Securing Code with Govulncheck

Transcript

1. 1 Securing Code with Govulncheck Chin-Ming Huang & Mohit Pokharna

2. 2 Software engineer at Mercari since 2020, primarily focusing on

   ML-assisted Listing and Search backend. Chin-Ming Huang Software engineer at Mercari since 2019, primarily focusing on ML price and Search backend.
 Mohit Pokharna

3. 3 Why Security? Agenda Vulnerability Govulncheck Demo 02 03 04

   01

4. 4 Why Security?

5. 5 How Costly are Security Breaches? USD 4.45M (~663M JPY)

   Average Total Cost of a breach in 2023 277 days Time to identify and contain a data breach 17% Data breaches with known unpatched vulnerabilities or unknown (zero-day) vulnerabilities Ref: IBM Report

6. 6 Notable Security Incidents (2017) Equifax Data Breach (2019) Docker

   Hub Breach (2020) SolarWinds Supply Chain Attack (2021) Codecov Supply Chain Attack (2021) Log4Shell Vulnerability

7. 7 Notable Security Incidents (2017) Equifax Data Breach (2019) Docker

   Hub Breach (2020) SolarWinds Supply Chain Attack (2021) Codecov Supply Chain Attack (2021) Log4Shell Vulnerability • Mar 7th: security patch released by Apache Struts

8. 8 Notable Security Incidents (2017) Equifax Data Breach (2019) Docker

   Hub Breach (2020) SolarWinds Supply Chain Attack (2021) Codecov Supply Chain Attack (2021) Log4Shell Vulnerability • Mar 7th: security patch released by Apache Struts • Mar 12th: breach started at Equifax by hackers

9. 9 Notable Security Incidents (2017) Equifax Data Breach (2019) Docker

   Hub Breach (2020) SolarWinds Supply Chain Attack (2021) Codecov Supply Chain Attack (2021) Log4Shell Vulnerability • Mar 7th: security patch released by Apache Struts • Mar 12th: breach started at Equifax by hackers • Jul 29th (76 days later): breach was discovered by Equifax

10. 10 Notable Security Incidents (2017) Equifax Data Breach (2019) Docker

    Hub Breach (2020) SolarWinds Supply Chain Attack (2021) Codecov Supply Chain Attack (2021) Log4Shell Vulnerability • Mar 7th: security patch released by Apache Struts • Mar 12th: breach started at Equifax by hackers • Jul 29th (76 days later): breach was discovered by Equifax • Impacted over 147 million people including PII data

11. 11 Notable Security Incidents (2017) Equifax Data Breach (2019) Docker

    Hub Breach (2020) SolarWinds Supply Chain Attack (2021) Codecov Supply Chain Attack (2021) Log4Shell Vulnerability • Mar 7th: security patch released by Apache Struts • Mar 12th: breach started at Equifax by hackers • Jul 29th (76 days later): breach was discovered by Equifax • Impacted over 147 million people including PII data

12. 12 Vulnerability

13. 13 Vulnerability CVE defines a vulnerability as: (ref) "A weakness

    in the computational logic (e.g., code) found in software and hardware components that, when exploited, results in a negative impact to confidentiality, integrity, or availability. Mitigation of the vulnerabilities in this context typically involves coding changes, but could also include specification changes or even specification deprecations (e.g., removal of affected protocols or functionality in their entirety)."

14. 14 • The mission of the CVE® Program is to

    identify, define, and catalog publicly disclosed cybersecurity vulnerabilities. • There is one CVE Record for each vulnerability in the catalog. • The vulnerabilities are discovered then assigned and published by organizations from around the world that have partnered with the CVE Program. CVE Program (ref)

15. 15 CNAs are vendor, researcher, open source, CERT, hosted service,

    bug bounty provider, and consortium organizations authorized by the CVE Program to assign CVE IDs to vulnerabilities and publish CVE Records within their own specific scopes of coverage. CVE Numbering Authorities (CNAs) (ref)

