no  ultimately  trusted  keys  found gpg:  Total  number  processed:  1 gpg:                              imported:  1 $  gpg  -­‐-­‐verify  plexus-­‐cipher-­‐1.7.jar.asc  ~/repo/.../plexus-­‐chipher-­‐1.7.jar   gpg:  Signature  made  Tue  Jul  26  20:06:33  2011  CEST  using  DSA  key  ID  8DD1BDFD gpg:  Good  signature  from  "Sonatype,  Inc.  (Sonatype  release  key)   <dev@sonatype.com>" gpg:  WARNING:  This  key  is  not  certified  with  a  trusted  signature! gpg:                    There  is  no  indication  that  the  signature  belongs  to  the   owner. Primary  key  fingerprint:  2BCB  DD0F  23EA  1CAF  CC11    D486  0374  CF2E  8DD1  BDFD
  • 25. Manual verification Getting the key $  gpg  -­‐-­‐verify  plexus-­‐cipher-­‐1.7.jar.asc  ~/repo/.../plexus-­‐cipher-­‐1.7.jar gpg:  Signature  made  Tue  Jul  26  20:06:33  2011  CEST  using  DSA  key  ID  8DD1BDFD gpg:  Can't  check  signature:  public  key  not  found $  gpg  -­‐-­‐keyserver  pgp.mit.edu  -­‐-­‐recv-­‐key  8DD1BDFD gpg:  requesting  key  8DD1BDFD  from  hkp  server  pgp.mit.edu gpg:  key  8DD1BDFD:  public  key  "Sonatype,  Inc.  (Sonatype  release  key)   <dev@sonatype.com>"  imported gpg:  no  ultimately  trusted  keys  found gpg:  Total  number  processed:  1 gpg:                              imported:  1 $  gpg  -­‐-­‐verify  plexus-­‐cipher-­‐1.7.jar.asc  ~/repo/.../plexus-­‐chipher-­‐1.7.jar   gpg:  Signature  made  Tue  Jul  26  20:06:33  2011  CEST  using  DSA  key  ID  8DD1BDFD gpg:  Good  signature  from  "Sonatype,  Inc.  (Sonatype  release  key)   <dev@sonatype.com>" gpg:  WARNING:  This  key  is  not  certified  with  a  trusted  signature! gpg:                    There  is  no  indication  that  the  signature  belongs  to  the   owner. Primary  key  fingerprint:  2BCB  DD0F  23EA  1CAF  CC11    D486  0374  CF2E  8DD1  BDFD
  • 26. Manual verification Getting the key $  gpg  -­‐-­‐verify  plexus-­‐cipher-­‐1.7.jar.asc  ~/repo/.../plexus-­‐cipher-­‐1.7.jar gpg:  Signature  made  Tue  Jul  26  20:06:33  2011  CEST  using  DSA  key  ID  8DD1BDFD gpg:  Can't  check  signature:  public  key  not  found $  gpg  -­‐-­‐keyserver  pgp.mit.edu  -­‐-­‐recv-­‐key  8DD1BDFD gpg:  requesting  key  8DD1BDFD  from  hkp  server  pgp.mit.edu gpg:  key  8DD1BDFD:  public  key  "Sonatype,  Inc.  (Sonatype  release  key)   <dev@sonatype.com>"  imported gpg:  no  ultimately  trusted  keys  found gpg:  Total  number  processed:  1 gpg:                              imported:  1 $  gpg  -­‐-­‐verify  plexus-­‐cipher-­‐1.7.jar.asc  ~/repo/.../plexus-­‐chipher-­‐1.7.jar   gpg:  Signature  made  Tue  Jul  26  20:06:33  2011  CEST  using  DSA  key  ID  8DD1BDFD gpg:  Good  signature  from  "Sonatype,  Inc.  (Sonatype  release  key)   <dev@sonatype.com>" gpg:  WARNING:  This  key  is  not  certified  with  a  trusted  signature! gpg:                    There  is  no  indication  that  the  signature  belongs  to  the   owner. Primary  key  fingerprint:  2BCB  DD0F  23EA  1CAF  CC11    D486  0374  CF2E  8DD1  BDFD
  • 27. Pretty Good Privacy Web of Trust Sonatype Sonatype Release key Release key Brian F. Brian F. John C. Other John C. people in web of trust Damian B. Damian B.
  • 28. Pretty Good Privacy Web of Trust Sonatype Sonatype Release key Release key ru st n &t ig o r t, s Sander M. Imp Brian F. Brian F. John C. Other John C. people in web of trust Damian B. Damian B.
  • 29. Pretty Good Privacy Web of Trust
  • 30. Manual Verification Getting the key automatically $    gpg  -­‐-­‐auto-­‐key-­‐locate  keyserver  -­‐-­‐keyserver  pgp.mit.edu                -­‐-­‐keyserver-­‐options  auto-­‐key-­‐retrieve                -­‐-­‐verify  plexus-­‐cipher-­‐1.7.jar.asc  ~/repo/.../plexus-­‐chipher-­‐1.7.jar   gpg:  Signature  made  Tue  Jul  26  20:06:33  2011  CEST  using  DSA  key  ID  8DD1BDFD gpg:  requesting  key  8DD1BDFD  from  hkp  server  pgp.mit.edu gpg:  key  8DD1BDFD:  public  key  "Sonatype,  Inc.  (Sonatype  release  key)   <dev@sonatype.com>"  imported gpg:  3  marginal(s)  needed,  1  complete(s)  needed,  PGP  trust  model gpg:  depth:  0    valid:      1    signed:      1    trust:  0-­‐,  0q,  0n,  0m,  0f,  1u gpg:  depth:  1    valid:      1    signed:      1    trust:  0-­‐,  0q,  0n,  0m,  1f,  0u gpg:  depth:  2    valid:      1    signed:      0    trust:  1-­‐,  0q,  0n,  0m,  0f,  0u gpg:  Total  number  processed:  1 gpg:                              imported:  1 gpg:  Good  signature  from  "Sonatype,  Inc.  (Sonatype  release  key)   <dev@sonatype.com>"
  • 31. Manual Verification Getting the key automatically $    gpg  -­‐-­‐auto-­‐key-­‐locate  keyserver  -­‐-­‐keyserver  pgp.mit.edu                -­‐-­‐keyserver-­‐options  auto-­‐key-­‐retrieve                -­‐-­‐verify  plexus-­‐cipher-­‐1.7.jar.asc  ~/repo/.../plexus-­‐chipher-­‐1.7.jar   gpg:  Signature  made  Tue  Jul  26  20:06:33  2011  CEST  using  DSA  key  ID  8DD1BDFD gpg:  requesting  key  8DD1BDFD  from  hkp  server  pgp.mit.edu gpg:  key  8DD1BDFD:  public  key  "Sonatype,  Inc.  (Sonatype  release  key)   <dev@sonatype.com>"  imported gpg:  3  marginal(s)  needed,  1  complete(s)  needed,  PGP  trust  model gpg:  depth:  0    valid:      1    signed:      1    trust:  0-­‐,  0q,  0n,  0m,  0f,  1u gpg:  depth:  1    valid:      1    signed:      1    trust:  0-­‐,  0q,  0n,  0m,  1f,  0u gpg:  depth:  2    valid:      1    signed:      0    trust:  1-­‐,  0q,  0n,  0m,  0f,  0u gpg:  Total  number  processed:  1 gpg:                              imported:  1 gpg:  Good  signature  from  "Sonatype,  Inc.  (Sonatype  release  key)   <dev@sonatype.com>" Web of Trust in action
  • 32. Automatic Verification Demo repository manager
  • 33. Defense in Depth If all else fails... Security/pen-testing Scan binaries (incl. dependencies!) Fortify AppScan Sandbox app @ runtime Java2Security Network topology
  • 34. Build Security Recommendations Introduce a repository manager Audit dep’cies: no blind downloading Verify PGP signatures Audit your build process
  • 35. Build Security Secure tools - future + ? verification
  • 36. Build Security Secure tools - future + ? verification Make your voice heard!
  • 38. Questions Article: bit.ly/javaone-xbi branchandbound.net @Sander_Mak

Notas do Editor

  1. Things I&amp;#x2019;d like to show:\n1) unknown dangers in software builds\n2) what you can do to improve build security\nThis talk is not about security flaws in libraries (CSRF or SQL injection etc), but rather deliberate injection of harmful code during the build process\n
  2. \n
  3. Tell the story about the self-modifying C-compiler. Compile perfectly legal code, and get trojan horses in your output... Even CPU microcode could be rigged! \n
  4. OpenSSH: OpenBSD&amp;#x2019;s port tool downloaded, compiled and installed tainted OpenSSH source code. Allowed hacker to connect with priviliges of installer\nSendmail: buildsystem was compromised, and trojan horse shipped with Sendmail distribution\n
  5. Demo consists of compiling and running a plain Java class with Maven, with surprising results. The &amp;#x2018;attack&amp;#x2019; is performed by introducing a malicious version of the maven-compiler-plugin.\n\nWe use Maven here, but the problems apply to any build tool that fetches dependencies from the internet.\n
  6. We warn our parents not to download and run arbitrary binaries. Yet we do this very thing ourselves everytime we run a build.\n\nExplain what just happened. Cross-build injection is about attackers targeting your build to introduce malicious code (remote code execution attack: game over).\nThe Maven install is uncompromised, as is the javac. The problem is introduced by a malicious version of maven-compiler-plugin. So how can this end up in your build?\nSo how could this malicious version of the maven-compiler-plugin end up in our local repository?\n
  7. Free service for community, first by Jason van Zyl, now Sonatype\n
  8. Possible attack vectors because of http. Maven Central not https accessible (only for Sonatype customers)\nAnother, more extreme possibility: Maven Central itself compromised.\n
  9. Term Crossbuild injection/XBI coined by Fortify in a whitepaper in 2007. Sounds like XSS/SQL injection.\nAnother, more extreme possibility: Maven Central itself compromised.\n
  10. Term Crossbuild injection/XBI coined by Fortify in a whitepaper in 2007. Sounds like XSS/SQL injection.\nAnother, more extreme possibility: Maven Central itself compromised.\n
  11. Using https prevents aforementioned attacks, but does nothing to ensure authenticity of dependency downloads per se. If Maven Central were somehow compromised, you wouldn&amp;#x2019;t know.\n\nThe alternative is not really an alternative: smaller selection of artifacts, and cannot withstand the load of Maven Central.\n\nOf course, you can also object how safe is https (Diginotar, Comodo). Security is always a continuum! (though this is pushing it...)\n
