![Page 1: On Omitting Commits and Preventing Git Metadata Tampering ... · On Omitting Commits and Committing Omissions: Preventing Git Metadata Tampering That (Re)introduces Vulnerabilities](https://reader034.vdocuments.mx/reader034/viewer/2022042621/5f607250b9ac90218e5efbe1/html5/thumbnails/1.jpg)
On Omitting Commits and Committing Omissions:
Preventing Git Metadata Tampering That (Re)introduces Vulnerabilities
Santiago Torres-Arias†, Anil Kumar Ammula‡, Reza Curtmola‡, Justin Cappos†
†New York University ‡New Jersey Institute of Technology
USENIX Security ‘16, Austin TX.
The scenario

A central repository and two Devs
[Figure: a central Repo holding a master branch, and two Devs with their own clones.]

Git is a distributed version control system
[Figure sequence: the Devs commit locally (A, A’) and the diagram steps through work!, push! (a Feature branch), pull!, merge! (Feature into master), push!, pull!, Tag! and Push! (tag v1.0).]
Git repositories can be compromised
[Figure: the same Repo, Devs, master and Feature, plus a user; a character who "Wants to Watch the World burn" joins the picture.]
While we were having chips and guacamole...
Repository compromises happen
[Slides 18 to 27 repeat this title over figures that were not extracted.]
Luckily, we have git’s security features
● Hash chaining
● Git commit and tag signatures
● Push certificates (more on them later).
● What could go wrong?
[Figure: the master branch drawn as a hash chain of commits; commits and tags carry a GPG signature by a dev; a push certificate is signed by the pushing dev.]
Example

What happened here?
I want to install django 1.9.3:

santiago at ~ ✔: pip install -e git+https://github.com/santiagotorres/django/@1.9.3#egg=django
Obtaining django from git+https://github.com/santiagotorres/django/@1.9.3#egg=django
[...]
Successfully installed django
santiago at ~ ✔: django-admin.py --version
1.4.11

But I get django 1.4.11.

I try to verify the tag...

santiago at ~/django ✗ git verify-tag 1.9.3
warning: Duplicated ref: refs/tags/1.5.11
gpg: Signature made Wed 03 Sep 2014 01:10:58 AM EDT using RSA key ID 2D9266A6808FE067
gpg: Good signature from "James Bennett <[email protected]>" [full]
Primary key fingerprint: BD47 7E2E 05F7 EF63 71B6 E8EE 2D92 66A6 808F E067

PGP verification passes...

I ask for more detail...

santiago at ~/django ✔ git verify-tag --verbose 1.9.3
object [...]
tagger James Bennett <[email protected]> 1409721058 -0500
[...]
Tag 1.4.11
gpg: Signature made Wed 03 Sep 2014 01:10:58 AM EDT using RSA key ID 2D9266A6808FE067
gpg: Good signature from "James Bennett <[email protected]>" [full]
Primary key fingerprint: BD47 7E2E 05F7 EF63 71B6 E8EE 2D92 66A6 808F E067

It’s the wrong tag!

What happened here?
● Django 1.4.11 is vulnerable to 8+ RCE vulnerabilities
● But the GPG verification passed?
● Why did this happen?
The problem
Why did this happen?
● Simply put, some Git metadata is not signed

.git/
├── branches
├── COMMIT_EDITMSG
├── hooks
│   ├── applypatch-msg.sample
│   ….
├── index
├── info
├── logs
│   ├── HEAD
...
├── objects          (Signed!)
...
└── refs             (Not signed. This is our target)
    └── tags
Why did this happen?
● Simply put, some Git metadata is not signed
  ○ References, pointers to Git tags and commits, are not signed
● An attacker with write access to the repository can modify this information.
● The resulting attack looks like regular git operation.
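As an added illustration of the check the Django example calls for (this is not code from the talk or the paper), the script below parses a tag object in the layout `git cat-file -p <tag>` prints and compares the reference name a client asked for with the `tag` header that the tag signature actually covers. The sample tag object is constructed; its object id, tagger and signature block are placeholders.

```python
SIG_BEGIN = "-----BEGIN PGP SIGNATURE-----"

# Constructed sample tag object in the layout `git cat-file -p <tag>` prints:
# header lines, a blank line, the message, then the detached signature that
# `git tag -s` appends to the message. Object id, tagger and signature are
# placeholders, not values from the slides.
SAMPLE_TAG_OBJECT = (
    "object 0000000000000000000000000000000000000000\n"
    "type commit\n"
    "tag 1.4.11\n"
    "tagger Example Tagger <tagger@example.invalid> 1409721058 -0500\n"
    "\n"
    "Tag 1.4.11\n"
    "-----BEGIN PGP SIGNATURE-----\n"
    "placeholder-signature-block\n"
    "-----END PGP SIGNATURE-----\n"
)


def parse_tag_object(text):
    """Split a tag object into its headers, message and a signed flag.

    Returns a dict with keys object, type, tag, tagger, message, signed.
    Raises ValueError when the header block is incomplete.
    """
    header_text, sep, body = text.partition("\n\n")
    if not sep:
        raise ValueError("malformed tag object: no blank line after headers")
    headers = {}
    for line in header_text.splitlines():
        key, _, value = line.partition(" ")
        headers[key] = value
    for required in ("object", "type", "tag", "tagger"):
        if required not in headers:
            raise ValueError("malformed tag object: missing '%s' header" % required)
    # The signature, when present, is appended to the message body.
    message, sig_marker, _ = body.partition(SIG_BEGIN)
    return {
        "object": headers["object"],
        "type": headers["type"],
        "tag": headers["tag"],
        "tagger": headers["tagger"],
        "message": message.rstrip("\n"),
        "signed": bool(sig_marker),
    }


def check_tag_ref(ref_name, tag_object_text):
    """Compare the requested ref name with the name inside the signed tag object.

    `git verify-tag` checks the signature over the tag object, so a repointed
    refs/tags/<name> passes as long as the object it now points at is itself
    correctly signed. The `tag` header is covered by that signature, so it is
    the name a client can trust; the ref name is not.
    """
    prefix = "refs/tags/"
    expected = ref_name[len(prefix):] if ref_name.startswith(prefix) else ref_name
    tag = parse_tag_object(tag_object_text)
    if not tag["signed"]:
        return "unsigned: tag object '%s' carries no signature" % tag["tag"]
    if tag["tag"] != expected:
        return "mismatch: %s points at a tag object named '%s'" % (ref_name, tag["tag"])
    return "ok"


if __name__ == "__main__":
    # The slides' case: the client asked for 1.9.3 and got the 1.4.11 object.
    print(check_tag_ref("refs/tags/1.9.3", SAMPLE_TAG_OBJECT))
    # The legitimate case: ref name and signed tag name agree.
    print(check_tag_ref("refs/tags/1.4.11", SAMPLE_TAG_OBJECT))
```

On a real checkout, feed the function the output of `git cat-file -p refs/tags/<name>` together with the name you asked for; the signature itself is still verified separately by `git verify-tag`.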
Metadata Manipulation Attack Taxonomy
Attack taxonomy
● Teleport Attacks
  ○ Branch Teleport Attack
  ○ Tag Teleport Attack
● Rollback Attacks
  ○ Branch Rollback Attack
  ○ Global Rollback Attack
  ○ Effort Duplication Attack
● Deletion Attacks
  ○ Branch Deletion Attack
  ○ Tag Deletion Attack
Branch teleport attack
[Figure sequence: the repository holds master and a do_not_merge branch, labelled "Apple’s duplicated goto". A user asks the repository "what is the latest master?"; the compromised repository answers "Uhh, just a sec" and moves the master reference onto the do_not_merge branch. The reaction on the Dev side: "what!? ok, I better merge".]

Branch teleport attack: result
[Figure: master now points at the do_not_merge commits, which users fetch as the latest master.]
Tag teleport attack
[Figure sequence: the repository holds tags v1.1 and v1.vuln on master. A user asks "give me tag v1.1!"; the repository answers "You got it!" but has moved the v1.1 reference onto the v1.vuln commit. The user’s reaction: "Neat! less features!".]
Branch rollback attack
[Figure sequence: a Dev pushes a FIX commit on the Feature branch and asks another Dev "Here’s the fix! Can you review?"; the reviewer answers "looks good! Ready to merge". The compromised repository ("Just a sec") rolls the Feature reference back to before FIX, so the merge into master omits the fix. Reaction: "Dev! You broke it!".]
Attack taxonomy: summary
● Teleport Attacks
  ○ Branch Teleport Attack ➢ Buggy code inclusion
  ○ Tag Teleport Attack ➢ Wrong version retrieved
● Rollback Attacks
  ○ Branch Rollback Attack ➢ Critical code omission
  ○ Global Rollback Attack ➢ Critical code omission
  ○ Effort Duplication Attack ➢ Coding effort increased
● Deletion Attacks
  ○ Branch Deletion Attack ➢ Missing branch
  ○ Tag Deletion Attack ➢ Missing tag
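To make the taxonomy concrete, this added example (not from the talk or the paper) classifies the change of each reference between two reference states as fast-forward, rollback, teleport or deletion and flags a global rollback. It assumes the client keeps its own record of the reference state from its last fetch; the commit graph and both snapshots are constructed, and the effort duplication attack is not modelled.

```python
from collections import deque

# Constructed commit graph, child -> parents; letters stand in for hashes.
#   A <- B <- C     master and tag v1.1 at C, tag v1.0 at A
#        \
#         D         do_not_merge at D
DAG = {"A": [], "B": ["A"], "C": ["B"], "D": ["B"]}

# Reference state a client recorded at its last successful fetch (assumed local record).
LAST_SEEN = {
    "refs/heads/master": "C",
    "refs/heads/do_not_merge": "D",
    "refs/tags/v1.1": "C",
    "refs/tags/v1.0": "A",
}

# What a tampered repository serves next: master teleported onto the
# do_not_merge branch, tag v1.1 moved to an older commit, tag v1.0 gone.
TAMPERED = {
    "refs/heads/master": "D",
    "refs/heads/do_not_merge": "D",
    "refs/tags/v1.1": "A",
}

# A global rollback: every branch served as it was one commit earlier.
ROLLED_BACK = {
    "refs/heads/master": "B",
    "refs/heads/do_not_merge": "B",
    "refs/tags/v1.1": "C",
    "refs/tags/v1.0": "A",
}


def is_ancestor(dag, ancestor, descendant):
    """True if `ancestor` is reachable from `descendant` via parent links (inclusive)."""
    seen, todo = set(), deque([descendant])
    while todo:
        cur = todo.popleft()
        if cur == ancestor:
            return True
        if cur in seen:
            continue
        seen.add(cur)
        todo.extend(dag.get(cur, []))
    return False


def classify_update(dag, ref, old, new):
    """Name the transition of one reference using the slides' taxonomy."""
    is_tag = ref.startswith("refs/tags/")
    if old is None:
        return "new"
    if new is None:
        return "tag deletion" if is_tag else "branch deletion"
    if old == new:
        return "unchanged"
    if is_tag:
        return "tag teleport"          # a published tag is not expected to move
    if is_ancestor(dag, old, new):
        return "fast-forward"          # the only benign branch movement on fetch
    if is_ancestor(dag, new, old):
        return "branch rollback"
    return "branch teleport"


def audit_refs(dag, last_seen, fetched):
    """Classify every reference and flag a global rollback.

    Returns (report, global_rollback): `report` maps each ref to its
    classification; `global_rollback` is True when every branch that moved
    moved backwards, which is what serving a stale repository snapshot looks like.
    """
    names = sorted(set(last_seen) | set(fetched))
    report = {r: classify_update(dag, r, last_seen.get(r), fetched.get(r)) for r in names}
    moved = [r for r in names if r.startswith("refs/heads/") and report[r] not in ("unchanged", "new")]
    global_rollback = bool(moved) and all(report[r] == "branch rollback" for r in moved)
    return report, global_rollback


def suspicious(report):
    """Refs whose transition a client should refuse or escalate rather than accept silently."""
    return sorted(r for r, kind in report.items() if kind not in ("unchanged", "new", "fast-forward"))


if __name__ == "__main__":
    for label, snapshot in (("tampered", TAMPERED), ("rolled back", ROLLED_BACK)):
        report, global_rb = audit_refs(DAG, LAST_SEEN, snapshot)
        print(label, report, "global rollback:", global_rb, "suspicious:", suspicious(report))
```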
How can we fix this?
The problem with existing solutions
● We could solve fork-consistency using existing solutions
● Consistency systems, like SUNDR, could solve this issue, but they disregard Git’s distributed nature.
● We require a solution that understands which files are meant to be synchronized
Defense assumptions
● Developers communicate through other means
○ A complete fork attack will be noticed and discussed through side channels
● A repository can be initialized with a root of trust
Our Solution
Defense goals: usability
● Preserve current Git workflows
● Ensure backwards compatibility with older Git versions
● Provide increased security in partial adoption scenarios
Defense goals: security
● Prevent modification of committed data
● Ensure consistent repository state
● Ensure repository state freshness
Defense: Overview
● Prevent modification of committed data ➔ Provided by Git
● Ensure consistent repository state ➔ Reference State Log
● Ensure repository state freshness ➔ Nonce Bag
The Reference State Log
(figure, slides 82-88: a central Repo holding an RSL, and two Devs)
● Push! ➢ a regular push, plus a signed statement appended to the RSL
● Fetch! ➢ a regular fetch
● Pull! ➢ a regular fetch, then a reference consistency check against the RSL
The RSL push entry
The RSL is a chain of entries: Entry → Entry → ... → Entry. Each push entry holds:
Branch: master ➢ references changed
HEAD: 0xfe….ab ➢ their updated locations
PREV_HASH: 0xac...89 ➢ hash of previous RSL entry
Signature: Dev’s signature ➢ authenticates whoever added this entry
Implementation: prototype
● Two extensions to git
○ git securepush ➢ add an RSL entry and push
○ git securefetch ➢ fetch, retrieve the RSL, and verify repository state
● RSL lives in repo
○ as a special branch
○ sent in-band
Synchronization
(figure, slides 92-98: a central Repo with master, and two Devs)
1. One Dev works on a Feature branch and runs securepush!
2. The other Dev runs securepull!; verification passes (✔)
3. Feature is merged into master, followed by a secure push!
4. A secure pull! on the other side verifies again (✔)
Verification
1. Is the entry signed by a trusted party?
2. Are all the entries in the RSL correctly linked together?
3. Are all the references pointing to the right place?
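The push entry fields and the three verification checks above, as an added example that is not the paper's prototype or git's own code; it assumes HMAC-SHA256 under a per-developer key as a stand-in for the Dev's GPG signature, and constructs a three-entry RSL together with a rolled-back master, a spliced log and an untrusted signer as the cases a securefetch would have to reject.

```python
import hashlib
import hmac
import json

# Added example, not the paper's prototype: a minimal Reference State Log (RSL)
# plus the talk's three verification checks. "Dev's signature" is stood in for by
# HMAC-SHA256 under a per-developer key (an assumption; the design uses GPG).
GENESIS = "0" * 64  # PREV_HASH of the first entry (constructed convention)


def entry_hash(entry: dict) -> str:
    """Hash over an entry's fields; the next entry names it in PREV_HASH."""
    body = {k: entry[k] for k in ("branch", "head", "prev_hash", "signer")}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def append_push(rsl: list, branch: str, head: str, dev: str, key: bytes) -> list:
    """Dev records a push: the reference changed, its new HEAD, a link to the previous entry."""
    prev = entry_hash(rsl[-1]) if rsl else GENESIS
    entry = {"branch": branch, "head": head, "prev_hash": prev, "signer": dev}
    entry["signature"] = hmac.new(key, entry_hash(entry).encode(), "sha256").hexdigest()
    return rsl + [entry]


def verify(rsl: list, refs: dict, trusted: dict) -> tuple:
    """Return (ok, reason) after the three checks: trusted signer, chain linkage, refs match."""
    prev, expected = GENESIS, {}
    for i, e in enumerate(rsl):
        key = trusted.get(e["signer"])
        if key is None:                                   # 1. signed by a trusted party?
            return False, f"entry {i}: signer {e['signer']!r} is not trusted"
        mac = hmac.new(key, entry_hash(e).encode(), "sha256").hexdigest()
        if not hmac.compare_digest(mac, e["signature"]):
            return False, f"entry {i}: signature does not verify"
        if e["prev_hash"] != prev:                        # 2. entries correctly linked?
            return False, f"entry {i}: PREV_HASH does not link to entry {i - 1}"
        prev = entry_hash(e)
        expected[e["branch"]] = e["head"]                 # latest recorded location per ref
    for branch, head in expected.items():                 # 3. refs pointing to the right place?
        if refs.get(branch) != head:
            return False, f"{branch} is at {refs.get(branch)!r}, RSL says {head!r}"
    return True, "repository state matches the RSL"


def demo() -> tuple:
    """Constructed scenario: honest fetch, a rolled-back master, a spliced RSL, an untrusted signer."""
    keys = {"alice": b"alice-key", "bob": b"bob-key"}    # constructed developer keys
    rsl = append_push([], "master", "c1", "alice", keys["alice"])
    rsl = append_push(rsl, "feature", "c2", "bob", keys["bob"])
    rsl = append_push(rsl, "master", "c3", "alice", keys["alice"])
    honest = {"master": "c3", "feature": "c2"}
    rolled_back = {"master": "c1", "feature": "c2"}       # server serves master at c1 again
    spliced = [rsl[0], rsl[2]]                            # server dropped bob's entry
    forged = append_push(rsl, "master", "c9", "mallory", b"mallory-key")
    return (verify(rsl, honest, keys)[0], verify(rsl, rolled_back, keys)[0],
            verify(spliced, honest, keys)[0], verify(forged, honest, keys)[0])


if __name__ == "__main__":
    print(demo())  # (True, False, False, False)
```

A deleted branch fails check 3 the same way, since the RSL still records a location for it while the served refs have none.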
Evaluation
How are attacks prevented
● Teleport Attacks ➔ Requires an RSL entry with the target:
○ Branch Teleport Attack ◆ commit
○ Tag Teleport Attack ◆ tag
● Rollback Attacks ➔ Requires replaying an RSL entry
○ Branch Rollback Attack ◆ Target commit must have been pushed
○ Global Rollback Attack ◆ (prevented with Nonce Bag)
○ Effort Duplication Attack ◆ (prevented with Nonce Bag)
● Deletion Attacks ➔ Requires a valid RSL entry
○ Branch Deletion Attack
○ Tag Deletion Attack
RSL + Nonce Bag VS other mechanisms

| Feature | Commit signing | Push Certificate | RSL |
|---|---|---|---|
| Commit Tampering | ✓ | ✓ | ✓ |
| Branch Teleport | X | ✓ | ✓ |
| Branch Rollback | X | X | ✓ |
| Global Rollback | X | X | ✓ |
| Effort Duplication | X | X | ✓ |
| Tag Rollback | X | ✓ | ✓ |
| Minimum Git Version | 1.7.9 | 2.2.0 | 1.7.9 |
| Distribution Mechanism | in-band | (no default) | in-band |
Partial adoption of our defense

| | Possible Attacks | Time window of attack | Vulnerable commit objects |
|---|---|---|---|
| Commit signing | All attacks | Any time | Any object |
| RSL (full adoption) | No attacks | None | No object |
| RSL (partial adoption) | All attacks | After latest RSL and before the next RSL entry | Objects added after the latest RSL entry |
Storage overhead

| Repository | No. of commits | Number of pushes | Repository size (MB) | Storage Overhead |
|---|---|---|---|---|
| Bootstrap | 11,666 | 1,345 | 78.85 | .4% |
| Angular.js | 7,521 | 26 | 66.96 | .009% |
| D3 | 3,510 | 255 | 32.91 | .17% |
| jQuery | 6,031 | 194 | 15.79 | .22% |
| oh-my-zsh | 3,841 | 1,170 | 3.52 | 6.5% |
Network overhead
1. Additional ~25KB per push/fetch (less than 1% in some cases)
2. Double round trip time
3. These issues go away when the RSL becomes part of Git’s pack protocol
Turning Theory Into Practice
Interaction with the Git community
1. Refactored Git tag PGP verification code
○ Yes, you are running our code starting on 2.9.0
○ 6 patches, over 8 iterations
2. Discussed a plan for the git-tag issue
3. Discussed the plan to address the rest
Other version control systems

| System | Signed revisions (commits) | Prevents MM attacks |
|---|---|---|
| Git | Yes | No |
| Bitkeeper | No | No |
| Mercurial | Yes (via plugin) | Yes |
| Monotone | Yes (mandatory) | Yes |
Conclusions
To wrap up
1. Do not trust the infrastructure
2. GPG signatures on git objects are currently not enough...
○ ...but do it anyway!
○ Do not use references, but the object’s SHA1 when possible
3. Update Git!
Questions?
Thanks