16. 16 CNA for Go: Go Project

17. 17 National Vulnerability Database (NVD) Dashboard Ref: https://nvd.nist.gov/general/nvd-dashboard @2024.3.17

18. 18 Vulnerabilities Discovered Every Year Ref: National Vulnerability Database

19. 19 • Scan source code and binaries for vulnerabilities. •

    Keep your Go version and dependencies up to date. • Test with fuzzing to uncover edge-case exploits. • Check for race conditions with Go’s race detector. • Use Vet to examine suspicious constructs. • Subscribe to golang-announce for notification of security releases. Best Practices (ref)

20. 20 • Scan source code and binaries for vulnerabilities. •

    Keep your Go version and dependencies up to date. • Test with fuzzing to uncover edge-case exploits. • Check for race conditions with Go’s race detector. • Use Vet to examine suspicious constructs. • Subscribe to golang-announce for notification of security releases. Best Practices (ref)

21. 21 Govulncheck

22. 22 Vulnerability Management Ref: https://go.dev/doc/security/vuln/

23. 23 • National Vulnerability Database (NVD) (ref) • GitHub Advisory

    Database (ref) • Reported from package maintainers (ref) Data Sources

24. 24 • All reports in the database are reviewed and

    curated by the Go Security team. • Reports are formatted in the Open Source Vulnerability (OSV, Github) format and accessible through the API. Vulnerability Database

25. 25 https://pkg.go.dev/vuln/

26. 26 GO-2024-2631 (1/2)

27. 27 GO-2024-2631 (2/2)

28. 28 Default database URL: https://vuln.go.dev/ API (ref) API Description /index/db.json[.gz]

    The latest time the database should be considered to have been modified, as an RFC3339-formatted UTC timestamp ending in "Z". /index/modules.json[.gz] Returns a list containing metadata about each module in the database. /index/vulns.json[.gz] Returns a list containing metadata about each vulnerability in the database. /ID/$id.json[.gz] (e.g. /ID/GO-2022-0191.json) Returns the individual report for the vulnerability with ID $id, in OSV format. ID format: GO-<YEAR>-<ENTRYID>

29. 29 Govulncheck (doc) • Govulncheck reports known vulnerabilities that affect

    Go code. • It uses static analysis of source code or a binary's symbol table to narrow down reports to only those that could affect the application.

30. 30 Unless otherwise noted, the Go source files are distributed

    under the BSD-style license found in the LICENSE file. Database entries available at https://vuln.go.dev are distributed under the terms of the CC-BY 4.0 license. License (ref)

31. 31 • Govulncheck analyzes function pointer and interface calls conservatively,

    which may result in false positives or inaccurate call stacks in some cases. • Calls to functions made using package reflect are not visible to static analysis. Vulnerable code reachable only through those calls will not be reported. Use of the unsafe package may result in false negatives. • Because Go binaries do not contain detailed call information, govulncheck cannot show the call graphs for detected vulnerabilities. It may also report false positives for code that is in the binary but unreachable. Limitations

32. 32 • There is no support for silencing vulnerability findings.

    See https://go.dev/issue/61211 for updates. • Govulncheck only reads binaries compiled with Go 1.18 and later. • For binaries where the symbol information cannot be extracted, govulncheck reports vulnerabilities for all modules on which the binary depends. Limitations

33. 33 Demo

34. 34 • Install the latest version: go install golang.org/x/vuln/cmd/govulncheck@latest •

    Run govulncheck inside your module: (default: -mode=source) govulncheck ./… • Scan binary: govulncheck -mode=binary <BINARY> Install and Run

35. 35 • Add the following step to your workflow: Github

    Action (ref, src)

36. 36 Example (GO-2024-2610, #2610, #65697) go.mod

37. 37 Run: govulncheck ./...

38. 38 Vulnerability Report: GO-2024-2610

39. 39 • Vulnerable result: <script>var a = /* json: error

    calling MarshalJSON for type *main.beep: </script> */null </script> • Fixed result: <script>var a = /* json: error calling MarshalJSON for type *main.beep: \x3C/script> */null </script> Results:

40. 40 Q&A