
Mitigate Attacks on your PHP Supply Chain

When you install a JavaScript library, it usually comes with hundreds of transitive dependencies, i.e. libraries that are installed as a side effect because they are essential to the operation of the library you want to use.

This proliferation of dependencies opens the door to supply chain attacks. All it takes is for one of the repositories hosting one of these hundreds of libraries, or one of the maintainers, to be malicious, and it becomes possible to inject malware into yours, which can target you or your organization, and even the end users of your software.

As I explained back in 2018, the PHP ecosystem is slightly less susceptible to this type of attack than the JavaScript ecosystem, because maintainers of popular libraries and frameworks are relatively careful not to rely on too many third-party dependencies, which limits the problem... but doesn't totally prevent it.

What if we could do better with our favorite library management software: Composer? During this talk, I present how supply chain attacks work, outline some organizational methods that could limit the problem, and finally, explain how to take back full control of your vendor/ folder thanks to a Composer patch I crafted for this occasion.

Kévin Dunglas

May 12, 2023

Transcript

  1. OUTLINE

    What Is a Supply Chain Attack? · The Scope of the Problem · Mastering Composer to Mitigate Attacks · Long-Term Solutions
  2. Kévin Dunglas (@dunglas)

    ➔ Creator of API Platform / FrankenPHP / Mercure
    ➔ Symfony Core Team
    ➔ Co-founder of Les-Tilleuls.coop
  3. ➔ PHP, JS and Cloud experts

    ➔ 100% employee-owned co-op ✊
    ➔ Democratically managed 💬
    ➔ [email protected] 💌
    12 YEARS OF EXPERTISE · 70 COOPERATORS · 300 CUSTOMERS · 50 PROJECTS/YEAR
  4. Outline (section divider)

    What Is a Supply Chain Attack? · Long-Term Solutions · Mastering Composer to Mitigate Attacks · The Scope of the Problem
  5. Supply Chain

    “A supply chain is a complex logistics system that consists of facilities that convert raw materials into finished products which are later distributed to end consumers.” - Wikipedia
  6. Software Supply Chain

    Anything that affects your software
    ➔ Your code
    ➔ Libraries and frameworks used by your code: Symfony, API Platform, Laravel, Doctrine…
    ➔ Package managers: Composer, NPM…
    ➔ Binaries: Linux distros, Docker containers…
    ➔ Build scripts
    ➔ Forges / CI/CD pipeline: GitHub, GitLab
    ➔ Hardware / Cloud Provider
  7. Supply Chain Attacks

    ➔ An attack that targets the less secure elements in the supply chain
    ➔ Can target any component of the chain
      • hardware: spying component
      • software: malware
    This talk will be focused on attacks targeting software, and especially PHP apps.
  8. Most Common Supply Chain Attack Vectors

    ➔ The direct dependencies of your project
      • PHP libraries
      • JavaScript libraries
      • System binaries and libraries
    ➔ The transitive dependencies (dependencies of your dependencies)
  9. Common Attacks: Package Takeover

    The event-stream incident
    ➔ event-stream is a popular NPM package
    ➔ Used by VSCode, Vue, Angular, Gatsby…
    ➔ Commit right has been granted to a new maintainer
    ➔ The new maintainer added a dependency to the package (= unknown code)
    ➔ The new dependency included a crypto-coin-stealing malware 💣
  10. Outline (section divider)

    What Is a Supply Chain Attack? · The Scope of the Problem · Long-Term Solutions · Mastering Composer to Mitigate Attacks
  11. Dependencies In Numbers (May 2023)

    Popular PHP frameworks
    ➔ Symfony (minimal): 30 packages, 2 vendors
    ➔ Symfony: 125 packages, 17 vendors
    ➔ API Platform (minimal): 38 packages, 5 vendors
    ➔ API Platform: 98 packages, 20 vendors
    ➔ Laravel: 107 packages, 35 vendors
    Popular JavaScript frameworks and libraries
    ➔ React (Next.js): 352 packages
    ➔ Angular: 940 packages
    ➔ Vue.js: 27 packages
    ➔ Nuxt.js: 1279 packages
  12. Who Do You Trust?

    “Installing 1 average npm package introduces an implicit trust on 79 third-party packages and 39 maintainers, creating a surprisingly large attack surface.” - Markus Zimmermann and Cristian-Alexandru Staicu, TU Darmstadt; Cam Tenny, r2c; Michael Pradel, TU Darmstadt
  13. Outline (section divider)

    The Scope of the Problem · Mastering Composer to Mitigate Attacks · What Is a Supply Chain Attack? · Long-Term Solutions
  14. The Biggest Threat: Unpatched Software

    ➔ 85% of vulnerabilities in FOSS are disclosed with a patch already available
    ➔ Monitor your deps:
      • composer audit
      • npm audit
      • Trivy
      • Dependabot
    ➔ Update as soon as possible!
  15. Carefully Choose Your Dependencies

    ➔ Is the package actively maintained?
    ➔ Does it have a code review process?
    ➔ Does it have a security policy?
    ➔ Is it managed by a company? By a team? By a well-known individual?
    ➔ Can I pay to ensure the maintenance is correctly done?
    ➔ Do I trust its maintainers?
    This matters even more for libraries, frameworks and popular projects.
  16. Outline (section divider)

    Long-Term Solutions · The Scope of the Problem · What Is a Supply Chain Attack? · Mastering Composer to Mitigate Attacks
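
The "packages / vendors" figures on the "Dependencies In Numbers" slide can be measured for any project from its `composer.lock`. The script below is an added example, not part of the original deck: the lock-file excerpt is constructed sample data, and the function names `trust_surface` and `dev_only_vendors` are hypothetical.

```python
import json
from collections import Counter

# Constructed sample: a trimmed composer.lock (real files carry many more keys per package).
SAMPLE_LOCK = json.loads("""
{
  "packages": [
    {"name": "symfony/console", "version": "v6.2.10"},
    {"name": "symfony/string", "version": "v6.2.8"},
    {"name": "psr/container", "version": "2.0.2"},
    {"name": "psr/log", "version": "3.0.0"},
    {"name": "doctrine/inflector", "version": "2.0.6"}
  ],
  "packages-dev": [
    {"name": "phpunit/phpunit", "version": "10.1.2"},
    {"name": "sebastian/diff", "version": "5.0.3"},
    {"name": "symfony/var-dumper", "version": "v6.2.10"}
  ]
}
""")

def trust_surface(lock, include_dev=True):
    """Count locked packages and the distinct vendors behind them."""
    sections = ["packages"] + (["packages-dev"] if include_dev else [])
    vendors = Counter()
    total = 0
    for section in sections:
        for package in lock.get(section) or []:
            # Composer package names have the form "vendor/project".
            vendor, _, _project = package["name"].partition("/")
            vendors[vendor.lower()] += 1
            total += 1
    return {"packages": total, "vendors": len(vendors),
            "by_vendor": vendors.most_common()}

def dev_only_vendors(lock):
    """Vendors trusted only through dev dependencies (absent with --no-dev)."""
    runtime = {v for v, _ in trust_surface(lock, include_dev=False)["by_vendor"]}
    everything = {v for v, _ in trust_surface(lock)["by_vendor"]}
    return sorted(everything - runtime)

if __name__ == "__main__":
    report = trust_surface(SAMPLE_LOCK)
    print(f"{report['packages']} packages from {report['vendors']} vendors")
    for vendor, count in report["by_vendor"]:
        print(f"  {vendor}: {count}")
    print("dev-only vendors:", ", ".join(dev_only_vendors(SAMPLE_LOCK)))
```

To run it against a real project, replace `SAMPLE_LOCK` with `json.load(open("composer.lock"))`.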