
JAWS Pankration 2024 - Achieve software supply chain security using AWS Nitro Enclaves and GitHub Actions

Presented at JAWS Pankration 2024

Richard Fan

August 25, 2024


Transcript

  1. Achieve software supply chain security using AWS Nitro Enclaves and GitHub Actions
     Richard Fan, AWS Security Hero
  2. How can things go wrong?
     Pipeline: Developers → Source → Build → Package → Consumers, with Dependencies feeding the build.
     Threats along the way: unauthorized code change; compromised repository; build from compromised source code; compromised build process; using a compromised dependency; modified package; compromised package store; downloading a compromised package.
  3. What is SLSA
     • Supply-chain Levels for Software Artifacts
     • Framework for software integrity
     • Build trust between software producer and consumer
     • Different levels of security assurance
  4. What is GitHub Actions
     • CI/CD platform
     • Workflow defined within the code repo
     • Runs on GitHub-hosted or self-hosted runners
  5. GitHub Actions workflow
       name: Build and sign EIF
       on: [push]
       permissions:
         contents: read
         packages: write
         id-token: write
         attestations: write
       jobs:
         build_and_sign_artifact:
           runs-on: ubuntu-latest
           steps:
             # ... Build and push artifact
             - name: GitHub attest
               uses: actions/[email protected]
     The final step generates and signs the provenance.
  6. The software needs to run somewhere
     Pipeline: Package → Server → End-users, via Deployment.
     Threats along the way: downloading a compromised package; compromised deployment process; unauthorized deployment; unauthorized access; accessing a compromised API endpoint.
  7. AWS Nitro Enclaves
     • Isolated virtual machine
     • Runs on EC2 instances
     • No admin access
     • No persistent storage
     • No external networking
  8. Attestation document
     1. Generated by the Nitro Enclave at runtime
     2. Presented to the client app
     3. Client validates the document
     4. Client validates the enclave fingerprint (PCRs)
  9. Where does the software come from?
     Source → Build → Package → Fingerprint (PCRs) → Enclave application. The enclave attests and hands an attestation document to end-users, who verify it against the attested artifact and, through that, verify the source code and build process.
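Slides 8 and 9 describe the client's side of the attestation flow: validate the document, then check the PCR fingerprint against what the attested build produced. The Python below is an added example, not code from the talk or the demo repository; it assumes the COSE_Sign1 signature has already been verified against the AWS Nitro Attestation PKI and the CBOR payload decoded to a dict by a library, and the measurements JSON, module id, nonce and PCR values it uses are constructed placeholders.

```python
# Added example for slides 8-9, not from the talk: what the client checks once the
# attestation document's COSE_Sign1 signature has been verified against the AWS
# Nitro Attestation PKI and its CBOR payload decoded to a dict (both assumed done
# by a COSE/CBOR library). It binds the enclave's PCR fingerprint to the attested
# build's measurements and checks freshness and the client's nonce.
import hmac
import json

# Constructed stand-in for the "Measurements" JSON that nitro-cli build-enclave
# prints for an EIF; in the pipeline above the signed GitHub provenance vouches
# for these values. Hex values are placeholders, not real measurements.
BUILD_MEASUREMENTS = json.loads('{"Measurements": {"HashAlgorithm": "Sha384 { ... }",'
    ' "PCR0": "%s", "PCR1": "%s", "PCR2": "%s"}}' % ("11" * 48, "22" * 48, "33" * 48))

MAX_AGE_MS = 5 * 60 * 1000  # reject attestation documents older than five minutes

def expected_pcrs(measurements: dict) -> dict:
    """PCR0 (image), PCR1 (kernel + bootstrap), PCR2 (application) as raw bytes."""
    m = measurements["Measurements"]
    return {i: bytes.fromhex(m["PCR%d" % i]) for i in range(3)}

def verify_attestation(payload: dict, measurements: dict, nonce: bytes, now_ms: int):
    """Return None if the decoded payload is acceptable, else the first rejection reason."""
    if payload.get("digest") != "SHA384":
        return "unexpected digest algorithm"
    age = now_ms - payload["timestamp"]  # document timestamp is ms since epoch
    if age < 0 or age > MAX_AGE_MS:
        return "attestation document is stale or from the future"
    # The nonce the client sent with its request must come back unchanged (anti-replay).
    if not hmac.compare_digest(payload.get("nonce") or b"", nonce):
        return "nonce mismatch"
    for idx, want in expected_pcrs(measurements).items():
        if not hmac.compare_digest(payload["pcrs"].get(idx, b""), want):
            return "PCR%d does not match the attested build" % idx
    return None

def demo() -> tuple:
    """Constructed payloads: one matching the build, one with a tampered PCR2, one stale."""
    nonce = b"\xaa" * 20
    good = {"module_id": "i-0123456789abcdef0-enc0123456789abcde", "digest": "SHA384",
            "timestamp": 1_724_544_000_000, "nonce": nonce, "user_data": None,
            "pcrs": {0: bytes.fromhex("11" * 48), 1: bytes.fromhex("22" * 48),
                     2: bytes.fromhex("33" * 48), 3: bytes(48), 4: bytes(48)}}
    tampered = dict(good, pcrs={**good["pcrs"], 2: bytes.fromhex("44" * 48)})
    now = good["timestamp"] + 1_000
    return (verify_attestation(good, BUILD_MEASUREMENTS, nonce, now),
            verify_attestation(tampered, BUILD_MEASUREMENTS, nonce, now),
            verify_attestation(good, BUILD_MEASUREMENTS, nonce, now + MAX_AGE_MS + 1))
```

Only PCR0 to PCR2 are compared because those are the measurements the build produces; the client still has to obtain them from the signed provenance rather than from the enclave itself.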
  10. Demo - How high (or low) is my salary?
      • This is a difficult question
      • I want to know how much you earn
      • But I don't want you to know how much I earn
  11. Demo - How high is my salary enclave app
      • Only tells you where your salary ranks
      • Source code is open
      • Build process is open
      • Runs on AWS Nitro Enclave
      • Proved by attestation document
      • Data encrypted between you and the enclave
  12. Demo - How high is my salary enclave app
      • https://github.com/richardfan1126/how-high-is-my-salary-enclave-app
      • Easy setup (Terraform)