Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Mitigate Attacks on your PHP Supply Chain

Kévin Dunglas
May 12, 2023
Programming
2
1.5k

Mitigate Attacks on your PHP Supply Chain

When you install a JavaScript library, it usually comes with hundreds of transitive dependencies, i.e. libraries that are installed as a side effect because they are essential to the operation of the library you want to use.

This proliferation of dependencies opens the door to supply chain attacks. All it takes is for one of the repositories hosting one of these hundreds of libraries, or one of the maintainers, to be malicious, and it becomes possible to inject malware into yours, which can target you or your organization, and even the end users of your software.

As I explained back in 2018, the PHP ecosystem is slightly less susceptible to this type of attack than the JavaScript ecosystem, because maintainers of popular libraries and frameworks are relatively careful not to rely on too many third-party dependencies, which limits the problem... but doesn't totally prevent it though.

What if we could do better with our favorite library management software: Composer? During this talk, I present how supply chain attacks work, outline some organizational methods that could limit the problem, and finally, explain how to take back full control of your vendor/ folder thanks to a Composer patch I crafted for this occasion.

Kévin Dunglas

May 12, 2023
Tweet

More Decks by Kévin Dunglas

See All by Kévin Dunglas
How to debug Xdebug... or any other weird bug in PHP
dunglas
2
1.8k
API Platform for Laravel
dunglas
1
1.7k
Containerization Tips and Tricks for PHP apps
dunglas
3
6.6k
Front-end application development, Symfony-style(s)
dunglas
2
3.3k
Running Laravel Apps With FrankenPHP
dunglas
5
3.6k
PHP and Symfony Apps As Standalone Binaries
dunglas
3
9.6k
Webperf: boost your PHP apps with 103 Early Hints
dunglas
2
4.4k
The PHP Revolution Is Underway: FrankenPHP 1.0 Beta
dunglas
1
14k
Symfony ImportMaps: Manage Your JavaScript Dependencies Without Node
dunglas
2
4k

Other Decks in Programming

See All in Programming
Macとオーディオ再生 2024/11/02
yusukeito
0
370
Amazon Qを使ってIaCを触ろう!
maruto
0
400
Webの技術スタックで マルチプラットフォームアプリ開発を可能にするElixirDesktopの紹介
thehaigo
2
1k
ふかぼれ!CSSセレクターモジュール / Fukabore! CSS Selectors Module
petamoriken
0
150
AI時代におけるSRE、
あるいはエンジニアの生存戦略
pyama86
6
1.1k
Hotwire or React? ~アフタートーク・本編に含めなかった話~ / Hotwire or React? after talk
harunatsujita
1
120
Content Security Policy入門 セキュリティ設定と 違反レポートのはじめ方 / Introduction to Content Security Policy Getting Started with Security Configuration and Violation Reporting
uskey512
1
530
RubyLSPのマルチバイト文字対応
notfounds
0
120
Creating a Free Video Ad Network on the Edge
mizoguchicoji
0
120
.NET のための通信フレームワーク MagicOnion 入門 / Introduction to MagicOnion
mayuki
1
1.4k
レガシーシステムにどう立ち向かうか 複雑さと理想と現実/vs-legacy
suzukihoge
14
2.2k
WebフロントエンドにおけるGraphQL(あるいはバックエンドのAPI)との向き合い方 / #241106_plk_frontend
izumin5210
4
1.4k

Featured

See All Featured
GitHub's CSS Performance
jonrohan
1030
460k
Save Time (by Creating Custom Rails Generators)
garrettdimon
PRO
27
840
Done Done
chrislema
181
16k
The World Runs on Bad Software
bkeepers
PRO
65
11k
How to Think Like a Performance Engineer
csswizardry
20
1.1k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
364
24k
How GitHub (no longer) Works
holman
310
140k
Why You Should Never Use an ORM
jnunemaker
PRO
54
9.1k
[RailsConf 2023] Rails as a piece of cake
palkan
52
4.9k
The Pragmatic Product Professional
lauravandoore
31
6.3k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
28
2k
Optimizing for Happiness
mojombo
376
70k

Transcript

  1. Mitigate Attacks on your PHP Supply Chain

  2. What Is a Supply Chain Attack? 02 03 OUTLINE 04

    01 The Scope of the Problem Mastering Composer to Mitigate Attacks Long-Term Solutions

  3. Kévin Dunglas ➔ Creator of API Platform / FrankenPHP /

    Mercure ➔ Symfony Core Team ➔ Co-founder of Les-Tilleuls.coop @dunglas

  4. ➔ PHP, JS and Cloud experts ➔ 100% employee-owned co-op

    ✊ ➔ Democratically managed 💬 ➔ [email protected] 💌 12 YEARS OF EXPERTISE 70 COOPERATORS 300 CUSTOMERS 50 PROJECTS/YEAR

  5. 02 03 04 01 What Is a Supply Chain Attack?

    Long-Term Solutions Mastering Composer to Mitigate Attacks The Scope of the Problem

  6. Supply Chain “A supply chain is a complex logistics system

    that consists of facilities that convert raw materials into finished products which are later distributed to end consumers.” - Wikipedia

  7. Software Supply Chain Anything that affects your software ➔ Your

    code ➔ Libraries and frameworks used by your code: Symfony, API Platform, Laravel, Doctrine… ➔ Package managers: Composer, NPM… ➔ Binaries: Linux distros, Docker containers… ➔ Build scripts ➔ Forges / CI/CD pipeline: GitHub, GitLab ➔ Hardware / Cloud Provider

  8. A Modern PHP App © Sebastian Bergmann - The PHP

    Stack’s Supply Chain

  9. Software Supply Chain: The Reality © xkcd/2347

  10. PHP Supply Chain: Going Further

  11. Supply Chain Attacks ➔ An attack that targets the less

    secure elements in the supply chain ➔ Can target any component of the chain • hardware: spying component • software: malware This talk will be focused on attacks targeting software, and especially PHP apps.

  12. ➔ The direct dependencies of your project • PHP libraries

    • JavaScript libraries • System binaries and libraries ➔ The transitive dependencies (dependencies of your dependencies) Most Common Supply Chain Attack Vectors

  13. Common Attack: Malicious Package

  14. Common Attack: TypoSquatting symfont/process © Sean Murphy, kernelmode.blog

  15. The event-stream incident ➔ event-stream is a popular NPM package

    ➔ Used by VSCode, Vue, Angular, Gatsby… ➔ Commit right has been granted to a new maintainer ➔ The new maintainer added a dependency to the package (= unknown code) ➔ The new dependency included a crypto-coin-stealing malware 💣 Common Attacks: Package Takeover

  16. Result

  17. Common Attack: ProtestWare © Sean Murphy, kernelmode.blog

  18. 02 03 04 01 What Is a Supply Chain Attack?

    The Scope of the Problem Long-Term Solutions Mastering Composer to Mitigate Attacks
  19. None

  20. Popular PHP frameworks ➔ Symfony (minimal): 30 packages, 2 vendors

    ➔ Symfony: 125 packages, 17 vendors ➔ API Platform (minimal): 38 packages, 5 vendors ➔ API Platform: 98 packages, 20 vendors ➔ Laravel: 107 packages, 35 vendors Popular JavaScript frameworks and libraries ➔ React (Next.js): 352 packages ➔ Angular: 940 packages ➔ Vue.js: 27 packages ➔ Nuxt.js: 1279 packages Dependencies In Numbers (May 2023)

  21. Who Do You Trust? “Installing 1 average npm package introduces

    an implicit trust on 79 third-party packages and 39 maintainers, creating a surprisingly large attack surface.” - Markus Zimmermann and Cristian-Alexandru Staicu, TU Darmstadt; Cam Tenny, r2c; Michael Pradel, TU Darmstadt

  22. 03 01 The Scope of the Problem Mastering Composer to

    Mitigate Attacks 02 04 What Is a Supply Chain Attack? Long-Term Solutions

  23. ➔ 85% of vulnerabilities in FOSS are disclosed with a

    patch already available ➔ Monitor your deps: • composer audit • npm audit • Trivy • Dependabot ➔ Update as soon as possible! The Biggest Threat: Unpatched Software

  24. composer audit

  25. Be Careful Who You Trust

  26. Carefully Choose Your Dependencies ➔ Is the package actively maintained?

    ➔ Does it have a code review process? ➔ Does it have a security policy? ➔ Is it managed by a company? By a team? By a well-known individual? ➔ Can I pay to ensure the maintenance is correctly done? ➔ Do I trust its maintainers? This matters even more for libraries, frameworks and popular projects.

  27. Can we improve the tooling?

  28. Install Only What You Trust

  29. Composer “Trusted” Packages

  30. Composer “Trusted” Dev Packages

  31. 03 01 Long-Term Solutions 02 04 The Scope of the

    Problem What Is a Supply Chain Attack? Mastering Composer to Mitigate Attacks

  32. Long Term Solutions © Tidelift

  33. Thanks for your attention! ➔ Any questions ? dunglas.dev @dunglas