on omitting commits and preventing git metadata tampering ... · on omitting commits and committing...

On Omitting Commits and Committing Omissions:

Preventing Git Metadata Tampering That (Re)introduces Vulnerabilities

Santiago Torres-Arias†, Anil Kumar Ammula‡,Reza Curtmola‡, Justin Cappos†

†New York University ‡New Jersey Institute of Technology

USENIX Security ‘16, Austin TX.1

2

Santiago Torres-AriasNew York University

Reza CurtmolaNew Jersey Institute of Technology

Justin CapposNew York University

Anil Kumar AmmulaNew Jersey Institute of Technology

The scenario

3

A central repository and two Devs

4

Repo

DevDev

master

Git is a distributed version control system

5

Repo

DevDev

master


6

Repo

DevDev

master

A A’


7

Repo

DevDev

master

work!


8

Repo

DevDev

push! Feature

master


9

Repo

DevDev

master

Featurepull!


10

Repo

DevDev

master

Featuremerge!


11

Repo

DevDev

master

Featurepush!


12

Repo

DevDev

master

Featurepull!


13

Repo

DevDev

master

FeatureTag!


14

Repo

DevDev

master

FeaturePush!

v1.0

user

Git repositories can be compromised

15

Repo

DevDev

master

Feature

user

Git repositories can be compromised

16

Repo

DevDev

master

Feature

Wants to Watch theWorld burn

While we were having chips and guacamole...

17

Repository compromises happen

18


19


20


21


22


23


24


25


26


27

Luckily, we have git’s security features

28

master

Luckily, we have

● Hash chaining

29

master


Luckily, we have

● Hash chaining

● Git commit and tag signatures

30

master

GPGdev

GPGdev


Luckily, we have

● Hash chaining


● Push certificates (more on them later).

31

master

GPGdev

GPGdev

Pushdev


Luckily, we have

● Hash chaining


● Push certificates (more on them later).

● What could go wrong?32

master

GPGdev

GPGdev

Pushdev


Example

33

What happened here?

santiago at ~ ✔: pip install -e git+https://github.com/santiagotorres/django/@1.9.3#egg=djangoObtaining django from git+https://github.com/santiagotorres/django/@1.9.3#egg=django[...] Successfully installed djangosantiago at ~ ✔: django-admin.py --version1.4.11

34

I want to install django 1.9.3

What happened here?

santiago at ~ ✔: pip install -e git+https://github.com/santiagotorres/django/@1.9.3#egg=djangoObtaining django from git+https://github.com/santiagotorres/django/@1.9.3#egg=django[...] Successfully installed djangosantiago at ~ ✔: django-admin.py --version1.4.11

35

But I get django 1.4.11

What happened here?

santiago at ~/django ✗ git verify-tag 1.9.3warning: Duplicated ref: refs/tags/1.5.11gpg: Signature made Wed 03 Sep 2014 01:10:58 AM EDT using RSA key ID 2D9266A6808FE067gpg: Good signature from "James Bennett <[email protected]>" [full]Primary key fingerprint: BD47 7E2E 05F7 EF63 71B6 E8EE 2D92 66A6 808F E067

36

I try to verify the tag...

What happened here?

santiago at ~/django ✗ git verify-tag 1.9.3warning: Duplicated ref: refs/tags/1.5.11gpg: Signature made Wed 03 Sep 2014 01:10:58 AM EDT using RSA key ID 2D9266A6808FE067gpg: Good signature from "James Bennett <[email protected]>" [full]Primary key fingerprint: BD47 7E2E 05F7 EF63 71B6 E8EE 2D92 66A6 808F E067

37

pgp verification passes...

What happened here?

38

santiago at ~/django ✔ git verify-tag --verbose 1.9.3object [...]tagger James Bennett <[email protected]> 1409721058 -0500[...]Tag 1.4.11gpg: Signature made Wed 03 Sep 2014 01:10:58 AM EDT using RSA key ID 2D9266A6808FE067gpg: Good signature from "James Bennett <[email protected]>" [full]Primary key fingerprint: BD47 7E2E 05F7 EF63 71B6 E8EE 2D92 66A6 808F E067

I ask for more detail...

What happened here?

39

santiago at ~/django ✔ git verify-tag --verbose 1.9.3object [...]tagger James Bennett <[email protected]> 1409721058 -0500[...]Tag 1.4.11gpg: Signature made Wed 03 Sep 2014 01:10:58 AM EDT using RSA key ID 2D9266A6808FE067gpg: Good signature from "James Bennett <[email protected]>" [full]Primary key fingerprint: BD47 7E2E 05F7 EF63 71B6 E8EE 2D92 66A6 808F E067

It’s the wrong tag!

What happened here?● Django 1.4.11 is vulnerable to 8+ RCE vulnerabilities

● But the GPG verification passed?

● Why did this happen?

40

The problem

41

Why did this happen?● Simply put, some Git metadata is not signed

42


.git/├── branches├── COMMIT_EDITMSG├── hooks│ ├── applypatch-msg.sample….├── index├── info├── logs│ ├── HEAD...├── objects...└── refs... └── tags

43



Signed!

44



Signed!

Not signed

45



Signed!

This is our target

46


○ References, pointers to Git tags and commits, are not signed

47



● An attacker with write access to the repository can modify this information.

48



● An attacker with write access to the repository can modify this information.

● The resulting attack looks like regular git operation.

49

Metadata Manipulation Attack Taxonomy

50

Attack taxonomy● Teleport Attacks

○ Branch Teleport Attack○ Tag Teleport Attack

● Rollback Attacks○ Branch Rollback Attack○ Global Rollback Attack○ Effort Duplication Attack

● Deletion Attacks○ Branch Deletion Attack○ Tag Deletion Attack

51

Attack taxonomy● Teleport Attacks




52

user

Branch teleport attack

master

do_not_merge!

Dev

repository

53

user


master

do_not_merge!

Dev

repository

54

Apple’s duplicated goto

user


master

Dev

repository

what is the latest master?

55

do_not_merge!

user


master

Dev

repositoryUhh, just a sec

56

do_not_merge!

user


master

Dev

repository

57

do_not_merge!

user


master

Dev

repository

what!? ok, I better merge

58

do_not_merge!

useruser

Branch teleport attack: result

master

repository

59

do_not_merge!

user

Tag teleport attack

master

v1.1

user

repository

give me tag v1.1!v1.vuln

60

user

Tag teleport attack

master

v1.1

user

repository

v1.vuln

You got it!

61

user

Tag teleport attack

master

user

repository

v1.vulnv1.1

62

user

Tag teleport attack

master

user

repository

v1.vulnv1.1 Neat!

less features!

63

user

Branch rollback attack

master

Feature

Dev

repository

FIX

Dev

64

user


master

Feature

Dev

repository

FIX

Dev

Here’s the fix!Can you review?

65

user


master

Feature

Dev

repository

FIX

Dev

looks good!Ready to merge

66

user


master

Feature

Dev

repository

FIX

Dev

Just a sec

67

user


master

Feature

Dev

repository

FIX

Dev

68

user


master

Dev

repository

Dev

Feature

69

FIX

user


master

Dev

repository

FIX

Dev

Feature

70

Dev! You broke it!

Attack taxonomy: summary● Teleport Attacks




❖➢ Buggy code inclusion➢ Wrong version retrieved

❖➢ Critical code omission➢ Critical code omission➢ Coding effort increased

❖➢ Missing branch➢ Missing tag

71

How can we fix this?

72

The problem with existing solutions● We could solve fork-consistency using existing solutions

73


● Consistency systems, like SUNDR, could solve this issue, but they disregard Git’s distributed nature.

74


● Consistency systems, like SUNDR, could solve this issue, but they disregard Git’s distributed nature.

● We require a solution that understands which files are meant to be synchronized

75

Defense assumptions● Developers communicate through other means

○ A complete fork attack will be noticed and discussed by side-channels

● A repository can be initialized with a root of trust

76

Our Solution

77

Defense goals: usability● Preserve current Git workflows

● Ensure backwards compatibility with older Git versions

● Provide increased security in partial adoption scenarios

78

Defense goals: security● Prevent modification of committed data

● Ensure consistent repository state

● Ensure repository state freshness

79

Defense: Overview➔ Provided by Git

➔ Reference State Log

➔ Nonce Bag

● Prevent modification of committed data



80

Defense: Overview➔ Provided by Git

➔ Reference State Log

➔ Nonce Bag

● Prevent modification of committed data



81

The Reference State Log

82

Repo

DevDev


83

Repo

DevDev

RSLdev

Push!


84

Repo

DevDev

RSLdev

Push!

regular push


85

Repo

DevDev

RSLdev

Push!

regular push

signed statement


86

Repo

DevDev

RSLdev


87

Repo

DevDev

RSLdev

Fetch!

regular fetch


88

Repo

DevDev

RSLdev

Pull!

regular fetch

reference consistency

The RSL push entry

89

EntryEntry

...Entry

Branch: master

HEAD: 0xfe….ab

PREV_HASH: 0xac...89

Signature: Dev’s signature

...

...

...

...

The RSL push entry

90

...

...

...

...

Branch: master

HEAD: 0xfe….ab

PREV_HASH: 0xac...89

Signature: Dev’s signature

...

...

...

...

➢ references changed➢ their updated locations➢ hash of previous RSL entry➢ authenticates whoever added this entry

❖ ➢ Add an RSL entry and push➢ fetch, retrieve RSL, and verify

repository state

Implementation: prototype

● Two extensions to git○ git securepush○ git securefetch

● RSL lives in repo○ as a special branch○ sent in-band

91

Synchronization

92

Repo

DevDev

master

Synchronization

93

Repo

DevDev

master

work!

Synchronization

94

Repo

DevDev

securepush! Feature

master

Synchronization

95

Repo

DevDev

master

Feature

securepull!

✔

Synchronization

96

Repo

DevDev

master

Featuremerge!

Synchronization

97

Repo

DevDev

master

Feature

secure push!

Synchronization

98

Repo

DevDev

master

Featuresecure pull!

98✔

Verification1. Is the entry signed by a trusted party?

2. Are all the entries in the RSL correctly linked together?

3. Are all the references pointing to the right place?

99

Evaluation

100

How are attacks prevented● Teleport Attacks




101

How are attacks prevented● Teleport Attacks




102

➔ Requires RSL entry with target: ◆ commit◆ tag

➔ Requires replaying RSL entry◆ Target commit must have been pushed◆ (prevented with Nonce Bag)◆ (Prevented with Nonce Bag)

➔ Requires valid RSL entry◆

RSL + Nonce Bag VS other mechanismsFeature Commit signing Push Certificate RSL

Commit Tampering ✓ ✓ ✓

Branch Teleport X ✓ ✓

Branch Rollback X X ✓

Global Rollback X X ✓

Effort Duplication X X ✓

Tag Rollback X ✓ ✓

Minimum Git Version 1.7.9 2.2.0 1.7.9

Distribution Mechanism in-band (no default) in-band 103

Partial adoption of our defense

Possible Attacks Time window of attack Vulnerable commit objects

Commit signing All attacks Any time Any object

RSL (full adoption) No attacks None No object

RSL (partial adoption) All attacks After latest RSL and before the next RSL entry

Objects added after the latest RSL entry

104

Storage overhead

Repository No. of commits Number of pushes Repository size(MB)

Storage Overhead

Bootstrap 11,666 1,345 78.85 .4%

Angular.js 7,521 26 66.96 .009%

D3 3,510 255 32.91 .17%

jQuery 6,031 194 15.79 .22%

oh-my-zsh 3,841 1,170 3.52 6.5%

105

Network overhead1. Additional ~25KB per push/fetch (less than 1% in some cases)

106


2. Double round trip time

107


2. Double round trip time

3. These issues go away when RSL becomes part Git’s pack protocol

108

Turning Theory Into Practice

109

Interaction with the Git community1. Refactored Git tag PGP verification code

110


○ Yes, you are running our code starting on 2.9.0○ 6 patches, over 8 iterations

111


2. Discussed a plan for the git-tag issue

112

Interaction with the Git community

113


2. Discussed a plan for the git-tag issue

3. Discussed the plan to address the rest

114

Other version control systems

115

System Signed revisions (commits) prevents MM attacks

Git Yes No

Bitkeeper No No

Mercurial Yes (via plugin) Yes

Monotone Yes (mandatory) Yes

Conclusions

116

To wrap up1. Do not trust the infrastructure

117


2. GPG signatures on git objects is currently not enough...○ ...but do it anyway!○ Do not use references, but the object’s SHA1 when possible

118


2. GPG signatures on git objects is currently not enough...○ ...but do it anyway!○ Do not use references, but the object’s SHA1 when possible

3. Update Git!

119

Questions?

Thanks

120

Questions?

Thanks

121

on omitting commits and preventing git metadata tampering ... · on omitting commits and committing...

Documents