authorLars Wirzenius <lwirzenius@wikimedia.org>2020-01-27 07:30:31 -0800
committerLars Wirzenius <lwirzenius@wikimedia.org>2020-01-27 07:30:31 -0800
commit51fb5817e215430d2a6a67a91449d03ae961c288 (patch)
tree0db6679731b4487a4ae7dd49f6e1306709c9c3d2 /ci-threats.md
parentf3473dcf81c5fca58534bcceddfb461a490e634f (diff)
Add: first rough draft of slides about CI threat model
Diffstat (limited to 'ci-threats.md')
-rw-r--r--ci-threats.md205
1 files changed, 205 insertions, 0 deletions
diff --git a/ci-threats.md b/ci-threats.md
new file mode 100644
index 0000000..9ca2406
--- /dev/null
+++ b/ci-threats.md
@@ -0,0 +1,205 @@
+---
+title: CI threat model
+...
+
+Sorry
+
+CI in the abstract
+
+STRIDE
+
+Threats
+
+---
+
+# Sorry
+
+* RelEng is de-scoping the new CI project to only continuous
+integration, dropping delivery and deployment. For now.
+
+* This is a recent change (last week), and may come as a surprise. This
+presentation has a butchered threat model that hasn't been reviewed by
+other parties yet.
+
+---
+
+# CI in the abstract
+
+~~~dot
+digraph "abstract" {
+
+labelloc=b
+
+developer [shape=octagon label="Developer"];
+deployer [shape=octagon label="Deployer"];
+gerrit [label="Gerrit"];
+
+subgraph cluster_ci {
+label="CI"
+build [label="Untrusted build \n worker"];
+build2 [label="Trusted build \n worker"];
+}
+
+developer -> gerrit [label="push patch"];
+gerrit -> build [label="trigger"];
+deployer -> gerrit [label="CR+2"];
+gerrit -> gerrit [label="merge"];
+gerrit -> build2 [label="trigger"];
+}
+~~~
+
+---
+
+~~~dot
+digraph "ci-threat" {
+ labelloc=b
+
+ dev [label="Developer"]
+ vcs [label="Code review\nsystem", style=filled]
+ dep [label="Deployer"]
+
+ # Developers can submit patches to the VCS system
+ dev -> vcs [label="patch",color="blue"]
+ # Deployers can merge patches in the codebase
+ dep -> vcs [label="+2",color="red"]
+
+
+
+ # This graph includes all of the "untrusted" environments
+ subgraph cluster_untrusted {
+ node [style=filled]
+ label = "Untrusted environents"
+ color=blue
+
+ subgraph cluster_unt_ci {
+ label="CI"
+ style="dashed"
+ ci [label="CI system"]
+ ciui [label="CI RO web UI"]
+ tempartifacts [label="Artifact store\n for temporary blobs\nincl. build logs"]
+ }
+
+ subgraph cluster_testing {
+ node [style=filled]
+ testenv [label="test cluster"]
+ label = "deployment-prep"
+ style = "dashed"
+ }
+ }
+
+
+ subgraph cluster_trusted {
+ node [style=filled]
+ label = "Trusted environents"
+ color=red
+
+ subgraph cluster_tr_ci {
+ label="Trusted CI"
+ style = "dashed"
+ trustedci [label="Secure CI component"]
+ trustedciui [label="Admin CI UI"]
+ artifacts [label="Artifact store\n for persistent blobs"]
+ # the trusted CI component can upload artifacts to the store(s)
+ trustedci -> artifacts
+ # The admin CI interface can submit and view jobs in the secure ci
+ trustedciui -> trustedci [label="submit/view"]
+ }
+
+ subgraph cluster_prod {
+ label = "Production"
+ style = "dashed"
+ prodenv [label="Production nodes"]
+ deployment [label="Deployment nodes"]
+ # The deployment nodes can deploy artifacts to production
+ deployment -> prodenv
+ }
+ # The artifact store
+ deployment -> artifacts [style="dashed",label="pull"]
+ }
+ # The admin CI interface can submit jobs to the untrusted CI
+ trustedciui -> ci [label="submit"]
+ # Merging a patch generates a trusted job
+ vcs -> trustedci [label="+2/gns",color="red"]
+ # The developer can view the results of builds
+ dev -> ciui [style="dashed"]
+ ciui -> ci [style="dashed"]
+ ciui -> tempartifacts [style="dashed"]
+ vcs -> ci [label="PS", color="blue"]
+ # The insecure ci can upload artifacts to the temporary store
+ ci -> tempartifacts
+ testenv -> tempartifacts [style="dashed",label="pull"]
+ # Deployers can deploy the resulting artifacts
+ dep -> deployment [label="deploy"]
+ # The deployer can submit/view jobs on the trusted CI
+ dep -> trustedciui [label="submit/view"]
+
+ subgraph cluster_legend {
+ labelloc=t
+ label="Legend"
+ {
+ key [label=<<table border="0" cellspacing="0" cellpadding="2">
+ <tr><td align="right" port="rw">Read-Write</td></tr>
+ <tr><td align="right" port="ro">Read-Only</td></tr>
+ </table>>,shape=plaintext]
+ dest [label=<<table border="0" cellpadding="2" cellspacing="0" cellborder="0">
+ <tr><td port="rw">&nbsp;</td></tr>
+ <tr><td port="ro">&nbsp;</td></tr>
+ </table>>,shape=plaintext]
+ key:rw:e -> dest:rw:w
+ key:ro:e -> dest:ro:w [style="dashed"]
+ rankdir=RL
+ rank=same
+ }
+ }
+}
+~~~
+
+---
+
+# STRIDE
+
+**S**poofing
+**T**ampering
+**R**epudiation
+**I**nformation disclosure
+**D**enial of service
+**E**levation of privilege
+
+---
+
+# Threats: Low severity
+
+* Deny service by
+ * using all build node capacity
+ * service by filling Gerrit storage
+ * service by filling temporary artifact storage
+ * service by filling persistent artifact storage
+ * service by filling production node storage
+ * service by using all test environment capacity
+ * service by using all production node capacity
+
+# Medium severity
+
+* Spoof
+ * developer to Gerrit web UI
+ * developer to test environment, via HTTP
+ * developer to CI web UI
+
+# High severity
+
+* Tamper
+ * with code modifying it in Gerrit
+ * with code operating the build node itself
+* Disclose
+ * information about production site users
+ * secrets from build nodes, e.g., credentials
+ * security fixes under embargo, from prod
+* Elevate privilege by impersonating SRE/admin
+ * on Gerrit host (shell), over ssh
+ * on Gerrit UI/API, over HTTP
+ * on test environment, over ssh
+ * on test environment, over HTTP
+ * on CI web UI node, over ssh
+ * on CI web UI node, over HTTP
+ * on build nodes, over ssh
+ * by breaking out of build sandbox on build nodes