Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

content: draft: Add mitigation for malicious source platform admin. #1188

Merged
merged 5 commits into from
Oct 16, 2024
Merged

content: draft: Add mitigation for malicious source platform admin. #1188

merged 5 commits into from
Oct 16, 2024

Conversation

TomHennen
Copy link
Contributor

Add mitigation for malicious source platform admin.

We didn't have any guidance for this threat. There are a number of ways we may be able to address this in the future via the SLSA Source Track and/or tools like gittuf. However, SLSA doesn't currently address them. This entire section is already labeled as not being handled by SLSA but does still include other mitigations.

I'm using the same language we have for "Compromise build platform admin", which seems like the same sort of threat, and should work 'fine' until we have something better.

Filed #1187 to track

Fixes #1179.

@TomHennen
Add mitigation for malicious source platform admin.
ce02c32 
Using the same language we have for "Compromise build platform admin".

Filed slsa-framework#1187 to track

Fixes slsa-framework#1179.

Signed-off-by: Tom Hennen <[email protected]>
@netlify Netlify
Copy link

netlify bot commented Oct 14, 2024
edited
Loading

Deploy Preview for slsa ready!

Name Link
🔨 Latest commit 49cadd4
🔍 Latest deploy log https://app.netlify.com/sites/slsa/deploys/670fbd6d7841da0009aee79c
😎 Deploy Preview https://deploy-preview-1188--slsa.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site configuration.

@TomHennen TomHennen changed the title content: Add mitigation for malicious source platform admin. content: draft: Add mitigation for malicious source platform admin. Oct 14, 2024
@TomHennen TomHennen requested a review from lehors October 14, 2024 20:25
arewm
arewm approved these changes Oct 15, 2024
View reviewed changes
Copy link
Member

@arewm arewm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We have a build platform operations track in the future directions: https://slsa.dev/spec/v1.0/future-directions

Should we make a reference to that?

@TomHennen
Copy link
Contributor Author

We have a build platform operations track in the future directions: https://slsa.dev/spec/v1.0/future-directions

Should we make a reference to that?

Done.

adityasaky
adityasaky reviewed Oct 15, 2024
View reviewed changes
docs/spec/draft/threats.md Outdated Show resolved Hide resolved
docs/spec/draft/threats.md Outdated Show resolved Hide resolved
@TomHennen
remove example solutions
69c9b86 
Signed-off-by: Tom Hennen <[email protected]>
adityasaky
adityasaky approved these changes Oct 15, 2024
View reviewed changes
Copy link
Member

@adityasaky adityasaky left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

zachariahcox
zachariahcox approved these changes Oct 15, 2024
View reviewed changes
Copy link
Contributor

@zachariahcox zachariahcox left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

great start.

any package registry admin prior art would be pretty applicable here.
We could also talk about use of externally verifiable data for certain use cases (like signed refs) or signed source provenance docs.

like two-set-of-eyes rules, it makes attacks more expensive and difficult to accomplish.

@TomHennen
Copy link
Contributor Author

great start.

any package registry admin prior art would be pretty applicable here. We could also talk about use of externally verifiable data for certain use cases (like signed refs) or signed source provenance docs.

like two-set-of-eyes rules, it makes attacks more expensive and difficult to accomplish.

FWIW the goal wasn't really to address this threat with SLSA, but just mention it as a thing folks should consider. That doesn't mean we can't address it in the future, just get rid of the TODO.

So, how complete did we want this to be for 1.1?

@lehors any thoughts

lehors
lehors reviewed Oct 16, 2024
View reviewed changes
docs/spec/draft/threats.md Outdated Show resolved Hide resolved
@lehors
Copy link
Member

lehors commented Oct 16, 2024

great start.
any package registry admin prior art would be pretty applicable here. We could also talk about use of externally verifiable data for certain use cases (like signed refs) or signed source provenance docs.
like two-set-of-eyes rules, it makes attacks more expensive and difficult to accomplish.

FWIW the goal wasn't really to address this threat with SLSA, but just mention it as a thing folks should consider. That doesn't mean we can't address it in the future, just get rid of the TODO.

So, how complete did we want this to be for 1.1?

@lehors any thoughts

As far as I'm concerned, I think what you're proposing is enough for 1.1. This can always be improved as we move forward.

@lehors
Update docs/spec/draft/threats.md
49cadd4 
Fix link

Signed-off-by: Arnaud J Le Hors <[email protected]>
@lehors lehors merged commit 8424fae into slsa-framework:main Oct 16, 2024
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@zachariahcox zachariahcox zachariahcox approved these changes

@trishankatdatadog trishankatdatadog trishankatdatadog approved these changes

@arewm arewm arewm approved these changes

@adityasaky adityasaky adityasaky approved these changes

@lehors lehors lehors approved these changes

Assignees
No one assigned
Labels
None yet
Projects
Issue triage
Status: Done
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

TODO: Need mitigation description for "Platform admin abuses privileges" threat
6 participants
@TomHennen @lehors @adityasaky @arewm @trishankatdatadog @zachariahcox