Hardening Open Source Development

Speech transcript (automatically generated)
the key to it
and the and the and the it simply give a warm welcome of employers to Stephen can will be talking to you in 1 minute few so high everybody and my name is
of England from on the surface of developers since about 15 years working so projects in larger teams in small teams so on mostly my developments that was JavaScript uh and you will find some of the 2 it's a dimension coming from those words uh but I'm very sure you can also find something for you project on that uh apply him on his name address my PGP key and so my favorite social programs um yeah so at this point what would happen today but I would come and talk about development process expectations so that means if you are developing the yourself there and somebody joint cities and since code for you review that it could happen uh that it executes code a new machine uh without your knowledge and there are a few things that are really hard to catch a all I find Hough hard to catch and I want to share and maybe you have the same problems and you you find that the same mitigation surprise EU project as well on the uh I would then continue and um let's start with this offer development process and that's a small cycle so 1st of all it starts with an operating system you need to have a computer to write the software and that's something you need to trust for off and if you um the yes so your operating system are contains piece conventions it contains the source code you want to develop and you tools that you have in place and the major risk is that 2 is of order room but to some expectation our all did you host is already compromised and you write a soft there uh committed to your co-workers and it is and what you intend to write on that so that a problem here I mean after you and start writing code the editor is kind of the interface that I have to right defies and edit the coat I find it kind of complex uh to use a to use it and so on the left you can see that many of the editors come with the package manager included by which is a good sign for the complexity that is to is have and and I don't know what was she but but they support you in development so it's very 
good to for example have Cortlandt us an order completion in place at to right but a code but at same time it can be a problem arm the other because they can execute coat unattended in we would see in a moment and the mitigation I came up with a foot part is that you have a virtualized environment where you run your edit so when something happens and and it is compromised not you root systems also compromises where and are you want to monitor all the config files that you have in the projects and you want to get of Venice what's ways that the atoms in the system when I run this code yeah and the next part you would probably use a social integration so as soon as you open your repository of some of the shares I saw but just that tell you what price you working and what's fights were changed and so on so that's something that comes very need a few developing our but it can be a risk as well um yeah so my opinion on the condition integrations mostly that it's made for softer development on your own system so in you right decoding you can trust that that is not a problem to users to it at all but as soon as you get uh sources from the foreign developers and it can be can be a problem so um which was it was wisely and uh don't uh execute code from other if uh voting devising system are that you commit to CO 2 is also very good choice and for example and gets entered um yeah it can execute talks about on different occasions for example when you check of new code if you commit and so on that means if you managed to clone repository and a date for this included or Hg photos included as it could mean that your operating system decides to execute whatever in the books it's not possible to store adopted photo within the git repository but it's possible to store it in a Mercurial repository or in their skin or something and then you should integration will know and what their origin and source was and we executed anyway and 1 thing that was introduced for example from which is 
saudi coat and get this October is that they know support kurtosis which is a great teacher on the mitigations against this a pretty easy I you can either said the different books path which is not within this project repository so that you don't execute the talks at all but all you can use the direct William but it just seems to for example check least that there is no fire that is that it took in within that folder of before you execute it's a very good choice if you want to protect yourself from from that the ability of so after you committed to decode and shattered to the voting some and you probably are going to build it automatically themselves some services like Travis uh we run it and would run it for you as so they would run tests that the compilers of them and also they do the packages package reasoning and deployment to some other places and it becomes a problem if she can reproduce the results from you and from the because it's and this system you don't control sometimes and as soon as you get the binary result from it there if you compile suffered a compressed binary you need to check that results from all because somebody could test altered it without your knowledge and the new which of the 2 users and also problem on money this bit workers as you want have this process very fast so that means you don't want to wait until all the dependencies are installed in the great services that you have cashing in between this projects on this means that for example if somebody managed to inject devotion to the catch of some of the CI system
and then it will eventually shop other projects as well and you can pivot across across a project on usually if you have a bit environment it has access to some kind of development keep mostly if you get progressed from external so that the keys are stored encrypted and you don't have access to them but as soon as somebody has write access to repository but also the keys that could be let's make an example you have somebody offering yourself there and you don't have permission to edit the master branch of the repository on but as soon as you open open a branch anywhere and make a progressed a travesty I father be runners uh we use that and decrepit pass was for you and give you access to the credentials which you can then print on the whatever you you intend to and yet and for me the best option you would be to have reproducible boats because then you can use different and off to travel after bed workers In competitive results some also that you see 1 it's compromise other 2 would tell you hate and that's a different result having a piece that would be great and and also the bit steps that I mentioned building testing and packaging this of them that are totally different steps so what you can do is you can have 1 compartment for the per that so this you can have a desert at a finer level and and see what happens in mn after you had to suffer you better self there are you need to ship it to the user some home so I the stored in your answer them all and most often you use a CD and you just put it there and it says that that's that's lying around users become around downloaded from you and executed so out what is the problem you the problem is that if you have in your it's very hard to prove that it's actually from the from the re maintain and if you call yourself they're like it if it if you call your account like a different project 10 people you won't be able to to notice the difference somehow which you can do to mitigate this is to publish the you're restituted 
