Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Attack scenarios #33

Open
wants to merge 4 commits into
base: main
Choose a base branch
from
Open

Conversation

mnm678
Copy link
Contributor

@mnm678 mnm678 commented Aug 27, 2020

This reopens #16 on the new branch

scenarios.md Outdated
@@ -199,6 +199,26 @@ A deployment requires a mydb image. The mydb image is routinely updated for secu
- Multiple signatures, including signatures from multiple sources can be associated with a specific artifact.
- Original signatures are maintained, even if the artifact is re-tagged.

### Scenario 7: A mirror is compromised

An attacker compromises a server that is hosting a mirror and gains access as an administrator. The attacker is able to alter any files on the mirror and access all keys stored on the mirror.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should include a sentence to differentiate a mirror from a copy. The latter would include scenarios with ACME ingesting images from Wabbit Networks and adding their own signatures and policies on the images. I think the key difference between the two is what root key do the clients trust for verifying images. If they verify the upstream root, it acts as a mirror, and if it's a different root, we'd consider that a copy.

Copy link
Contributor

@sudo-bmitch sudo-bmitch left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think scenario 8 gets trimmed down with containers (vs other secure artifact distribution) since most of us treat images as public (nothing sensitive in the binaries, secrets should be external to this) and we have digests for everything. As long as Notary can verify the first digest in the chain, the rest of the container runtime tooling already prevents any damage by a MitM modifying content on the wire.

scenarios.md Outdated
**Implications of this requirement:**

- All downloaded files and metadata files should be checked for integrity, even if they are downloaded from a known repository.
- Clients should only download a fixed amount of data for each file to prevent [endless data attacks](https://theupdateframework.io/security/).
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Similar to the discussion on #35, we should scope this to the signature verification, let the runtime handle the max manifest size, and signing of the manifest gets us signing on the size of every blob being pulled.

scenarios.md Outdated

- All downloaded files and metadata files should be checked for integrity, even if they are downloaded from a known repository.
- Clients should only download a fixed amount of data for each file to prevent [endless data attacks](https://theupdateframework.io/security/).
- Any proprietary or sensitive information in packages or metadata should not be sent in cleartext.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

From the container side, we tend to recommend against ever putting secrets and similar content in images. For Notary, I think what we want to say is Notary itself will not store secret data like private keys in the registry. However, if a user decides to put their credentials inside of an image and push to a registry that isn't configured with TLS, I don't think there's anything in Notary that would prevent or secure that since we're signing the image after it's already been pushed.

scenarios.md Outdated

**Implications of this requirement:**

- All downloaded files and metadata files should be checked for integrity, even if they are downloaded from a known repository.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this is something we already get with the manifest and blob digests. The missing piece being filled by Notary is verifying the first node of that digest tree. Once that is done, Notary delegates the validation of the content matching its digest to the runtime.

Signed-off-by: Marina Moore <[email protected]>
scenarios.md Outdated

**Implications of this requirement:**

- The first node in the digest tree should be checked for integrity, even if it is downloaded from a known registry. Using this first node, the runtime should check all manifest and blob digests.
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@sudo-bmitch Does the wording for this point address your comment?

@mnm678
Copy link
Contributor Author

mnm678 commented Apr 12, 2021

Thanks @sudo-bmitch. I updated the scenarios.

scenarios.md Outdated Show resolved Hide resolved
Co-authored-by: Brandon Mitchell <[email protected]>
@yizha1
Copy link
Contributor

yizha1 commented Jun 22, 2023

@mnm678 Would you mind closing this PR since no activities for more than two years? You can create a new issue to describe the problem if needed. Thanks.

Copy link

This PR is stale because it has been open 45 days with no activity. Remove stale label or comment or this will be closed in 30 days.

@github-actions github-actions bot added the Stale label Nov 16, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants