サプライチェーン攻撃に備える

Transcript

1. αϓϥΠνΣʔϯ߈ܸʹඋ͑Δ

2. Today's GOAL 1. ۀքͱͯ͠ͷऔΓ૊ΈΛ஌Δ 2. αϓϥΠνΣʔϯ߈ܸͷରࡦͷجຊΛ஌Δ 3. GradleͰରࡦ͢ΔࡍͷϙΠϯτΛ஌Δ

3. ⚠ Attention

4. ⚠ Attention

5. • About Supply Chain Attack • Supply Chain Attack Case

   Studies and Industry Response • Fundamental Prevention and Mitigation Strategies • How Gradle Veri fi es Artifacts • Let's Do Veri fi cation Outline

6. About Supply Chain Attack

7. About Supply Chain Attack

8. Supply Chain Attack Case Studies • ࣮ྫ঺հ • Poly fi

   ll.io • CDNܦ༝ͰόοΫυΞͷ͋Δίʔυ͕഑෍͞ΕΔΑ͏ʹͳͬͨ • XZ Utils • ੬ऑੑͷ͋ΔίʔυΛϝϯςφʔʹ৴པͤͯࠞ͞ೖͤͨ͞ • Log4Shell • ϥΠϒϥϦʹ͋Δ੬ऑੑΛར༻ͯ͠ϦϞʔτίʔυΛ࣮ߦͰ͖ͯ͠·͏ • https://blog.gradle.org/log4j-vulnerability

9. Gradle Wrapper Attack • MinecraftOnlineͷҰ෦ͷϦϙδτϦͰൃݟ • Discordͷೝূ৘ใࡡऔ • ೚ҙίʔυ࣮ߦ •

   jarϑΝΠϧͷsha256 checksum͕Ұக͠ͳ͍͜ͱ͔Β൑໌ ❌ 8449b6955690ec956c8ecfe1ae01e10a2aa76ddf18969985c070e345605acce1 ❌ 8e129181710bdc045423ddde59244586d7acbc0b2c5e2ddfc098559da559cf85

10. Suddenly... ීஈαϓϥΠνΣʔϯ߈ܸΛҙࣝͯ͠·͔͢ʁ🖐

11. SLSA(Supply chain Levels for Software Artifacts) • Ϩϕϧ෼͚͞ΕͨαϓϥΠνΣʔϯηΩϡϦςΟͷΨΠυϥΠϯ • Google

    ͷࣾ಺ϑϨʔϜϫʔΫ͕ݩͱͳͬͯఏএ͞Εͨ • v1.0Ͱ͸ιʔε؅ཧʹ͸৮ΕͣϏϧυϑΣʔζʹϑΥʔΧε • L1: Exists Provenance • L2: Signed Provenance, Hosted Builder • L3: Signed Provenance, Isolated Builder • Veri fi able Provenanceͱ׬શʹಠཱͨ͠Ϗϧυ؀ڥΛߏங͢Δ͜ͱͰϏϧυͷ׬શੑΛ୲ อ͢Δ

12. SLSA(Supply chain Levels for Software Artifacts)

13. SLSA(Supply chain Levels for Software Artifacts)

14. SBOM(Software Bill of Materials) ͜ͷϘλϯΛΈͨ͜ͱ͋Δํ͍·͔͢ʁ🖐

15. SBOM(Software Bill of Materials) • ϥΠηϯεɺόʔδϣϯɺґଘؔ܎͕هࡌ͞ΕΔ • ͍͔ͭ͘ϑΥʔϚοτ͕͋Δ • SPDX(Software

    Package Data Exchange), OWASP CycloneDX, SWID Tags(Software Identi fi cation Tags)ͳͲ • GitHubͷSBOM΍JetBrains/KotlinܥͰ͸SPDXܗࣜͷSBOMఏڙͯ͠ ͍Δ

16. SBOM(Software Bill of Materials)

17. SBOM(Software Bill of Materials)

18. To sum up • ৴པͰ͖ΔartifactΛऔಘͰ͖ΔΑ͏ʹ͢Δ → ૉੑΛ࢒͢ → վ᜵Λݕ஌͢Δ

19. Why More Careful for App Development?

20. To sum up 2 • ৴པͰ͖ΔartifactΛऔಘͰ͖ΔΑ͏ʹ͢Δ → ૉੑΛ࢒͢ → վ᜵Λݕ஌͢Δ

    • 🆕 ґଘؔ܎ͷఆৗతͳ؂ࢹͱܧଓతͳߋ৽ • 🆕 ੬ऑੑͷ͋ΔΞϓϦΛࢭΊΔ࢓૊Έ

21. Veri fi cation of Gradle

22. Veri fi cation of Gradle

23. How Veri fi es Gradle Wrapper • Gradle Wrapper͸Gradle distributionΛ؅ཧ͢Δ΋ͷ

    • gradlew, gradlew.bat, gradle-wrapper.properties, gradle-wrapper.jar ͕ηοτ • ݕূର৅ • gradle-wrapper.jar • Gradle Distribution

24. How Veri fi es Gradle Wrapper Jar • release-checksums(https://gradle.org/release-checksums/)΋͘͠͸ serviceαΠτ(https://services.gradle.org/distributions/)Ͱެ։͞Εͯ

    ͍Δchecksumͱ߹க͍ͯ͠Δ͔νΣοΫ͢Δ

25. How Veri fi es Gradle Distribution • release-checksums΋͘͠͸serviceαΠτͰެ։͞Ε͍ͯΔ checksumͱ߹க͍ͯ͠Δ͔νΣοΫ͢Δ •

    gradle-wrapper.propertiesʹchecksumݕূઃఆΛ௥Ճ͢Δ • Gradle Wrapper͕distributionΛμ΢ϯϩʔυ͢ΔࡍʹchecksumΛ ݕূ͢ΔΑ͏ʹͳΔ

26. How Gradle Veri fi es Artifacts

27. How Gradle Veri fi es Artifacts

28. How Gradle Veri fi es Artifacts

29. How Gradle Veri fi es Artifacts

30. How Veri fi es Checksum • શͯͷartifactsʹରͯ͠checksumݕূΛߦ͏ • jar, aar,

    zip etc... • pom.xml, ivy.xml, .module(gradle module metadata) • metadataݕূ΋ߦ͏৔߹ • metadataͷchecksumݕূ΋߹֨͠ͳ͍ͱNG • pom.xml, ivy.xmlͱgradle module metadata͕྆ํଘࡏ͍ͯ͠Δ৔߹͸gradle module metadata͕༏ઌ͞ΕΔ͜ͱ͕ଟ͍

31. How Veri fi es Checksum • ⚠ checksum͕සൟʹมΘΔͨΊSNAPSHOTϦϦʔεͱMavenLocal ʹϦϦʔε͞Ε͍ͯΔartifacts͸ݕূ͠ͳ͍ •

    ⚠ MD5, SHA1, SHA-256, SHA-512Λαϙʔτ͍ͯ͠Δ • ⚠ metadataͷchecksum͸ެ։͞Ε͍ͯͳ͍͜ͱ͕ଟ͍ͨΊෆศ

32. How Veri fi es Signature • ascϑΝΠϧΛμ΢ϯϩʔυ • ඞཁͳެ։伴Λࣗಈతʹμ΢ϯϩʔυ •

    ެ։伴Ͱݕূޙɺ߹֨ͨ͠৔߹͸checksumݕূΛߦ͏ • ascϑΝΠϧ͕ͳ͍৔߹͸checksumݕূʹϑΥʔϧόοΫ

33. About PGP(Pretty Good Privacy) with Gradle

34. About PGP(Pretty Good Privacy) with Gradle • σϑΥϧτͰ͸όʔδϣϯ͝ͱʹຒΊࠐ·ΕͨKey ServerΛࢀর͠ʹ ͍͘

    • 8.10Ͱ͸sks-keyservers, ubuntu, openpgp, mitͷ4ͭ • ޙ൒3ͭ͸maven centralʹϥΠϒϥϦΛެ։͢Δࡍ͸ެ։伴Λొ࿥͢ ΔΑ͏ʹקΊΒΕ͍ͯΔKey Server https://github.com/gradle/gradle/blob/v8.10.0/platforms/software/dependency-management/src/main/java/org/gradle/api/internal/ artifacts/ivyservice/ivyresolve/verification/DefaultKeyServers.java https://central.sonatype.org/publish/requirements/gpg/#distributing-your-public-key

35. How Veri fi es Signature • ⚠ signatureͷݕূ͸publisher͕ެ։͔ͯ͠Βartifact͕վ͟Μ͞Εͯ ͍ͳ͍͜ͱΛอূ͢ΔͷΈͰॺ໊ऀ͕ਖ਼͍͜͠ͱ͸อূͰ͖ͳ͍ •

    🆖 伴͕౪೉͞ΕΔ • 🆖 ੬ऑੑ͕ຒΊࠐ·ΕΔ • ⚠ ͦ΋ͦ΋ެ։伴͕ެ։͞Ε͍ͯͳ͍Մೳੑ

36. How Veri fi es Signature • MavenCentralɿͦ΋ͦ΋ॺ໊͍ͯ͠ͳ͍ͱެ։Ͱ͖ͳ͍ɺ υϝΠϯ ॴ༗ূ໌΋ඞཁ •

    Google Mavenɿ2023೥6݄Ҏ߱ͷJetpack͸ॺ໊͞Ε͍ͯΔ͕ͦΕ Ҏ֎͸ରԠ͕·ͪ·ͪ • Gradle Plugin Portalɿ·ͪ·ͪ • Bintray, JCenter, JitPackɿॺ໊͍ΒͣͰެ։Մೳ

37. Repository Content Filtering • repository blockͰԿؚ͕·ΕΔؚ͔·Εͳ͍͔ΛઃఆͰ͖Δ • android studioͰ৽نϓϩδΣΫτ࡞Δͱgoogle maven΋ߜΔهड़

    ʹͳ͍ͬͯΔ • maven repositoryʹର৅ͷartifact͕࣮֬ʹؚ·Ε͍ͯͳ͍৔߹ʹ୳͠ ʹߦ͔ͳ͘ͳΔͳͲͷύϑΥʔϚϯεͷར఺͕͋ΔͷʹՃ͑ͯҙਤ͠ ͳ͍maven repository͔ΒͷartifactऔಘΛ๷͛Δ

38. Repository Content Filtering

39. Repository Content Filtering

40. Repository Content Filtering ҙਤͤͣv2.0.0͕ղܾ͞Εͯ͠·͏Մೳੑ

41. Let's Do Veri fi cation • ࣗ࡞ϥΠϒϥϦ(WebAuthnKt)ʹಋೖͯ͠ΈΔ • Google͔ΒWebAuthnͰ࢖༻͢ΔjsonͷserializationϥΠϒϥϦ͸ެ։͞Ε͍ͯΔ͕಺෦Ͱgson ͕࢖༻͞Ε͍ͯΔ

    • Moshi/kotlinx.serializationͰWebAuthnͷjsonΛserialize͢ΔͨΊͷϥΠϒϥϦ

42. Let's Do Veri fi cation • ΍Δ͜ͱ 1.Gradle WrapperͷVeri fi

    cation 2.Repository Content Filtering 3.Dependency Veri fi cationͷ༗ޮԽ 4.Dependency Reportͷ༗ޮԽͱDependabotͷઃఆ 5.Release࡞੒ͷSBOMͷੜ੒

43. Gradle Wrapper Veri fi cation • 0͔ΒηοτΞοϓ͢Δ 1. Gradle Distributionͷμ΢ϯϩʔυ

    2. Gradle Wrapperͷੜ੒ 3. gradle-wrapper.propertiesΛઃఆ

44. Gradle Wrapper Veri fi cation • Gradle WrapperΛੜ੒͢ΔͨΊʹGradle distributionΛμ΢ϯϩʔυ ͢Δ

    • serviceαΠτ͔Βbin΋͘͠͸all suf fi x͕͍͍ͭͯΔzipΛμ΢ϯϩʔ υ͢Δ • zipΛsha256sumίϚϯυͰνΣοΫͨ͋͠ͱɺద౰ͳ৔ॴʹղౚ͢ Δ

45. • javaίϚϯυΛ࢖ͬͯ௚઀GradleΛىಈͯ͠wrapperλεΫΛ࣮ߦ͢Δ • ࣮ߦ͢ΔͱGradle Wrapper͕ੜ੒͞ΕΔ • gradlew, gradlew.bat • gradle/gradle-wrapper.properties

    • gradle/gradle-wrapper.jar Gradle Wrapper Veri fi cation

46. Gradle Wrapper Veri fi cation

47. Gradle Wrapper Veri fi cation ⚠ distributionUrl͕ެࣜͷdistributionΛઃఆ͍ͯ͠Δ͜ͱΛ֬ೝ͢Δ

48. Gradle Wrapper Veri fi cation • distributionSha256Sumʹsha256Λ௥Ճ͢Δ • Gradleެ͕ࣜެ։͍ͯ͠Δsha256Λ࢖༻͢Δ •

    https://gradle.org/release-checksums/ • https://services.gradle.org/distributions/gradle-{version}-bin.zip.sha256

49. Gradle Wrapper Veri fi cation • ޡͬͨchecksumΛdistributionSha256Sumʹઃఆ͢Δͱɾɾɾ

50. Before •Google Maven : AGP •MavenCentral : KGPͱ֤ Gradle Plugin͕಺෦Ͱ࢖༻

    ͍ͯ͠ΔϥΠϒϥϦ •Gradle Plugin Portal Repository Content Filtering

51. After •Google Maven : Google͕ެ։͠ ͍ͯΔgroup idͷΈʹઃఆ •Gradle Pluign Portal͔Β͸nexus

    publish pluginͱgradle develocity pluginͷΈΛऔಘ͢ΔΑ͏ʹઃఆ Repository Content Filtering

52. After •Google Maven : Google͕ެ։͠ ͍ͯΔgroup idͷΈʹઃఆ •Gradle Pluign Portal͔Β͸nexus

    publish pluginͱgradle develocity pluginͷΈΛऔಘ͢ΔΑ͏ʹઃఆ Repository Content Filtering

53. Enable Dependency Veri fi cation •ݕূΤϥʔʹͳͬͨࡍɺσϑΥϧτͰ͸HTMLͱ؆қͳΤϥʔΛίϯ ιʔϧʹදࣔ͢Δ •CI্ͳͲͰΤϥʔ͕ग़ͨࡍʹHTMLΛऔಘ͢Δͷ͸Ұख͔͔ؒΔͷͰ ༗ޮԽ͢Δ

54. Enable Dependency Veri fi cation • $projectDir/gradle/veri fi cation-metadata.xmlͰઃఆΛߦ͏ •

    ϑΝΠϧ͕͋Δ͚ͩͰchecksumݕূ͕༗ޮʹͳΔ • 1ϑΝΠϧ͕ϓϩδΣΫτશମʹ೾ٴ͢Δ(buildSrc, root project, sub project)

55. Enable Dependency Veri fi cation • metadataɺsignatureݕূΛΦϑ • jar, aarͳͲͷchecksumͷΈ࣮ࢪ͢Δઃఆ

    Ұ୴Gradle SyncΛ࣮ߦ🐘

56. Enable Dependency Veri fi cation

57. Enable Dependency Veri fi cation

58. Enable Dependency Veri fi cation ಉ͡खॱͰશͯͷartifactͷ checksumΛઃఆ͍͚ͯ͠͹OK 🎉

59. Enable Dependency Veri fi cation ಉ͡खॱͰશͯͷartifactͷ checksumΛઃఆ͍͚ͯ͠͹OK 🎉 ͕͢͞ʹྔ͕ଟͯ͘ݫ͍͠ 😞

60. Enable Dependency Veri fi cation • λεΫʹඥͮ͘ґଘؔ܎Λղܾ͠ɺchecksumΛveri fi cation-metadata.xml ʹ௥ه͢Δ

    • λεΫʹඥ͍ͮͨґଘؔ܎Λղܾ͢ΔͷͰΑΓଟ͘ͷґଘ͕ղܾ͞ΕΔλ εΫͰ࣮ߦ͢Δͷ͕๬·͍͠ • e.g.) androidDependencies, assemble, test w w w w

