content: source track: update source threats for draft spec #1236
Conversation
✅ Deploy Preview for slsa ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
There was a problem hiding this comment.
Copilot reviewed 1 out of 1 changed files in this pull request and generated no suggestions.
Comments skipped due to low confidence (2)
docs/spec/draft/threats.md:86
- [nitpick] The word 'SHOULD' should not be in all caps unless it is a specific requirement in a specification. Consider changing it to 'should'.
Trustworthiness scales with transparency, and consumers SHOULD push on their vendors to follow transparency best-practices.
docs/spec/draft/threats.md:86
- [nitpick] The phrase 'Trustworthiness scales with transparency' is unclear. Consider rephrasing it to 'Trustworthiness increases with transparency'.
Trustworthiness scales with transparency, and consumers SHOULD push on their vendors to follow transparency best-practices.
Tip: Turn on automatic Copilot reviews for this repository to get quick feedback on every pull request. Learn more
zachariahcox
requested review from
MarkLodato,
TomHennen,
lehors,
adityasaky and
arewm
docs/spec/draft/threats.md
Outdated
| <details><summary>Software producer intentionally submits bad code</summary> | ||
| *Mitigation:* | ||
| This kind of attack cannot be directly mitigated through SLSA controls. | ||
| Tools like the [OSSF Scorecard](https://github.com/ossf/scorecard) can help to quantify the risk of consuming artifacts from specific organizations, but do not fully remove it. |
There was a problem hiding this comment.
| Tools like the [OSSF Scorecard](https://github.com/ossf/scorecard) can help to quantify the risk of consuming artifacts from specific organizations, but do not fully remove it. | |
| Tools like the [OSSF Scorecard](https://github.com/ossf/scorecard) can help to quantify the risk of consuming artifacts from specific producers, but do not fully remove it. |
Also, can we point to some specific ways to use scorecard here? I think we want to be careful with what we say can help with something like the xz attack...
docs/spec/draft/threats.md
Outdated
| *Mitigation:* | ||
| This kind of attack cannot be directly mitigated through SLSA controls. | ||
| Tools like the [OSSF Scorecard](https://github.com/ossf/scorecard) can help to quantify the risk of consuming artifacts from specific organizations, but do not fully remove it. | ||
| Trustworthiness scales with transparency, and consumers SHOULD push their vendors to follow transparency best-practices. |
There was a problem hiding this comment.
"Transparency" is unfortunately an overloaded word in our world. WDYM specifically in this context?
There was a problem hiding this comment.
oof, that's a good callout.
I propose that I mean:
- open source
- open build
- open policies
- published "definitions of correctness."
There was a problem hiding this comment.
I'd be inclined to remove the sentence all together. Yes, transparency (visibility into the process that creates the software) is one way of increasing trustworthiness but there are other vectors too. "Does this organization have something to lose if they do a bad thing? Do I think that's enough of an incentive for them not to do the bad thing".
Additionally, I don't think "Transparency best-practices" are well defined anywhere (or even vaguely agreed upon...).
Perhaps the easiest way forward is
- to focus on the submission of bad source (so open builds don't apply here) and assume the other parts of the chain are protected (at the very least they're covered by other threats on this page).
- to be a bit more hand-wavy since this is a squishy subject:
**Mitigation**: Users must establish some basis to trust the organization they are consuming software from. That basis may be 1) that the code is open sourced **and** has a sufficiently large user-base that makes it more likely for malicious changes to be detected, 2) that the organization has sufficient incentives (legal, reputational, etc.) to dissuade it from making malicious changes. Ultimately this is a judgement call with no straightforward answer.
There was a problem hiding this comment.
@TomHennen I think SLSA tooling gives you a way to unilaterally improve trust when the source and builds are open source. This is possible independently of whether or not the producer has something to lose.
I agree though that this section needs to be reduced.
There was a problem hiding this comment.
I left two suggestions. wdyt @trishankatdatadog @TomHennen ?
There was a problem hiding this comment.
Left a comment down there...
There was a problem hiding this comment.
good ideas. I'll incorporate these.
docs/spec/draft/threats.md
Outdated
| *Mitigation:* | ||
| This kind of attack cannot be directly mitigated through SLSA controls. | ||
| Tools like the [OSSF Scorecard](https://github.com/ossf/scorecard) can help to quantify the risk of consuming artifacts from specific organizations, but do not fully remove it. | ||
| Trustworthiness scales with transparency, and consumers SHOULD push their vendors to follow transparency best-practices. |
There was a problem hiding this comment.
I'd be inclined to remove the sentence all together. Yes, transparency (visibility into the process that creates the software) is one way of increasing trustworthiness but there are other vectors too. "Does this organization have something to lose if they do a bad thing? Do I think that's enough of an incentive for them not to do the bad thing".
Additionally, I don't think "Transparency best-practices" are well defined anywhere (or even vaguely agreed upon...).
Perhaps the easiest way forward is
- to focus on the submission of bad source (so open builds don't apply here) and assume the other parts of the chain are protected (at the very least they're covered by other threats on this page).
- to be a bit more hand-wavy since this is a squishy subject:
**Mitigation**: Users must establish some basis to trust the organization they are consuming software from. That basis may be 1) that the code is open sourced **and** has a sufficiently large user-base that makes it more likely for malicious changes to be detected, 2) that the organization has sufficient incentives (legal, reputational, etc.) to dissuade it from making malicious changes. Ultimately this is a judgement call with no straightforward answer.
|
If we merge this before 1.1 goes out will that make it harder to remove this from the 1.1 release? Have we decided we want to include this in the 1.1 release (fine with me at this point)? @lehors thoughts? |
zachariahcox
changed the title
| be nice to resolve. For example, compromised developer credentials - is that (A) | ||
| or (B)? | ||
| --> | ||
| *Threat:* A producer intentionally creates a malicious revision with the intent of harming their consumers. |
There was a problem hiding this comment.
@TomHennen what if we update this to cover both:
| *Threat:* A producer intentionally creates a malicious revision with the intent of harming their consumers. | |
| *Threat:* A producer intentionally creates a malicious revision (or a VSA issuer intentionally creates a malicious attestation) with the intent of harming their consumers. |
The mitigation for both is a clearer -- you cannot.
docs/spec/draft/threats.md
Outdated
| Trustworthiness scales with transparency, and consumers SHOULD push their vendors to follow transparency best-practices. | ||
| When transparency is not possible, consumers may choose not to consume the artifact, or may require additional evidence of correctness from a trusted third-party. | ||
| Tools like the [OSSF Scorecard](https://github.com/ossf/scorecard) can help to quantify the risk of consuming artifacts from specific producers, but do not fully remove it. | ||
| For example, a consumer may choose to only consume source artifacts from repositories that have a high score on the OSSF Scorecard. |
There was a problem hiding this comment.
| Trustworthiness scales with transparency, and consumers SHOULD push their vendors to follow transparency best-practices. | |
| When transparency is not possible, consumers may choose not to consume the artifact, or may require additional evidence of correctness from a trusted third-party. | |
| Tools like the [OSSF Scorecard](https://github.com/ossf/scorecard) can help to quantify the risk of consuming artifacts from specific producers, but do not fully remove it. | |
| For example, a consumer may choose to only consume source artifacts from repositories that have a high score on the OSSF Scorecard. | |
| Ultimately, consumers must decide which producers are trusted to produce artifacts and which issuers are trusted to produce VSAs. |
We could redirect from here over to "verifying platforms".
There was a problem hiding this comment.
Sorry for late reply. Why do consumers even need to know which producers are trusted to produce artifacts (source code, I imagine, in this case)? Couldn't they just get away with the Source Track VSA from the issuer, and call it a day so long as its subjects/outputs (e.g., source code) matches the inputs to the next step (e.g., build)?
| **Source integrity:** Ensure that source revisions contain only changes submitted by | ||
| authorized contributors according to the process defined by the software producer and | ||
| that source revisions are not modified as they pass between development stages. |
There was a problem hiding this comment.
this wording aligns better with the build integrity section below.
There was a problem hiding this comment.
I think this is 'fine', but we do lose the introduction of the concept of 'intent' (which we reference later) which isn't quite the same as 'process'. I'd argue the process is one of the ways the producer tries to ensure their intent is tracked, but it's not really what the end user cares about.
I'd also probably argue that the build process is somewhat different and they don't need to mirror each other. To some extent the source is the closest approximation of the org's intent, and then we just rely on the build system to mechanically transform that source faithfully.
zachariahcox
changed the title
| @@ -267,8 +225,10 @@ does not accept this because the version X is not considered reviewed. | |||
|
|
|||
| *Threat:* Two trusted persons collude to author and approve a bad change. | |||
|
|
|||
| *Mitigation:* This threat is not currently addressed by SLSA. We use "two | |||
| trusted persons" as a proxy for "intent of the software producer". | |||
There was a problem hiding this comment.
I do not think we should use "two trusted persons" as a proxy for producer intent. We should probably say "the documented change process for the source" if we must, but I prefer just "the intent".