entity using on and also sign your so that users can check is that something that the developer intended to give me or is it something that is really are that is really intended so all of them yeah yes and and the next part is you need to reach out to users so you make it make people aware that there is a project they can check out and the control and usually you have the package registries out a few slides back you sort of the package uh and managers are also included in editors so um that's also something way kinship the soft them um but the package meant is I was mostly looking at was for example and PM that there was an interesting occasion was somebody had a project called kick and the company cake and then try to take it down and the person just for the moment on but then kick reach out to NPM directly and they deleted to repository and in consequence the developer removed all his projects from the but so in a few hours later they were showed up with the same product names so that means if you have a self that it uses that the tendencies and somebody freed up names and it would affect your repository as well and compromises and that's something that its litigation I think the best ideas to not only identify the projects by by a unique identifier but also have a GUI the urine and or a unique identifier per project and that doesn't change acidity can make a difference and that's something that's up to the package registries to implement and that's not something we can do is a user but it's a very common case 2 and it's a very common case that this package is a fluctuate for example a from somebody these it you don't have a backup of the very good ideas also to store often backups of every package that you check out and that you install to soft them because it's it's very bad if you ever want to maintain a soft them in you figure out there's something and the something missing in country cover the costs deleted um yes and suffer developers have some needs and 
during the work and I would like to to perform and if my coordinate of for example synovium and the the so that's something that's annoying and all of order process so under the then on the other hand and the velocity is something that you manager will cry from you if you write commercials suffer all year you 8 you try to get something done and and you you can spend all day to work ensures prefer repository versioning and so on so that's something that you need to deal with and another big factor for me is to raise the reliability so assume this is offer goes down and you in holiday or something and any barriers from company or from it you should be able to recover the what was of the form and also known as the boss effect and and yeah chef convenience like for some rule reweights gives you it's and it gives you a very good and very easy start in the project and that's something you don't want a break by making too complicated with a development environment and and also something I found that to be more annoying than and then helpful is if you want to pay program and you have a very compartment environment is very hard to shared resources that you need to talk about with other developers expect you not in the same room at working remotely what to say for me most often the case as yes yeah and a large problem that the soul is if you and underhand somebody cold and if you go ahead and and and check of core from the anyone and resources it's and sometimes very hard to tell if the code that you see in your for some get this uh is what you really would expect to see and have some examples here uh which can show how this could work and how this could look like if you if somebody tries to inject go to Europe was very that you don't seem uh 1st of all let's start with something easy that's fishing on
what you see on this slide on the on the on the left side maybe see because of that that's not the full path that is just the domain name the slashes in you are you a UTF-8 characters and that death in your results to host name and if you come control the cells you can get a certificate for its um and an example below you see how it would look like if you install it 1st I am have a host that's just running what someone put a T so that you can see the result on OK I was cheating it it but I was putting them the domain and the ETC hosted don't don't have to buy it for just showing that it's strange that dogs that this is the main action from but then if you installed at that you would see that yeah you can you can send somebody a very nice looking link which looks like a totally different project but it's pointing to use of is that and I found many of the package managers uh having the nice feature of executing PostScript talks and so that means if you have installed it if we run some commands of afterwards for you among you so
then and there is invisible code if you go on and somewhere find the forum or in the block you find an article and paid the decoder's actually solving the problem you go ahead and copy pasted sold on the left you see the source code holders would look like and I'm in each demand for a block on on the right that's the result so you can go ahead you can copy paste from it and if you pasted to a text area you will see that the result is something that you didn't expect so for example if you copy a large chunk of code you won't go ahead and review it and when you look at system again and it could be that the compromise for the project the so um and be another
