Mitigate Attacks on your PHP Supply Chain

When you install a JavaScript library, it usually comes with hundreds of transitive dependencies, i.e. libraries that are installed as a side effect because they are essential to the operation of the library you want to use.

This proliferation of dependencies opens the door to supply chain attacks. All it takes is for one of the repositories hosting one of these hundreds of libraries, or one of the maintainers, to be malicious, and it becomes possible to inject malware into yours, which can target you or your organization, and even the end users of your software.

As I explained back in 2018, the PHP ecosystem is slightly less susceptible to this type of attack than the JavaScript ecosystem, because maintainers of popular libraries and frameworks are relatively careful not to rely on too many third-party dependencies. This limits the problem, but doesn't totally prevent it.

What if we could do better with our favorite library management software: Composer? During this talk, I present how supply chain attacks work, outline some organizational methods that could limit the problem, and finally, explain how to take back full control of your vendor/ folder thanks to a Composer patch I crafted for this occasion.

Kévin Dunglas

May 12, 2023

Transcript

  1. Mitigate Attacks on your PHP Supply Chain

  2. OUTLINE
    01 What Is a Supply Chain Attack?
    02 The Scope of the Problem
    03 Mastering Composer to Mitigate Attacks
    04 Long-Term Solutions

  3. Kévin Dunglas
    ➔ Creator of API Platform / FrankenPHP / Mercure
    ➔ Symfony Core Team
    ➔ Co-founder of Les-Tilleuls.coop
    @dunglas

  4. ➔ PHP, JS and Cloud experts
    ➔ 100% employee-owned co-op ✊
    ➔ Democratically managed 💬
    12 years of expertise
    70 cooperators
    300 customers
    50 projects/year

  5. 01 What Is a Supply Chain Attack?
    02 The Scope of the Problem
    03 Mastering Composer to Mitigate Attacks
    04 Long-Term Solutions

  6. Supply Chain
    “A supply chain is a complex logistics system that consists of facilities that convert raw materials into finished products which are later distributed to end consumers.”
    - Wikipedia

  7. Software Supply Chain
    Anything that affects your software
    ➔ Your code
    ➔ Libraries and frameworks used by your code: Symfony, API Platform, Laravel, Doctrine…
    ➔ Package managers: Composer, NPM…
    ➔ Binaries: Linux distros, Docker containers…
    ➔ Build scripts
    ➔ Forges / CI/CD pipeline: GitHub, GitLab
    ➔ Hardware / Cloud Provider

  8. A Modern PHP App
    © Sebastian Bergmann - The PHP Stack’s Supply Chain

  9. Software Supply Chain: The Reality
    © xkcd/2347

  10. PHP Supply Chain: Going Further

  11. Supply Chain Attacks
    ➔ An attack that targets the less secure elements in the supply chain
    ➔ Can target any component of the chain
      ● hardware: spying component
      ● software: malware
    This talk will be focused on attacks targeting software, and especially PHP apps.

  12. Most Common Supply Chain Attack Vectors
    ➔ The direct dependencies of your project
      ● PHP libraries
      ● JavaScript libraries
      ● System binaries and libraries
    ➔ The transitive dependencies (dependencies of your dependencies)

  13. Common Attack: Malicious Package

  14. Common Attack: TypoSquatting
    symfont/process
    © Sean Murphy, kernelmode.blog

  15. Common Attacks: Package Takeover
    The event-stream incident
    ➔ event-stream is a popular NPM package
    ➔ Used by VSCode, Vue, Angular, Gatsby…
    ➔ Commit rights were granted to a new maintainer
    ➔ The new maintainer added a dependency to the package (= unknown code)
    ➔ The new dependency included a crypto-coin-stealing malware 💣

  16. Result

  17. Common Attack: ProtestWare
    © Sean Murphy, kernelmode.blog

  18. 01 What Is a Supply Chain Attack?
    02 The Scope of the Problem
    03 Mastering Composer to Mitigate Attacks
    04 Long-Term Solutions

  20. Dependencies In Numbers (May 2023)
    Popular PHP frameworks
    ➔ Symfony (minimal): 30 packages, 2 vendors
    ➔ Symfony: 125 packages, 17 vendors
    ➔ API Platform (minimal): 38 packages, 5 vendors
    ➔ API Platform: 98 packages, 20 vendors
    ➔ Laravel: 107 packages, 35 vendors
    Popular JavaScript frameworks and libraries
    ➔ React (Next.js): 352 packages
    ➔ Angular: 940 packages
    ➔ Vue.js: 27 packages
    ➔ Nuxt.js: 1279 packages

  21. Who Do You Trust?
    “Installing 1 average npm package introduces an implicit trust on 79 third-party packages and 39 maintainers, creating a surprisingly large attack surface.”
    - Markus Zimmermann and Cristian-Alexandru Staicu, TU Darmstadt; Cam Tenny, r2c; Michael Pradel, TU Darmstadt

  22. 01 What Is a Supply Chain Attack?
    02 The Scope of the Problem
    03 Mastering Composer to Mitigate Attacks
    04 Long-Term Solutions

  23. The Biggest Threat: Unpatched Software
    ➔ 85% of vulnerabilities in FOSS are disclosed with a patch already available
    ➔ Monitor your deps:
      ● composer audit
      ● npm audit
      ● Trivy
      ● Dependabot
    ➔ Update as soon as possible!

  24. composer audit

  25. Be Careful Who You Trust

  26. Carefully Choose Your Dependencies
    ➔ Is the package actively maintained?
    ➔ Does it have a code review process?
    ➔ Does it have a security policy?
    ➔ Is it managed by a company? By a team? By a well-known individual?
    ➔ Can I pay to ensure the maintenance is correctly done?
    ➔ Do I trust its maintainers?
    This matters even more for libraries, frameworks and popular projects.

  27. Can we improve the tooling?

  28. Install Only What You Trust

  29. Composer “Trusted” Packages

  30. Composer “Trusted” Dev Packages

  31. 01 What Is a Supply Chain Attack?
    02 The Scope of the Problem
    03 Mastering Composer to Mitigate Attacks
    04 Long-Term Solutions

  32. Long Term Solutions
    © Tidelift

  33. Thanks for your attention!
    ➔ Any questions?
    dunglas.dev
    @dunglas
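
An added example, not the Composer patch presented in the talk nor code from the deck: a lock-file check in the spirit of slides 14, 20 and 28 that counts packages and vendors, lists packages from vendors outside an allowlist, and flags vendor names that sit close to a trusted one. The `auditLock` function, the trusted-vendor list and the sample lock content are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Audit a decoded composer.lock against a vendor allowlist.
// $trustedVendors is a hypothetical, project-maintained list (an assumption).
function auditLock(array $lock, array $trustedVendors): array
{
    $report = ['packages' => 0, 'vendors' => [], 'untrusted' => [], 'lookalikes' => []];
    // composer.lock keeps runtime and dev dependencies in two separate arrays.
    foreach (['packages', 'packages-dev'] as $section) {
        foreach ($lock[$section] ?? [] as $package) {
            $name = strtolower((string) ($package['name'] ?? ''));
            if (substr_count($name, '/') !== 1) {
                continue; // not a vendor/package name
            }
            [$vendor] = explode('/', $name);
            $report['packages']++;
            $report['vendors'][$vendor] = true;
            if (in_array($vendor, $trustedVendors, true)) {
                continue;
            }
            $report['untrusted'][] = $name;
            // Heuristic: a vendor within two edits of a trusted one may be a typosquat.
            foreach ($trustedVendors as $trusted) {
                if (levenshtein($vendor, $trusted) <= 2) {
                    $report['lookalikes'][$name] = $trusted;
                    break;
                }
            }
        }
    }
    $report['vendors'] = array_keys($report['vendors']);
    return $report;
}

// Constructed sample: a trimmed composer.lock containing one look-alike vendor.
$lock = json_decode(<<<'JSON'
{
  "packages": [
    {"name": "symfony/console", "version": "1.0.0"},
    {"name": "symfont/process", "version": "1.0.0"},
    {"name": "acme/toolbox", "version": "1.0.0"}
  ],
  "packages-dev": [{"name": "phpunit/phpunit", "version": "1.0.0"}]
}
JSON, true, 512, JSON_THROW_ON_ERROR);

print_r(auditLock($lock, ['symfony', 'phpunit']));
```

On the sample, `symfont/process` and `acme/toolbox` are reported as untrusted, and only `symfont/process` is flagged as a look-alike of `symfony`.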
