ソフトウェアサプライチェーンのこれから / Securing Software Supply Chain

ÉÉÆÈÃÇÇÈÄÂÉÁÅÈÄÀÂ
20@731$6983('#"%45&)!
bhfPcaeGYYcVWTRIHYX
EQcdFcgUeDYCBSGeeAS`
#"%45&"'$wfssst'69'cWq#"%45&6i

View Slide

© 2022 https://shift-js.info
ソフトウェアサプライチェーンセキュリティのこれから 1
$ whoami
米内貴志（よねうちたかし
取締役 CT
日本語ラップと綺麗な型が好
著
『Webブラウザセキュリティ
『詳解セキュリティコンテスト』
株式会社 Flatt Security

View Slide

&0'Ç0%)É2!$#(
%ÈÆ01ÅÄ Ã&Â"ÁÀ
u@qheewEytergdc)0&0XWUvT'RP$ÃGi
É2!$#9ÁÀ7Ã61543ÁV
1ÅPdf#4e
É2!$ml
§x«z¡¨¢ª§¬x¢
¦¨ z¥~|
{y}wv¤©u£t
1ÅPdf#4e
æãïâéÇÙ¢ËÔçÍ¡wÕàÒÌÊ½
Èåð×ÓÑÆÄÐ¡ëÁÏ¾í¼Å»Öº
¸·¶µ¡§x«zÅ¼¬xª¿ê±°
ò
ò
1ÅÄ Ã4e
ShishowCloudwÇシショ«§x«zÔçPolicywaswCodå¡取
組みÏ現ソê¿«ェアサ¬x チェ¢¡安Í
守Ì×ÓÑÆÄÐ¬xª¿ê±°
2
ソフトウェアサプライチェーンセキュリティのこれから © 2022 https://shift-js.info

View Slide

%6 98@532178)(&$'#4"!0 A
SRQIFPGDPEGCHFCHB
T CHpGwvrHsGCPÉiÂÉehdticÆÆa`YhÄÀitUcdÄÉ`
mGpIwnswFPiGqFdFCHBhÀiÂÉehdticÆÆa`YhÄÀitUcdÄÉ`
v sBHGpFYtiÄÀÄÀtdÄ~UhÉÄÀÂdicÆÆa`YhÄÀwÀÉtdÄÉ`
¹¨cdÀt`©¬cÄah¢Fps¶RQIFPPSpRrFRQIFiÂÉehdticÆÆa`YhÄÀ
º SÔFPÍvHvpFPÂiÂÉehdticÆÆa`YhÄÀitUcdÄÉ`

View Slide

%6 98@532178)(&$'#4"!0 A
FEDBC
iUfgUcdbDYUVa`DXbgXbdSUa`XEBEbgUCdEXdCEIScDHUdCWGGBRda`DgXdCUaWHgSQ
UfUXdSEEdUDHBRdSEdDqEGS

View Slide

© 2022 https://shift-js.info 5
Software Supply Chain Security

View Slide

Supply Chain
“
, each of which is an acquirer
that begins with the sourcing of products and services and
extends through the product and service life cycle”
the linked set of resources and processes between and among
multiple levels of an enterprise
NIST SP800.161 Revision 1

View Slide

Software Supply Chain
S LS A Ve rs i o n 1
“ T h e s e q u e n ce of ste ps re s u l t i n g i n t h e c reat i o n of a n a r t i fa ct ”

View Slide

%6 98@532178)(&$'#4"!0 A
QHFHGIHGCPBEHDD
HCFuBaqHCCiFgggrdBcyYtpebXxWUvfTvQR`RVtpebh

View Slide

Recap: Codecov Incident

View Slide

Incident: event-stream
https://www.npmjs.com/package/event-stream

View Slide

https://github.com/dominictarr/event-stream/issues/73

View Slide

https://github.com/dominictarr/event-stream/commit/e3163361fed01384c986b9b4c18feb1fc42b8285

