Backdooring Git. John Menerick August 2015

Transcription

1 Backdooring Git John Menerick August 2015

2 Legal Disclaimer

3 Thank you for coming

4 What we are covering

5 What we are not covering

6 What we are not covering

7 Name the Quote Software is like sex; it is better when it is free Linus Torvalds #

8 Setting the Stage

9 Good luck!

10 Revision control vs. Source Control Source control == source code change management #

11 Wrong Tool for the Job

12 Right Tool for the Job

13 Distributed vs. Centralized

14 Helfe!

15 Trends

16 Git

17 Definition 1 While it works, angel sings and light shines from above - Global information tracker #

18 Definition 2 When it dies, fire erupts from under your feet - Goddamn idiot truckload of sh*t #

19 Hitler Uses Git

20 Rings of Trust

21 Name the Quote If you have ever done any security work - and it did not involve the concept of network of trust - it wasn t security work, it was - <insert word my mother would not approve me stating>. I don t know what you were doing. But trust me, it s the only way you can do security. it s the only way you can do development. Linus Torvalds #

22 Typical Trust Relationships

23 Morons Since you do not want everybody to write to the central repository because most people are morons, you create this class of people who are ostensibly not morons. And most of the time what happens is that you make that class too small, because it is really hard to know if a person is smart or not, and even if you make it too small, you will have problems. So this whole commit access issue, which some companies are able to ignore by just giving everybody commit access, is a huge psychological barrier and causes endless hours of politics in most open source projects #

24 Empircal Study

25 SVN

26 Git

27 Not Scientific CVE Search

28 GitLab

29 GitLab 0day

30 Functionality or Backdoor?

31 2003 Linux backdoor

32 2003 Linux backdoor

33 2003 Linux backdoor

34 Old School Cloud Repository Hacks

35 New School Cloud Repository Hacks

36 New School Cloud Repository Hacks

37 New School Cloud Repository Hacks

38 New School Cloud Repository Hacks

39 New School Cloud Repository Hacks

40 Story Time

41 Sit back and relax

42 Corruption

43 It wasn t me

44 It wasn t me

45 It wasn t me

46 Feelings

47 Trust

48 Crypto to the rescue

49 Crypto to the rescue

50 My voice is my passport Verify me

51 GPG Trust Model

52 GPG Trust Model

53 Embedded Signatures

54 No More Than One Signature Per Commit

55 Backdooring

56 Simple Scenario * User "Alice" clones the canonical repo so they can work on a bugfix. They branch locally, and then push their local branch to a branch on a public repository somewhere. * User "Alice" does not have direct commit access to the canonical repository, so they contact a committer, "Bob". "Bob" adds a remote in his working copy pointing to Alice's remote; after review of the changes, Bob merges the branch to their development branch. * Later, Bob pushes his development branch to the canonical repository. The question that arises is: how do we know that Alice has signed a CLA? How does Bob know that Alice has signed a CLA? #

57 Danger Zone

58 Ambiguity

59 Transitive Policy Checks

60 Transitive Policy Checks

61 Trust your peer? trusting the pushing client's assertions as to the signature status is meaningless from a security perspective. #

62 Demo

63 Has this been seen in the wild?

64 No? from hashlib import sha1 def githash(data): s = sha1() s.update("blob %u\0" % len(data)) s.update(data) return s.hexdigest() #

65 No? If all 6.5 billion humans on Earth were programming, and every second, each one was producing code that was the equivalent of the entire Linux kernel history (3.6 million Git objects) and pushing it into one enormous Git repository, it would take roughly 2 years until that repository contained enough objects to have a 50% probability of a single SHA-1 object collision.. A higher probability exists that every member of your programming team will be attacked and killed by wolves in unrelated incidents on the same night. #

66 No?

67 Yes? #

68 Yes?

69 Yes?

70 Yes?

71 Signed commit metrics on the popular git services vs. not signed commits

72 Tools

73 CLI

74 To a close

75

76 One More Thing

77 One More Thing from RockStar import RockStar activity = RockStar(days=4061) activity.make_me_a_rockstar() #

78 One More Thing from RockStar import RockStar activity = RockStar(days=4061) activity.make_me_a_rockstar() #