on omitting commits and preventing git metadata tampering ... · on omitting commits and committing...

On Omitting Commits and Committing Omissions:

Preventing Git Metadata Tampering That (Re)introduces Vulnerabilities

Santiago Torres-Arias†, Anil Kumar Ammula‡,Reza Curtmola‡, Justin Cappos†

†New York University ‡New Jersey Institute of Technology

USENIX Security ‘16, Austin TX.1

2

Santiago Torres-AriasNew York University

Reza CurtmolaNew Jersey Institute of Technology

Justin CapposNew York University

Anil Kumar AmmulaNew Jersey Institute of Technology

The scenario

3

A central repository and two Devs

4

Repo

DevDev

master

Git is a distributed version control system

5

Repo

DevDev

master

Git is a distributed version control system

6

Repo

DevDev

master

A A’

Git is a distributed version control system

7

Repo

DevDev

master

work!

Git is a distributed version control system

8

Repo

DevDev

push! Feature

master

Git is a distributed version control system

9

Repo

DevDev

master

Featurepull!

Git is a distributed version control system

10

Repo

DevDev

master

Featuremerge!

Git is a distributed version control system

11

Repo

DevDev

master

Featurepush!

Git is a distributed version control system

12

Repo

DevDev

master

Featurepull!

Git is a distributed version control system

13

Repo

DevDev

master

FeatureTag!

Git is a distributed version control system

14

Repo

DevDev

master

FeaturePush!

v1.0

user

Git repositories can be compromised

15

Repo

DevDev

master

Feature

user

Git repositories can be compromised

16

Repo

DevDev

master

Feature

Wants to Watch theWorld burn

While we were having chips and guacamole...

17

Repository compromises happen

18

Repository compromises happen

19

Repository compromises happen

20

Repository compromises happen

21

Repository compromises happen

22

Repository compromises happen

23

Repository compromises happen

24

Repository compromises happen

25

Repository compromises happen

26

Repository compromises happen

27

Luckily, we have git’s security features

28

master

Luckily, we have

● Hash chaining

29

master

Luckily, we have git’s security features

Luckily, we have

● Hash chaining

● Git commit and tag signatures

30

master

GPGdev

GPGdev

Luckily, we have git’s security features

Luckily, we have

● Hash chaining

● Git commit and tag signatures

● Push certificates (more on them later).

31

master

GPGdev

GPGdev

Pushdev

Luckily, we have git’s security features

Luckily, we have

● Hash chaining

● Git commit and tag signatures

● Push certificates (more on them later).

● What could go wrong?32

master

GPGdev

GPGdev

Pushdev

Luckily, we have git’s security features

Example

33

What happened here?

santiago at ~ ✔: pip install -e git+https://github.com/santiagotorres/django/@1.9.3#egg=djangoObtaining django from git+https://github.com/santiagotorres/django/@1.9.3#egg=django[...] Successfully installed djangosantiago at ~ ✔: django-admin.py --version1.4.11

34

I want to install django 1.9.3

What happened here?

santiago at ~ ✔: pip install -e git+https://github.com/santiagotorres/django/@1.9.3#egg=djangoObtaining django from git+https://github.com/santiagotorres/django/@1.9.3#egg=django[...] Successfully installed djangosantiago at ~ ✔: django-admin.py --version1.4.11

35

But I get django 1.4.11

What happened here?

santiago at ~/django ✗ git verify-tag 1.9.3warning: Duplicated ref: refs/tags/1.5.11gpg: Signature made Wed 03 Sep 2014 01:10:58 AM EDT using RSA key ID 2D9266A6808FE067gpg: Good signature from "James Bennett <james@b-list.org>" [full]Primary key fingerprint: BD47 7E2E 05F7 EF63 71B6 E8EE 2D92 66A6 808F E067

36

I try to verify the tag...

What happened here?

santiago at ~/django ✗ git verify-tag 1.9.3warning: Duplicated ref: refs/tags/1.5.11gpg: Signature made Wed 03 Sep 2014 01:10:58 AM EDT using RSA key ID 2D9266A6808FE067gpg: Good signature from "James Bennett <james@b-list.org>" [full]Primary key fingerprint: BD47 7E2E 05F7 EF63 71B6 E8EE 2D92 66A6 808F E067

37

pgp verification passes...

