Slide 1
Slide 1 text
Dependency confusion
and its cure.
A NuGet story.
Andrei EPURE
30.08.2022
Slide 2
Slide 2 text
Kudos to sponsors
2
Slide 3
Slide 3 text
the leader in Clean Code
3
Slide 4
Slide 4 text
my talk, my opinions
4
Slide 5
Slide 5 text
Andrei Epure
5
Slide 6
Slide 6 text
Dependency Confusion
?!
6
Slide 7
Slide 7 text
my promise
7
Slide 8
Slide 8 text
questions
8
Slide 9
Slide 9 text
Plan (1/3)
explain some NuGet concepts
9
Slide 10
Slide 10 text
Plan (2/3)
typosquatting
substitution attack
10
Slide 11
Slide 11 text
Plan (3/3)
Protect when
- Consuming
- Publishing
11
Slide 12
Slide 12 text
Story
12
Slide 13
Slide 13 text
SolarWinds breach (2020)
Orion: Network Management System
30K organizations
13
Slide 14
Slide 14 text
SolarWinds breach (2020)
attackers
build machines (2019)
injected malware in Orion (2020)
14
Slide 15
Slide 15 text
SolarWinds breach (2020)
malware to 18K customers
US departments (e.g. Defense, State, etc)
Microsoft, Intel, Cisco etc
FireEye
15
Slide 16
Slide 16 text
SolarWinds breach (2020)
FireEye
stolen credentials
employee noticed
investigation
16
Slide 17
Slide 17 text
SolarWinds breach (2020)
17
Slide 18
Slide 18 text
Supply chain attacks can be
catastrophic.
18
Slide 19
Slide 19 text
Plan (1/3)
explain some NuGet concepts
19
Slide 20
Slide 20 text
Who in this room…
… uses NuGet?
20
Slide 21
Slide 21 text
NuGet Concepts
1. Software Supply Chain
2. package
3. targets
4. version
5. source
6. resolution
21
Slide 22
Slide 22 text
Software supply chain
Source code
Libraries
NuGet for Dependency Management
Build tools, CI/CD, etc
22
Slide 23
Slide 23 text
NuGet
> dotnet restore
23
Slide 24
Slide 24 text
(2) NuGet Package
compiled libraries
metadata
MSBuild target files
24
Slide 25
Slide 25 text
(3) MSBuild targets
Task = action
Target = collection of tasks
25
Slide 26
Slide 26 text
(4) NuGet Version
fixed: 1.2.3
range: (,1.2.3]
floating: 1.2.*
26
Slide 27
Slide 27 text
Who in this room…
… changed a nuget.config file?
27
Slide 28
Slide 28 text
(5) NuGet Package Source
feed
central storage
28
Slide 29
Slide 29 text
Who in this room…
… uses both public (nuget.org) and
private package sources?
29
Slide 30
Slide 30 text
(6) NuGet Package Resolution
My Code
NuGet
.exe
or
dotnet
restore
build machine
30
Slide 31
Slide 31 text
(6) NuGet Package Resolution
My Code
build machine
31
Nu
Get
.exe
Slide 32
Slide 32 text
(6) NuGet Package Resolution
SOURCE 2
SOURCE 1
Foo
5.3.0
Foo
5.3.1
build machine network calls
32
My Code
Nu
Get
.exe
Slide 33
Slide 33 text
SOURCE 2
SOURCE 1
Give me:
- Foo
5.3.*
Foo
5.3.0
Foo
5.3.1
33
(6) NuGet Package Resolution
My Code
Nu
Get
.exe
Slide 34
Slide 34 text
Nu
Get
.exe
Foo
5.3.1
Best match
from ALL
sources is:
- Foo 5.3.1
Foo
5.3.0
SOURCE 1
SOURCE 2
34
(6) NuGet Package Resolution
My Code
Slide 35
Slide 35 text
SOURCE 1
Foo
5.3.1
Foo
5.3.1
Give me:
- Foo 5.3.*
Give me:
- Foo
5.3.1 SOURCE 2
35
(6) NuGet Package Resolution
My Code
Nu
Get
.exe
Slide 36
Slide 36 text
Nu
Get
.exe
SOURCE 1
Foo
5.3.1
Foo
5.3.1
SOURCE 2
36
(6) NuGet Package Resolution
My Code
Slide 37
Slide 37 text
Plan (2/3)
typosquatting
substitution attack
37
Slide 38
Slide 38 text
Attacks
Mr. Evil HACKER
30.08.2022
38
Slide 39
Slide 39 text
Why
39
Slide 40
Slide 40 text
Typosquatting
40
Slide 41
Slide 41 text
Typosquatting
My Code
Google.Protobuf
5.3.2
Give me:
Gogle.Protobuf
5.3.2
NUGET.ORG
Nu
Get
.exe
41
Slide 42
Slide 42 text
Typosquatting
My Code
Google.Protobuf
5.3.2
Give me:
Gogle.Protobuf
5.3.2
NUGET.ORG
Nu
Get
.exe
42
Slide 43
Slide 43 text
Typosquatting
My Code
Google.Protobuf
5.3.2 Gogle.Protobuf
5.3.2
Give me:
Gogle.Protobuf
5.3.2
NUGET.ORG
Nu
Get
.exe
43
Slide 44
Slide 44 text
Nu
Get
.exe
Typosquatting
My Code
Here you are:
Gogle.Protobuf
5.3.2
Gogle.Protobuf
5.3.2
NUGET.ORG
44
Slide 45
Slide 45 text
Demo 0
45
Slide 46
Slide 46 text
Substitution attack
46
Slide 47
Slide 47 text
PRIVATE SOURCE
Substitution attack
My Code
Corporate.Private.Library
5.3.1
Give me:
- Foo 5.3.*
Give me:
Corporate.Private.Library
5.3.1
NUGET.ORG
Nu
Get
.exe
47
Slide 48
Slide 48 text
PRIVATE SOURCE
Substitution attack
NUGET.ORG
My Code
Give me:
Corporate.Private.Library
5.3.1
Corporate.Private.Library
5.3.1
Nu
Get
.exe
48
Slide 49
Slide 49 text
PRIVATE SOURCE
Substitution attack
Corporate.Private.Library
5.3.1
NUGET.ORG
My Code
Give me:
Corporate.Private.Library
5.3.1
Corporate.Private.Library
5.3.1
Nu
Get
.exe
49
Slide 50
Slide 50 text
PRIVATE SOURCE
Substitution attack
NUGET.ORG
My Code
Corporate.Private.Library
5.3.1
Corporate.Private.Library
5.3.1
Nu
Get
.exe
50
Slide 51
Slide 51 text
PRIVATE SOURCE
Substitution attack
Give me:
- Foo 5.3.*
Give me:
Corporate.Private.Library
5.3.* NUGET.ORG
My Code
Corporate.Private.Library
5.3.1 Corporate.Private.Library
5.3.2
Nu
Get
.exe
51
Slide 52
Slide 52 text
PRIVATE SOURCE
Substitution attack
NUGET.ORG
My Code
Corporate.Private.Library
5.3.1 Corporate.Private.Library
5.3.2
Give me:
Corporate.Private.Library
5.3.*
Corporate.Private.Library
5.3.999
Nu
Get
.exe
52
Slide 53
Slide 53 text
Nu
Get
.exe
PRIVATE SOURCE
Substitution attack
Here you are:
Corporate.Private.Library
5.3.999
NUGET.ORG
My Code
Corporate.Private.Library
5.3.1 Corporate.Private.Library
5.3.2
Corporate.Private.Library
5.3.999
53
Slide 54
Slide 54 text
Demo 1
54
Slide 55
Slide 55 text
Plan (3/3)
Protect when
- Consuming
- Publishing
55
Slide 56
Slide 56 text
Vulnerable Configurations (1)
%AppData%\NuGet\NuGet.Config
56
Slide 57
Slide 57 text
Vulnerable Configurations (2)
57
Slide 58
Slide 58 text
As a consumer
Protection
58
Slide 59
Slide 59 text
Who in this room…
… uses Package Source Mapping?
59
Slide 60
Slide 60 text
Package Source Mapping
protect against substitution attack
60
Slide 61
Slide 61 text
Demo 2
61
Slide 62
Slide 62 text
protect against typosquatting
62
Slide 63
Slide 63 text
repository certificate
accepted
certificate
63
Slide 64
Slide 64 text
Demo 3
64
Slide 65
Slide 65 text
avoid unexpected behavior
65
Slide 66
Slide 66 text
Do not let win!
1. Package Source Mapping
2.
66
Slide 67
Slide 67 text
As a publisher
Protection
67
Slide 68
Slide 68 text
Reserve Prefix
public
private
68
packages name prefix
Slide 69
Slide 69 text
Reserve Prefix
69
Slide 70
Slide 70 text
Reserve Prefix
70
Slide 71
Slide 71 text
Sign Packages
certificate validation
71
Slide 72
Slide 72 text
Demo 4
72
Slide 73
Slide 73 text
Reserve prefixes on nuget.org
73
Do not let win!
public
private
packages
Slide 74
Slide 74 text
Sonar break
74
Slide 75
Slide 75 text
We’re hiring!
● .NET Developer Advocate
● .NET Ecosystem Product Manager
● C# Developers
sonarsource.com/company/careers
75
Slide 76
Slide 76 text
Want to talk?
76
Slide 77
Slide 77 text
Credits
77
Slide 78
Slide 78 text
Credits
In 2020, security researcher Alex Bîrsan used
substitution attack to hack into:
78
Slide 79
Slide 79 text
Credits
79
● Microsoft
● Apple
● Shopify
● Paypal
● … and another 31 big companies …
In 2020, security researcher Alex Bîrsan used
substitution attack to hack into:
Slide 80
Slide 80 text
Credits
80
● Microsoft $ 40K
● Apple $ 30K
● Shopify $ 30K
● Paypal $ 30K
● … and another 31 big companies …
Bug
bounties
In 2020, security researcher Alex Bîrsan used
substitution attack to hack into:
Slide 81
Slide 81 text
1. Package Source Mapping
2.
3. Reserve prefixes on nuget.org
81
Do not let win!
Slide 82
Slide 82 text
📄🔗
andreiepure.ro
82
Slide 83
Slide 83 text
Extra slides
83
Slide 84
Slide 84 text
Deterministic Builds
This allows mapping of a package to a specific
commit: increase transparency and allow
consumers to audit open-source code.
84
Slide 85
Slide 85 text
Fixed Versions
- it is safer to use fixed versions
(have full knowledge and control over the
supply chain)
85
Slide 86
Slide 86 text
packages.lock.json
- have control over all dependencies (direct
and transitive)
- extra mile: verify checksums
(have full knowledge and control over the
supply chain)
86
Slide 87
Slide 87 text
packages.lock.json
Source:
https://docs.microsoft.com/en-us/nuget/what-is-nuget
87