
.NET Day 22 - Dependency confusion and its cure. A NuGet story. by Andrei Epure

dotnetday
September 03, 2022


Supply chain attacks are challenging to discover and can seriously affect the security and reputation of organizations. Alex Birsan described in February 2021 a novel supply chain attack: dependency confusion. Are you sure that the library you are using is from the correct source? Do you know how NuGet works behind the scenes? In this session, Andrei will present what a dependency confusion attack is, the risks it poses, and how .NET developers can guard against it in the NuGet ecosystem.


Transcript

  1. Dependency confusion and its cure. A NuGet story. Andrei EPURE, 30.08.2022
  2. Kudos to sponsors
  3. the leader in Clean Code
  4. my talk, my opinions
  5. Andrei Epure
  6. Dependency Confusion ?!
  7. my promise
  8. questions
  9. Plan (1/3): explain some NuGet concepts
  10. Plan (2/3): typosquatting, substitution attack
  11. Plan (3/3): Protect when consuming, when publishing
  12. Story
  13. SolarWinds breach (2020): Orion, a Network Management System used by 30K organizations
  14. SolarWinds breach (2020): attackers on the build machines (2019), injected malware in Orion (2020)
  15. SolarWinds breach (2020): malware shipped to 18K customers: US departments (e.g. Defense, State, etc.), Microsoft, Intel, Cisco etc., FireEye
  16. SolarWinds breach (2020): FireEye, stolen credentials, an employee noticed, investigation
  17. SolarWinds breach (2020)
  18. Supply chain attacks can be catastrophic.
  19. Plan (1/3): explain some NuGet concepts
  20. Who in this room… … uses NuGet?
  21. NuGet Concepts: 1. Software Supply Chain 2. package 3. targets 4. version 5. source 6. resolution
  22. Software supply chain: Source code; Libraries (NuGet for Dependency Management); Build tools, CI/CD, etc.
  23. NuGet > dotnet restore
  24. (2) NuGet Package: compiled libraries, metadata, MSBuild target files
  25. (3) MSBuild targets: Task = action; Target = collection of tasks
  26. (4) NuGet Version: fixed: 1.2.3; range: (,1.2.3]; floating: 1.2.*
  27. Who in this room… … changed a nuget.config file?
  28. (5) NuGet Package Source: feed, central storage
  29. Who in this room… … uses both public (nuget.org) and private package sources?
  30. (6) NuGet Package Resolution: My Code, NuGet.exe or dotnet restore, build machine
  31. (6) NuGet Package Resolution: My Code, NuGet.exe, build machine
  32. (6) NuGet Package Resolution: NuGet.exe on the build machine makes network calls to SOURCE 1 and SOURCE 2, which offer Foo 5.3.0 and Foo 5.3.1
  33. (6) NuGet Package Resolution: NuGet.exe asks every source "Give me: Foo 5.3.*"; the sources offer Foo 5.3.0 and Foo 5.3.1
  34. (6) NuGet Package Resolution: best match from ALL sources is Foo 5.3.1
  35. (6) NuGet Package Resolution: after "Give me: Foo 5.3.*", NuGet.exe asks the source that has it "Give me: Foo 5.3.1"
  36. (6) NuGet Package Resolution: Foo 5.3.1 is downloaded and handed to My Code
  37. Plan (2/3): typosquatting, substitution attack
  38. Attacks: Mr. Evil HACKER, 30.08.2022
  39. Why
  40. Typosquatting
  41. Typosquatting: My Code wants Google.Protobuf 5.3.2; NuGet.exe asks NUGET.ORG "Give me: Gogle.Protobuf 5.3.2"
  42. Typosquatting: My Code wants Google.Protobuf 5.3.2; NuGet.exe asks NUGET.ORG "Give me: Gogle.Protobuf 5.3.2"
  43. Typosquatting: NUGET.ORG hosts Gogle.Protobuf 5.3.2, which is what NuGet.exe asked for
  44. Typosquatting: NUGET.ORG answers "Here you are: Gogle.Protobuf 5.3.2", and My Code ends up with Gogle.Protobuf 5.3.2
  45. Demo 0
  46. Substitution attack
  47. Substitution attack: My Code wants Corporate.Private.Library 5.3.1; NuGet.exe asks both PRIVATE SOURCE and NUGET.ORG "Give me: Corporate.Private.Library 5.3.1" (and "Give me: Foo 5.3.*")
  48. Substitution attack: NuGet.exe asks NUGET.ORG "Give me: Corporate.Private.Library 5.3.1"; PRIVATE SOURCE has Corporate.Private.Library 5.3.1
  49. Substitution attack: "Give me: Corporate.Private.Library 5.3.1"; PRIVATE SOURCE has Corporate.Private.Library 5.3.1, NUGET.ORG now has Corporate.Private.Library 5.3.1 too
  50. Substitution attack: PRIVATE SOURCE and NUGET.ORG both offer Corporate.Private.Library 5.3.1
  51. Substitution attack: "Give me: Corporate.Private.Library 5.3.*" (and "Give me: Foo 5.3.*"); PRIVATE SOURCE has Corporate.Private.Library 5.3.1, NUGET.ORG has Corporate.Private.Library 5.3.2
  52. Substitution attack: "Give me: Corporate.Private.Library 5.3.*"; PRIVATE SOURCE has Corporate.Private.Library 5.3.1 and 5.3.2, NUGET.ORG has Corporate.Private.Library 5.3.999
  53. Substitution attack: NUGET.ORG answers "Here you are: Corporate.Private.Library 5.3.999"; My Code ends up with 5.3.999 instead of the private 5.3.1 or 5.3.2
  54. Demo 1
  55. Plan (3/3): Protect when consuming, when publishing
  56. Vulnerable Configurations (1): %AppData%\NuGet\NuGet.Config
  57. Vulnerable Configurations (2)
  58. Protection as a consumer
  59. Who in this room… … uses Package Source Mapping?
  60. Package Source Mapping: protects against the substitution attack
  61. Demo 2
  62. <trustedSigners>: protects against typosquatting
  63. <trustedSigners>: repository certificate accepted; <owners> <owner>; certificate
  64. Demo 3
  65. <clear>: avoid unexpected behavior
  66. Do not let win! 1. Package Source Mapping 2. <trustedSigners>
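The three consumer-side protections the deck lists (Package Source Mapping, `<trustedSigners>` and `<clear>`) combined in a single nuget.config, as an added example that is not from the talk or the demos; the private feed URL, the `corporate` source key, the owner names and the certificate fingerprint placeholders are assumptions:

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <!-- <clear /> drops every source inherited from %AppData%\NuGet\NuGet.Config and
         other parent configs, so restore only ever talks to the feeds listed here. -->
    <clear />
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
    <!-- Assumed private feed URL and key. -->
    <add key="corporate" value="https://pkgs.example.com/nuget/v3/index.json" />
  </packageSources>

  <!-- Package Source Mapping: a package id is restored only from the source whose
       pattern matches it, and the longest matching pattern wins. Corporate.Private.*
       therefore never reaches nuget.org, so a Corporate.Private.Library 5.3.999
       uploaded there is never even considered (the substitution attack of slide 53). -->
  <packageSourceMapping>
    <packageSource key="nuget.org">
      <package pattern="*" />
    </packageSource>
    <packageSource key="corporate">
      <package pattern="Corporate.Private.*" />
    </packageSource>
  </packageSourceMapping>

  <!-- "require" makes restore fail for any package whose signature does not match an
       entry in <trustedSigners>; the default "accept" only warns. -->
  <config>
    <add key="signatureValidationMode" value="require" />
  </config>

  <trustedSigners>
    <!-- nuget.org repository-signs every package, so the certificate alone would also
         accept a typosquatted Gogle.Protobuf; <owners> restricts acceptance to packages
         whose nuget.org owner is in this list (owner ids below are assumed). -->
    <repository name="nuget.org" serviceIndex="https://api.nuget.org/v3/index.json">
      <!-- PLACEHOLDER fingerprint: copy it from `dotnet nuget verify` on a nuget.org package. -->
      <certificate fingerprint="NUGET_ORG_REPOSITORY_CERT_SHA256_FINGERPRINT"
                   hashAlgorithm="SHA256" allowUntrustedRoot="false" />
      <owners>protobuf-packages;microsoft</owners>
    </repository>
    <!-- The private packages must be author-signed (slide 71), otherwise "require"
         rejects them too; PLACEHOLDER fingerprint of the assumed corporate signing cert. -->
    <author name="corporate-signing">
      <certificate fingerprint="CORPORATE_AUTHOR_CERT_SHA256_FINGERPRINT"
                   hashAlgorithm="SHA256" allowUntrustedRoot="false" />
    </author>
  </trustedSigners>
</configuration>
```

Place the file next to the solution so it is picked up before the user-level NuGet.Config; `dotnet nuget trust repository` and `dotnet nuget trust author` can write the `<trustedSigners>` entries from a signed package instead of editing the fingerprints by hand.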
  67. As a publisher Protection 67

  68. Reserve Prefix public private 68 packages name prefix

  69. Reserve Prefix 69

  70. Reserve Prefix 70

  71. Sign Packages <author> certificate validation 71

  72. Demo 4 72

  73. Reserve prefixes on nuget.org 73 Do not let win! public

    private packages
  74. Sonar break 74

  75. We’re hiring! • .NET Developer Advocate • .NET Ecosystem Product

    Manager • C# Developers sonarsource.com/company/careers 75
  76. Want to talk? <placeholder for Sonar booth photo > 76

  77. Credits 77

  78. Credits In 2020, security researcher Alex Bîrsan 󰐬 used substitution

    attack to hack into: 78
  79. Credits 79 • Microsoft • Apple • Shopify • Paypal

    • … and another 31 big companies … In 2020, security researcher Alex Bîrsan 󰐬 used substitution attack to hack into:
  80. Credits 80 • Microsoft $ 40K • Apple $ 30K

    • Shopify $ 30K • Paypal $ 30K • … and another 31 big companies … Bug bounties In 2020, security researcher Alex Bîrsan 󰐬 used substitution attack to hack into:
  81. 1. Package Source Mapping 2. <trustedSigners> 3. Reserve prefixes on

    nuget.org 81 Do not let win!
  82. 📄🔗 andreiepure.ro 82

  83. Extra slides 83

  84. Deterministic Builds This allows mapping of a package to a

    specific commit: increase transparency and allow consumers to audit open-source code. 84
  85. Fixed Versions - it is safer to use fixed versions

    (have full knowledge and control over the supply chain) 85
  86. packages.lock.json - have control over all dependencies (direct and transitive)

    - extra mile: verify checksums (have full knowledge and control over the supply chain) 86
  87. packages.lock.json Source: https://docs.microsoft.com/en-us/nuget/what-is-nuget 87