example a here is you can then use ASCII characters the control characters to influence the output indeterminate so if you terminal also supports the legacy of asking control characters you can use that to just revert the line and override it with something you would expect what you see on top you that the scripts fire it's a little larger than you would expect for just occur full but and not something you would notice when you just see it and looking at it from accident so you can see that there is something more going on than just the food and if she actually executed it will not print something it will create a potent texts out which is a good example for you to to compromise that you host was compromised in this moment down another example of found online credit to areas and for this so there's a byte sequence you can use so that this even works and could differ so when you're working exclusively in your time and you're not doing reviews on on some graphical tools and it could be the case that you don't notice what was going on and what you can see in the left as I created empty repository mn I and editors small stripped and and the next step on him I had some improvement to district which is actually the malicious commit the sin that Our afterwards that I just trying negative on the coach and I see that there is only no better or sorry that should be OK and that the 2 sides and so you don't see the unit at this age that is executes as well if you're run that's something I consider very dangerous yeah yeah so at some
mitigations found the best thing you can do now is to make it expensive free attack us to to compromise try to do so as soon as you have the chance to notice what is going on uh also retrospectively as you can at least bond the capabilities and and 10 of us how we of project was attempted to compromise on and that's something that is in my opinion the best mitigation against this complexity on what you can also do is you can test yourself there from external services directly which would tell you if some compromise happened on phrase somebody and has a dual newly introduced as they would check your packages and the dependencies and we warn you about somebody abilities that are commonly known on the best competitor and the best thing you can do when you look at system this bit small compartments so that if some compromise happens it doesn't affect you for loss also not all your projects and that you have access to him and it's very important that you have backups on a different system will still working on and so if the compromise happens and you still have access to the original data and can compare it and the forensics this and yeah so the intrusion detection forensics and there are some great with available and for some i ferrets are the trace and open are you can we talk changes annexes on the file system or a new system at all and you can for example set some rules for your projects at a specific matching so I am not going to share some roots that match for projects and but you you would figure out what is what is for example important very good status for example to open new for ETC test BT and if there was some axis then you can for example said it's not something was of myself that would do and again it's very important to have to have the backups of this because in the moment where he executed to contrast use at all and then the idea chief this is if you have the emperor project for a some you let it run for half a year he don't approve the situation 
instead of having 1 system that you need up itself to a you need to update the afterwards order projects that you working on and frequently and that's something that's easy to forget so as dangerous if you assume that every time you run some command or every time you work in the project you spin up and use of entirely from scratch slaughter dependencies and so on that something and that's not a risk for him and also if you have for example a allows of environment you can't have memory dumps that all the air at any time you can monitor the network and you can also and if the file system for example if you stop the cell and just compared to previous versions the pay something that was changed it I didn't plan it's great you know young and very important is also to separate you accounts for example if you see large data becomes people are making contributions every day since years and it so it shows that the people have access to various and too many projects from the same machine so and there the permission or from it up for example allows you to store in this chief of right but uh it automatically has access to all the repositories you control so the best that you you can have years to make a project to make a new bit of accounted for all to make a new account and that's a voting system that only has exclusive provide access to that singer repository and so when you walk and you compartmented system and you want to upload all and put it changes by you don't you can't influence other repositories that means that compromise doesn't spread across all your projects and so on on which would be an invitation from a work and somehow on 1 and you get a better permission of if you can created it organization and in this case you can also limit your your own axis in a better way so my recommendation is not working you know that a person and it's of account but create an organization fully project so there's something many projects and missing are defined and responsible
persons for security for them them and to clearly communicate and what is the what is the plan for and for incident response and 1 example if you have a new project in defined of ability you would like to commit is and but you don't open issue publicly because then everybody every user would be affected you try to reach out to some developers and if you don't have any clue how to secure the hottest qt and achieved this and that can get you into trouble on and there are quite a few projects which don't communicate and some of them don't even respond to their security at the main which is on OK and so In this case as I told you what I saw from our from my experiences of working on the project so some that's basically my summary of what can be what can be harmful but can be good for a project a few and you we know more time that you in a in the room you can line up behind microphones and I can see we home any questions from the Internet already what about did assigned to comments any sort of that you so as soon as you have signed comments and I find that you also you know with the same PGP key but very interesting that you have to pay gpq under same most probably and uh then you have to get executable so if somebody executes give talks they can steal PGP keys from this and I didn't find any tutorial on line which explains you how to make it manually so that you don't use the uh get for signing the commits but I think it's it it can be very good to sign the comments on but it can be also dangerous and because the new company in human communication can be compromised microphone and the fall in the UK if he showed us there were some some control common uh characters I think keep this pipes still less by default so children they appear this summer noted just check for the latest version today so that's something that's the way that we can also click on block and see if there's to you available man yeah it
it is yeah it's very hard to show from from light how this works so this video animation such that this work the so most
