.NET Day 22 - Dependency confusion and its cure. A NuGet story. by Andrei Epure

dotnetday
September 03, 2022

Supply chain attacks are challenging to discover and can seriously affect the security and reputation of organizations. Alex Birsan described in February 2021 a novel supply chain attack: dependency confusion. Are you sure that the library you are using is from the correct source? Do you know how NuGet works behind the scenes? In this session, Andrei will present what a dependency confusion attack is, the risks it poses, and how .NET developers can guard against it in the NuGet ecosystem.

Transcript

  1. Dependency confusion and its cure. A NuGet story.
    Andrei EPURE
    30.08.2022

  2. Kudos to sponsors

  3. the leader in Clean Code

  4. my talk, my opinions

  5. Andrei Epure

  6. Dependency Confusion ?!

  7. my promise

  8. questions

  9. Plan (1/3)
    explain some NuGet concepts

  10. Plan (2/3)
    typosquatting
    substitution attack

  11. Plan (3/3)
    Protect when
    - Consuming
    - Publishing

  12. Story

  13. SolarWinds breach (2020)
    Orion: Network Management System
    30K organizations

  14. SolarWinds breach (2020)
    attackers: build machines (2019)
    injected malware in Orion (2020)

  15. SolarWinds breach (2020)
    malware to 18K customers
    US departments (e.g. Defense, State, etc.)
    Microsoft, Intel, Cisco, etc.
    FireEye

  16. SolarWinds breach (2020)
    FireEye
    stolen credentials
    employee noticed
    investigation

  17. SolarWinds breach (2020)

  18. Supply chain attacks can be catastrophic.

  19. Plan (1/3)
    explain some NuGet concepts

  20. Who in this room…
    … uses NuGet?

  21. NuGet Concepts
    1. Software Supply Chain
    2. package
    3. targets
    4. version
    5. source
    6. resolution

  22. Software supply chain
    Source code
    Libraries
    NuGet for Dependency Management
    Build tools, CI/CD, etc.

  23. NuGet
    > dotnet restore

  24. (2) NuGet Package
    compiled libraries
    metadata
    MSBuild target files

  25. (3) MSBuild targets
    Task = action
    Target = collection of tasks

  26. (4) NuGet Version
    fixed: 1.2.3
    range: (,1.2.3]
    floating: 1.2.*

  27. Who in this room…
    … changed a nuget.config file?

  28. (5) NuGet Package Source
    feed
    central storage

  29. Who in this room…
    … uses both public (nuget.org) and private package sources?

  30. (6) NuGet Package Resolution
    [diagram: My Code on the build machine, restored by NuGet.exe or dotnet restore]

  31. (6) NuGet Package Resolution
    [diagram: My Code and NuGet.exe on the build machine]

  32. (6) NuGet Package Resolution
    [diagram: build machine network calls from NuGet.exe to SOURCE 1 (Foo 5.3.0) and SOURCE 2 (Foo 5.3.1)]

  33. (6) NuGet Package Resolution
    [diagram: NuGet.exe asks both sources "Give me: Foo 5.3.*"; SOURCE 1 has Foo 5.3.0, SOURCE 2 has Foo 5.3.1]

  34. (6) NuGet Package Resolution
    [diagram: best match from ALL sources is Foo 5.3.1, taken from SOURCE 2 rather than the Foo 5.3.0 on SOURCE 1]

  35. (6) NuGet Package Resolution
    [diagram: the requests "Give me: Foo 5.3.*" and "Give me: Foo 5.3.1" go to both sources; SOURCE 1 and SOURCE 2 each have Foo 5.3.1]

  36. (6) NuGet Package Resolution
    [diagram: both SOURCE 1 and SOURCE 2 answer NuGet.exe with Foo 5.3.1]

  37. Plan (2/3)
    typosquatting
    substitution attack

  38. Attacks
    Mr. Evil HACKER
    30.08.2022

  39. Why

  40. Typosquatting

  41. Typosquatting
    [diagram: My Code wants Google.Protobuf 5.3.2; NuGet.exe asks NUGET.ORG "Give me: Gogle.Protobuf 5.3.2"]

  42. Typosquatting
    [diagram: same state as slide 41]

  43. Typosquatting
    [diagram: NUGET.ORG holds Google.Protobuf 5.3.2 and, next to it, Gogle.Protobuf 5.3.2; NuGet.exe asks "Give me: Gogle.Protobuf 5.3.2"]

  44. Typosquatting
    [diagram: NUGET.ORG answers "Here you are: Gogle.Protobuf 5.3.2" and My Code receives Gogle.Protobuf 5.3.2]

  45. Demo 0

  46. Substitution attack

  47. Substitution attack
    [diagram: PRIVATE SOURCE holds Corporate.Private.Library 5.3.1; NuGet.exe asks "Give me: Corporate.Private.Library 5.3.1"; NUGET.ORG is configured as a second source]

  48. Substitution attack
    [diagram: the request "Give me: Corporate.Private.Library 5.3.1" goes to both PRIVATE SOURCE and NUGET.ORG]

  49. Substitution attack
    [diagram: PRIVATE SOURCE answers with Corporate.Private.Library 5.3.1]

  50. Substitution attack
    [diagram: My Code receives Corporate.Private.Library 5.3.1 from PRIVATE SOURCE]

  51. Substitution attack
    [diagram: PRIVATE SOURCE now holds Corporate.Private.Library 5.3.1 and 5.3.2; the request becomes floating: "Give me: Corporate.Private.Library 5.3.*"]

  52. Substitution attack
    [diagram: NUGET.ORG now also holds a Corporate.Private.Library 5.3.999; the floating request "Give me: Corporate.Private.Library 5.3.*" goes to both sources]

  53. Substitution attack
    [diagram: NUGET.ORG answers "Here you are: Corporate.Private.Library 5.3.999", which wins over 5.3.1 and 5.3.2 from PRIVATE SOURCE and lands in My Code]

  54. Demo 1

  55. Plan (3/3)
    Protect when
    - Consuming
    - Publishing

  56. Vulnerable Configurations (1)
    %AppData%\NuGet\NuGet.Config

  57. Vulnerable Configurations (2)

  58. As a consumer
    Protection

  59. Who in this room…
    … uses Package Source Mapping?

  60. Package Source Mapping
    protect against substitution attack

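The resolution story of slides 30 to 36 and 47 to 53, and the Package Source Mapping fix of slide 60, as an added example (my code, not the talk's and not NuGet's): a small Python model of restore that reads the packageSourceMapping section of a nuget.config and shows how the same floating request resolves with and without the mapping. The feeds, package ids, versions and the example.test URL are constructed; the resolver is a simplified model of NuGet's behaviour, with the mapping rules taken from the documented longest-matching-pattern semantics, and the tie-break between sources offering the identical version is an assumption noted in the code.

```python
"""Model of NuGet package resolution with and without Package Source Mapping.

Added example, not code from the talk or from NuGet. The feeds, package ids
and versions are constructed to mirror the slides' Corporate.Private.Library
story. Mapping rules follow the documented packageSourceMapping semantics:
patterns are case-insensitive id prefixes ending in '*' (or exact ids), and
the longest matching pattern decides which source(s) may serve a package.
"""
import xml.etree.ElementTree as ET

# Constructed nuget.config: two sources plus a mapping that pins every
# Corporate.* package to the private feed and everything else to nuget.org.
NUGET_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <clear />
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
    <add key="corporate" value="https://pkgs.example.test/nuget/v3/index.json" />
  </packageSources>
  <packageSourceMapping>
    <packageSource key="nuget.org">
      <package pattern="*" />
    </packageSource>
    <packageSource key="corporate">
      <package pattern="Corporate.*" />
    </packageSource>
  </packageSourceMapping>
</configuration>
"""

# Constructed feed contents, in configured order. The public feed carries a
# look-alike of the private library with an inflated version (the talk's 5.3.999).
FEEDS = {
    "corporate": {"Corporate.Private.Library": ["5.3.1", "5.3.2"]},
    "nuget.org": {"Corporate.Private.Library": ["5.3.999"], "Google.Protobuf": ["5.3.2"]},
}


def parse_version(text):
    """'5.3.1' -> (5, 3, 1); enough for the purely numeric versions used here."""
    return tuple(int(part) for part in text.split("."))


def version_matches(version, requested):
    """Floating '5.3.*' matches any 5.3.x; a fixed '5.3.1' matches only itself."""
    if requested.endswith(".*"):
        prefix = parse_version(requested[:-2])
        return parse_version(version)[: len(prefix)] == prefix
    return parse_version(version) == parse_version(requested)


def load_source_mapping(config_xml):
    """Return {source key: [lower-cased patterns]} from <packageSourceMapping>."""
    root = ET.fromstring(config_xml.encode("utf-8"))
    mapping = {}
    for source in root.iterfind("./packageSourceMapping/packageSource"):
        mapping[source.get("key")] = [p.get("pattern").lower() for p in source.iterfind("package")]
    return mapping


def allowed_sources(package_id, mapping):
    """Sources permitted to serve package_id: the longest matching pattern wins."""
    pid = package_id.lower()
    best_len, best = -1, []
    for source, patterns in mapping.items():
        for pattern in patterns:
            if pattern == "*":
                hit, length = True, 0
            elif pattern.endswith("*"):
                hit, length = pid.startswith(pattern[:-1]), len(pattern) - 1
            else:
                hit, length = pid == pattern, len(pattern)
            if hit and length > best_len:
                best_len, best = length, [source]
            elif hit and length == best_len:
                best.append(source)
    return best


def resolve(package_id, requested, feeds, mapping=None):
    """Return (source, version) for the best match across the consulted sources.

    Without a mapping every source is consulted and the highest matching
    version wins, which is what lets a public 5.3.999 shadow a private 5.3.2.
    With a mapping only the allowed source(s) are consulted. Ties on an
    identical version go to the earlier configured source: that tie-break is
    an assumption of this model, not documented NuGet behaviour.
    """
    sources = list(feeds) if mapping is None else allowed_sources(package_id, mapping)
    candidates = []
    for index, source in enumerate(feeds):
        if source not in sources:
            continue
        for version in feeds[source].get(package_id, []):
            if version_matches(version, requested):
                candidates.append((parse_version(version), -index, source, version))
    if not candidates:
        return None
    _, _, source, version = max(candidates)
    return source, version


MAPPING = load_source_mapping(NUGET_CONFIG)
```

Calling `resolve("Corporate.Private.Library", "5.3.*", FEEDS)` reproduces slide 53 (the public 5.3.999 wins); the same call with `MAPPING` as the fourth argument only ever consults the private feed and returns its 5.3.2. A fixed version request (`"5.3.1"`) narrows the exposure too, which is the point of slide 85, but only the mapping stops the public feed from being asked at all.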
  61. Demo 2

  62. protect against typosquatting

  63. repository certificate
    accepted certificate

  64. Demo 3

  65. avoid unexpected behavior

  66. Do not let win!
    1. Package Source Mapping
    2.

  67. As a publisher
    Protection

  68. Reserve Prefix
    packages name prefix: public / private

  69. Reserve Prefix

  70. Reserve Prefix

  71. Sign Packages
    certificate validation

  72. Demo 4

  73. Reserve prefixes on nuget.org
    Do not let win!
    public / private packages

  74. Sonar break

  75. We’re hiring!
    ● .NET Developer Advocate
    ● .NET Ecosystem Product Manager
    ● C# Developers
    sonarsource.com/company/careers

  76. Want to talk?

  77. Credits

  78. Credits
    In 2020, security researcher Alex Bîrsan used a substitution attack to hack into:

  79. Credits
    In 2020, security researcher Alex Bîrsan used a substitution attack to hack into:
    ● Microsoft
    ● Apple
    ● Shopify
    ● Paypal
    ● … and another 31 big companies …

  80. Credits
    In 2020, security researcher Alex Bîrsan used a substitution attack to hack into:
    Bug bounties
    ● Microsoft $ 40K
    ● Apple $ 30K
    ● Shopify $ 30K
    ● Paypal $ 30K
    ● … and another 31 big companies …

  81. Do not let win!
    1. Package Source Mapping
    2.
    3. Reserve prefixes on nuget.org

  82. 📄🔗 andreiepure.ro

  83. Extra slides

  84. Deterministic Builds
    This allows mapping of a package to a specific commit: increase transparency and allow consumers to audit open-source code.

  85. Fixed Versions
    - it is safer to use fixed versions
    (have full knowledge and control over the supply chain)

  86. packages.lock.json
    - have control over all dependencies (direct and transitive)
    - extra mile: verify checksums
    (have full knowledge and control over the supply chain)

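Going the "extra mile" of slide 86, as an added example (my code, not the talk's and not NuGet's own tooling): a Python checker that walks every direct and transitive entry of a packages.lock.json and compares each contentHash with the hash of the restored .nupkg, so a package whose bytes differ from what was locked is reported even when id and version look right. The lock file, the package bytes and the cache dictionary are constructed inline; the hash format (base64 of the SHA-512 of the archive, the value NuGet writes to the .nupkg.sha512 companion file) is an assumption stated in the code.

```python
"""Verify packages.lock.json content hashes against restored .nupkg bytes.

Added example, not code from the talk or from NuGet. The lock file, the
package bytes and the cache are constructed in memory so it runs offline.
Assumption: contentHash is the base64-encoded SHA-512 of the .nupkg bytes,
the same value NuGet stores in <id>.<version>.nupkg.sha512 next to each
package in the global packages folder.
"""
import base64
import hashlib
import json


def content_hash(nupkg_bytes):
    """Base64(SHA-512(bytes)): the contentHash form assumed above."""
    return base64.b64encode(hashlib.sha512(nupkg_bytes).digest()).decode("ascii")


# Constructed stand-ins for package archives (a real .nupkg is a zip file).
GENUINE_LIBRARY = b"PK\x03\x04 constructed Corporate.Private.Library 5.3.1"
GENUINE_JSON = b"PK\x03\x04 constructed Newtonsoft.Json 13.0.1"
TAMPERED_LIBRARY = GENUINE_LIBRARY + b" plus injected content"

# Constructed packages.lock.json in NuGet's layout: one entry per dependency,
# direct and transitive, with the resolved version and its content hash.
# Project references have no hash and are listed with type "Project".
LOCK_FILE = json.dumps({
    "version": 1,
    "dependencies": {
        "net6.0": {
            "Corporate.Private.Library": {
                "type": "Direct",
                "requested": "[5.3.1, )",
                "resolved": "5.3.1",
                "contentHash": content_hash(GENUINE_LIBRARY),
            },
            "Newtonsoft.Json": {
                "type": "Transitive",
                "resolved": "13.0.1",
                "contentHash": content_hash(GENUINE_JSON),
            },
            "Corporate.Shared": {"type": "Project"},
        }
    },
})

# The global packages folder modelled as {(id lower-cased, version): bytes}.
CLEAN_CACHE = {
    ("corporate.private.library", "5.3.1"): GENUINE_LIBRARY,
    ("newtonsoft.json", "13.0.1"): GENUINE_JSON,
}
# Same cache, but the private library's archive has been altered after restore.
TAMPERED_CACHE = {**CLEAN_CACHE, ("corporate.private.library", "5.3.1"): TAMPERED_LIBRARY}


def verify_lock_file(lock_json, cache):
    """Check every locked package against the cache.

    Returns a list of (framework, id, version, type, status) where status is
    'ok', 'missing' (not restored) or 'mismatch' (bytes differ from the lock).
    Project references carry no hash and are skipped.
    """
    lock = json.loads(lock_json)
    report = []
    for framework, deps in lock["dependencies"].items():
        for package_id, info in deps.items():
            if info.get("type") == "Project":
                continue
            version = info["resolved"]
            data = cache.get((package_id.lower(), version.lower()))
            if data is None:
                status = "missing"
            elif content_hash(data) == info["contentHash"]:
                status = "ok"
            else:
                status = "mismatch"
            report.append((framework, package_id, version, info["type"], status))
    return report


def lock_file_is_consistent(lock_json, cache):
    """True only when every hashed dependency, direct or transitive, checks out."""
    return all(entry[-1] == "ok" for entry in verify_lock_file(lock_json, cache))
```

`dotnet restore --locked-mode` already fails the build when the lock file would have to change; the check above goes one step further by comparing the bytes that actually landed in the package cache with the hash that was committed, which is what catches a substituted or altered archive rather than a changed version number.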
  87. packages.lock.json
    Source: https://docs.microsoft.com/en-us/nuget/what-is-nuget