.NET Day 22 - Dependency confusion and its cure. A NuGet story. by Andrei Epure

Transcript

1. Dependency confusion and its cure. A NuGet story. Andrei EPURE

   30.08.2022

2. Kudos to sponsors 2

3. the leader in Clean Code 3

4. my talk, my opinions 4

5. Andrei Epure 5

6. Dependency Confusion ?! 6

7. my promise 7

8. questions 8

9. Plan (1/3) explain some NuGet concepts 9

10. Plan (2/3) typosquatting substitution attack 10

11. Plan (3/3) Protect when - Consuming - Publishing 11

12. Story 12

13. SolarWinds breach (2020) Orion: Network Management System 30K organizations 13

14. SolarWinds breach (2020) attackers build machines (2019) injected malware in

    Orion (2020) 14

15. SolarWinds breach (2020) malware to 18K customers US departments (e.g.

    Defense, State, etc) Microsoft, Intel, Cisco etc FireEye 15

16. SolarWinds breach (2020) FireEye stolen credentials employee noticed investigation 16

17. SolarWinds breach (2020) 17

18. Supply chain attacks can be catastrophic. 18

19. Plan (1/3) explain some NuGet concepts 19

20. Who in this room… … uses NuGet? 20

21. NuGet Concepts 1. Software Supply Chain 2. package 3. targets

    4. version 5. source 6. resolution 21

22. Software supply chain Source code Libraries NuGet for Dependency Management

    Build tools, CI/CD, etc 22

23. NuGet > dotnet restore 23

24. (2) NuGet Package compiled libraries metadata MSBuild target files 24

25. (3) MSBuild targets Task = action Target = collection of

    tasks 25

26. (4) NuGet Version fixed: 1.2.3 range: (,1.2.3] floating: 1.2.* 26

27. Who in this room… … changed a nuget.config file? 27

28. (5) NuGet Package Source feed central storage 28

29. Who in this room… … uses both public (nuget.org) and

    private package sources? 29

30. (6) NuGet Package Resolution My Code NuGet .exe or dotnet

    restore build machine 30

31. (6) NuGet Package Resolution My Code build machine 31 Nu

    Get .exe

32. (6) NuGet Package Resolution SOURCE 2 SOURCE 1 Foo 5.3.0

    Foo 5.3.1 build machine network calls 32 My Code Nu Get .exe

33. SOURCE 2 SOURCE 1 Give me: - Foo 5.3.* Foo

    5.3.0 Foo 5.3.1 33 (6) NuGet Package Resolution My Code Nu Get .exe

34. Nu Get .exe Foo 5.3.1 Best match from ALL sources

    is: - Foo 5.3.1 Foo 5.3.0 SOURCE 1 SOURCE 2 34 (6) NuGet Package Resolution My Code

35. SOURCE 1 Foo 5.3.1 Foo 5.3.1 Give me: - Foo

    5.3.* Give me: - Foo 5.3.1 SOURCE 2 35 (6) NuGet Package Resolution My Code Nu Get .exe

36. Nu Get .exe SOURCE 1 Foo 5.3.1 Foo 5.3.1 SOURCE

    2 36 (6) NuGet Package Resolution My Code

37. Plan (2/3) typosquatting substitution attack 37

38. Attacks Mr. Evil HACKER 30.08.2022 38

39. Why 39

40. Typosquatting 40

41. Typosquatting My Code Google.Protobuf 5.3.2 Give me: Gogle.Protobuf 5.3.2 NUGET.ORG

    Nu Get .exe 41

42. Typosquatting My Code Google.Protobuf 5.3.2 Give me: Gogle.Protobuf 5.3.2 NUGET.ORG

    Nu Get .exe 42

43. Typosquatting My Code Google.Protobuf 5.3.2 Gogle.Protobuf 5.3.2 Give me: Gogle.Protobuf

    5.3.2 NUGET.ORG Nu Get .exe 43

44. Nu Get .exe Typosquatting My Code Here you are: Gogle.Protobuf

    5.3.2 Gogle.Protobuf 5.3.2 NUGET.ORG 44

45. Demo 0 45

46. Substitution attack 46

47. PRIVATE SOURCE Substitution attack My Code Corporate.Private.Library 5.3.1 Give me:

    - Foo 5.3.* Give me: Corporate.Private.Library 5.3.1 NUGET.ORG Nu Get .exe 47

48. PRIVATE SOURCE Substitution attack NUGET.ORG My Code Give me: Corporate.Private.Library

    5.3.1 Corporate.Private.Library 5.3.1 Nu Get .exe 48

49. PRIVATE SOURCE Substitution attack Corporate.Private.Library 5.3.1 NUGET.ORG My Code Give

    me: Corporate.Private.Library 5.3.1 Corporate.Private.Library 5.3.1 Nu Get .exe 49

50. PRIVATE SOURCE Substitution attack NUGET.ORG My Code Corporate.Private.Library 5.3.1 Corporate.Private.Library

    5.3.1 Nu Get .exe 50

51. PRIVATE SOURCE Substitution attack Give me: - Foo 5.3.* Give

    me: Corporate.Private.Library 5.3.* NUGET.ORG My Code Corporate.Private.Library 5.3.1 Corporate.Private.Library 5.3.2 Nu Get .exe 51

52. PRIVATE SOURCE Substitution attack NUGET.ORG My Code Corporate.Private.Library 5.3.1 Corporate.Private.Library

    5.3.2 Give me: Corporate.Private.Library 5.3.* Corporate.Private.Library 5.3.999 Nu Get .exe 52

53. Nu Get .exe PRIVATE SOURCE Substitution attack Here you are:

    Corporate.Private.Library 5.3.999 NUGET.ORG My Code Corporate.Private.Library 5.3.1 Corporate.Private.Library 5.3.2 Corporate.Private.Library 5.3.999 53

54. Demo 1 54

55. Plan (3/3) Protect when - Consuming - Publishing 55

56. Vulnerable Configurations (1) %AppData%\NuGet\NuGet.Config 56

57. Vulnerable Configurations (2) 57

58. As a consumer Protection 58

59. Who in this room… … uses Package Source Mapping? 59

60. Package Source Mapping protect against substitution attack 60

61. Demo 2 61

62. <trustedSigners> protect against typosquatting 62

63. <trustedSigners> repository certificate accepted <owners> <owner> certificate 63

64. Demo 3 64

65. <clear> avoid unexpected behavior 65

66. Do not let win! 1. Package Source Mapping 2. <trustedSigners>

    66

67. As a publisher Protection 67

68. Reserve Prefix public private 68 packages name prefix

69. Reserve Prefix 69

70. Reserve Prefix 70

71. Sign Packages <author> certificate validation 71

72. Demo 4 72

73. Reserve prefixes on nuget.org 73 Do not let win! public

    private packages

74. Sonar break 74

75. We’re hiring! • .NET Developer Advocate • .NET Ecosystem Product

    Manager • C# Developers sonarsource.com/company/careers 75

76. Want to talk? <placeholder for Sonar booth photo > 76

77. Credits 77

78. Credits In 2020, security researcher Alex Bîrsan 󰐬 used substitution

    attack to hack into: 78

79. Credits 79 • Microsoft • Apple • Shopify • Paypal

    • … and another 31 big companies … In 2020, security researcher Alex Bîrsan 󰐬 used substitution attack to hack into:

80. Credits 80 • Microsoft $ 40K • Apple $ 30K

    • Shopify $ 30K • Paypal $ 30K • … and another 31 big companies … Bug bounties In 2020, security researcher Alex Bîrsan 󰐬 used substitution attack to hack into:

81. 1. Package Source Mapping 2. <trustedSigners> 3. Reserve prefixes on

    nuget.org 81 Do not let win!

82. 📄🔗 andreiepure.ro 82

83. Extra slides 83

84. Deterministic Builds This allows mapping of a package to a

    specific commit: increase transparency and allow consumers to audit open-source code. 84

85. Fixed Versions - it is safer to use fixed versions

    (have full knowledge and control over the supply chain) 85

86. packages.lock.json - have control over all dependencies (direct and transitive)

    - extra mile: verify checksums (have full knowledge and control over the supply chain) 86

87. packages.lock.json Source: https://docs.microsoft.com/en-us/nuget/what-is-nuget 87