often you back to less or you use accidental to review our then you would notice yes so some all remember that may be the only shows full longer reduced but I think when it therefore I can't scroll around 100 that's interesting thing I need to try in which run microphone number 1 only you mentioned um tried this having access to in hidden variables and so in you being able to those of variables during pull requests are what are your suggestions to mitigate that and don't give people right next to your repository not even 2 branches so that you don't trust so as soon as they have red X's they would also noted the secrets behind the variables in this case I like the security model because if you for example get contributions from outside nobody can trigger that and give you peace but as soon as embedded on your own branch of someone who has 3 changes ah yes but if you submit a pull request you don't necessarily have to have a right to access to that repository yes that's what I mean that if you come from outside and it's not within the same repository did their secrets not decrepit so you can't run the steps for somebody don't you would not like to deploy directly from from a foreign branch someone we have a question for microphone number full from you mentioned the problem on with the different compartments
and how to exchange those some environments about people having that problem has
already been sold with very government some kind of provisioning software like danceable and do have experience with checking those results of those surveyed in boxes that are automatically provisioned like having some some some respect software to to check posts and Mama's afterward so having some kind of hashing of how to find out if if they have been reproduced the same way and or if there had been any exploit use to do in that process of setting up the variable environment yeah so different levels you can look at this from there was some need way to find that is and you can for example a memory dump at any time if you have 2 hosts trying somewhere about all to question accepted it you want to check if your environment it was spun up that was not comprised yet yeah I know there has to be some some kind of process are hard to verify that there um produce environments are things once you expect them to be or if they have been compromise and the problem was some i of use those from environment and I tried to 1st tried bone folders encryption very boxes but some of the problems that was always the same um uh in work synchrony of the same people the hope for the encryption so that doesn't work and you as you mentioned you can have a memory dump so you can read out the key so there's no real possible to set up of a very books there can be some tampered with afterwards so they have to has to be some kind of some hash some to to compare those some produced results yeah so as soon as you have reproducible both in the results of the chip for example a script languages of many in much easier to achieve because then you can just this file system and directory and see if there was some change what I would do in the air in this case is to run them with a bacillus and cofounder results if that's possible for example you have to stop producing the goods than the run-of-the-mill on few sellers which are independent and think of how would you have we have 2 more questions for 
microphone number 1 and only a few minutes left like for number 1 so what's your weird commendation for handling credentials and application convolution pilots we need all whom some database user and possible or something like this in Springwood application white well things are good and is there any of best practice or any of the framework which can handle such things or but we need to work our experts at the and entrance of these credentials in this application and then the troops of parts of an application what the needs of the he's all yeah so and so the 1st thing that comes with the mechanism that codons been what which includes that with the with the pass-phrase that you can continue command as soon as you touch to testify for example if you want to run his been and it will ask you for a possible but starting up so if you want to share that has with you developers everybody has access to the same keys I would prefer to give everybody has so every person in the steam or even at every device a different key if that's possible somehow and that's what I was trying to mention with them to constant that if you don't use 1 become but use many of them on a few of them it we have 1 more question from like for number 1 in the question from the internet I here my question was more about and some of the year conditions or low hanging fruits but some of them it's like it's it's impossible where I mean it's not sustainable it's very hard to maintain and someone if you use all of them every day or just part of them more judiciously like immigrant years at all but the it it depends on the project so what I tried to on my development system is to have this compartment so that 1 compromise the project would not affect others because I don't person tracking and emerging code so I mean that's something that gets creaky too much for 1 person to review so I I country you or the codon and running currently on the computer that's true but I can try to mitigate and what impact of 
this will be and the question from the internet what tool would you recommend for they think a file system this when what for me so so far all would expect is the question about and maybe but you want to see if the of the hash change in the 5 so when you have for example the script file 1 is preferred b and they have a different has some and that's something that I would consider um something I would look up manually so as soon as I have an indication that there was something wrong I would look at of men union dues any 2 and there exit available but we have less than 1 minute left any final remarks thank in French SDI to and
you think that you and I and my thanks go it contained with paper

Metadata

Formal metadata

Title: Hardening Open Source Development
Series title: 34th Chaos Communication Congress
Author: Grönke, Stefan
License: CC Attribution 4.0 International:
You may use, modify, and reproduce, distribute and make publicly available the work or its content for any legal purpose, in unmodified or modified form, provided that you credit the author/rights holder in the manner they have specified.
DOI: 10.5446/34902
Publisher: Chaos Computer Club e.V.
Publication year: 2017
Language: English

Content metadata

Subject area: Computer science
Abstract: As authors it is our responsibility to build secure software and give each other the chance to verify and monitor our work. Various flaws in development toolchains that allow code execution just by viewing or working in malicious repositories question the integrity of development environments and as such our projects as a whole. This talk will discuss practical solutions for both technical and social challenges of collaboration.
Keywords: Resilience