61. Enable Dependency Veri fi cation

62. Enable Dependency Veri fi cation ⚠ originΛઃఆ͠ͳ͍ͱ--write-veri fi cation- metadataΦϓγϣϯͷ࣮ߦͰ্ॻ͖͞ΕΔ

63. Enable Dependency Veri fi cation Generated by Gradle͸ࣗಈੜ੒ϚʔΧʔ ͜ͷoriginʹͳ͍ͬͯΔ΋ͷΛத৺ʹνΣοΫ͍ͯ͘͠

64. Enable Dependency Veri fi cation ͋ͱ͸ͻͨ͢ΒΤϥʔ͕ͳ͘ͳΔ·Ͱ checksumΛ௥Ճ͢Δ😂

65. Enable Dependency Veri fi cation

66. Enable Dependency Veri fi cation ͜Ε΋ͻͨ͢ΒΤϥʔ͕ͳ͘ͳΔ·Ͱ checksumΛ௥Ճ͢Δ😂

67. Enable Dependency Veri fi cation

68. Enable Dependency Veri fi cation

69. Enable Dependency Veri fi cation

70. Enable Dependency Veri fi cation ಉ͡खॱͰશͯͷPGP Key IDΛ ઃఆ͍͚ͯ͠͹OK 🎉

71. Enable Dependency Veri fi cation ಉ͡खॱͰશͯͷPGP Key IDΛ ઃఆ͍͚ͯ͠͹OK 🎉

    ͕͢͞ʹྔ͕ଟͯ͘ݫ͍͠ 😞

72. Enable Dependency Veri fi cation • --write-veri fi cation-metadataΦϓγϣϯʹpgpͱsha256Λ౉͢ •

    Gradle͕ެ։伴αʔόʔ͔Β֘౰ͷ伴Λ୳͠ɺ伴͝ͱʹgroupingͳ ͲΛΑ͠ͳʹ΍্ͬͨͰveri fi cation-metadata.xmlΛߋ৽͢Δ

73. Enable Dependency Veri fi cation • --write-veri fi cation-metadataΦϓγϣϯʹpgpͱsha256Λ౉͢ •

    Gradle͕ެ։伴αʔόʔ͔Β֘౰ͷ伴Λ୳͠ɺ伴͝ͱʹgroupingͳ ͲΛΑ͠ͳʹ΍্ͬͨͰveri fi cation-metadata.xmlΛߋ৽͢Δ Key ID....?FingerPrint?... Ͳ͜...? 🤔

74. PGP with Jetpack https://developer.android.com/jetpack/getting-started

75. Enable Dependency Veri fi cation ͋ͱ͸ͻͨ͢ΒΤϥʔ͕ͳ͘ͳΔ·Ͱ Key ID, FingerprintΛ௥Ճ͢Δ😂 💡

    Gradle͸μ΢ϯϩʔυʹࣦഊͨ͠Key IDΛ24࣌ؒ͸cache͢ΔͷͰ --refresh-keysΦϓγϣϯͱ--export-keysΦϓγϣϯΛซ༻͢Δͷ͕Φεεϝ

76. Enable Dependency Veri fi cation • veri fi cation-metadata.xmlͷࢀߟ •

    https://github.com/elastic/elasticsearch • https://github.com/androidx/androidx • https://github.com/gradle/gradle

77. Dependabot with Gradle

78. Dependabot with Gradle • https://github.com/gradle/actions Λ࢖͏ • Cache؅ཧ • GitHub

    Dependency Submission APIݺͼग़͠ • Gradle Wrapper Jarͷchecksum veri fi cation

79. Dependabot with Gradle

80. Dependabot with Gradle ⚠ λεΫ࣮ߦ·Ͱղܾ͞Εͳ͍ґଘ͕ଘࡏ͢ΔͷͰ஫ҙ

81. Dependabot with Gradle https://docs.github.com/ja/actions/security-for-github-actions/security- guides/security-hardening-for-github-actions#using-third-party-actions actions͸commit hashͰࢦఆ͢Δ

82. Dependabot with Gradle

83. Generate SBOM • {aar|apk|aab}Λ࡞੒͢Δࡍͷ SBOMΛ࡞੒͢Δ • JetBrains/KotlinͰ࢖༻͞Ε͍ͯΔ spdx-gradle-pluginΛ࢖༻͢Δ

84. Generate SBOM

85. Generate SBOM 💡 con fi guration͕Θ͔Βͳ͘ͳͬͨΒ androidDependenciesλεΫͰ֬ೝ͢Δ

86. Generate SBOM

87. Finally... ηοτΞοϓ͕׬ྃͨ͠🎉

88. End? No, It's just beginning • ηοτΞοϓ͸׬ྃͰͳ͘ɺελʔτ • ґଘͷߋ৽ͷखؒ •

    Dependabot͸gradleΛ࣮ߦ͠ͳ͍ͨΊgradle wrapper, veri fi cation-metadataͷߋ ৽ΛߦΘͳ͍ • checksumݕূΛϝΠϯʹ࢖͏৔߹όʔδϣϯߋ৽ͷͨͼʹඞͣchecksumมߋ͕ൃ ੜ͢Δ • ಥવى͜Δॺ໊ෆҰக • ϥΠϒϥϦͷόʔδϣϯʹΑͬͯॺ໊ͨ͠伴͕ҧ͏͜ͱ͸··͋Δ͜ͱ

89. ·ͱΊ • Gradle͸checksumͱsignatureΛ࢖ͬͯartifactsͷݕূΛߦ͏ • ઃఆʹΑͬͯ͸ϥΠϒϥϦͷߋ৽؅ཧ͕େมʹͳΔͨΊɺঢ়گʹԠ͡ ͯઃఆΛௐ੔͢Δඞཁ͕͋Δ • GitHub ActionsͰ͸GradleެࣜͷactionΛ࢖͏ͱDependabot͕ΑΓ ༗ޮ׆༻Ͱ͖Δ

90. About Me • Bunjiro Miyoshi • ଟ෼5೥͘Β͍androidΞϓϦ։ൃऀ • KMP޷͖ •

    Kodee͘Μͷ͵͍͙ΔΈ͕ཉ͍͠

91. αϓϥΠνΣʔϯ߈ܸʹඋ͑Δ

92. Refs • https://blog.gradle.org/wrapper-attack-report • https://docs.gradle.org/current/userguide/ dependency_veri fi cation.html • https://blog.gradle.org/category/security

    • https://docs.gradle.org/current/userguide/ declaring_repositories_adv.html#sec:repository-content- fi ltering

93. ͓·͚(1) Store listing visibility • νΣοΫ͚ͭΔ͚ͩͰةݥͳσόΠεʢroot ݖݶऔಘ͕ͳ͞Εͨσό Πεɺෆਖ਼࢖༻͞ΕͨσόΠεɺΤϛϡϨʔλɺෆ໌ͳ؀ڥͳͲʣ΁ Google Play

    Store͔ΒͷΞϓϦͷެ։͕ϒϩοΫ͞ΕΔ • https://play.google.com/console/about/app-integrity/

94. ͓·͚(2) Automatic Integrity Protection • Google Play͕ࣗಈͰϥϯλΠϜνΣοΫΛΞϓϦʹ૊ΈࠐΜͰ͘Ε Δ • https://support.google.com/googleplay/android-developer/

    answer/10183279

95. ͓·͚(3) validateDistributionUrl • Gradle8.2͔Βgradle-wrapper.propertiesʹઃఆͰ͖Δ։ൃதͷϑϥ ά • distributionUrl͕ਖ਼͍͠৔߹ͷΈdistributionΛdownload͢ΔΑ͏ʹ νΣοΫͯ͘͠ΕΔ • https://docs.gradle.org/8.2/dsl/

    org.gradle.api.tasks.wrapper.Wrapper.html#org.gradle.api.tasks.wra pper.Wrapper:validateDistributionUrl

96. ͓·͚(4) GitHub Artifact Attestations • GitHub ActionsͰartifact attestationsͷੜ੒ͱݕূ͕Ͱ͖ΔΑ͏ʹ ͳͬͨ •

    SLSAͱಉ͡SigstoreΛ࢖͏ • https://docs.github.com/ja/actions/security-for-github-actions/ using-artifact-attestations/using-artifact-attestations-to-establish- provenance-for-builds

97. EOF