From 51fb5817e215430d2a6a67a91449d03ae961c288 Mon Sep 17 00:00:00 2001 From: Lars Wirzenius Date: Mon, 27 Jan 2020 07:30:31 -0800 Subject: Add: first rough draft of slides about CI threat model --- ci-threats.md | 205 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 205 insertions(+) create mode 100644 ci-threats.md diff --git a/ci-threats.md b/ci-threats.md new file mode 100644 index 0000000..9ca2406 --- /dev/null +++ b/ci-threats.md @@ -0,0 +1,205 @@ +--- +title: CI threat model +... + +Sorry + +CI in the abstract + +STRIDE + +Threats + +--- + +# Sorry + +* RelEng is de-scoping the new CI project to only continuous +integration, dropping delivery and deployment. For now. + +* This is a recent change (last week), and may come as a surprise. This +presentation has a butchered threat model that hasn't been reviewed by +other parties yet. + +--- + +# CI in the abstract + +~~~dot +digraph "abstract" { + +labelloc=b + +developer [shape=octagon label="Developer"]; +deployer [shape=octagon label="Deployer"]; +gerrit [label="Gerrit"]; + +subgraph cluster_ci { +label="CI" +build [label="Untrusted build \n worker"]; +build2 [label="Trusted build \n worker"]; +} + +developer -> gerrit [label="push patch"]; +gerrit -> build [label="trigger"]; +deployer -> gerrit [label="CR+2"]; +gerrit -> gerrit [label="merge"]; +gerrit -> build2 [label="trigger"]; +} +~~~ + +--- + +~~~dot +digraph "ci-threat" { + labelloc=b + + dev [label="Developer"] + vcs [label="Code review\nsystem", style=filled] + dep [label="Deployer"] + + # Developers can submit patches to the VCS system + dev -> vcs [label="patch",color="blue"] + # Deployers can merge patches in the codebase + dep -> vcs [label="+2",color="red"] + + + + # This graph includes all of the "untrusted" environments + subgraph cluster_untrusted { + node [style=filled] + label = "Untrusted environents" + color=blue + + subgraph cluster_unt_ci { + label="CI" + style="dashed" + ci [label="CI system"] + ciui [label="CI RO web UI"] + tempartifacts [label="Artifact store\n for temporary blobs\nincl. build logs"] + } + + subgraph cluster_testing { + node [style=filled] + testenv [label="test cluster"] + label = "deployment-prep" + style = "dashed" + } + } + + + subgraph cluster_trusted { + node [style=filled] + label = "Trusted environents" + color=red + + subgraph cluster_tr_ci { + label="Trusted CI" + style = "dashed" + trustedci [label="Secure CI component"] + trustedciui [label="Admin CI UI"] + artifacts [label="Artifact store\n for persistent blobs"] + # the trusted CI component can upload artifacts to the store(s) + trustedci -> artifacts + # The admin CI interface can submit and view jobs in the secure ci + trustedciui -> trustedci [label="submit/view"] + } + + subgraph cluster_prod { + label = "Production" + style = "dashed" + prodenv [label="Production nodes"] + deployment [label="Deployment nodes"] + # The deployment nodes can deploy artifacts to production + deployment -> prodenv + } + # The artifact store + deployment -> artifacts [style="dashed",label="pull"] + } + # The admin CI interface can submit jobs to the untrusted CI + trustedciui -> ci [label="submit"] + # Merging a patch generates a trusted job + vcs -> trustedci [label="+2/gns",color="red"] + # The developer can view the results of builds + dev -> ciui [style="dashed"] + ciui -> ci [style="dashed"] + ciui -> tempartifacts [style="dashed"] + vcs -> ci [label="PS", color="blue"] + # The insecure ci can upload artifacts to the temporary store + ci -> tempartifacts + testenv -> tempartifacts [style="dashed",label="pull"] + # Deployers can deploy the resulting artifacts + dep -> deployment [label="deploy"] + # The deployer can submit/view jobs on the trusted CI + dep -> trustedciui [label="submit/view"] + + subgraph cluster_legend { + labelloc=t + label="Legend" + { + key [label=< + + +
Read-Write
Read-Only
>,shape=plaintext] + dest [label=< + + +
 
 
>,shape=plaintext] + key:rw:e -> dest:rw:w + key:ro:e -> dest:ro:w [style="dashed"] + rankdir=RL + rank=same + } + } +} +~~~ + +--- + +# STRIDE + +**S**poofing +**T**ampering +**R**epudiation +**I**nformation disclosure +**D**enial of service +**E**levation of privilege + +--- + +# Threats: Low severity + +* Deny service by + * using all build node capacity + * service by filling Gerrit storage + * service by filling temporary artifact storage + * service by filling persistent artifact storage + * service by filling production node storage + * service by using all test environment capacity + * service by using all production node capacity + +# Medium severity + +* Spoof + * developer to Gerrit web UI + * developer to test environment, via HTTP + * developer to CI web UI + +# High severity + +* Tamper + * with code modifying it in Gerrit + * with code operating the build node itself +* Disclose + * information about production site users + * secrets from build nodes, e.g., credentials + * security fixes under embargo, from prod +* Elevate privilege by impersonating SRE/admin + * on Gerrit host (shell), over ssh + * on Gerrit UI/API, over HTTP + * on test environment, over ssh + * on test environment, over HTTP + * on CI web UI node, over ssh + * on CI web UI node, over HTTP + * on build nodes, over ssh + * by breaking out of build sandbox on build nodes -- cgit v1.2.1