Using Delegations to Protect Community Repositories. Trishank Karthik Kuppusamy, Santiago Torres- Arias, Vladimir Diaz, Justin Cappos

Size: px

Start display at page:

Download "Using Delegations to Protect Community Repositories. Trishank Karthik Kuppusamy, Santiago Torres- Arias, Vladimir Diaz, Justin Cappos"

Claribel Jenkins
5 years ago
Views:

1 Diplomat Using Delegations to Protect Community Repositories Trishank Karthik Kuppusamy, Santiago Torres- Arias, Vladimir Diaz, Justin Cappos

2 Community repositories 2

3 Community repositories: examples 3

4 Community repositories: definition All software by 3rd-party developers. Software organized by. A project may release many packages. > 10K, 100K packages (e.g., on PyPI). A new project/package added every few minutes (e.g., on PyPI). Projects Django Scapy Packages Django tar.gz Django tar.gz Scapy zip 4

5 Great! What is the problem? 5

6 What do these organizations share? 6

7 Users were attacked via software updates. 7

8 Repository compromise: impact High impact: malware can be installed by millions of unsuspecting users. Microsoft Windows Update (2012): Flame malware spread via MitM attack. South Korea cyberattack (2013): $756,000,000 USD in economic damage due to malware spread partly via automatic software updates. 8

9 Goal: compromise-resilience Cannot prevent a compromise. But must at least limit its impact. Attackers can compromise as few users as possible. 9

10 Previous security systems 10

11 Overview (a) repository administrators project developers packages (b) repository administrators project developers packages foo-2.0 foo-2.1 foo foo-2.0 foo-2.1 bar-1.0 GPG bar bar-1.0 (c) (d) foo foo-2.0 foo-2.1 foo foo-2.0 foo-2.1 bar bar-1.0 bar bar-1.0 legend delegates packages to signs for packages online keys offline keys developer keys package 11

12 (a) Repos sign packages with online keys Repositories sign packages with a transport mechanism (e.g., TLS, CUP). Signing private keys kept online. Not compromise-resilient. (a) repository administrators online keys project developers packages foo-2.0 foo-2.1 bar

13 (b) Devs sign packages with offline keys Developers sign packages with (e.g., GPG, RSA) offline private keys. Compromise-resilient! But, unusable key distribution & revocation. (b) repository administrators GPG project developers foo bar developer keys packages foo-2.0 foo-2.1 bar

14 Interlude: Delegations with TUF TUF (our previous system) uses delegations. Bind public keys to. Survivable key compromise in software update systems, Samuel et. al., CCS delegates packages to Django- Scapy- Metadata Alice Sue signs for packages.tar.gz Bob developer keys Django tar.gz Django tar.gz Administratormanaged Developermanaged Scapy zip Packages 14

15 Interlude: Delegations with TUF How to sign Administratormanaged Developermanaged delegations? Use online or Django- Scapy- Alice Sue.tar.gz Bob Django tar.gz Django tar.gz Scapy zip Metadata Packages offline keys? delegates packages to signs for packages developer keys 15

16 (c) Repos delegate with online keys Repositories delegate to developers with online keys. Immediate project registration! But, not compromiseresilient. (c) repository administrators delegates packages to signs for packages project developers foo bar online keys packages foo-2.0 foo-2.1 bar-1.0 developer keys 16

17 (d) Admins delegate with offline keys Administrators delegate to developers with offline keys. Compromise-resilient! But, no immediate project registration. (d) delegates packages to repository administrators signs for packages project developers foo bar offline keys packages foo-2.0 foo-2.1 bar-1.0 developer keys 17

18 Either or Previous systems force community repositories to choose either compromise-resilience, or immediate project registration. 18

19 Diplomat: a new security system 19

20 New idea What if. (e) repository administrators project developers foo bar offline keys developer keys 20

21 New idea: a middle way? What if. Sign delegations to most with offline keys... (e) repository administrators claimed project developers foo bar offline keys developer keys 21

22 New idea: a middle way? What if. Sign delegations to most with offline keys. Sign only delegations to new with online keys. (e) repository administrators online keys claimed new offline keys developer keys project developers foo bar 22

23 New idea: a middle way? Both compromiseresilience and immediate project registration via multiple delegations. (e) repository administrators claimed new project developers foo bar online keys offline keys developer keys 23

24 Ambiguous delegations What if A delegates the bar project to both B and C? Should a package manager trust B or C for the bar project? A bar- B C backtracking delegation bar-1.0 bar-1.0 bar-1.1 ambiguous delegations 24

25 Ambiguous delegations: ordering problem What if both B and C sign the same bar-1.0 package? A bar- B C bar-1.0 bar-1.0 backtracking delegation ambiguous delegations 25

26 Ambiguous delegations: failover problem What if B does not sign the bar-1.1 package, but C does? A bar- B C bar-1.1 backtracking delegation ambiguous delegations 26

27 Ambiguous delegations No clear answer. How does A say what it really means? Only trust B for bar, and C for everything else. A bar- B C backtracking delegation bar-1.0 bar-1.0 bar-1.1 ambiguous delegations 27

28 Prioritized delegations: ordering problem A prioritizes delegation to B before C. Package manager will check B before C. A (1) bar- (2) B C bar-1.0 bar-1.0 prioritized, backtracking delegation ambiguous delegations 28

29 Terminating delegations: failover problem A terminates the bar project at B. Package manager will search for bar only in B. A bar- B C bar-1.1 terminating delegation backtracking delegation ambiguous delegations 29

30 Prioritized & terminating delegations Conflict resolution with preorder DFS. If delegator signed for package, return that. Otherwise, visit delegatees in order of priority. If delegation is terminating, return after delegatee visit. A (1) bar- prioritized, backtracking delegation (2) B C terminating delegation bar-1.0 bar-1.0 bar-1.1 ambiguous delegations 30

31 Building usable security models 31

32 Usable security models Developed from collaboration with real-world community repositories. Legacy model (PEP 458). Maximum model (PEP 480). 32

33 Legacy/maximum security model administrators project developers packages claimed foo- foo Project foo-mac-1.2 foo-win-1.2 backtracking delegation Compromiseresilient foo-mac-1.3 terminating delegation online keys Projects at risk new zap- zap Project zap-1.0 zap-1.0 offline keys developer keys 33

34 Periodic task: claiming new administrators packages claimed foo- foo Project backtracking delegation Compromiseresilient terminating delegation online keys Projects at risk new zap- zap Project First, a new project will be delegated by the new- role. offline keys developer keys 34

35 Periodic task: claiming new administrators packages claimed Compromiseresilient foo- zap- foo Project zap Project Periodically, administrators will move new to the claimed role. backtracking delegation terminating delegation online keys Projects at risk new offline keys developer keys 35

36 Projects unsigned by developers Developers may not sign for various reasons e.g., project no longer actively maintained Idea: why not let administrators sign on behalf of developers? 36

37 Legacy security model administrators project developers packages claimed foo- foo Project foo-mac-1.2 foo-win-1.2 backtracking delegation Compromiseresilient foo-mac-1.3 Unclaimed are like rarely updated, but signed with online keys. terminating delegation online keys Projects at risk new zap- zap Project zap-1.0 zap-1.0 offline keys developer keys unclaimed soup

38 Legacy security model administrators project developers packages claimed foo- foo Project foo-mac-1.2 foo-win-1.2 backtracking delegation Compromiseresilient foo-mac-1.3 Unclaimed are like rarely updated, but signed with online keys. terminating delegation online keys Projects at risk new zap- zap Project zap-1.0 zap-1.0 offline keys developer keys unclaimed soup-0.1 soup

39 Maximum security model administrators project developers packages claimed Compromiseresilient soup-, nuts- rarelyupdated foo- foo Project foo-mac-1.2 foo-win-1.2 foo-mac-1.3 soup-0.1 backtracking delegation terminating delegation online keys Projects at risk new zap- zap Project zap-1.0 zap-1.0 offline keys developer keys Rarely updated are not actively maintained by developers, and signed by administrators instead. 39

40 Maximum security model administrators project developers packages claimed Compromiseresilient soup-, nuts- rarelyupdated foo- foo Project foo-mac-1.2 foo-win-1.2 foo-mac-1.3 soup-0.1 soup-0.2 backtracking delegation terminating delegation online keys Projects at risk new zap- zap Project zap-1.0 zap-1.0 offline keys developer keys Rarely updated are not actively maintained by developers, and signed by administrators instead. 40

41 Legacy vs maximum Legacy Maximum Claimed Compromise-resilient Compromise-resilient New Not compromiseresilient Not compromiseresilient online keys offline keys 41

42 Legacy vs maximum Legacy Maximum Claimed Compromise-resilient Compromise-resilient New Not compromiseresilient Not compromiseresilient Projects signed by administrators on behalf of developers Not compromiseresilient online keys offline keys 42

43 Legacy vs maximum Legacy Maximum Claimed Compromise-resilient Compromise-resilient New Not compromiseresilient Not compromiseresilient Projects signed by administrators on behalf of developers Not compromiseresilient Compromise-resilient online keys offline keys Cannot immediately release new packages 43

44 Usability UX for users, developers & administrators. Revoking/replacing project/developer keys. Smooth transition from legacy to maximum. Securely recovering from a repository compromise. Please see paper for details! 44

45 Evaluation on PyPI: TLS/GPG 1. What if PyPI was compromised undetected for a month? 2. Sanitized download log from >1m to 400K users. a. See paper for details. 3. What if PyPI had used only TLS/GPG (i.e., no compromise-resilience)? 45

46 Evaluation on PyPI: legacy (popular) 1. Claim top 1% popular : protect 73% users. 46

47 Evaluation on PyPI: legacy (hybrid) 1. Claim top 1% popular : protect 73% users. 2. Claim rarely updated : protect 75% users. 3. Claim on update: protect 94% users. 47

48 Evaluation on PyPI: maximum Protect >99% users. 48

49 Conclusion 49

50 Deployments & Integrations 50

51 Q & A Thanks! Questions? trishank@nyu.edu 51

Diplomat: Using Delegations to Protect Community Repositories

Diplomat: Using Delegations to Protect Community Repositories Trishank Karthik Kuppusamy, Santiago Torres-Arias, Vladimir Diaz, and Justin Cappos, New York University https://www.usenix.org/conference/nsdi16/technical-sessions/presentation/kuppusamy