Unclear difference between dependency and package threats #1039
Comments
|
Agreed on the confusion. Thanks for pointing it out. We should address this. (D) is really all of the other threats (A)-(H) recursively, from a different frame of reference. It is saying that a given package could be compromised by doing (A)-(H) from one of its dependencies. Maybe an example would help. Consider |
|
I also agree that the name of (H) could be improved. We originally said "Trick user into using bad package", which sounded limited to typosquatting, but we really also intend things like modification in transit (e.g. MitM). The current name "Use compromised package" sounds recursive like (D), but that is not the intention. |
|
I also think some of the build threats are not relevant where they should be. For example, imo F and G should be under a "publication threat" rather than build threat. unrelated: Why do we have B about compromising a source repo, but we don't have the equivalent to compromising a builder? |
I don't think so. The idea is that we have three clusters of threats:
Package threats are not really distinct from build threats. The outcome and solutions are largely the same, so it's helpful to bundle them together. (I think we should do a better job of explaining this though.)
We do, see "Compromise build platform admin" under (E). |
- Explain that "dependency threats" are not distinct threats but
rather threats to other pieces of software that also affect this
one. In the diagram, the diagram to color (D) differently to show
this, mirroring the existing dashed lines.
- State that only "build dependencies" are in scope for the threat
model, matching existing diagram and terminology throughout SLSA.
- Rename "Use compromised dependency" to "Compromise build
dependency", both for consistency with other threats, which are from
the adversary's point of view, and to emphasize that this is
restricted to build dependencies.
- Expand the text about dependency threats and give examples.
Highlight both "include" and "build tool" types of dependencies, and
also include both an accidental vulnerability and a malicious
backdoor.
This partially addresses slsa-framework#1039 by fully explaining (D) and using
different phrasing and coloring between (D) and (H). That said, a future
PR should further refine (H).
Signed-off-by: Mark Lodato <lodato@google.com>
Refine the "dependency threats" of the Threats & Mitigations page to better explain the intent and to differentiate from (H), which sounded confusingly similar (slsa-framework#1039). More work is needed to refine (H), but that is left to a separate PR. - Explain that "dependency threats" are not distinct threats but rather threats to other pieces of software that also affect this one. In the diagram, the diagram to color (D) differently to show this, mirroring the existing dashed lines. - State that only "build dependencies" are in scope for the threat model, matching existing diagram and terminology throughout SLSA. - Rename "Use compromised dependency" to "Compromise build dependency", both for consistency with other threats, which are from the adversary's point of view, and to emphasize that this is restricted to build dependencies. - Expand the text about dependency threats and give examples. Highlight both "include" and "build tool" types of dependencies, and also include both an accidental vulnerability and a malicious backdoor. Signed-off-by: Mark Lodato <lodato@google.com>
|
I just sent out #1046. Please take a look to see if that's on the right track. I don't think it fully addresses this issue since it doesn't touch (H), but I wanted to keep the PR a manageable size. |
Not sure I agree with this. The process of publication can change a package, but an artifact is not a package until it's published. The process of publishing binds an artifact to a package URI. A build is just a blob of data with no meaning until it's bound to a package. The binding to me refers to some sort of policy / expectation verification which is somewhat unrelated to the build process itself. There is so much more to publication than build, including delegation of this verification policy (VSA), policy definition, etc... I would find it more intuitive if source threats were addressed by source track, build threats by build track, etc
+1, overlooked this. |
Your description of the threat clusters is clear and helpful. However, I believe we may need to clarify how to categorize threats that fall at the edges between these clusters. For instance, consider the threat (C) "Build from modified source." This scenario could be interpreted as a build threat since the package received does not match the source of truth. However, it's not necessarily that the source of truth itself is compromised. So, the question arises: is it a source or a build threat? Similarly, threats (H) and (D) are positioned at the edge between the group of build threats and consumption of packages. When intercepting the download of a package, is it a build threat or does it a problem for the consumer of the package? I believe addressing these edge cases will provide a clearer understanding of how to categorize threats within our framework. |
Yes, all of this is part of the "build track" and "build threats". Perhaps it's just a naming issue. Would "binary provenance threats" or "build & packaging threats" or "publication threats" resonate better?
That is the intent. All of these threats are intended to be solved by the build track. The main challenge is the verification story. Right now the "requirements" for build track are just about publishing provenance and we have this awkward separate page about verification. I want that to all be put together so that the entire track is about end-to-end guarantees. But that's a larger issue.
Yes, I completely agree! (C) can go either way:
👍👍👍 |
This comment feels related to #1041. I don't have a good solution since more precise names tend to be longer and a bit awkward. FWIW, I like "binary provenance threats" best of the listed options.
I see (A) as an attacker making unauthorized changes to the official source and (C) as building from unofficial source. I think we're having trouble classifying (C) because we're assuming some notion of official source that isn't a part of the SLSA model. The shape of my thinking is roughly:
(C) is an attack on that last mapping and only makes sense in a context where that mapping is explicit and maintained. In such a context, I might argue that it's an attack on the publication process rather than the build process or source repo. It also isn't clear to me how much this classification matters since perhaps this ambiguity is evidence that the source/build/dependencies/etc classification is breaking down. |
Refine the "dependency threats" of the Threats & Mitigations page to better explain the intent and to differentiate from (H), which sounded confusingly similar (slsa-framework#1039). More work is needed to refine (H), but that is left to a separate PR. - Explain that "dependency threats" are not distinct threats but rather threats to other pieces of software that also affect this one. In the diagram, the diagram to color (D) differently to show this, mirroring the existing dashed lines. - State that only "build dependencies" are in scope for the threat model, matching existing diagram and terminology throughout SLSA. - Rename "Use compromised dependency" to "Compromise build dependency", both for consistency with other threats, which are from the adversary's point of view, and to emphasize that this is restricted to build dependencies. - Expand the text about dependency threats and give examples. Highlight both "include" and "build tool" types of dependencies, and also include both an accidental vulnerability and a malicious backdoor. Signed-off-by: Mark Lodato <lodato@google.com>
Refine the "dependency threats" of the Threats & Mitigations page to better explain the intent and to differentiate from (H), which sounded confusingly similar (#1039). More work is needed to refine (H), but that is left to a separate PR. - Explain that "dependency threats" are not distinct threats but rather threats to other pieces of software that also affect this one. In the diagram, the diagram to color (D) differently to show this, mirroring the existing dashed lines, and add "(A-H recursively"). - State that only "build dependencies" are in scope for the threat model, matching existing diagram and terminology throughout SLSA. - Rename "Use compromised dependency" to "Compromise build dependency", both for consistency with other threats, which are from the adversary's point of view, and to emphasize that this is restricted to build dependencies. - Expand the text about dependency threats and give examples. Highlight both "include" and "build tool" types of dependencies, and also include both an accidental vulnerability and a malicious backdoor. Signed-off-by: Mark Lodato <lodato@google.com>
The difference between "(D): Use of compromised dependency" and "(H): Use of compromised package" is unclear.
There is no explanation of what make using a package as a dependency different from using it in any other form or way.
I suggest that we either clarify the difference or merge them into one threat.
https://slsa.dev/spec/v1.0/threats-overview
Below are some parts out of a conversation on Slack:
arewm:
nvolcz:
arewm:
The text was updated successfully, but these errors were encountered: