The recent high-profile supply chain and dependency confusion attacks are a cross-industry wake-up call about the breadth and depth of impact that these value chain, or third-party, attacks can have on customers, business operations, and brand reputation. Security teams know that supply chain attacks are not new; they have been around for decades. What was once considered a niche threat, however, is now widespread and sophisticated. Malicious actors are now targeting widely used techniques in software applications and code repositories to compromise unsuspecting vendors.

So how do we protect our customers and our product?

We're doing deep dives and making improvements across our product, processes, and practices as well as the controls we have in place for our partner and third-party vendor ecosystem to fortify the security of our supply chain. This blog post details our early steps to ensure packages and registries operate the way we expect them to and are continually monitored and secured.

Back in December of 2020, we talked about the work our Security Research team is doing to identify malicious packages by developing a tool called Package Hunter. Package Hunter uses dynamic behavior analysis to identify malicious packages that attempt to exfiltrate sensitive data or run unexpected code. It currently runs in GitLab's internal pipelines, giving our code reviewers valuable information when they review dependency updates. We plan to open source Package Hunter in the near future (watch this space!) and integrate it with GitLab CI so that you can run it in your own pipelines. By making Package Hunter available to the wider community, we hope to put users in a position to proactively detect unexpected dependency behavior, such as the behavior exhibited in the recent dependency confusion attacks, and to contribute to the security of CI environments.

Introduction to GitLab package managers

GitLab has an open core business model and is proud to ship open and source-available source code which has been built in part by members of the GitLab community.

To help our customers in their development process, GitLab supports several package managers, but we ourselves mainly use three programming languages:

We also provide package registries for different types of package managers; the following are the most popular:

as well as a container registry (for storing Docker images) and a dependency proxy that caches frequently used Docker images.

How dependency confusion happens

As we saw in the recent high-profile novel supply chain attacks, dependency confusion attacks exploit a logic flaw in the default way that software development tools pull in third-party packages from public and private repositories. Malicious actors can exploit this issue to "trick" an environment into pulling in a malicious public package instead of the intended private, custom package.

For a dependency confusion to happen, some conditions need to be met, such as:

While controlling the user environment is challenging, we can and should make sure that the behavior of our GitLab package registries is as intended and secure.

Investigating the behavior of our package registries

To investigate, we opened an issue to review the behavior of our package registries, as well as some more dangerous aspects such as the ability to run pre/post install scripts, the package override mechanisms that package managers support, and the use of `--extra-index-url` with PyPI. Check out these instructions on how to install PyPI packages.

The TL;DR on our package registry checks

Long story short: of the many package registries GitLab offers, only the npm package registry contacts the official public registry, npmjs.org, and it does so only after checking whether the package exists on gitlab.com. This means our package registry implementations follow best practice!

Another interesting area we explored in more depth is the various ways a package can be used maliciously to interact with a system or extract information from it. Thankfully, we already check for suspicious behavior of this kind with Package Hunter.

Beyond registry investigation

Dependencies of our Ruby codebase

Reviewing our registries was not enough. We have a sizeable list of Ruby projects (about 300), and verifying whether we were affected was relatively easy. Thanks to a tool developed by my teammate and Senior Security Engineer, Michael Henriksen, I was able to quickly grab the Gemfiles to check and extract the source to make sure we are using the official https://rubygems.org. Our investigation indicates this was the case.
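The check described above can be reproduced with a small audit script. The following is an added example and is not the tool mentioned in the post: it reads a Gemfile and a Gemfile.lock and reports every fetch source that is not the official https://rubygems.org, covering the global `source` line, per-gem `source:` overrides, `git:`/`github:` gems (which bypass registries entirely), and the `remote:` entries of the lockfile. The two sample files embedded below are constructed for the demo; the private registry hostname `gems.acme.example` is an assumption.

```ruby
# Added example (not GitLab's or Michael Henriksen's tool): audit the sources a
# Ruby project fetches gems from and flag anything other than rubygems.org.
OFFICIAL = "https://rubygems.org".freeze

def normalize(url)
  url.strip.delete_suffix("/")
end

# Returns [[kind, location, detail], ...] for every gem source found in a Gemfile.
def gemfile_sources(text)
  text.each_line.with_index(1).flat_map do |line, no|
    stripped = line.sub(/#.*/, "").strip # drop trailing comments
    found = []
    # Global `source "https://..."`; the first one is the default for all gems.
    if (m = stripped.match(/\Asource\s+["']([^"']+)["']/))
      found << [:global, "Gemfile:#{no}", m[1]]
    end
    # Per-gem override: gem "name", source: "https://..."
    if stripped.start_with?("gem ") && (m = stripped.match(/source:\s*["']([^"']+)["']/))
      found << [:gem, "Gemfile:#{no}", m[1]]
    end
    # git: / github: gems are fetched from the repository, not from any registry.
    if stripped.start_with?("gem ") && stripped.match?(/\b(git|github):/)
      found << [:git, "Gemfile:#{no}", stripped]
    end
    found
  end
end

# Every `remote:` of the lockfile (GEM, GIT and PATH sections alike).
def lockfile_remotes(text)
  text.each_line.with_index(1).filter_map do |line, no|
    m = line.match(/\A\s+remote:\s+(\S+)/)
    [:lock, "Gemfile.lock:#{no}", m[1]] if m
  end
end

# Everything that does not resolve to the official registry; git sources are
# always reported so a reviewer can look at them.
def unofficial_sources(gemfile, lockfile)
  (gemfile_sources(gemfile) + lockfile_remotes(lockfile)).reject do |kind, _, url|
    kind != :git && normalize(url) == OFFICIAL
  end
end

# Constructed sample input (the private host gems.acme.example is made up).
SAMPLE_GEMFILE = <<~GEMFILE
  source "https://rubygems.org"
  gem "rails", "~> 6.1"
  gem "acme-internal", source: "https://gems.acme.example/"   # private registry
  gem "gitlab-styles", git: "https://gitlab.com/gitlab-org/gitlab-styles.git"
GEMFILE

SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rails (6.1.3)
  GEM
    remote: https://gems.acme.example/
    specs:
      acme-internal (1.0.0)
LOCK

if __FILE__ == $PROGRAM_NAME
  unofficial_sources(SAMPLE_GEMFILE, SAMPLE_LOCKFILE).each do |kind, where, what|
    puts "#{where}: #{kind} source is not rubygems.org -> #{what}"
  end
end
```

Run against the sample, the script reports the per-gem private source on Gemfile line 3, the git gem on line 4 and the private remote in the lockfile; the global `source` and the rubygems.org lockfile remote are accepted. Auditing the lockfile as well as the Gemfile matters because the lockfile records where each gem was actually resolved from.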

Verifying and updating npm

JavaScript is our second most used programming language, so we needed to make sure that all of our packages (around 160) exist on npmjs.org. This investigation revealed one package that did not: @conventionalcomments/cc-parse, a package developed by a previous team member. While we do use it internally, we had no reason to keep it only on gitlab.com. To ensure this did not become an issue in the future, we decided to publish the package on npmjs.org.

Referencing Go

Because of how Go modules work, dependency confusion attacks are not possible. However, other types of attacks are possible, and I recommend reading Michael Henriksen's blog post summarizing his research, "Finding Evil Go Packages".

Referencing Go packages is very simple: you just provide the package URL, such as `import "github.com/stretchr/testify"`, and that's it. Any URL can be provided, which makes evaluating whether a Go package is legitimate difficult. Nevertheless, we are looking at how we can close the gap and better protect customers using Go packages.

How do we avoid confusion attacks?

Currently only the npm package registry supports forwarding a request to npmjs.org when the package is not found on gitlab.com. This forwarding is enabled by default for self-managed users and is currently enabled on our SaaS offering. Implementations of new package registries will make sure we always check GitLab first before searching the public official registries.
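To make the ordering concrete, here is an added example (not GitLab code) that simulates the two resolution strategies discussed in "How dependency confusion happens" and in this section: a vulnerable resolver that treats a private and a public registry as equals and picks the highest version seen anywhere (the pip `--extra-index-url` behavior mentioned earlier), and a private-first resolver that only forwards to the public registry when the private one has never seen the name, which is the behavior described for the GitLab npm registry. The registry contents, the package names and the attacker's `99.0.0` version are all constructed for the demo.

```ruby
# Added example (not GitLab code): dependency confusion as a resolver ordering bug.
require "rubygems" # for Gem::Version, used to compare version strings

# Constructed registry contents: package name => published versions.
PRIVATE_REGISTRY = {
  "acme-internal-utils" => ["1.2.0", "1.3.0"], # only ever published privately
  "acme-shared-config"  => ["0.9.0"],
}.freeze

PUBLIC_REGISTRY = {
  "lodash"              => ["4.17.20", "4.17.21"],
  # The attacker registered the private name publicly with a very high
  # version number; this is the dependency confusion setup.
  "acme-internal-utils" => ["99.0.0"],
}.freeze

Resolution = Struct.new(:name, :version, :registry)

def highest(versions)
  versions.max_by { |v| Gem::Version.new(v) }
end

# Vulnerable strategy: every configured index is equal and the highest
# version seen anywhere wins, so the attacker's 99.0.0 beats the real 1.3.0.
def resolve_highest_anywhere(name)
  candidates  = PRIVATE_REGISTRY.fetch(name, []).map { |v| Resolution.new(name, v, :private) }
  candidates += PUBLIC_REGISTRY.fetch(name, []).map { |v| Resolution.new(name, v, :public) }
  candidates.max_by { |r| Gem::Version.new(r.version) }
end

# Safe strategy: consult the private registry first and forward to the public
# registry only when the private one does not know the name at all.
def resolve_private_first(name)
  if PRIVATE_REGISTRY.key?(name)
    Resolution.new(name, highest(PRIVATE_REGISTRY[name]), :private)
  elsif PUBLIC_REGISTRY.key?(name)
    Resolution.new(name, highest(PUBLIC_REGISTRY[name]), :public)
  end
end

if __FILE__ == $PROGRAM_NAME
  %w[acme-internal-utils acme-shared-config lodash].each do |name|
    bad  = resolve_highest_anywhere(name)
    good = resolve_private_first(name)
    puts format("%-20s highest-anywhere: %-16s private-first: %s", name,
                "#{bad.version}@#{bad.registry}", "#{good.version}@#{good.registry}")
  end
end
```

For `acme-internal-utils` the highest-anywhere resolver installs the attacker's `99.0.0` from the public registry, while the private-first resolver installs `1.3.0` from the private one; `lodash`, which only exists publicly, resolves to the public `4.17.21` under both. Note that the private-first strategy still falls through to the public registry the moment a name is no longer present privately, which is why publishing or reserving the name publicly, as done for @conventionalcomments/cc-parse above, and pinning versions in a lockfile remain worthwhile.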

Controlling the confusion

We recently published a blog post on how GitLab helps prevent supply chain attacks, including ways that customers can combine our DevSecOps platform with a holistic security program to quickly gain control and visibility over their software supply chain.

In 2021, our plan is to introduce a new product category aptly named Dependency Firewall. We believe the capabilities in this plan will help users prevent downloads of suspicious dependencies. As currently envisioned, the new product will include the following capabilities:

Thanks to Tim Rizzi for his contributions to this section.

Supply chain attacks are ongoing and increasing, so the work, vigilance and research of our security teams must increase too. We'll continue sharing information about the ways we're making our product stronger and more secure, but if you have a specific question or topic area that you'd like to hear from us about, leave us a comment or get in touch with me on Twitter, @muffinbox33.

Cover image by Gabriel Sollmann on Unsplash