View Slide

https://github.com/dominictarr/event-stream/issues/115

View Slide

%6 98@532178)(&$'#4"!0 BA
qdfaVXecURcp`QXiVfacpTIIGWcHdVUS
pXaIYbVeaFcHGVeeUPhVXU`RcbWcpDpgcQfVEai`fC
dXXIexxeGeVuFaxeIahxyusxXdfaVXe

View Slide

%6 98@532178)(&$'#4"!0 BA
SRQHFGPEGGDFCI
VeDbbRcFDGRWUPf`PTDGXb
XGGbwfeWQ`WGDCvHWbGXWvHfQHrbHFtQRG`RUFRuHUGHU

View Slide

%6 98@532178)(&$'#4"!0 BA
YcVa`TQRXIRRUQWHXFP`SbEPXF`UcHDU`TcRXCTDTcVTcQaTG
fuUHHasQURaScXvpXdURPH

View Slide

%6 98@532178)(&$'#4"!0 BA
dgaXeVSTcRTTYSbQcTPeUfGPcd`FEXSXTDHFYWfVcCVFVgaVgSXVI
pEYQQXwSYTXUgctchYTPQ
pqVSYFjcQVSSY`FxcuniemotpdDpCsyiewv

View Slide

72D@09!03C#2A313)5'B
%)C62$59"D3C6( @4C&"!)C638(D!54

View Slide

%6 98@532178)(&$'#4"!0 BA
QFWTSRPSGVIFUGEGDHC
phfTPcV
bGcHFWC
pcw
tcFCsCHGEC
Gc
QC
tDHGWWPCGC

View Slide

%6 98@532178)(&$'#4"!0 BA
IQPHRGHQFEDC
tqHFqHRxixpxhHtsgyieHtwddbfHcipxHtwepgf
aH`XbdYxgHsHYYepibHsgyieHsgxH
biWHgeixdiexfVHwUpxgHswHxHgHiTpbpgfHsHgHsgyieHgHepgHiggiWVHix`Hi`SwigHxgebHgHdeXxgH
giYdepxhHTfHYibppwHige
ntoywÈwuhmÄÉjÂÈÂÉetmwhÈwfdjÉwwfwmtwmÀwÀÉÄÈÄÉt
ÉÉwwfwmtwmÀwÀÉkÈtdÄÄÉjÉÆwmÂmÄÉÈumÄÉÄutÂhÀuÉÄÀÈ
ywmwÄÈtÆmwÈÈÄÀÀwwfÉÄÆwwÀÉmwmÄmhÈtÀfÆmwfÄuÉtdwwutÀÄÈÈÂm
wÀÈhmÄÀÉtÉÆmfhuÉÈÂhÀuÉÄÀÈwuhmwjtÀftÈÄÀÉwÀfwfywÈwuhmÄÉjtÀfÄÀÉwmÄÉjÂumÄÉÄutÈÂÉetmwÈÂÉetmw
ÉtÉÆwmÂmÈÂhÀuÉÄÀÈumÄÉÄutÉÉmhÈÉnÈhutÈtmfÄÀmmwhÄmÄÀwwtÉwfÈjÈÉwÆmÄÄwwÈmfÄmwuÉtuuwÈÈÉ
ÀwÉemÄÀtÀfuÆhÉÄÀmwÈhmuwÈoÄÈtÆtmÉÄuhtmuÀuwmÀuumfÄÀjÉwwfwmtwmÀwÀÉhÈÉÉtwtuÉÄÀÉ
mtÆÄfjÄÆmwÉwÈwuhmÄÉjtÀfÄÀÉwmÄÉjÂÉwÈÂÉetmwÈhÆÆjutÄÀeÄÉtÆmÄmÄÉjÀtffmwÈÈÄÀumÄÉÄutÈÂÉetmw

View Slide

#1: EO 14028 ― Tasks

View Slide

#1: EO 14028 ― SP 800-218 (NIST SSDF)

 Prepare the Organization (PO)
Related: preparation of people, processes, and tools

 Protect the Software (PS)
Rleated: artifact integrity

 Produce Well-Secured Software (PW)
Related: designing, writing, and testing of software

 Respond to Vulnerabilities (RV)
Related: everything after software releases

View Slide

#1: EO 14028 ― SP 800-218 (NIST SSDF)
Quoted from SP 800-218 (NIST SSDF)

View Slide

#2: サイバーセキュリティ2022

View Slide

#3: Package Ecosystems ― Hardening of AuthN

View Slide

#3: Package Ecosystems ― Changing Its Nature

View Slide

#4: Sigstore

View Slide

#5: Alpha-Omega Projects (OpenSSF)

View Slide

#6: Allstar & Scorecard (OpenSSF)

View Slide

#7: Assured Open Source Software Service (Google)

View Slide

%6 98@532178)(&$'#4"!0 BA
HEGFEDGC
eGW`DFGUTSGaaGFR
QcYaFcPTcYTIIb
eGW`DFGU
y ccvT`aqGYaDQDarTcgTtfi
y ccvTDYaGfFDarTcgTtfU
`SPDUqGU fGPDEGFU
fGGYvUTCqDPGTFGW`DFDYf
y ccvT`aqGYaDQDarTcgTtfi
y ccvTDYaGfFDarTcgTtfU
I`cFaq
~DvGvTnPqwHGfTFclGQaUt
I`cFaq
~DvGvTnPPUaFt
cFtUTDaq
qcT
`SPDUqGU
qcT
fGPDEGFU
qcT
fGEGPc
THU
HGYII¡
TIGQ`FDarT
¦GYvcFU
`SPD±
IGQacFq
TªUGFU

View Slide

%6 98@532178)(&$'#4"!0 BA
GTWRUVPIQRUVPIRTVWHSFRERDWQC
`Y
sHiSpfR
TYfIWba
sPfP
wfWavaIYta
Yf
Ua
wdIYbbpaYa

View Slide

No Silver Bullet
(Recap: #seccamp2022b4)

View Slide

No Silver Bullet. Back to the Basics!
1 Identify your assets.
2 Know threats and risks.
3 Reduce risks.

View Slide

Least Privilege and Short-lived Credentials

View Slide

Minimization of Dependencies







Adding dependencies accelerates “dependency hell”!
yarn add foo

View Slide

Minimization of Dependencies
yarn add foo







Adding dependencies accelerates “dependency hell”
Take a step back before `yarn add ...` to minimize risks.

View Slide

$&'%#"!' #&
R SC'#%EPGPD9CHP1#"EPR S& &SP5P4E% A9' #&P@#%PR!22)HP1B9 &P$&'ES% 'H

View Slide

%6 98@532178)(&$'#4"!0 BA
WTIUTRIQSPHSWGEPRGESDPTIFIGCV
tIfiRUIVSbICCIUa
`PGCUPYSPGSXXq
tIfiRUIV
PPSiCIGCR`RCSPHSEx
PPSRGCIEURCSPHSEV
jibYRVIV oIYRTIUV
oIIGVSQRYISUIfiRURGE
PPSiCIGCR`RCSPHSEx
PPSRGCIEURCSPHSEV
XiPUCz
RISwYWFIESjUPuI`CV}
XiPUCz
RISwYYVCU}
PUVSRC
PS
jibYRVIV
PS
oIYRTIUV
PS
oITIYP
SWV
WIGXXª
SXI`iURCS
¯IGPUV
jibYRº
XI`CPUz
S³VIUV

View Slide

%6 98@532178)(&$'#4"!0 BA
TWGSPQIHRITGHUWGIFEGIDSVHWVGC
tGfigEGdIbGPPGEa
`HSPEHWIHSIXXq
tGfigEGd
HHCIiPGSPg`gPQIHRIUux
HHCIgSPGuEgPQIHRIUud
mHI
TibWgdGd
mHI
uGWgVGEd
mHI
uGVGWHU~
yI}Ud
}UGSXX
yIXG`iEgPQI
GSCHEd
TibWg
XG`PHE
yIdGEd

View Slide

Recap: No Silver Bullet. Back to the Basis!

