content: source track: update source threats for draft spec #1236
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|
@@ -53,84 +53,64 @@ broadly adopted in an automated fashion, minimizing the chance of mistakes. | |||||||||||
|
|
||||||||||||
| A source integrity threat is a potential for an adversary to introduce a change | ||||||||||||
| to the source code that does not reflect the intent of the software producer. | ||||||||||||
| This includes modification of the source data at rest as well as insider threats, | ||||||||||||
| when an authorized individual introduces an unauthorized change. | ||||||||||||
|
|
||||||||||||
| The SLSA Source track mitigates these threats when the consumer | ||||||||||||
| [verifies source revisions](verifying-source.md) against expectations, confirming | ||||||||||||
| that the revision they received was produced in the expected manner. | ||||||||||||
|
|
||||||||||||
| ### (A) Producer | ||||||||||||
|
|
||||||||||||
| The producer of the software intentionally produces code that harms the | ||||||||||||
| consumer, or the producer otherwise uses practices that are not deserving of the | ||||||||||||
| consumer's trust. | ||||||||||||
|
|
||||||||||||
| <details><summary>Software producer intentionally creates a malicious revision of the source</summary> | ||||||||||||
|
|
||||||||||||
| *Threat:* A producer intentionally creates a malicious revision with the intent of harming their consumers. | ||||||||||||
|
There was a problem hiding this comment. @TomHennen what if we update this to cover both:
Suggested change
The mitigation for both is a clearer -- you cannot. |
||||||||||||
|
|
||||||||||||
| *Mitigation:* | ||||||||||||
| This kind of attack cannot be directly mitigated through SLSA controls. | ||||||||||||
| Trustworthiness scales with transparency, and consumers SHOULD push their vendors to follow transparency best-practices. | ||||||||||||
|
There was a problem hiding this comment. "Transparency" is unfortunately an overloaded word in our world. WDYM specifically in this context? There was a problem hiding this comment. oof, that's a good callout. I propose that I mean:
There was a problem hiding this comment. I'd be inclined to remove the sentence all together. Yes, transparency (visibility into the process that creates the software) is one way of increasing trustworthiness but there are other vectors too. "Does this organization have something to lose if they do a bad thing? Do I think that's enough of an incentive for them not to do the bad thing". Additionally, I don't think "Transparency best-practices" are well defined anywhere (or even vaguely agreed upon...). Perhaps the easiest way forward is
There was a problem hiding this comment. @TomHennen I think SLSA tooling gives you a way to unilaterally improve trust when the source and builds are open source. This is possible independently of whether or not the producer has something to lose. I agree though that this section needs to be reduced. There was a problem hiding this comment. I left two suggestions. wdyt @trishankatdatadog @TomHennen ? There was a problem hiding this comment. Left a comment down there... |
||||||||||||
| When transparency is not possible, consumers may choose not to consume the artifact, or may require additional evidence of correctness from a trusted third-party. | ||||||||||||
| Tools like the [OSSF Scorecard](https://github.com/ossf/scorecard) can help to quantify the risk of consuming artifacts from specific producers, but do not fully remove it. | ||||||||||||
| For example, a consumer may choose to only consume source artifacts from repositories that have a high score on the OSSF Scorecard. | ||||||||||||
|
Comment on lines
+75
to
+78
There was a problem hiding this comment.
Suggested change
We could redirect from here over to "verifying platforms". There was a problem hiding this comment. Sorry for late reply. Why do consumers even need to know which producers are trusted to produce artifacts (source code, I imagine, in this case)? Couldn't they just get away with the Source Track VSA from the issuer, and call it a day so long as its subjects/outputs (e.g., source code) matches the inputs to the next step (e.g., build)? |
||||||||||||
|
|
||||||||||||
| *Example:* A producer with an otherwise good reputation decides suddenly to produce a malicious artifact with the intent to harm their consumers. | ||||||||||||
|
|
||||||||||||
| </details> | ||||||||||||
|
|
||||||||||||
|
Comment on lines
-94
to
-96
There was a problem hiding this comment. we could add another section here like We could say this is when "the producer UNintentially ships bad code." |
||||||||||||
| ### (B) Modifying the source | ||||||||||||
|
|
||||||||||||
| An adversary without any special administrator privileges attempts to introduce a change counter to the declared intent of the source by following the producer's official source control process. | ||||||||||||
|
|
||||||||||||
| Threats in this category can be mitigated by following source control management best practices. | ||||||||||||
|
|
||||||||||||
| #### (B1) Submit change without review | ||||||||||||
|
|
||||||||||||
| <details><summary>Directly submit without review</summary> | ||||||||||||
|
|
||||||||||||
| *Threat:* Submit code to the source repository without another person reviewing. | ||||||||||||
|
|
||||||||||||
| *Mitigation:* The producer requires approval of all changes before they are accepted. | ||||||||||||
|
|
||||||||||||
| *Example:* Adversary directly pushes a change to a git repo's `main` branch. | ||||||||||||
| Solution: The producer can configure branch protection rules on the `main` branch. | ||||||||||||
|
There was a problem hiding this comment. I wonder if this can lean on the source track and point to the documented change management process piece for setting guardrails on submitting changes. There was a problem hiding this comment. I think in many ways this section is duplicative of other sections. We could just say: There was a problem hiding this comment. @adityasaky do you think we should just cut all these scenarios and redirect to the source track? There was a problem hiding this comment. Note that this page discusses lots of threats to the build and doesn't just defer to the SLSA Build Track. The general purpose of this page, AIUI, was to centralize all the various threats in one place and direct folks elsewhere as needed. There was a problem hiding this comment. Potentially then most of these examples should link to relevant sections of the relevant tracks. Maybe we'll take it as a todo. |
||||||||||||
| A best practice is to require approval of any changes via a change management tool before they are accepted into the source. | ||||||||||||
|
|
||||||||||||
| </details> | ||||||||||||
| <details><summary>Single actor controls multiple accounts</summary> | ||||||||||||
|
|
||||||||||||
| *Threat:* An actor is able to control multiple account and effectively approve their own code changes. | ||||||||||||
|
|
||||||||||||
| *Mitigation:* The producer must ensure that no actor is able to control or influence multiple accounts with review privileges. | ||||||||||||
|
|
||||||||||||
| *Example:* Adversary creates a pull request using a secondary account and approves it using their primary account. | ||||||||||||
|
|
||||||||||||
| Solution: The producer must require strongly authenticated user accounts and ensure that all accounts map to unique persons. | ||||||||||||
| A common vector for this attack is to take over a robot account with the permission to contribute code. | ||||||||||||
| Control of the robot and an actors own legitimate account is enough to exploit this vulnerability. | ||||||||||||
zachariahcox marked this conversation as resolved.
Show resolved
Hide resolved
trishankatdatadog marked this conversation as resolved.
Show resolved
Hide resolved
|
||||||||||||
|
|
||||||||||||
| </details> | ||||||||||||
| <details><summary>Use a robot account to submit change</summary> | ||||||||||||
|
|
@@ -142,72 +122,72 @@ two-person review. | |||||||||||
| robots. | ||||||||||||
|
|
||||||||||||
| *Example:* A file within the source repository is automatically generated by a | ||||||||||||
| robot, which is allowed to submit without review. | ||||||||||||
| Adversary compromises the robot and submits a malicious change. | ||||||||||||
| Solution: Require review for such changes. | ||||||||||||
|
|
||||||||||||
| </details> | ||||||||||||
| <details><summary>Abuse of rule exceptions</summary> | ||||||||||||
|
|
||||||||||||
| *Threat:* Rule exceptions provide vector for abuse | ||||||||||||
|
|
||||||||||||
| *Mitigation:* Remove rule exceptions. | ||||||||||||
|
|
||||||||||||
| *Example:* The intent of a producer is to require two-person review on "all changes except for documentation changes," defined as those only modifying `.md` files. | ||||||||||||
| Adversary submits a malicious executable named `evil.md` and a code review is not required due to the exception. | ||||||||||||
| Technically, the intent of the producer was followed and the produced malicious revision meets all defined policies. | ||||||||||||
| Solution: The producer adjusts the rules to prohibit such exceptions. | ||||||||||||
|
|
||||||||||||
| </details> | ||||||||||||
|
|
||||||||||||
| <details><summary>Highly-permissioned actor bypasses or disables controls</summary> | ||||||||||||
|
|
||||||||||||
| *Threat:* Trusted actor with "admin" privileges in a repository submits code by disabling existing controls. | ||||||||||||
|
|
||||||||||||
| *Mitigation:* All actors must be subject to same controls, whether or not they have | ||||||||||||
| administrator privileges. | ||||||||||||
| Changes to the controls themselves should require their own review process. | ||||||||||||
|
|
||||||||||||
| *Example 1:* A GitHub repository-level admin pushes a change without review, even though GitHub branch protection is enabled. | ||||||||||||
| Solution: The producer can modify the rule to disallow bypass by administrators, or move the rule to an organization-level ruleset. | ||||||||||||
|
|
||||||||||||
| *Example 2:* GitHub repository-level admin removes a branch requirement, pushes their change, then re-enables the requirement to cover their tracks. | ||||||||||||
| Solution: The producer can configure higher-permission-level rules (such as organization-level GitHub Rulesets) to prevent repository-level tampering. | ||||||||||||
|
|
||||||||||||
| #### (B2) Evade change management process | ||||||||||||
|
|
||||||||||||
| <details><summary>Modify code after review</summary> | ||||||||||||
|
|
||||||||||||
| *Threat:* Modify the code after it has been reviewed but before submission. | ||||||||||||
|
|
||||||||||||
| *Mitigation:* Source control platform invalidates approvals whenever the proposed change is modified. | ||||||||||||
|
|
||||||||||||
| *Example:* Source repository requires two-person review on all changes. | ||||||||||||
