On Omitting Commits and Committing Omissions:
Preventing Git Metadata Tampering That (Re)introduces Vulnerabilities
Santiago Torres-Arias†, Anil Kumar Ammula‡, Reza Curtmola‡, Justin Cappos†
†New York University ‡New Jersey Institute of Technology
USENIX Security ‘16, Austin TX.
Santiago Torres-Arias, New York University
Reza Curtmola, New Jersey Institute of Technology
Justin Cappos, New York University
Anil Kumar Ammula, New Jersey Institute of Technology
The scenario
A central repository and two Devs
Git is a distributed version control system
(Diagram sequence: a central Repo and two Devs, each holding master. One Dev works on a Feature branch and pushes it; the other Dev pulls it, merges it into master and pushes; the first Dev pulls, tags the result v1.0 and pushes the tag.)
Git repositories can be compromised
(Diagram: a user now fetches from the Repo; a third party who “wants to watch the world burn” gains write access to the repository while the Devs are away, “having chips and guacamole...”)
Repository compromises happen
Luckily, we have git’s security features
(Diagram: the commits on master carry the dev’s GPG signatures; the push carries the dev’s push certificate.)
Luckily, we have
● Hash chaining
● Git commit and tag signatures
● Push certificates (more on them later).
● What could go wrong?
Example
What happened here?
I want to install django 1.9.3:

    santiago at ~ ✔: pip install -e git+https://github.com/santiagotorres/django/@1.9.3#egg=django
    Obtaining django from git+https://github.com/santiagotorres/django/@1.9.3#egg=django
    [...]
    Successfully installed django
    santiago at ~ ✔: django-admin.py --version
    1.4.11

But I get django 1.4.11.
I try to verify the tag...

    santiago at ~/django ✗ git verify-tag 1.9.3
    warning: Duplicated ref: refs/tags/1.5.11
    gpg: Signature made Wed 03 Sep 2014 01:10:58 AM EDT using RSA key ID 2D9266A6808FE067
    gpg: Good signature from "James Bennett <james@b-list.org>" [full]
    Primary key fingerprint: BD47 7E2E 05F7 EF63 71B6 E8EE 2D92 66A6 808F E067

pgp verification passes...
I ask for more detail...

    santiago at ~/django ✔ git verify-tag --verbose 1.9.3
    object [...]
    tagger James Bennett <james@b-list.org> 1409721058 -0500
    [...]
    Tag 1.4.11
    gpg: Signature made Wed 03 Sep 2014 01:10:58 AM EDT using RSA key ID 2D9266A6808FE067
    gpg: Good signature from "James Bennett <james@b-list.org>" [full]
    Primary key fingerprint: BD47 7E2E 05F7 EF63 71B6 E8EE 2D92 66A6 808F E067

It’s the wrong tag!
What happened here?
● Django 1.4.11 is vulnerable to 8+ RCE vulnerabilities
● But the GPG verification passed?
● Why did this happen?
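The signed tag object carries its own `tag` header, so a client can compare that header with the ref name it asked for. The following check is an added example, not code from the talk or from Git; the tag object text is constructed to mimic what `git cat-file -p refs/tags/1.9.3` would print in the scenario above, with a placeholder object id and signature.

```python
import re

# Constructed sample of what `git cat-file -p refs/tags/1.9.3` would print after
# the ref was repointed at the signed tag object of 1.4.11 (the deck's scenario).
# The object id and the signature are placeholders, not real values.
TELEPORTED_TAG_OBJECT = """\
object 0000000000000000000000000000000000000000
type commit
tag 1.4.11
tagger James Bennett <james@b-list.org> 1409721058 -0500

Tag 1.4.11
-----BEGIN PGP SIGNATURE-----
(placeholder signature block)
-----END PGP SIGNATURE-----
"""

HEADER_RE = re.compile(r"^(object|type|tag|tagger) (.*)$")


def parse_tag_headers(tag_object: str) -> dict:
    """Return the header fields of a tag object (the lines before the first blank line)."""
    headers = {}
    for line in tag_object.splitlines():
        if line == "":  # the blank line separates headers from the tag message
            break
        m = HEADER_RE.match(line)
        if m:
            headers[m.group(1)] = m.group(2)
    return headers


def tag_name_matches(requested_ref: str, tag_object: str) -> bool:
    """True only if the signed object's own `tag` header names the ref we asked for.

    A good GPG signature proves who created the object, not which ref points at
    it; this comparison is the check that `git verify-tag <ref>` alone does not do.
    """
    headers = parse_tag_headers(tag_object)
    name = requested_ref
    if name.startswith("refs/tags/"):
        name = name[len("refs/tags/"):]
    return headers.get("type") == "commit" and headers.get("tag") == name


if __name__ == "__main__":
    print(tag_name_matches("1.9.3", TELEPORTED_TAG_OBJECT))   # False: ref was teleported
    print(tag_name_matches("1.4.11", TELEPORTED_TAG_OBJECT))  # True: name and object agree
```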
The problem
Why did this happen?
● Simply put, some Git metadata is not signed

    .git/
    ├── branches
    ├── COMMIT_EDITMSG
    ├── hooks
    │   ├── applypatch-msg.sample
    │   ...
    ├── index
    ├── info
    ├── logs
    │   ├── HEAD
    │   ...
    ├── objects        ← Signed!
    │   ...
    └── refs           ← Not signed. This is our target
        ...
        └── tags

    ○ References, pointers to Git tags and commits, are not signed
● An attacker with write access to the repository can modify this information.
● The resulting attack looks like regular git operation.
Metadata Manipulation Attack Taxonomy
Attack taxonomy
● Teleport Attacks
    ○ Branch Teleport Attack
    ○ Tag Teleport Attack
● Rollback Attacks
    ○ Branch Rollback Attack
    ○ Global Rollback Attack
    ○ Effort Duplication Attack
● Deletion Attacks
    ○ Branch Deletion Attack
    ○ Tag Deletion Attack
Branch teleport attack
(Diagram sequence: Dev has a do_not_merge! branch in the repository, annotated with Apple’s duplicated goto. The user asks the repository “what is the latest master?”; the compromised repository answers “Uhh, just a sec” and moves the master reference onto the do_not_merge! branch. The user: “what!? ok, I better merge”.)
Branch teleport attack: result
(Diagram: the user’s master now contains the do_not_merge! code.)
Tag teleport attack
(Diagram sequence: the repository holds the tags v1.1 and v1.vuln on master. The user asks “give me tag v1.1!”; the compromised repository replies “You got it!” and serves v1.vuln under the name v1.1. The user: “Neat!”, not noticing the result has less features!)
Branch rollback attack
(Diagram sequence: Dev pushes a FIX commit onto the Feature branch and tells the other Dev “Here’s the fix! Can you review?”. The reviewer answers “looks good! Ready to merge”. The compromised repository says “Just a sec” and rolls the Feature reference back to before the FIX. The reviewer merges Feature, now without the FIX, into master: “Dev! You broke it!”)
Attack taxonomy: summary
● Teleport Attacks
    ○ Branch Teleport Attack ➢ Buggy code inclusion
    ○ Tag Teleport Attack ➢ Wrong version retrieved
● Rollback Attacks
    ○ Branch Rollback Attack ➢ Critical code omission
    ○ Global Rollback Attack ➢ Critical code omission
    ○ Effort Duplication Attack ➢ Coding effort increased
● Deletion Attacks
    ○ Branch Deletion Attack ➢ Missing branch
    ○ Tag Deletion Attack ➢ Missing tag
How can we fix this?
The problem with existing solutions
● We could solve fork-consistency using existing solutions
● Consistency systems, like SUNDR, could solve this issue, but they disregard Git’s distributed nature.
● We require a solution that understands which files are meant to be synchronized
Defense assumptions
● Developers communicate through other means
    ○ A complete fork attack will be noticed and discussed by side-channels
● A repository can be initialized with a root of trust
Our Solution
Defense goals: usability
● Preserve current Git workflows
● Ensure backwards compatibility with older Git versions
● Provide increased security in partial adoption scenarios
Defense goals: security
● Prevent modification of committed data
● Ensure consistent repository state
● Ensure repository state freshness
Defense: Overview
● Prevent modification of committed data ➔ Provided by Git
● Ensure consistent repository state ➔ Reference State Log
● Ensure repository state freshness ➔ Nonce Bag
The Reference State Log
(Diagram sequence: when Dev pushes, the regular push is accompanied by a signed statement, the RSL entry, stored at the Repo. When the other Dev fetches, the regular fetch also retrieves the RSL, and the pull checks reference consistency against it.)
The RSL push entry
The RSL is a hash chain of entries: Entry ← Entry ← ... ← Entry. A push entry contains:
    Branch: master              ➢ references changed
    HEAD: 0xfe….ab              ➢ their updated locations
    PREV_HASH: 0xac...89        ➢ hash of previous RSL entry
    Signature: Dev’s signature  ➢ authenticates whoever added this entry
❖ Push ➢ Add an RSL entry and push
❖ Fetch ➢ fetch, retrieve RSL, and verify repository state
Implementation: prototype
● Two extensions to git
    ○ git securepush
    ○ git securefetch
● RSL lives in repo
    ○ as a special branch
    ○ sent in-band
Synchronization
(Diagram sequence, the earlier scenario with the extensions: Dev works on Feature and runs securepush; the other Dev runs securepull, which verifies the RSL (✔), merges Feature into master and runs secure push; Dev runs secure pull, which verifies again (✔).)
Verification
1. Is the entry signed by a trusted party?
2. Are all the entries in the RSL correctly linked together?
3. Are all the references pointing to the right place?
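The three checks above, as an added example that is not the paper’s prototype: entries carry the four fields from the RSL push entry slide plus a signer name, HMAC-SHA256 with a per-developer key stands in for the GPG signature, and the first entry chains to the empty string as its root of trust (all assumptions). Truncating the RSL (a global rollback) is not caught here; that is what the Nonce Bag is for.

```python
import hashlib
import hmac

# Constructed trust store: developer name -> signing key.  HMAC-SHA256 with a
# shared key stands in for the GPG signature used in the paper's RSL entries.
TRUSTED_KEYS = {"dev": b"dev-secret-key", "dev2": b"dev2-secret-key"}


def entry_hash(e: dict) -> str:
    """Hash over the signed fields; the next entry's PREV_HASH must equal this."""
    data = "\n".join([e["branch"], e["head"], e["prev_hash"], e["signer"]]).encode()
    return hashlib.sha256(data).hexdigest()


def sign(signer: str, e: dict) -> str:
    return hmac.new(TRUSTED_KEYS[signer], entry_hash(e).encode(), "sha256").hexdigest()


def make_entry(branch: str, head: str, prev_hash: str, signer: str) -> dict:
    """Build the push entry securepush would add: Branch, HEAD, PREV_HASH, Signature."""
    e = {"branch": branch, "head": head, "prev_hash": prev_hash, "signer": signer}
    e["signature"] = sign(signer, e)
    return e


def verify_rsl(rsl: list, repo_refs: dict) -> tuple:
    """Run the three checks from the slide; returns (ok, reason)."""
    prev = ""       # root of trust: the first entry chains to the empty string
    expected = {}   # branch -> HEAD claimed by the latest entry for that branch
    for i, e in enumerate(rsl):
        # 1. Is the entry signed by a trusted party?
        if e["signer"] not in TRUSTED_KEYS or not hmac.compare_digest(
                e["signature"], sign(e["signer"], e)):
            return False, f"entry {i}: signature invalid or signer not trusted"
        # 2. Are all the entries in the RSL correctly linked together?
        if e["prev_hash"] != prev:
            return False, f"entry {i}: PREV_HASH does not match the previous entry"
        prev = entry_hash(e)
        expected[e["branch"]] = e["head"]
    # 3. Are all the references pointing to the right place?
    for branch, head in expected.items():
        if repo_refs.get(branch) != head:
            return False, f"ref {branch} is at {repo_refs.get(branch)}, RSL says {head}"
    return True, "ok"


# Constructed history: dev pushes master at commit c1, then dev2 pushes the FIX
# commit c2 to the feature branch.  Commit ids are placeholders.
E1 = make_entry("master", "c1", "", "dev")
E2 = make_entry("feature", "c2", entry_hash(E1), "dev2")
RSL = [E1, E2]
```

A branch rollback (the feature ref moved back to c1 with no new entry) fails check 3, and an entry whose HEAD was edited after signing fails check 1.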
Evaluation
How are attacks prevented
● Teleport Attacks ➔ Requires RSL entry with target:
    ○ Branch Teleport Attack ◆ commit
    ○ Tag Teleport Attack ◆ tag
● Rollback Attacks ➔ Requires replaying RSL entry
    ○ Branch Rollback Attack ◆ Target commit must have been pushed
    ○ Global Rollback Attack ◆ (prevented with Nonce Bag)
    ○ Effort Duplication Attack ◆ (prevented with Nonce Bag)
● Deletion Attacks ➔ Requires valid RSL entry
    ○ Branch Deletion Attack
    ○ Tag Deletion Attack
RSL + Nonce Bag VS other mechanisms
    Feature                 Commit signing   Push Certificate   RSL
    Commit Tampering        ✓                ✓                  ✓
    Branch Teleport         X                ✓                  ✓
    Branch Rollback         X                X                  ✓
    Global Rollback         X                X                  ✓
    Effort Duplication      X                X                  ✓
    Tag Rollback            X                ✓                  ✓
    Minimum Git Version     1.7.9            2.2.0              1.7.9
    Distribution Mechanism  in-band          (no default)       in-band
Partial adoption of our defense
    Defense                  Possible Attacks   Time window of attack                            Vulnerable commit objects
    Commit signing           All attacks        Any time                                         Any object
    RSL (full adoption)      No attacks         None                                             No object
    RSL (partial adoption)   All attacks        After latest RSL and before the next RSL entry   Objects added after the latest RSL entry
Storage overhead
    Repository   No. of commits   Number of pushes   Repository size (MB)   Storage overhead
    Bootstrap    11,666           1,345              78.85                  .4%
    Angular.js   7,521            26                 66.96                  .009%
    D3           3,510            255                32.91                  .17%
    jQuery       6,031            194                15.79                  .22%
    oh-my-zsh    3,841            1,170              3.52                   6.5%
Network overhead
1. Additional ~25KB per push/fetch (less than 1% in some cases)
2. Double round trip time
3. These issues go away when RSL becomes part of Git’s pack protocol
Turning Theory Into Practice
Interaction with the Git community
1. Refactored Git tag PGP verification code
    ○ Yes, you are running our code starting on 2.9.0
    ○ 6 patches, over 8 iterations
2. Discussed a plan for the git-tag issue
3. Discussed the plan to address the rest
Other version control systems
    System      Signed revisions (commits)   Prevents MM attacks
    Git         Yes                          No
    Bitkeeper   No                           No
    Mercurial   Yes (via plugin)             Yes
    Monotone    Yes (mandatory)              Yes
Conclusions
To wrap up
1. Do not trust the infrastructure
2. GPG signatures on git objects are currently not enough...
    ○ ...but do it anyway!
    ○ Do not use references, but the object’s SHA1 when possible
3. Update Git!
Questions?
Thanks