View Slide

$"! #
I P@F#HBGDGA6@EG(#4BGI P3 3PG2G1BH 8!6F #3G7#HGI))"EG(96 3G%3FBPH FE

View Slide

%6 98@532178)(&$'#4"!0 BA
HCFEDG
HCFEDGeaXG`YaVDUbDbUaXYTSDQEISYaPCSGTDSR

View Slide

%6 98@532178)(&$'#4"!0 BA
VTRQPIEUSDGPHGFC
gD`FfPQTFPhGUUGYDfXW
IEUSDGPDCCEFCW
q
uFvQDwSRQF

QTRQPFCSvDFC
HPDfPRfP
d
d DC
lFjPgYfFv
d
m
d
m Gh
vD`RQFPlFj
m
m
EUDSPlFj
m
m
n
EUDSPlFj
m
m o HPQGrFfPhGv
HPDfPRfP
d
d z
DXfRQEvF

GhPRPSURDPDfPQTFPQGrFf

View Slide

How Fulcio Works
F3. Pass CSR + T F4. Fetch JWKS
F5. Return JWKS
F6. Verify T
F7. Return a Cert
F1. Request an ID token
F2. Issue the token T
Signer
Fulcio
IdP

View Slide

How Fulcio Works
Signer
Fulcio
IdP
\ You’re Taro! /
\ I’m Taro /

View Slide

%6 98@532178)(&$'#4"!0 BA
DSRPTGUEFSPQSHIC
TfcPaYCCPbWXPVP`
WFprqH
TGUEFS
vta
w
vhPYGqrFEYqtPYCP`YHSPFrPvtacPDqHqhCPPGgUFEPIq
PYrtPqPqyFtqrEqPSxPIqPSCCqCCFSrP
k

View Slide

%6 98@532178)(&$'#4"!0 BA
DSRPTGUEFSPQSHIC
TefPTcbEYPaQXV
TfPvcbGHqPaQXV
TfPcHFP
VFqcH
TGUEFS
ed
f
excPESqkHtcPSGxHcPpHSPpq}
SGxHcPbYcPSRqcHPSPbYcPjGwUFEPIci

View Slide

%6 98@532178)(&$'#4"!0 BA
DSRPTGUEFSPQSHIC
TefPb`XGHVPaPY`HX
iFpV`H
TGUEFS
vtu
vPFVPaVPvtu

FC
`PRV`H

S
uHFdaX`P`

uGoUFEP`

Y`HXFzEaX`
}
}

View Slide

with Fulcio
e.g. oauth2.sigstore.dev
F3. Pass CSR + T F4. Fetch JWKS
F5. Return JWKS
F6. Verify T
F7. Return a Cert
You
Fulcio
IdP

View Slide

%6 98@532178)(&$'#4"!0 BA
FVUQGXWTRUVIHSWEVUPWDGCRVI
DifWdbSSWe`aWYWc DfWDxURPWvrs`
DfWaxUGHWvrs`
DjfWxVfhWc
DufWaxUGHWbWexU
DfWaxGxSUWbHWxWUIxH
DfWxSSGxWUPxWUIxHWc
rIIE
DGCRVI
FQ
x¡d

View Slide

Exercise
Play with Fulcio

View Slide

#" !
H4I9E!"FCF@59DF'3"FH4I242IF1F0"!47&5E42F6!FH)((%DF'8542F$2E"I!4ED

View Slide

Rekor
Rekor: Immutable and Tamper-Resistant Metadata Ledger

View Slide

%6 98@532178)(&$'#4"!0 BA
TSRPIQEHFGIDFEC
hqÈgIPSEIiFaaFYqgXIqgWfPCV
tiGFxIyfasqFr

EGPqsRPE

PSRPIECsGqEC
pDIqgIRgIpi
q
q qC
yEwItYgEG
q
z
q
z Fi
iGq`RPEIyEw
z
z
ifaqsIyEw
z
z
IRgIPSEgICPFGECIPSEIqgWfPCIPFIGEsFGV
pDIqgIRgIpi
q
q XEgEGRPE
qXgRPfGE