| Adversary sends an initial "good" pull request to a peer, who approves it. | ||||||||||||
| Adversary then modifies their proposal to contain "bad" code. | ||||||||||||
|
|
||||||||||||
| Solution: Configure the code review rules to require review of the most recent revision before submission. | ||||||||||||
| Resetting or "dismissing" votes on a PR introduces substantial friction to the process. | ||||||||||||
| Depending on the security posture of the source, the producer has a few choices to deal with this situation. | ||||||||||||
| They may: | ||||||||||||
|
|
||||||||||||
| - Accept this risk. Code review is already expensive and the pros outweigh the cons here. | ||||||||||||
| - Dismiss reviews when new changes are added. This is a common outcome when expert code review is required. | ||||||||||||
| - Leave previous reviews intact, but require that "at least the last revision must be reviewed by someone." | ||||||||||||
|
|
||||||||||||
| </details> | ||||||||||||
| <details><summary>Submit a change that is unreviewable</summary> | ||||||||||||
|
|
||||||||||||
| *Threat:* Adversary crafts a change that is meaningless for a human to review that looks | ||||||||||||
| benign but is actually malicious. | ||||||||||||
|
|
||||||||||||
| *Mitigation:* Code review system ensures that all reviews are informed and | ||||||||||||
| meaningful. | ||||||||||||
|
|
||||||||||||
| *Example:* A proposed change updates a file, but the reviewer is only presented | ||||||||||||
| with a diff of the cryptographic hash, not of the file contents. Thus, the | ||||||||||||
| reviewer does not have enough context to provide a meaningful review. | ||||||||||||
| Solution: the code review system should present the reviewer with a content diff or some | ||||||||||||
| other information to make an informed decision. | ||||||||||||
|
|
||||||||||||
| </details> | ||||||||||||
|
|
@@ -221,43 +201,25 @@ different context. | |||||||||||
| *Example:* MyPackage's source repository requires two-person review. Adversary | ||||||||||||
| forks the repo, submits a change in the fork with review from a colluding | ||||||||||||
| colleague (who is not trusted by MyPackage), then merges the change back into | ||||||||||||
| the upstream repo. | ||||||||||||
| Solution: The merge should still require review, even though the fork was reviewed. | ||||||||||||
|
|
||||||||||||
| </details> | ||||||||||||
|
|
||||||||||||
| </details> | ||||||||||||
| <details><summary>Commit graph attacks</summary> | ||||||||||||
|
|
||||||||||||
| *Threat:* Request review for a series of two commits, X and Y, where X is bad and Y is good. | ||||||||||||
| Reviewer thinks they are approving only the final Y state but they are also implicitly approving X. | ||||||||||||
|
|
||||||||||||
| *Mitigation:* The producer declares that only the final delta is considered approved. | ||||||||||||
| Intermediate revisions don't count as being reviewed and are not added to the protected context (such as the `main` branch). | ||||||||||||
|
There was a problem hiding this comment.
Suggested change
|
||||||||||||
|
|
||||||||||||
| *Example:* Adversary sends a pull request containing malicious commit X and benign commit Y that undoes X. | ||||||||||||
| The produced diff of X + Y contains zero lines of changed code and the reviewer may not notice that X is malicious unless they review each commit in the request. | ||||||||||||
| If X is allowed to become reachable from the protected branch, the content may become available in secured environments such as developer machines. | ||||||||||||
|
|
||||||||||||
| Solution: The code review tool does not merge contributor-created commits, and instead merges a single new commit representing only the reviewed "changes from all commits." | ||||||||||||
|
|
||||||||||||
| </details> | ||||||||||||
|
|
||||||||||||
|
|
@@ -267,8 +229,10 @@ does not accept this because the version X is not considered reviewed. | |||||||||||
|
|
||||||||||||
| *Threat:* Two trusted persons collude to author and approve a bad change. | ||||||||||||
|
|
||||||||||||
|
There was a problem hiding this comment. I do not think we should use "two trusted persons" as a proxy for producer intent. We should probably say "the documented change process for the source" if we must, but I prefer just "the intent". |
||||||||||||
| *Mitigation:* The producer can arbitrarily increase friction of their policies to reduce risk, such as requiring additional, or more senior reviewers. | ||||||||||||
| The goal of policy here is to ensure that the approved changes match the intention of the producer for the source. | ||||||||||||
| Increasing the friction of the policies may make it harder to circumvent, but doing so has diminishing returns. | ||||||||||||
| Ultimately the producer will need to land upon a balanced risk profile that makes sense for their security posture. | ||||||||||||
|
|
||||||||||||
| </details> | ||||||||||||
| <details><summary>Trick reviewer into approving bad code</summary> | ||||||||||||
|
|
@@ -294,29 +258,6 @@ An adversary introduces a change to the source control repository through an | |||||||||||
| administrative interface, or through a compromise of the underlying | ||||||||||||
| infrastructure. | ||||||||||||
|
|
||||||||||||
| </details> | ||||||||||||
| <details><summary>Platform admin abuses privileges</summary> | ||||||||||||
|
|
||||||||||||
|
|
||||||||||||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this wording aligns better with the build integrity section below.