-
Notifications
You must be signed in to change notification settings - Fork 213
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Trustworthiness of provenances in Build L2 #863
Comments
So the way I read it, and maybe we can make it clearer here is the build is not the same as the build platform. The build platform should always be secured against tampering from the build itself. Build L3 focuses on builds tampering with each other. |
I was thinking about this , IMHO untrusted build platform may mean many things . For example , But does not prevent secret material used to sign the provenance from being accessible to the user-defined build steps. In this case if you trust the developers who have access to a specific project you can still trust the prov was not effected by the other projects users and builds. You can also further harden access to users using commit signatures restriction users to specific files. Another approach compare the prov details with the build platform API directly. Verifing prov against the rekor transparency. Another thing I was thinking about is basic key management tricks, rolling keys, replacing keys (past and future protection), As well a range of key management tools services that you may want to use instead of the untrusted build platform one.. The same goes for separating between builds, hardware features allowing to separate trusted and untrusted code (vm, SGX, namespaces, using simply seperate build machines. |
@behnazh-w I'm not sure how to interpret your comment. Do you mean:
|
Comparing the requirements in Build L2 and Build L3, L2 asks for trustworthiness of a provenance without giving any details. L3 makes it more concrete by stating:
Now, I would argue that the above property should also be required at Build L2 if we really want to trust the provenance and prevent Forge values of the provenance attacks. So, my suggestion is to add this requirement to Build L2, and come up with a stronger requirement for Build L3, e.g.,
This would be achievable in build platforms, such as GitHub Actions when they supports OpenID Connect tokens, and keyless signing as a result.
To me the specification first needs to clarify the main differences between Build L2 and L3 in terms if trustworthiness of a provenance. Next, having a Build Platform Operations track in future would help to assess whether the requirements are met. |
Perhaps a way to think of the differences is "who do you need to trust?"
|
I agree with @sudo-bmitch's description. From https://slsa.dev/spec/v1.0/levels#build-l2:
|
Discussed at the 2023-08-14 spec meeting. Next steps:
|
Thanks for summarising @MarkLodato! I think we should move the (excellent) longer term idea into a separate issue and track only the short term item in this issue. @behnazh-w, would the proposed short-term fix resolve this issue for you? |
The plan to have a short-term and a long-term fix sounds good to me. I'm not sure though what the short-term fix would look like. @MarkLodato can you please clarify what "resists tampering by the developer" means in terms of "who/what to trust" and how the requirement would look like after the fix? |
I'll send out a PR to discuss potential wording. @joshuagl do you mind filing a separate issue for the long-term fix (presumably for v1.1)? |
Update levels.md to align with requirements.md and to make it more clear how the requirements on the build platform differ between levels: Build L1: - Problem: levels.md incorrectly implied that that the *platform* must generate the provenance. - Fix: Update levels.md to say that provenance must simply "exist", matching the wording on requirements.md. Also simplify the wording while we're at it. Build L2: - Problem: The phrase "ensures the trustworthiness of the provenance" could be misread as being a general requirement for L2 builds, whereas the intention was just as a qualifier on "some equivalent platform." Also, the intent of the build platform generating and signing the provenance was unclear, further exacerbating the problem above. - Fix: Simplify this bullet to focus on the intent of (a) builds running on dedicated infrastructure and (b) tying the provenance to that infrastructure. Fixes slsa-framework#863. Signed-off-by: Mark Lodato <lodato@google.com>
Sent #948 for review. |
Update levels.md to align with requirements.md and to make it more clear how the requirements on the build platform differ between levels: Build L1: - Problem: levels.md incorrectly implied that that the *platform* must generate the provenance. - Fix: Update levels.md to say that provenance must simply "exist", matching the wording on requirements.md. Also simplify the wording while we're at it. Build L2: - Problem: The phrase "ensures the trustworthiness of the provenance" could be misread as being a general requirement for L2 builds, whereas the intention was just as a qualifier on "some equivalent platform." Also, the intent of the build platform generating and signing the provenance was unclear, further exacerbating the problem above. - Fix: Simplify this bullet to focus on the intent of (a) builds running on dedicated infrastructure and (b) tying the provenance to that infrastructure. Partially addresses #863. Signed-off-by: Mark Lodato <lodato@google.com>
Open comment from #948 (comment) by @behnazh-w:
|
Upon further reflection (background), I think the main issue is that the security objective of Build L2 is too fuzzy. Currently we have:
The requirements "authentic" and "hosted" are wishy-washy with no clear security bar. Quote (emphasis added):
What if we simplify the ladder by moving "unforgeable" to L2 and drop/merge the redundant requirements? Then we'd have:
In other words:
I think this might make things more clear for everyone. Thoughts? If we agree that this is indeed better, the question is then, how disruptive would this be? It would definitely require a v2.0 since it's not backwards compatible. But I'm more wondering how many systems would this change affect, i.e. how many have already implemented something that passes v1.0's Build L2 but would not pass v2.0's? |
My experiences with build platforms would bias me toward |
I think |
@jkjell That's a good point. However, I think
I think the big question is, are there real-world build platforms that would meet What do you think? |
Yeah, that makes sense. I think I often conflate build and control plane isolation. Then I make the leap to the idea that if builds are not isolate, the control plane may not be either (viewing isolation as the prerequisite to each). I think many times the mechanism for this isolation (say containers or clusters per boundary) can be the same for each but, that's not generally true. I'm not sure that This is a long way to saying ➕ to better defining isolation requirements and possibly considering its relationship to build system control planes while doing so. |
I think its' a good idea to be more specific about unforgeable provenances:
I would also keep |
I'm all for moving unforgeable to L2 and merging with authentic. The hosted requirement causes a lot of confusion and I think it makes sense to remove it from L2. What happens to it then, though? I think we can all agree that we should be discouraging software producers from generating release products on users' workstations, for security and business continuity reasons. Perhaps we can make this more explicit in verifiying systems until such a time as we have a concrete control and outcome to document in the Build track?
The stated outcomes here reflect the focus areas we document on the levels page of the v1.0 spec:
Tekton chains and npm provenance come to mind as two solutions which claim SLSA Build L2. I believe if we merge provenance authenticated & provenance unforgeable that npm packages using the npm GitHub Action will still meet SLSA Build L2 (thanks to use of per-job workflow identities and Sigstore). I'm much less familiar with Tekton & Chains, but I think we have members of the community who can help us understand whether this change to the spec would be disruptive to those projects. |
I've seen a lot of that confusion. My own take is we should focus on the goal rather than a proxy for that goal. I believe we want to be sure the build server is relatively secure and maintained to reduce the likelihood of a compromised build host. Otherwise OSS purist that refuse to use a cloud service and instead run a reproducible build on an airgapped laptop in their basement that otherwise stays locked in a cabinet will feel excluded by a technicality. While the insert name of compromised cloud build service users with compromised credentials, or even someone with an unpatched Jenkins server listening on the internet, can keep checking the box. Perhaps phrasing it as "builds run on a well maintained and secured platform" with references to the CIS benchmarks, NIST, NSA, etc for the process to secure those hosts. |
The discussion of removing "Builds Hosted" from Build L2 may need to be forked into a separate issue. We keep coming back to this, so I think it's worth some attention. Can we articulate the concrete security outcome we want to achieve through a hosted builds, or similar, requirement? These don't feel very concrete, but some straw-person proposals:
|
While I am not a member of the Tekton/Chains community, based on my experience with them, it is possible to leverage them to achieve SLSA 1.0 Build L3+. Some of the challenges come down to ensuring that the ServiceAccount running the pipeline is not over-provisioned and to ensure that data transferred between the build Tasks and steps is properly protected from tampering. |
To consider this issue resolved, it should be clear to most readers how to answer #1002 and the related Slack thread. In particular:
In other words, the goal of the attacker is to say that output X was produced from a build of git repo/commit Y, which would not normally produce X. In this new threat, the attacker extracts the OIDC/x509 from a legitimate build of repo/commit Y and sign an attestation saying the output was X (which is false). But if the attacker had enough access to extract the OIDC/x509, couldn't they just have had the original build output X directly? Is that a substantially easier attack? I could go either way. |
The trustworthiness of provenances in Build L2 needs clarification. The requirement states that the trustworthiness of the provenance is ensured. However, without hardening the build platform, this requirement will not be possible. In other words, if an attacker can access the signing material by breaking out of the build environment the trustworthiness of provenances cannot be ensured for Build L2.
This problem makes the Forge values of the provenance (other than output digest) threat example hard to understand because without some level of hardening the build platform, I'm not sure how this attack can be prevented at level 2.
The text was updated successfully, but these errors were encountered: