Upgrade to Pro — share decks privately, control downloads, hide ads and more …

サプライチェーン攻撃に備える

Avatar for RyuNen344 RyuNen344
September 12, 2024

 サプライチェーン攻撃に備える

近年サプライチェーン攻撃が増加しています。本セッションでは、Gradleを用いたandroidプロジェクトにおけるライブラリの安全な運用と脆弱性管理について以下の内容を中心に解説します。

1. Gradleにおけるライブラリの署名検証
- 依存関係の検証設定方法
- Dependency LockingとTransitive Versionの管理
2. 実際に攻撃に対応するための備え
- DependabotやRenovateなどの外部ツールを使ったライブラリの管理と脆弱性通知
- GitHub Actionsを活用した備え方

本セッションを通して、Gradleを用いたandroidプロジェクトの具体的な対策について習得することをゴールとします

キーワード: Gradle, PGP, signature, SLSA, SBOM

Avatar for RyuNen344

RyuNen344

September 12, 2024
Tweet

More Decks by RyuNen344

Other Decks in Technology

Transcript

  1. • About Supply Chain Attack • Supply Chain Attack Case

    Studies and Industry Response • Fundamental Prevention and Mitigation Strategies • How Gradle Veri fi es Artifacts • Let's Do Veri fi cation Outline
  2. Supply Chain Attack Case Studies • ࣮ྫ঺հ • Poly fi

    ll.io • CDNܦ༝ͰόοΫυΞͷ͋Δίʔυ͕഑෍͞ΕΔΑ͏ʹͳͬͨ • XZ Utils • ੬ऑੑͷ͋ΔίʔυΛϝϯςφʔʹ৴པͤͯࠞ͞ೖͤͨ͞ • Log4Shell • ϥΠϒϥϦʹ͋Δ੬ऑੑΛར༻ͯ͠ϦϞʔτίʔυΛ࣮ߦͰ͖ͯ͠·͏ • https://blog.gradle.org/log4j-vulnerability
  3. Gradle Wrapper Attack • MinecraftOnlineͷҰ෦ͷϦϙδτϦͰൃݟ • Discordͷೝূ৘ใࡡऔ • ೚ҙίʔυ࣮ߦ •

    jarϑΝΠϧͷsha256 checksum͕Ұக͠ͳ͍͜ͱ͔Β൑໌ ❌ 8449b6955690ec956c8ecfe1ae01e10a2aa76ddf18969985c070e345605acce1 ❌ 8e129181710bdc045423ddde59244586d7acbc0b2c5e2ddfc098559da559cf85
  4. SLSA(Supply chain Levels for Software Artifacts) • Ϩϕϧ෼͚͞ΕͨαϓϥΠνΣʔϯηΩϡϦςΟͷΨΠυϥΠϯ • Google

    ͷࣾ಺ϑϨʔϜϫʔΫ͕ݩͱͳͬͯఏএ͞Εͨ • v1.0Ͱ͸ιʔε؅ཧʹ͸৮ΕͣϏϧυϑΣʔζʹϑΥʔΧε • L1: Exists Provenance • L2: Signed Provenance, Hosted Builder • L3: Signed Provenance, Isolated Builder • Veri fi able Provenanceͱ׬શʹಠཱͨ͠Ϗϧυ؀ڥΛߏங͢Δ͜ͱͰϏϧυͷ׬શੑΛ୲ อ͢Δ
  5. SBOM(Software Bill of Materials) • ϥΠηϯεɺόʔδϣϯɺґଘؔ܎͕هࡌ͞ΕΔ • ͍͔ͭ͘ϑΥʔϚοτ͕͋Δ • SPDX(Software

