.NET Day 22 - Dependency confusion and its cure. A NuGet story. by Andrei Epure

Transcript

1. Dependency confusion
   and its cure.
   A NuGet story.
   Andrei EPURE
   30.08.2022
   

   View Slide

2. Kudos to sponsors
   2
   

   View Slide

3. the leader in Clean Code
   3
   

   View Slide

4. my talk, my opinions
   4
   

   View Slide

5. Andrei Epure
   5
   

   View Slide

6. Dependency Confusion
   ?!
   6
   

   View Slide

7. my promise
   7
   

   View Slide

8. questions
   8
   

   View Slide

9. Plan (1/3)
   explain some NuGet concepts
   9
   

   View Slide

10. Plan (2/3)
    typosquatting
    substitution attack
    10
    

    View Slide

11. Plan (3/3)
    Protect when
    - Consuming
    - Publishing
    11
    

    View Slide

12. Story
    12
    

    View Slide

13. SolarWinds breach (2020)
    Orion: Network Management System
    30K organizations
    13
    

    View Slide

14. SolarWinds breach (2020)
    attackers
    build machines (2019)
    injected malware in Orion (2020)
    14
    

    View Slide

15. SolarWinds breach (2020)
    malware to 18K customers
    US departments (e.g. Defense, State, etc)
    Microsoft, Intel, Cisco etc
    FireEye
    15
    

    View Slide

16. SolarWinds breach (2020)
    FireEye
    stolen credentials
    employee noticed
    investigation
    16
    

    View Slide

17. SolarWinds breach (2020)
    17
    

    View Slide

18. Supply chain attacks can be
    catastrophic.
    18
    

    View Slide

19. Plan (1/3)
    explain some NuGet concepts
    19
    

    View Slide

20. Who in this room…
    … uses NuGet?
    20
    

    View Slide

21. NuGet Concepts
    1. Software Supply Chain
    2. package
    3. targets
    4. version
    5. source
    6. resolution
    21
    

    View Slide

22. Software supply chain
    Source code
    Libraries
    NuGet for Dependency Management
    Build tools, CI/CD, etc
    22
    

    View Slide

23. NuGet
    > dotnet restore
    23
    

    View Slide

24. (2) NuGet Package
    compiled libraries
    metadata
    MSBuild target files
    24
    

    View Slide

25. (3) MSBuild targets
    Task = action
    Target = collection of tasks
    25
    

    View Slide

26. (4) NuGet Version
    fixed: 1.2.3
    range: (,1.2.3]
    floating: 1.2.*
    26
    

    View Slide

27. Who in this room…
    … changed a nuget.config file?
    27
    

    View Slide

28. (5) NuGet Package Source
    feed
    central storage
    28
    

    View Slide

29. Who in this room…
    … uses both public (nuget.org) and
    private package sources?
    29
    

    View Slide

30. (6) NuGet Package Resolution
    My Code
    NuGet
    .exe
    or
    dotnet
    restore
    build machine
    30
    

    View Slide

31. (6) NuGet Package Resolution
    My Code
    build machine
    31
    Nu
    Get
    .exe
    

    View Slide

32. (6) NuGet Package Resolution
    SOURCE 2
    SOURCE 1
    Foo
    5.3.0
    Foo
    5.3.1
    build machine network calls
    32
    My Code
    Nu
    Get
    .exe
    

    View Slide

33. SOURCE 2
    SOURCE 1
    Give me:
    - Foo
    5.3.*
    Foo
    5.3.0
    Foo
    5.3.1
    33
    (6) NuGet Package Resolution
    My Code
    Nu
    Get
    .exe
    

    View Slide

34. Nu
    Get
    .exe
    Foo
    5.3.1
    Best match
    from ALL
    sources is:
    - Foo 5.3.1
    Foo
    5.3.0
    SOURCE 1
    SOURCE 2
    34
    (6) NuGet Package Resolution
    My Code
    

    View Slide

35. SOURCE 1
    Foo
    5.3.1
    Foo
    5.3.1
    Give me:
    - Foo 5.3.*
    Give me:
    - Foo
    5.3.1 SOURCE 2
    35
    (6) NuGet Package Resolution
    My Code
    Nu
    Get
    .exe
    

    View Slide

36. Nu
    Get
    .exe
    SOURCE 1
    Foo
    5.3.1
    Foo
    5.3.1
    SOURCE 2
    36
    (6) NuGet Package Resolution
    My Code
    

    View Slide

37. Plan (2/3)
    typosquatting
    substitution attack
    37
    

    View Slide

38. Attacks
    Mr. Evil HACKER
    30.08.2022
    38
    

    View Slide

39. Why
    39
    

    View Slide

40. Typosquatting
    40
    

    View Slide

41. Typosquatting
    My Code
    Google.Protobuf
    5.3.2
    Give me:
    Gogle.Protobuf
    5.3.2
    NUGET.ORG
    Nu
    Get
    .exe
    41
    

    View Slide

42. Typosquatting
    My Code
    Google.Protobuf
    5.3.2
    Give me:
    Gogle.Protobuf
    5.3.2
    NUGET.ORG
    Nu
    Get
    .exe
    42
    

    View Slide

43. Typosquatting
    My Code
    Google.Protobuf
    5.3.2 Gogle.Protobuf
    5.3.2
    Give me:
    Gogle.Protobuf
    5.3.2
    NUGET.ORG
    Nu
    Get
    .exe
    43
    

    View Slide

44. Nu
    Get
    .exe
    Typosquatting
    My Code
    Here you are:
    Gogle.Protobuf
    5.3.2
    Gogle.Protobuf
    5.3.2
    NUGET.ORG
    44
    

    View Slide

45. Demo 0
    45
    

    View Slide

46. Substitution attack
    46
    

    View Slide

47. PRIVATE SOURCE
    Substitution attack
    My Code
    Corporate.Private.Library
    5.3.1
    Give me:
    - Foo 5.3.*
    Give me:
    Corporate.Private.Library
    5.3.1
    NUGET.ORG
    Nu
    Get
    .exe
    47
    

    View Slide

48. PRIVATE SOURCE
    Substitution attack
    NUGET.ORG
    My Code
    Give me:
    Corporate.Private.Library
    5.3.1
    Corporate.Private.Library
    5.3.1
    Nu
    Get
    .exe
    48
    

    View Slide

49. PRIVATE SOURCE
    Substitution attack
    Corporate.Private.Library
    5.3.1
    NUGET.ORG
    My Code
    Give me:
    Corporate.Private.Library
    5.3.1
    Corporate.Private.Library
    5.3.1
    Nu
    Get
    .exe
    49
    

    View Slide

50. PRIVATE SOURCE
    Substitution attack
    NUGET.ORG
    My Code
    Corporate.Private.Library
    5.3.1
    Corporate.Private.Library
    5.3.1
    Nu
    Get
    .exe
    
    50
    

    View Slide

51. PRIVATE SOURCE
    Substitution attack
    Give me:
    - Foo 5.3.*
    Give me:
    Corporate.Private.Library
    5.3.* NUGET.ORG
    My Code
    Corporate.Private.Library
    5.3.1 Corporate.Private.Library
    5.3.2
    Nu
    Get
    .exe
    51
    

    View Slide

52. PRIVATE SOURCE
    Substitution attack
    NUGET.ORG
    My Code
    Corporate.Private.Library
    5.3.1 Corporate.Private.Library
    5.3.2
    Give me:
    Corporate.Private.Library
    5.3.*
    Corporate.Private.Library
    5.3.999
    Nu
    Get
    .exe
    52
    

    View Slide

53. Nu
    Get
    .exe
    PRIVATE SOURCE
    Substitution attack
    Here you are:
    Corporate.Private.Library
    5.3.999
    NUGET.ORG
    My Code
    Corporate.Private.Library
    5.3.1 Corporate.Private.Library
    5.3.2
    Corporate.Private.Library
    5.3.999
    53
    

    View Slide

54. Demo 1
    54
    

    View Slide

55. Plan (3/3)
    Protect when
    - Consuming
    - Publishing
    55
    

    View Slide

56. Vulnerable Configurations (1)
    %AppData%\NuGet\NuGet.Config
    56
    

    View Slide

57. Vulnerable Configurations (2)
    57
    

    View Slide

58. As a consumer
    Protection
    58
    

    View Slide

59. Who in this room…
    … uses Package Source Mapping?
    59
    

    View Slide

60. Package Source Mapping
    protect against substitution attack
    60
    

    View Slide

61. Demo 2
    61
    

    View Slide

62. 
    protect against typosquatting
    62
    

    View Slide

63. 
    repository certificate
    accepted
    certificate
    63
    

    View Slide

64. Demo 3
    64
    

    View Slide

65. 
    avoid unexpected behavior
    65
    

    View Slide

66. Do not let win!
    1. Package Source Mapping
    2.
    66
    

    View Slide

67. As a publisher
    Protection
    67
    

    View Slide

68. Reserve Prefix
    public
    private
    68
    packages name prefix
    

    View Slide

69. Reserve Prefix
    69
    

    View Slide

70. Reserve Prefix
    70
    

    View Slide

71. Sign Packages
    certificate validation
    71
    

    View Slide

72. Demo 4
    72
    

    View Slide

73. Reserve prefixes on nuget.org
    73
    Do not let win!
    public
    private
    packages
    

    View Slide

74. Sonar break
    74
    

    View Slide

75. We’re hiring!
    ● .NET Developer Advocate
    ● .NET Ecosystem Product Manager
    ● C# Developers
    sonarsource.com/company/careers
    75
    

    View Slide

76. Want to talk?
    
    76
    

    View Slide

77. Credits
    77
    

    View Slide

78. Credits
    In 2020, security researcher Alex Bîrsan 󰐬 used
    substitution attack to hack into:
    78
    

    View Slide

79. Credits
    79
    ● Microsoft
    ● Apple
    ● Shopify
    ● Paypal
    ● … and another 31 big companies …
    In 2020, security researcher Alex Bîrsan 󰐬 used
    substitution attack to hack into:
    

    View Slide

80. Credits
    80
    ● Microsoft $ 40K
    ● Apple $ 30K
    ● Shopify $ 30K
    ● Paypal $ 30K
    ● … and another 31 big companies …
    Bug
    bounties
    In 2020, security researcher Alex Bîrsan 󰐬 used
    substitution attack to hack into:
    

    View Slide

81. 1. Package Source Mapping
    2.
    3. Reserve prefixes on nuget.org
    81
    Do not let win!
    

    View Slide

82. 📄🔗
    andreiepure.ro
    82
    

    View Slide

83. Extra slides
    83
    

    View Slide

84. Deterministic Builds
    This allows mapping of a package to a specific
    commit: increase transparency and allow
    consumers to audit open-source code.
    84
    

    View Slide

85. Fixed Versions
    - it is safer to use fixed versions
    (have full knowledge and control over the
    supply chain)
    85
    

    View Slide

86. packages.lock.json
    - have control over all dependencies (direct
    and transitive)
    - extra mile: verify checksums
    (have full knowledge and control over the
    supply chain)
    86
    

    View Slide

87. packages.lock.json
    Source:
    https://docs.microsoft.com/en-us/nuget/what-is-nuget
    87
    

    View Slide