zachariahcox
force-pushed
the
users/zacox/orgthreat
branch
from
421ff2b to
97094b5
Compare
@TomHennen! Potentially I am off base -- is 1.1 going to be different from the /draft folder? |
zachariahcox
changed the title
I'm glad @TomHennen remembers that we need to get 1.1 finalized. I was going to bring that up myself looking at this PR. Unfortunately, we don't have a very clean way of working on several versions in parallel. The plan was to only work in the draft folder and when all 1.1 issues have been addressed to create a new folder for 1.1 selecting (manually) from the draft what is relevant. Of course this is really only practical if the differences are fairly coarse (like whole files to be left out). If the content of some files start changing in ways that are only relevant for the next version this operation becomes quite impractical. If we want to go ahead and merge this, I will need to create the 1.1 folder before, and from then on every change made for 1.1 will have to be made in both folders (1.1 and draft). Not ideal but doable. |
I wonder if at this point we can just wait and include the source track (and the build track if it's ready). We've waited this long, and there don't seem to be that many outstanding issues elsewhere. By trying to separate them now we'd probably just cause ourselves more work for less gain. WDYT? |
You mean to skip 1.1? That would solve the problem of course. It's true that the more time goes by the less relevant it is. |
Not so much "skip" as include the source track in 1.1. New tracks are supposed to go in minor releases |
|
We had a long, long, chat about tracks, threats pages, etc... at yesterday's meeting. Do we still like this PR or do we want to simplify it some? I have no opinion at this time. |
zachariahcox
force-pushed
the
users/zacox/orgthreat
branch
from
97094b5 to
433469c
Compare
| @@ -54,3 +54,14 @@ the basis for a future Build Platform Operations track: | |||
| </section> | |||
|
|
|||
| [draft version (v0.1)]: ../v0.1/requirements.md | |||
|
|
|||
|
|
|||
| ## Source Track | |||
There was a problem hiding this comment.
added the "objective" section from source-requirements.md, updated the verbs to be future tense.
this is to be the target of future-direction links.
| the fork was reviewed. | ||
| colleague (who is not trusted by MyPackage), then proposes the change to | ||
| the upstream repo. | ||
| Solution: The proposed change still requires two-person review in the upstream context even though it received two-person review in another context. |
There was a problem hiding this comment.
I updated the words to be a little more precise.
In general, I'd expect reviews to be transitive for some situations. but yeah, if your org thinks this is a problem, then this is how you'd fix it.
|
Howdy friends! I have updated this PR to reference only 1.1 legal concepts. There were a lot of structural changes to the repo and I ultimately rebased these smallish patches. cc: @TomHennen @adityasaky @lehors @trishankatdatadog @arewm |
zachariahcox
requested review from
TomHennen,
adityasaky,
trishankatdatadog and
Copilot
There was a problem hiding this comment.
Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.
| *Example:* Adversary creates a pull request using a secondary account and approves it using their primary account. | ||
|
|
||
| Solution: The producer must require strongly authenticated user accounts and ensure that all accounts map to unique persons. | ||
| A common vector for this attack is to take over a robot account with the permission to contribute code. |
There was a problem hiding this comment.
optional: Robot accounts are discussed below so this seems somewhat redundant. Suggest removing.
There was a problem hiding this comment.
That's probably fine. I think these are different threat models, but not sure if the difference is worth calling out, or if these two blurbs are doing so.
This one is about gaining access to two accounts with write and the robots one is about gaining access to an account with bypass.
The mitigation for the first is hard to execute and protect against. You'd have to somehow prevent account takeovers.
The mitigation for the robots one is easier to execute (just run some kind of automation with a poisoned payload, usually) and protect against-- just do not allow any account to bypass code review requirements.
There was a problem hiding this comment.
Right. I guess I'll leave it to you?
| review for these changes. | ||
| robot, which is allowed to submit without review. | ||
| Adversary compromises the robot and submits a malicious change. | ||
| Solution: Require review for such changes. |
There was a problem hiding this comment.
Optional:
| Solution: Require review for such changes. | |
| Solution: Require review for such changes or ensure all changes relevant to the robot's behavior require review. |
E.g. imagine if the Robot is a GHA that generates code. If the workflow that runs that code is reviewed, and the generation tool is reviewed, then it could be safe?
There was a problem hiding this comment.
(commented on the other thread)
There was a problem hiding this comment.
I suppose I think there are legitimate use cases for bypassing code review by robots, and I think it is possible to do safely?
I also don't think we have to address that here and now, especially if we don't have a fully fleshed out framework for doing so.
| **Source integrity:** Ensure that source revisions contain only changes submitted by | ||
| authorized contributors according to the process defined by the software producer and | ||
| that source revisions are not modified as they pass between development stages. |
There was a problem hiding this comment.
I think this is 'fine', but we do lose the introduction of the concept of 'intent' (which we reference later) which isn't quite the same as 'process'. I'd argue the process is one of the ways the producer tries to ensure their intent is tracked, but it's not really what the end user cares about.
I'd also probably argue that the build process is somewhat different and they don't need to mirror each other. To some extent the source is the closest approximation of the org's intent, and then we just rely on the build system to mechanically transform that source faithfully.
Co-authored-by: Tom Hennen <[email protected]> Signed-off-by: Zachariah Cox <[email protected]>
Co-authored-by: Tom Hennen <[email protected]> Signed-off-by: Zachariah Cox <[email protected]>
Co-authored-by: Tom Hennen <[email protected]> Signed-off-by: Zachariah Cox <[email protected]>
Co-authored-by: Tom Hennen <[email protected]> Signed-off-by: Zachariah Cox <[email protected]>
fixes: #1178
The threats.md file is intended to be a one-stop summary of all the threats mitigated by SLSA.
From this page, we should plan to redirect to other parts of the documentation.