## Web Content Signing via Service Workers

- Implementation:
  - M-of-n parties deterministically compile the web interface bundle and sign it
  - The interface installs a service worker that mandates all future updates are:
    - signed with m-of-n valid keys certified by a pinned CA
    - stamped with a newer timestamp than the currently installed version
- Protections:
  - Compromised insider tampering with frontends
  - BGP attacks
  - DNS takeover
  - TLS MITM
  - Note: these hold once the service worker is installed; the first visit is trust-on-first-use and still depends on the network path
- Resources:
  - https://developer.mozilla.org/en-US/docs/Web/API/Service_Worker_API/Using_Service_Workers
  - https://arxiv.org/pdf/2105.05551


## Web Request Signing via WebAuthn

- Implementation:
  - Collect WebAuthn public keys for one or more devices from all users
    - External authenticators: Yubikey, Nitrokey, Ledger, Trezor, Solokey, etc.
    - Platform authenticators: iOS 13+, Android 7+, Windows Hello, many Chromebooks
  - Certify WebAuthn public keys with a trusted enclave
  - WebAuthn-sign all impacting web requests, such as trades and transfers
    - Bind the challenge to the request (e.g. a hash of the canonical request body) so the assertion covers what is being authorized, not merely user presence
  - Private key enclaves validate request signatures before signing trades and transfers
- Protections:
  - Compromised insider tampering with backends
  - TLS MITM
- Resources:
  - https://developers.yubico.com/WebAuthn/Concepts/Using_WebAuthn_for_Signing.html


## Internal Supply Chain Integrity

- Implementation:
  - Collect and certify asymmetric public keys from all engineers
  - Have all engineers locally sign all code commits and reviews
  - Deploy multiple independently managed CI/CD systems
  - CI/CD systems deterministically build only validly signed commits/reviews
  - CI/CD systems sign resulting artifacts with well-known/pinned keys
  - Production systems deploy only artifacts signed by multiple CI/CD systems
- Protections:
  - Compromised insider impersonates a commit as another engineer
  - Compromised insider injects malicious code, bypassing review controls
  - Compromised CI/CD system tampers with artifact generation
- Resources:
  - https://github.com/distrust-foundation/sig
  - https://github.com/hashbang/git-signatures
  - https://github.com/hashbang/book/blob/master/content/docs/security/Commit_Signing.md
  - https://blog.dbrgn.ch/2021/11/16/git-ssh-signatures/


## External Supply Chain Integrity

- Implementation:
  - Collect and pin asymmetric public keys from all code reviewers
  - Review all third-party dependencies used in transfer-critical codebases
  - Have all reviewers sign reviews with their certified public keys
  - Publish reviews in a well-documented format to help crowd-source efforts
  - Have CI/CD fail production builds when un-reviewed dependencies are present
    - Match reviews on the exact artifact hash, not only on package name and version
- Protections:
  - Obviously malicious code injected into an external software library
- Resources:
  - https://gist.github.com/lrvick/d4b87c600cc074dfcd00a01ee6275420
  - https://gitlab.com/wiktor/lance-verifier
  - https://github.com/in-toto/attestation/issues/77

## Accountable Airgapped Workflows

- Implementation:
  - Multiple parties compile a deterministic airgap OS and firmware
  - Multiple parties sign the airgap OS/firmware artifacts
  - A new laptop is acquired by multiple parties
  - Trusted firmware is loaded, verifying the signed hash with the existing firmware
  - CA key pinned into the firmware and into an external TPM verification device
  - Laptop stored in a highly tamper-evident vault requiring multiple parties for access
  - Laptop firmware verifies the multi-party signature on the flash-drive ISO and any scripts
  - Participants verify the date and ensure it is the latest and expected version
- Protections:
  - Tampering by any single compromised insider
  - Tampering by any single compiler or build system
- Resources:
  - https://github.com/distrust-foundation/airgap
  - https://github.com/hashbang/airgap