    Package Data Exchange), OWASP CycloneDX, SWID Tags(Software Identi fi cation Tags)ͳͲ • GitHubͷSBOM΍JetBrains/KotlinܥͰ͸SPDXܗࣜͷSBOMఏڙͯ͠ ͍Δ
  6. To sum up 2 • ৴པͰ͖ΔartifactΛऔಘͰ͖ΔΑ͏ʹ͢Δ → ૉੑΛ࢒͢ → վ᜵Λݕ஌͢Δ

    • 🆕 ґଘؔ܎ͷఆৗతͳ؂ࢹͱܧଓతͳߋ৽ • 🆕 ੬ऑੑͷ͋ΔΞϓϦΛࢭΊΔ࢓૊Έ
  7. How Veri fi es Gradle Wrapper • Gradle Wrapper͸Gradle distributionΛ؅ཧ͢Δ΋ͷ

    • gradlew, gradlew.bat, gradle-wrapper.properties, gradle-wrapper.jar ͕ηοτ • ݕূର৅ • gradle-wrapper.jar • Gradle Distribution
  8. How Veri fi es Gradle Distribution • release-checksums΋͘͠͸serviceαΠτͰެ։͞Ε͍ͯΔ checksumͱ߹க͍ͯ͠Δ͔νΣοΫ͢Δ •

    gradle-wrapper.propertiesʹchecksumݕূઃఆΛ௥Ճ͢Δ • Gradle Wrapper͕distributionΛμ΢ϯϩʔυ͢ΔࡍʹchecksumΛ ݕূ͢ΔΑ͏ʹͳΔ
  9. How Veri fi es Checksum • શͯͷartifactsʹରͯ͠checksumݕূΛߦ͏ • jar, aar,

    zip etc... • pom.xml, ivy.xml, .module(gradle module metadata) • metadataݕূ΋ߦ͏৔߹ • metadataͷchecksumݕূ΋߹֨͠ͳ͍ͱNG • pom.xml, ivy.xmlͱgradle module metadata͕྆ํଘࡏ͍ͯ͠Δ৔߹͸gradle module metadata͕༏ઌ͞ΕΔ͜ͱ͕ଟ͍
  10. How Veri fi es Checksum • ⚠ checksum͕සൟʹมΘΔͨΊSNAPSHOTϦϦʔεͱMavenLocal ʹϦϦʔε͞Ε͍ͯΔartifacts͸ݕূ͠ͳ͍ •

    ⚠ MD5, SHA1, SHA-256, SHA-512Λαϙʔτ͍ͯ͠Δ • ⚠ metadataͷchecksum͸ެ։͞Ε͍ͯͳ͍͜ͱ͕ଟ͍ͨΊෆศ
  11. How Veri fi es Signature • ascϑΝΠϧΛμ΢ϯϩʔυ • ඞཁͳެ։伴Λࣗಈతʹμ΢ϯϩʔυ •

    ެ։伴Ͱݕূޙɺ߹֨ͨ͠৔߹͸checksumݕূΛߦ͏ • ascϑΝΠϧ͕ͳ͍৔߹͸checksumݕূʹϑΥʔϧόοΫ
  12. About PGP(Pretty Good Privacy) with Gradle • σϑΥϧτͰ͸όʔδϣϯ͝ͱʹຒΊࠐ·ΕͨKey ServerΛࢀর͠ʹ ͍͘

    • 8.10Ͱ͸sks-keyservers, ubuntu, openpgp, mitͷ4ͭ • ޙ൒3ͭ͸maven centralʹϥΠϒϥϦΛެ։͢Δࡍ͸ެ։伴Λొ࿥͢ ΔΑ͏ʹקΊΒΕ͍ͯΔKey Server https://github.com/gradle/gradle/blob/v8.10.0/platforms/software/dependency-management/src/main/java/org/gradle/api/internal/ artifacts/ivyservice/ivyresolve/verification/DefaultKeyServers.java https://central.sonatype.org/publish/requirements/gpg/#distributing-your-public-key
  13. How Veri fi es Signature • MavenCentralɿͦ΋ͦ΋ॺ໊͍ͯ͠ͳ͍ͱެ։Ͱ͖ͳ͍ɺ υϝΠϯ ॴ༗ূ໌΋ඞཁ •

    Google Mavenɿ2023೥6݄Ҏ߱ͷJetpack͸ॺ໊͞Ε͍ͯΔ͕ͦΕ Ҏ֎͸ରԠ͕·ͪ·ͪ • Gradle Plugin Portalɿ·ͪ·ͪ • Bintray, JCenter, JitPackɿॺ໊͍ΒͣͰެ։Մೳ
  14. Repository Content Filtering • repository blockͰԿؚ͕·ΕΔؚ͔·Εͳ͍͔ΛઃఆͰ͖Δ • android studioͰ৽نϓϩδΣΫτ࡞Δͱgoogle maven΋ߜΔهड़

    ʹͳ͍ͬͯΔ • maven repositoryʹର৅ͷartifact͕࣮֬ʹؚ·Ε͍ͯͳ͍৔߹ʹ୳͠ ʹߦ͔ͳ͘ͳΔͳͲͷύϑΥʔϚϯεͷར఺͕͋ΔͷʹՃ͑ͯҙਤ͠ ͳ͍maven repository͔ΒͷartifactऔಘΛ๷͛Δ
  15. Let's Do Veri fi cation • ΍Δ͜ͱ 1.Gradle WrapperͷVeri fi

    cation 2.Repository Content Filtering 3.Dependency Veri fi cationͷ༗ޮԽ 4.Dependency Reportͷ༗ޮԽͱDependabotͷઃఆ 5.Release࡞੒ͷSBOMͷੜ੒
  16. Gradle Wrapper Veri fi cation • 0͔ΒηοτΞοϓ͢Δ 1. Gradle Distributionͷμ΢ϯϩʔυ

    2. Gradle Wrapperͷੜ੒ 3. gradle-wrapper.propertiesΛઃఆ
  17. Gradle Wrapper Veri fi cation • Gradle WrapperΛੜ੒͢ΔͨΊʹGradle distributionΛμ΢ϯϩʔυ ͢Δ

    • serviceαΠτ͔Βbin΋͘͠͸all suf fi x͕͍͍ͭͯΔzipΛμ΢ϯϩʔ υ͢Δ • zipΛsha256sumίϚϯυͰνΣοΫͨ͋͠ͱɺద౰ͳ৔ॴʹղౚ͢ Δ
  18. Gradle Wrapper Veri fi cation • distributionSha256Sumʹsha256Λ௥Ճ͢Δ • Gradleެ͕ࣜެ։͍ͯ͠Δsha256Λ࢖༻͢Δ •

    https://gradle.org/release-checksums/ • https://services.gradle.org/distributions/gradle-{version}-bin.zip.sha256
  19. Before •Google Maven : AGP •MavenCentral : KGPͱ֤ Gradle Plugin͕಺෦Ͱ࢖༻

    ͍ͯ͠ΔϥΠϒϥϦ •Gradle Plugin Portal Repository Content Filtering
  20. After •Google Maven : Google͕ެ։͠ ͍ͯΔgroup idͷΈʹઃఆ •Gradle Pluign Portal͔Β͸nexus

    publish pluginͱgradle develocity pluginͷΈΛऔಘ͢ΔΑ͏ʹઃఆ Repository Content Filtering
  21. After •Google Maven : Google͕ެ։͠ ͍ͯΔgroup idͷΈʹઃఆ •Gradle Pluign Portal͔Β͸nexus

    publish pluginͱgradle develocity pluginͷΈΛऔಘ͢ΔΑ͏ʹઃఆ Repository Content Filtering
  22. Enable Dependency Veri fi cation • $projectDir/gradle/veri fi cation-metadata.xmlͰઃఆΛߦ͏ •

    ϑΝΠϧ͕͋Δ͚ͩͰchecksumݕূ͕༗ޮʹͳΔ • 1ϑΝΠϧ͕ϓϩδΣΫτશମʹ೾ٴ͢Δ(buildSrc, root project, sub project)
  23. Enable Dependency Veri fi cation • λεΫʹඥͮ͘ґଘؔ܎Λղܾ͠ɺchecksumΛveri fi cation-metadata.xml ʹ௥ه͢Δ

    • λεΫʹඥ͍ͮͨґଘؔ܎Λղܾ͢ΔͷͰΑΓଟ͘ͷґଘ͕ղܾ͞ΕΔλ εΫͰ࣮ߦ͢Δͷ͕๬·͍͠ • e.g.) androidDependencies, assemble, test w w w w
  24. Enable Dependency Veri fi cation • --write-veri fi cation-metadataΦϓγϣϯʹpgpͱsha256Λ౉͢ •

    Gradle͕ެ։伴αʔόʔ͔Β֘౰ͷ伴Λ୳͠ɺ伴͝ͱʹgroupingͳ ͲΛΑ͠ͳʹ΍্ͬͨͰveri fi cation-metadata.xmlΛߋ৽͢Δ
  25. Enable Dependency Veri fi cation • --write-veri fi cation-metadataΦϓγϣϯʹpgpͱsha256Λ౉͢ •

    Gradle͕ެ։伴αʔόʔ͔Β֘౰ͷ伴Λ୳͠ɺ伴͝ͱʹgroupingͳ ͲΛΑ͠ͳʹ΍্ͬͨͰveri fi cation-metadata.xmlΛߋ৽͢Δ Key ID....?FingerPrint?... Ͳ͜...? 🤔
  26. Enable Dependency Veri fi cation ͋ͱ͸ͻͨ͢ΒΤϥʔ͕ͳ͘ͳΔ·Ͱ Key ID, FingerprintΛ௥Ճ͢Δ😂 💡

    Gradle͸μ΢ϯϩʔυʹࣦഊͨ͠Key IDΛ24࣌ؒ͸cache͢ΔͷͰ --refresh-keysΦϓγϣϯͱ--export-keysΦϓγϣϯΛซ༻͢Δͷ͕Φεεϝ
  27. Enable Dependency Veri fi cation • veri fi cation-metadata.xmlͷࢀߟ •

    https://github.com/elastic/elasticsearch • https://github.com/androidx/androidx • https://github.com/gradle/gradle
  28. Dependabot with Gradle • https://github.com/gradle/actions Λ࢖͏ • Cache؅ཧ • GitHub

    Dependency Submission APIݺͼग़͠ • Gradle Wrapper Jarͷchecksum veri fi cation
  29. End? No, It's just beginning • ηοτΞοϓ͸׬ྃͰͳ͘ɺελʔτ • ґଘͷߋ৽ͷखؒ •

    Dependabot͸gradleΛ࣮ߦ͠ͳ͍ͨΊgradle wrapper, veri fi cation-metadataͷߋ ৽ΛߦΘͳ͍ • checksumݕূΛϝΠϯʹ࢖͏৔߹όʔδϣϯߋ৽ͷͨͼʹඞͣchecksumมߋ͕ൃ ੜ͢Δ • ಥવى͜Δॺ໊ෆҰக • ϥΠϒϥϦͷόʔδϣϯʹΑͬͯॺ໊ͨ͠伴͕ҧ͏͜ͱ͸··͋Δ͜ͱ
  30. ͓·͚(4) GitHub Artifact Attestations • GitHub ActionsͰartifact attestationsͷੜ੒ͱݕূ͕Ͱ͖ΔΑ͏ʹ ͳͬͨ •

    SLSAͱಉ͡SigstoreΛ࢖͏ • https://docs.github.com/ja/actions/security-for-github-actions/ using-artifact-attestations/using-artifact-attestations-to-establish- provenance-for-builds
  31. EOF