What happened here?

38

santiago at ~/django ✔ git verify-tag --verbose 1.9.3object [...]tagger James Bennett <james@b-list.org> 1409721058 -0500[...]Tag 1.4.11gpg: Signature made Wed 03 Sep 2014 01:10:58 AM EDT using RSA key ID 2D9266A6808FE067gpg: Good signature from "James Bennett <james@b-list.org>" [full]Primary key fingerprint: BD47 7E2E 05F7 EF63 71B6 E8EE 2D92 66A6 808F E067

I ask for more detail...

What happened here?

39

santiago at ~/django ✔ git verify-tag --verbose 1.9.3object [...]tagger James Bennett <james@b-list.org> 1409721058 -0500[...]Tag 1.4.11gpg: Signature made Wed 03 Sep 2014 01:10:58 AM EDT using RSA key ID 2D9266A6808FE067gpg: Good signature from "James Bennett <james@b-list.org>" [full]Primary key fingerprint: BD47 7E2E 05F7 EF63 71B6 E8EE 2D92 66A6 808F E067

It’s the wrong tag!

What happened here?● Django 1.4.11 is vulnerable to 8+ RCE vulnerabilities

● But the GPG verification passed?

● Why did this happen?

40

The problem

41

Why did this happen?● Simply put, some Git metadata is not signed

42

Why did this happen?● Simply put, some Git metadata is not signed

.git/├── branches├── COMMIT_EDITMSG├── hooks│ ├── applypatch-msg.sample….├── index├── info├── logs│ ├── HEAD...├── objects...└── refs... └── tags

43

Why did this happen?● Simply put, some Git metadata is not signed

.git/├── branches├── COMMIT_EDITMSG├── hooks│ ├── applypatch-msg.sample….├── index├── info├── logs│ ├── HEAD...├── objects...└── refs... └── tags

Signed!

44

Why did this happen?● Simply put, some Git metadata is not signed

.git/├── branches├── COMMIT_EDITMSG├── hooks│ ├── applypatch-msg.sample….├── index├── info├── logs│ ├── HEAD...├── objects...└── refs... └── tags

Signed!

Not signed

45

Why did this happen?● Simply put, some Git metadata is not signed

.git/├── branches├── COMMIT_EDITMSG├── hooks│ ├── applypatch-msg.sample….├── index├── info├── logs│ ├── HEAD...├── objects...└── refs... └── tags

Signed!

This is our target

46

Why did this happen?● Simply put, some Git metadata is not signed

○ References, pointers to Git tags and commits, are not signed

47

Why did this happen?● Simply put, some Git metadata is not signed

○ References, pointers to Git tags and commits, are not signed

● An attacker with write access to the repository can modify this information.

48

Why did this happen?● Simply put, some Git metadata is not signed

○ References, pointers to Git tags and commits, are not signed

● An attacker with write access to the repository can modify this information.

● The resulting attack looks like regular git operation.

49

Metadata Manipulation Attack Taxonomy

50

Attack taxonomy● Teleport Attacks

○ Branch Teleport Attack○ Tag Teleport Attack

● Rollback Attacks○ Branch Rollback Attack○ Global Rollback Attack○ Effort Duplication Attack

● Deletion Attacks○ Branch Deletion Attack○ Tag Deletion Attack

51

Attack taxonomy● Teleport Attacks

○ Branch Teleport Attack○ Tag Teleport Attack

● Rollback Attacks○ Branch Rollback Attack○ Global Rollback Attack○ Effort Duplication Attack

● Deletion Attacks○ Branch Deletion Attack○ Tag Deletion Attack

52

user

Branch teleport attack

master

do_not_merge!

Dev

repository

53

user

Branch teleport attack

master

do_not_merge!

Dev

repository

54

Apple’s duplicated goto

user

Branch teleport attack

master

Dev

repository

what is the latest master?

55

do_not_merge!

user

Branch teleport attack

master

Dev

repositoryUhh, just a sec

56

do_not_merge!

user

Branch teleport attack

master

Dev

repository

57

do_not_merge!

user

Branch teleport attack

master

Dev

repository

what!? ok, I better merge

58

do_not_merge!

useruser

Branch teleport attack: result

master

repository

59

do_not_merge!

user

Tag teleport attack

master

v1.1

user

repository

give me tag v1.1!v1.vuln

60

user

Tag teleport attack

master

v1.1

user

repository

v1.vuln

You got it!

61

user

Tag teleport attack

master

user

repository

v1.vulnv1.1

62

user

Tag teleport attack

master

user

repository

v1.vulnv1.1 Neat!

less features!

63

user

Branch rollback attack

master

Feature

Dev

repository

FIX

Dev

64

user

Branch rollback attack

master

Feature

Dev

repository

FIX

Dev

Here’s the fix!Can you review?

65

user

Branch rollback attack

master

Feature

Dev

repository

FIX

Dev

looks good!Ready to merge

66

user

Branch rollback attack

master

Feature

Dev

repository

FIX

Dev

Just a sec

67

user

Branch rollback attack

master

Feature

Dev

repository

FIX

Dev

68

user

Branch rollback attack

master

Dev

repository

Dev

Feature

69

FIX

user

Branch rollback attack

master

Dev

repository

FIX

Dev

Feature

70

Dev! You broke it!

Attack taxonomy: summary● Teleport Attacks

○ Branch Teleport Attack○ Tag Teleport Attack

● Rollback Attacks○ Branch Rollback Attack○ Global Rollback Attack○ Effort Duplication Attack

● Deletion Attacks○ Branch Deletion Attack○ Tag Deletion Attack

❖➢ Buggy code inclusion➢ Wrong version retrieved

❖➢ Critical code omission➢ Critical code omission➢ Coding effort increased

❖➢ Missing branch➢ Missing tag

71

How can we fix this?

72

The problem with existing solutions● We could solve fork-consistency using existing solutions

73

The problem with existing solutions● We could solve fork-consistency using existing solutions

● Consistency systems, like SUNDR, could solve this issue, but they disregard Git’s distributed nature.

74

The problem with existing solutions● We could solve fork-consistency using existing solutions

● Consistency systems, like SUNDR, could solve this issue, but they disregard Git’s distributed nature.

● We require a solution that understands which files are meant to be synchronized

75

Defense assumptions● Developers communicate through other means

○ A complete fork attack will be noticed and discussed by side-channels

● A repository can be initialized with a root of trust

76

Our Solution

77

Defense goals: usability● Preserve current Git workflows

● Ensure backwards compatibility with older Git versions

● Provide increased security in partial adoption scenarios

78

Defense goals: security● Prevent modification of committed data

● Ensure consistent repository state

● Ensure repository state freshness

79

Defense: Overview➔ Provided by Git

➔ Reference State Log

➔ Nonce Bag

● Prevent modification of committed data

● Ensure consistent repository state

● Ensure repository state freshness

80

Defense: Overview➔ Provided by Git

➔ Reference State Log

➔ Nonce Bag

● Prevent modification of committed data

● Ensure consistent repository state

● Ensure repository state freshness

81

The Reference State Log

82

Repo

DevDev

The Reference State Log

83

Repo

DevDev

RSLdev

Push!

The Reference State Log

84

Repo

DevDev

RSLdev

Push!

regular push

The Reference State Log

85

Repo

DevDev

RSLdev

Push!

regular push

signed statement

The Reference State Log

86

Repo

DevDev

RSLdev

The Reference State Log

87

Repo

DevDev

RSLdev

Fetch!

regular fetch

The Reference State Log

88

Repo

DevDev

RSLdev

Pull!

regular fetch

reference consistency

The RSL push entry

89

EntryEntry

...Entry

Branch: master

HEAD: 0xfe….ab

PREV_HASH: 0xac...89

Signature: Dev’s signature

...

...

...

...

The RSL push entry

90

...

...

...

...

Branch: master

HEAD: 0xfe….ab

PREV_HASH: 0xac...89

Signature: Dev’s signature

...

...

...

...

➢ references changed➢ their updated locations➢ hash of previous RSL entry➢ authenticates whoever added this entry

❖ ➢ Add an RSL entry and push➢ fetch, retrieve RSL, and verify

repository state

Implementation: prototype

● Two extensions to git○ git securepush○ git securefetch

● RSL lives in repo○ as a special branch○ sent in-band

91

Synchronization

92

Repo

DevDev

master

Synchronization

93

Repo

DevDev

master

work!