Fi
QECFfGsE

qXgRPfGE

Fi
QECFfGsE

w
iGq`RPEIyEw
z
z
QEHFGIÈGqECV

ifaqsIyEw
z
z qg
EGPqsRPE

ÈGqEC
qXgRPfGE

Fi
QECFfGsE

CfssECCifaaw

EGPqsRPE

qCIaEXqPqxRPE

View Slide

%6 98@532178)(&$'#4"!0 BA
WVUGSPGTVRHQGEFDIC
ScGbaG`aGSYX
f
f bQGtpu`hGPV
tGyUatR
f

f
V
XRb`PtGt

XufhbGt

b
otRPbq`Pt
t
t bQGhtwbPbv`Pt
otRPbq`Pt
t
t bQGhtwbPbv`Pt
ScGbaG`aGSYX
f
f bQGtpu`hGPV
tGyUatR
f

f
V
XRb`PtGt

XufhbGt

RVvG`GYtqabPbVaGVG`GtRPbq`PtGtRt~
¢PtRGtHVRGtRbqtQGPtGVhhVUbawGVhYQ~
Wtat~

View Slide

%6 98@532178)(&$'#4"!0 BA
WVUFSIFTVQGPFERDHC
`xIrQFhrGVQqPFirQcwadIcVpyFIfrFxVggVUcpYFfVgXP
Wrpar
frFxVggVUcpYFfVgXPFcpFYrprQdg
kifgcaFrg
l
l cp
prQIcwadIr
u
u irQcwrP
zcYpdIiQr

Vx
hrPViQar

PiaarPPxiggg
rgFUprQ

l

l Vx
kQcidIrFrg
l
l
kifgcaFrg
l
l iPIFfrFUfVFYrprQdIrX
zcYpdIiQr

Vx
hrPViQar

rgFUprQ

l

l Vx
kQcidIrFrg
l
l
kifgcaFrg
l
l iPIFfrFUfVFYrprQdIrX
zcYpdIiQr

Vx
hrPViQar

cx
kifgcaFrg
l
l adpFirQcxg
zcYpdIiQr

View Slide

How It Works (3/3)
From “How It Works (1/3)”:
From “How It Works (2/3)”:
Hence:
ID in an IdP

 is equal to
Key Owner



 of
Private Key


Public Key


Key Owner



 of
Private Key


Public Key

 must be who generated
Signature

 of
Resource


ID in an IdP

 generated
Signature

 of
Resource



View Slide

Exercise
Play with Rekor

View Slide

%6 98@532178)(&$'#4"!0 BA
SYVTRQIPUTWIHFEVDXIGXYC
pDcYiIWUYIqXEEXbDiaQ
HFEVDXIDCCFYCQ
wYxWDyVTWY

WUTWIYCVxDYC
eGIDiITiIe
f
f DC
nYlIibiYx
f
o
f
o Xq
xDcTWYInYl
o
o
FEDVInYl
o
o
p
FEDVInYl
o
o q eGIWXtYiIqXx
eGIDiITiIe
f
f |
DaiTWFxY

XqITIVETDIDiIWUYIWXtYi

View Slide

%6 98@532178)(&$'#4"!0 BA
QWTRPIGHSRUGQWFVEGDVWC
qtcWpGUSWGrVddVbtpaGtpPiUCI
wrEVGidTtVu

WEUtTRUW

USRUGWCTEtfWC
sDGtpGRpGsl
t
t tC
|WzGwbpWE
t
}
t
} Vr
lEtcRUWG|Wz
}
}
lifdtTG|Wz
}
}
GRpGUSWpGCUVEWCGUSWGtpPiUCGUVGEWTVEI
sDGtpGRpGsl
t
t aWpWERUW
tapRUiEW

Vr
QWCViETW

tapRUiEW

Vr
QWCViETW

fz
lEtcRUWG|Wz
}
}
QWFVEGcWEtWCI

lifdtTG|Wz
}
} tp
WEUtTRUW

cWEtWC
tapRUiEW

Vr
QWCViETW

CiTTWCCriddz

WEUtTRUW

tCGdWatUtRUW

View Slide

%6 98@532178)(&$'#4"!0 BA
gDSQd`VfeTXdRdPWcXHdFUSbfWEdIaCGY
h
xVbfTediWt
y
y
xHTSQWdiWt
y
y ddQXcWUdXH
ddTUdSUddfx
m
m n
PWEXVHeW
o
o
{VwwXEWdtXVdDSWv
`VfeTXdRdPWcXHdcWWwEv
|
WHQTeSQW

TQD
xVbfTediWt
y
y QDSQdfWEeHTbWE
ddTUdSUddfx
m
m TE
iWtdUWH
m
y
m
y X
xHTSQWdiWt
y
y
xVbfTediWt
y
y
{TUSQVHW

X
PWEXVHeW
o
o bt
xHTSQWdiWt
y
y
«XdWUSbfWdVEdQXdHWeXHfv
|
ddTUdSUddfx
m
m WUWHSQWf
{TUSQVHW

X
PWEXVHeW
o
o

View Slide

%6 98@532178)(&$'#4"!0 BA
gETRdaWfeUYdSdQXcYIdGVTbfXFdPDCH`
h
xWbfUediXt
y
y
xIUTRXdiXt
y
y ddRYcXVdYI
ddUVdTVddfx
m
m n
QXFYWIeX
o
o
{WwwYFXdtYWdETXv
aWfeUYdSdQXcYIdcXXwFv
|
XIRUeTRX

URE
xWbfUediXt
y
y RETRdfXFeIUbXF
ddUVdTVddfx
m
m UF
iXtdVXI
m
y
m
y Y
xIUTRXdiXt
y
y
xWbfUediXt
y
y
{UVTRWIX

Y
QXFYWIeX
o
o bt
xIUTRXdiXt
y
y
|
ddUVdTVddfx
m
m XVXITRXf
{UVTRWIX

Y
QXFYWIeX
o
o
±d|dIXFYWIeXdFUVTRWIXdfUVcFdUREdTVdUfXVRURt¨dTFdXffdTFdTdcXt²

View Slide

%6 98@532178)(&$'#4"!0 BA
fDSQc`VedTXcRcPWbXHcFUSaeWEcIGCGY
g
wVaeTdchWs
x
x
wHTSQWchWs
x
x cQXbWUcXH
cTUcSUcew
l
l m
PWEXVHdW
n
n
c~XceXUwWHcUWWecQXcbWWrcScrHTSQWcbWscXHcSceXUwz
`VedTXcRcPWbXHcbWWrE

WHQTdSQW

TQD
wVaeTdchWs
x
x QDSQceWEdHTaWE
cTUcSUcew
l
l TE
hWsc¡UWH
l
x
l
x X
wHTSQWchWs
x
x
wVaeTdchWs
x
x §
¬TwUSQVHW
±
± X
PWEXVHdW
n
n as
wHTSQWchWs
x
x
ÀXcWUSaeWcVEcQXcHWdXHe

cTUcSUcew
l
l wWUWHSQWe
¬TwUSQVHW
±
± X
PWEXVHdW
n
n

View Slide

&0'Ç0%)É2!$#(
%ÈÆ01ÅÄ Ã&Â"ÁÀ
u@qheewEytergdc)0&0XWUvT'RP$ÃGi
É2!$#9ÁÀ7Ã61543ÁV
d6Æ
}twtqxrw
t~p{u~omzvy
|yksjqtihgfnel
heeey
ËÇ»µ}¹¸Ä·´ºpqxr¨
°À§¶}¦£¬¢~p¨°ÂÀ«¡z
Ê ¬¢¹¥mzvyw
ÌÌÌ
ÕàÐãâäßÝÜÛáâÙØÖÔ×ÓÞÒÑÏÎÚÍ õôñóññôðîîëíèììíðéçîæêíïéåçò

View Slide

ソフトウェアサプライチェーンのこれから / Securing Software Supply Chain

ソフトウェアサプライチェーンのこれから / Securing Software Supply Chain

Takashi Yoneuchi

More Decks by Takashi Yoneuchi

Other Decks in Programming

Featured

Transcript