  12. Most extreme case: shun automatic dependency management all together (not practical). Alternative: introduce local repo-manager. Either disconnected and managed by hand (again not practical, and how good is the vetting process?) or directly proxying other public repos.\n\nStill, same attack vectors apply, only attack surface decreased by downloading once into local managed repo once.\n
  13. MD5/SHA-1 offers no authenticity check, only integrity. But since checksums are served from same http-repo as the binary, both can be replaced/faked. MD5/SHA-1 can be easily recalculated on malicious jars.\nStill, there&amp;#x2019;s no good reason to ignore checksum failures!\n
  14. PGP has many uses, here we focus on creating signatures for artifacts. Private key of author is used to create signature. End-user can obtain corresponding public key to verify authenticity and integrity of artifact. Problems: where to get the key, and can you trust the key/signer?\n
  15. Before library is synced to central, signature must be present and key distributed to Mit keyserver. Pom must be signed as well, it is equally important (otherwise adding transitive deps/repos would go undetected)\nSigning ensures both integrity (like checksums) and authenticity.\nMultiple keys because Maven Central filled by different contributors. Other systems like Windows/Apple update have it comparatively easy: they can use a single key because they control the client and all binaries that are pushed!\n
  16. \n
  17. PGP keys need to be in the keyring for succesful signature verification. Here example of manual key retrieval.\nNotice the warning though: even if the signature is valid, is it made by the person we think??\n
  18. PGP keys need to be in the keyring for succesful signature verification. Here example of manual key retrieval.\nNotice the warning though: even if the signature is valid, is it made by the person we think??\n
  19. PGP keys need to be in the keyring for succesful signature verification. Here example of manual key retrieval.\nNotice the warning though: even if the signature is valid, is it made by the person we think??\n
  20. PGP keys need to be in the keyring for succesful signature verification. Here example of manual key retrieval.\nNotice the warning though: even if the signature is valid, is it made by the person we think??\n
  21. So we have a way of obtaining the key, but how do we know that the key belongs to the stated identity? Hard problem, solved by PGP with the Web of Trust. You assign trust to a key based on &amp;#x2018;out-of-band&amp;#x2019; communication (fingerprints can be used for this). Not practical, so there is a notion of transitive trust. Public keys can be signed by different people. If you already trust a person who has signed the key you&amp;#x2019;re interested, you automatically trust this other key. \n\n-&gt; contrast with Certificate Authorities for SSL certificates: centralized vs. distributed trust.\n
  22. -&gt; Key signing party at Sonatype booth, get your web of trust started!\n\n
  23. Here, I have a trusted key from a Sonatype developer in my keyring. Then, I instruct PGP to automatically retrieve the necessary key from the keyserver to verify the .asc signature. Since I have the trusted developer in my keyring (who signed the Sonatype release key), the Sonatype release key is transitively trusted. Hence, the signature is deemed good.\n
  24. By now, you&amp;#x2019;re probably thinking to yourself: too much effort! Can&amp;#x2019;t this be automated? Unfortunately not using Maven itself.\nNexus Pro can download &amp; check PGP checks automatically, and ban dependencies which have no PGP-sig or where check fails. Still, which keys do you trust automatically?! \n
  25. Preventing XBI is one thing, but says nothing about the ultimate security of libs.\n\nThese measures are never enough by themselves, nor scalable, but offer another layer of defense to the systems security.\n
  26. We&amp;#x2019;ve seen some technical approaches to authenticity/integrity, but the solutions can&amp;#x2019;t only be technical. Just because you didn&amp;#x2019;t write the code doesn&amp;#x2019;t mean you&amp;#x2019;re not ultimately responsible! Be aware of what is happening with your code and what you&amp;#x2019;re putting into your applications.\n
  27. \n
  28. Small recap: all repository based tools have to face this problem. Solution is part technical, part process. There is a serious awareness issue!\n\nSecurity is not binary: secure/unsecure. Nothing is 100% secure, but the default used in many organizations is definitely insecure as shown in this talk. Applying PGP signing/verification is not a panacea. It has associated costs, but also increases security and safety of software development. There are countless high-profile, high-value builds that are potentially vulnerable.\n\nAgain, everything discussed applies not just to Maven: Perl CPAN, .Net NuGet, Ruby Gems all have the same underlying dangers. &amp;#x2018;Software is eating the world&amp;#x2019;, and it&amp;#x2019;s our duty to ensure it is as secure as possible.\n
  29. \n