Synchronization

94

Repo

DevDev

securepush! Feature

master

Synchronization

95

Repo

DevDev

master

Feature

securepull!

✔

Synchronization

96

Repo

DevDev

master

Featuremerge!

Synchronization

97

Repo

DevDev

master

Feature

secure push!

Synchronization

98

Repo

DevDev

master

Featuresecure pull!

98✔

Verification1. Is the entry signed by a trusted party?

2. Are all the entries in the RSL correctly linked together?

3. Are all the references pointing to the right place?

99

Evaluation

100

How are attacks prevented● Teleport Attacks

○ Branch Teleport Attack○ Tag Teleport Attack

● Rollback Attacks○ Branch Rollback Attack○ Global Rollback Attack○ Effort Duplication Attack

● Deletion Attacks○ Branch Deletion Attack○ Tag Deletion Attack

101

How are attacks prevented● Teleport Attacks

○ Branch Teleport Attack○ Tag Teleport Attack

● Rollback Attacks○ Branch Rollback Attack○ Global Rollback Attack○ Effort Duplication Attack

● Deletion Attacks○ Branch Deletion Attack○ Tag Deletion Attack

102

➔ Requires RSL entry with target: ◆ commit◆ tag

➔ Requires replaying RSL entry◆ Target commit must have been pushed◆ (prevented with Nonce Bag)◆ (Prevented with Nonce Bag)

➔ Requires valid RSL entry◆

RSL + Nonce Bag VS other mechanismsFeature Commit signing Push Certificate RSL

Commit Tampering ✓ ✓ ✓

Branch Teleport X ✓ ✓

Branch Rollback X X ✓

Global Rollback X X ✓

Effort Duplication X X ✓

Tag Rollback X ✓ ✓

Minimum Git Version 1.7.9 2.2.0 1.7.9

Distribution Mechanism in-band (no default) in-band 103

Partial adoption of our defense

Possible Attacks Time window of attack Vulnerable commit objects

Commit signing All attacks Any time Any object

RSL (full adoption) No attacks None No object

RSL (partial adoption) All attacks After latest RSL and before the next RSL entry

Objects added after the latest RSL entry

104

Storage overhead

Repository No. of commits Number of pushes Repository size(MB)

Storage Overhead

Bootstrap 11,666 1,345 78.85 .4%

Angular.js 7,521 26 66.96 .009%

D3 3,510 255 32.91 .17%

jQuery 6,031 194 15.79 .22%

oh-my-zsh 3,841 1,170 3.52 6.5%

105

Network overhead1. Additional ~25KB per push/fetch (less than 1% in some cases)

106

Network overhead1. Additional ~25KB per push/fetch (less than 1% in some cases)

2. Double round trip time

107

Network overhead1. Additional ~25KB per push/fetch (less than 1% in some cases)

2. Double round trip time

3. These issues go away when RSL becomes part Git’s pack protocol

108

Turning Theory Into Practice

109

Interaction with the Git community1. Refactored Git tag PGP verification code

110

Interaction with the Git community1. Refactored Git tag PGP verification code

○ Yes, you are running our code starting on 2.9.0○ 6 patches, over 8 iterations

111

Interaction with the Git community1. Refactored Git tag PGP verification code

2. Discussed a plan for the git-tag issue

112

Interaction with the Git community

113

Interaction with the Git community1. Refactored Git tag PGP verification code

2. Discussed a plan for the git-tag issue

3. Discussed the plan to address the rest

114

Other version control systems

115

System Signed revisions (commits) prevents MM attacks

Git Yes No

Bitkeeper No No

Mercurial Yes (via plugin) Yes

Monotone Yes (mandatory) Yes

Conclusions

116

To wrap up1. Do not trust the infrastructure

117

To wrap up1. Do not trust the infrastructure

2. GPG signatures on git objects is currently not enough...○ ...but do it anyway!○ Do not use references, but the object’s SHA1 when possible

118

To wrap up1. Do not trust the infrastructure

2. GPG signatures on git objects is currently not enough...○ ...but do it anyway!○ Do not use references, but the object’s SHA1 when possible

3. Update Git!

119

Questions?

Thanks

120

Questions?

Thanks

121