---
title: CI threat model
...

* Sorry
* CI in the abstract
* STRIDE
* Threats

---

# Sorry

* RelEng is de-scoping the new CI project to only continuous integration, dropping delivery and deployment. For now.
* This is a recent change (last week), and may come as a surprise. This presentation has a butchered threat model that hasn't been reviewed by other parties yet.

---

~~~dot
digraph "abstract2" {
    labelloc=b
    developer [shape=octagon label="Developer"];
    deployer [shape=octagon label="Reviewer"];
    gerrit [label="Gerrit"];
    subgraph cluster_ci {
        label="CI"
        build [label="Untrusted build \n worker"];
        build2 [label="Trusted build \n worker"];
        arts [label="Artifact store"];
    }
    developer -> gerrit [headlabel="push \n patchset"];
    gerrit -> build [label="trigger"];
    deployer -> gerrit [taillabel="CR+2"];
    gerrit -> build2 [label="merge and \n upload"];
    build2 -> arts [label="upload"];
}
~~~

---

~~~dot
digraph "ci-threat" {
    labelloc=b
    dev [label="Developer"]
    vcs [label="Code review\nsystem", style=filled]
    dep [label="Deployer"]
    // Developers can submit patches to the VCS system
    dev -> vcs [label="patch",color="blue"]
    // Deployers can merge patches in the codebase
    dep -> vcs [label="+2",color="red"]

    // This graph includes all of the "untrusted" environments
    subgraph cluster_untrusted {
        node [style=filled]
        label = "Untrusted environments"
        color=blue
        subgraph cluster_unt_ci {
            label="CI"
            style="dashed"
            ci [label="CI system"]
            ciui [label="CI RO web UI"]
            tempartifacts [label="Artifact store\n for temporary blobs\nincl. build logs"]
        }
        subgraph cluster_testing {
            node [style=filled]
            testenv [label="test cluster"]
            label = "deployment-prep"
            style = "dashed"
        }
    }

    subgraph cluster_trusted {
        node [style=filled]
        label = "Trusted environments"
        color=red
        subgraph cluster_tr_ci {
            label="Trusted CI"
            style = "dashed"
            trustedci [label="Secure CI component"]
            trustedciui [label="Admin CI UI"]
            artifacts [label="Artifact store\n for persistent blobs"]
            // The trusted CI component can upload artifacts to the store(s)
            trustedci -> artifacts
            // The admin CI interface can submit and view jobs in the secure CI
            trustedciui -> trustedci [label="submit/view"]
        }
        subgraph cluster_prod {
            label = "Production"
            style = "dashed"
            prodenv [label="Production nodes"]
            deployment [label="Deployment nodes"]
            // The deployment nodes can deploy artifacts to production
            deployment -> prodenv
        }
        // The artifact store
        deployment -> artifacts [style="dashed",label="pull"]
    }

    // The admin CI interface can submit jobs to the untrusted CI
    trustedciui -> ci [label="submit"]
    // Merging a patch generates a trusted job
    vcs -> trustedci [label="+2/gns",color="red"]
    // The developer can view the results of builds
    dev -> ciui [style="dashed"]
    ciui -> ci [style="dashed"]
    ciui -> tempartifacts [style="dashed"]
    vcs -> ci [label="PS", color="blue"]
    // The insecure CI can upload artifacts to the temporary store
    ci -> tempartifacts
    testenv -> tempartifacts [style="dashed",label="pull"]
    // Deployers can deploy the resulting artifacts
    dep -> deployment [label="deploy"]
    // The deployer can submit/view jobs on the trusted CI
    dep -> trustedciui [label="submit/view"]

    subgraph cluster_legend {
        labelloc=t
        label="Legend"
        {
            // HTML-like labels; the rw and ro ports are used by the legend edges below
            key [label=<<table border="0">
                <tr><td port="rw">Read-Write</td></tr>
                <tr><td port="ro">Read-Only</td></tr>
                </table>>,shape=plaintext]
            dest [label=<<table border="0">
                <tr><td port="rw">&nbsp;</td></tr>
                <tr><td port="ro">&nbsp;</td></tr>
                </table>>,shape=plaintext]
            key:rw:e -> dest:rw:w
            key:ro:e -> dest:ro:w [style="dashed"]
            rankdir=RL
            rank=same
        }
    }
}
~~~

---

# STRIDE

**S**poofing

**T**ampering

**R**epudiation

**I**nformation disclosure

**D**enial of service

**E**levation of privilege

---

# Threats: Low severity

* Deny service by
    * using all build node capacity
    * filling Gerrit storage
    * filling temporary artifact storage
    * filling persistent artifact storage
    * filling production node storage
    * using all test environment capacity
    * using all production node capacity

# Medium severity

* Spoof
    * developer to Gerrit web UI
    * developer to test environment, via HTTP
    * developer to CI web UI

# High severity

* Tamper
    * with code, modifying it in Gerrit
    * with code operating the build node itself
* Disclose
    * information about production site users
    * secrets from build nodes, e.g., credentials
    * security fixes under embargo, from prod
* Elevate privilege by impersonating SRE/admin
    * on Gerrit host (shell), over ssh
    * on Gerrit UI/API, over HTTP
    * on test environment, over ssh
    * on test environment, over HTTP
    * on CI web UI node, over ssh
    * on CI web UI node, over HTTP
    * on build nodes, over ssh
    * by breaking out of build sandbox on build nodes
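
The trust boundary drawn in the "ci-threat" graph can be checked mechanically. The following is an added example, not part of the original presentation: it transcribes that graph's nodes and edges by hand (treating dashed edges as read-only, per the legend), lists the read-write entry points into the trusted environments, and verifies that no untrusted node has a write path into them. The function names are assumptions made for this sketch.

```python
from collections import deque

# Zones transcribed from the "ci-threat" graph on this page.
UNTRUSTED = {"ci", "ciui", "tempartifacts", "testenv"}
TRUSTED = {"trustedci", "trustedciui", "artifacts", "prodenv", "deployment"}

# (source, target, read_write) transcribed from the same graph;
# dashed edges are read-only according to the legend.
EDGES = [
    ("dev", "vcs", True), ("dep", "vcs", True),
    ("trustedci", "artifacts", True), ("trustedciui", "trustedci", True),
    ("deployment", "prodenv", True), ("deployment", "artifacts", False),
    ("trustedciui", "ci", True), ("vcs", "trustedci", True),
    ("dev", "ciui", False), ("ciui", "ci", False),
    ("ciui", "tempartifacts", False), ("vcs", "ci", True),
    ("ci", "tempartifacts", True), ("testenv", "tempartifacts", False),
    ("dep", "deployment", True), ("dep", "trustedciui", True),
]

def zone(node):
    """Return the trust zone of a node; actors and the VCS sit outside both."""
    if node in TRUSTED:
        return "trusted"
    return "untrusted" if node in UNTRUSTED else "external"

def entry_points(edges):
    """Read-write edges that end in the trusted zone but start outside it."""
    return sorted((s, t) for s, t, rw in edges
                  if rw and zone(t) == "trusted" and zone(s) != "trusted")

def writable_from(starts, edges):
    """Nodes reachable from `starts` by following read-write edges only."""
    seen, queue = set(starts), deque(starts)
    while queue:
        cur = queue.popleft()
        for s, t, rw in edges:
            if rw and s == cur and t not in seen:
                seen.add(t)
                queue.append(t)
    return seen - set(starts)

def violations(edges):
    """Trusted nodes an untrusted node could write to, directly or indirectly."""
    return sorted(writable_from(UNTRUSTED, edges) & TRUSTED)

if __name__ == "__main__":
    print("entry points into trusted zone:", entry_points(EDGES))
    print("untrusted -> trusted write paths:", violations(EDGES))
```

Each entry point it reports is a place where the spoofing and elevation-of-privilege threats listed above need a control, and a non-empty violations list means the diagram no longer keeps untrusted builds away from persistent artifacts or production.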