From 0da5e02d3fffec73e3a2f80cd112cc0956dc3c47 Mon Sep 17 00:00:00 2001 From: ryan Date: Wed, 18 Sep 2024 11:49:35 -0400 Subject: [PATCH] updates --- stagex/index.md | 294 +++++++++++++++++++++++++++--------- stagex/scripts/alpine.sh | 4 + stagex/scripts/archlinux.sh | 4 + stagex/scripts/debian.sh | 5 + stagex/scripts/fedora.sh | 4 + stagex/scripts/rust-deps.sh | 7 + 6 files changed, 249 insertions(+), 69 deletions(-) create mode 100644 stagex/scripts/alpine.sh create mode 100644 stagex/scripts/archlinux.sh create mode 100644 stagex/scripts/debian.sh create mode 100644 stagex/scripts/fedora.sh create mode 100644 stagex/scripts/rust-deps.sh diff --git a/stagex/index.md b/stagex/index.md index 4514934..0149524 100644 --- a/stagex/index.md +++ b/stagex/index.md @@ -10,17 +10,74 @@ backgroundColor: #fff # Bootstrapping Reproducibility with StageX +The steps involved in going from a 256 byte compiler to a deterministic +bit-for-bit reproducible Linux distribution. + + + --- -# Minimalism and security first repository +# The Problem: milk sad wage cup... -Approach the distribution of a toolchain by ensuring each component uses + + + + +```dockerfile +FROM rust +ADD . /app +WORKDIR /app +RUN cargo build --release && \ + mv target/release/mnemonicgen /usr/bin/mnemonicgen +ENTRYPOINT ["/usr/bin/mnemonicgen"] +``` + + + + + +--- + +# Minimalism and security first Linux distribution + +Approach the development of a secure toolchain by ensuring each component uses exactly what it needs to build - no more, no less. + + + + + + + + +--- + # A Rust Example ```dockerfile -FROM scratch AS build -COPY --from=stagex/busybox . / -COPY --from=stagex/rust . / -COPY --from=stagex/musl . / -COPY --from=stagex/gcc . / -COPY --from=stagex/llvm . / -COPY --from=stagex/binutils . / -COPY --from=stagex/libunwind . / -ADD < + --- -# OCI Images +# Multi-Signed OCI Images +Multiple maintainers can each sign individual images, with the container +runtime enforcing _multiple_ signatures by maintainers to ensure no individual +maintainer could have tampered with an image. + --- @@ -126,15 +237,16 @@ build the entire StageX toolchain for themselves. StageX comes with developer-loved tooling and languages, such as: -* `rust` -* `go` -* `python` -* `curl` -* `git` +- `rust` +- `go` +- `python` +- `curl` +- `git` -If you are interested in additionally software being added feel free to open a PR or let us know what you would like to see added. +If you are interested in additionally software being added feel free to open a +PR or let us know what you would like to see added. --- @@ -143,74 +255,120 @@ If you are interested in additionally software being added feel free to open a P StageX offers prebuilt containers including all the packages necessary to run some of our most used software, such as: -* `kubectl`, `kustomize`, `helm` -* `keyfork` -* `nginx` -* `redis` -* `postgres` +- `kubectl`, `kustomize`, `helm` +- `keyfork` +- `nginx` +- `redis` +- `postgres` + +We also ship pallets for building new images, such as the Rust pallet shown in +the previous example. --- -# **Full source bootstrapped from Stage 0** +# Full source bootstrapped from Stage 0 -The StageX compiler and all libraries necessary to build software are themselves fully bootstrapped and deterministic +From a 256-byte compiler written in hex, StageX bootstraps all the compiler +tools necessary to build the distribution, 100% deterministically. -Bootstrapped - built up from "nothing" in order to allow verification of how the compiler is built - ensuring there is no malicious code added to it at any point. + -Ken Thompson describes the risk of using a compiler which can't be verified to be trustworthy in his seminal paper "Reflections on Trusting Trust" +- Stage 0: Getting a basic C compiler on x86 +- Stage 1: Building GCC for x86 +- Stage 2: Upgrading GCC for x86_64 +- Stage 3: Building up-to-date toolchains +- Stage X: Shipping the software you know and love + + --- -# **OK, So What?** +# OK, So What? -There is an entire family of supply chain vulnerabilities which can be eliminated by using StageX +By using stagex, an entire family of supply chain vulnerabilities can be +eliminated. Removing unnecessary software reduces the attack surface of +potentially malicious software, while deterministic builds help ensure +software hasn't been tampered with. -By reducing the number of dependencies needed to run and build software, we remove unnecessary software which can act as an entry point for malicious software such as malware -For example, if using Debian as a base for `rust`, one ends up using **232 dependencies**, where as StageX only requires **4 dependencies** +Because StageX can be used to build standalone Linux systems, it can also be +used to generate bootable images without needing to ship unnecessary tooling +such as a package manager or a compiler. --- -Additionally, there has not been a simple way to verify that a compiler is trusted. - -This is because compilers are used to build other compilers, and for a long time, we lost the ability to build up a compiler toolchain from "nothing" - -StageX allows us to bootstrap the compiler toolchain, making it easy to verify that no malicious code was introduced at any point, by reviewing the code, and it also does so in a deterministic manner, which makes it simple to further verify the integrity of the binary - ---- - -# Solar Winds +# _Solar Winds_ of Change According to: https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ -> * SUNSPOT is StellarParticle’s malware used to insert the SUNBURST backdoor into software builds of the SolarWinds Orion IT management product. -> * SUNSPOT monitors running processes for those involved in compilation of the Orion product and replaces one of the source files to include the SUNBURST backdoor code. -> * Several safeguards were added to SUNSPOT to avoid the Orion builds from failing, potentially alerting developers to the adversary’s presence. +> - SUNSPOT is StellarParticle’s malware used to insert the SUNBURST backdoor into software builds of the SolarWinds Orion IT management product. +> - SUNSPOT monitors running processes for those involved in compilation of the Orion product and replaces one of the source files to include the SUNBURST backdoor code. +> - Several safeguards were added to SUNSPOT to avoid the Orion builds from failing, potentially alerting developers to the adversary’s presence. + + + +--- + +# Key Takeaways + +* StageX packages the software you're already using, securely. +* By leveraging Docker, we avoid mixing package managers and build contexts. +* Your software, as well as your SBOM, can all be built deterministically. + + + +--- + +# What's Next? + +Packaging more software and updating existing software faster Adding additional container runtimes like Podman and Kaniko @@ -220,8 +378,6 @@ Adding additional chip architecture support such as ARM and RISC-V # **Links** -**Presenter**: - **Matrix Chat**: #stagex:matrix.org **Git Repo**: https://codeberg.org/stagex/stagex diff --git a/stagex/scripts/alpine.sh b/stagex/scripts/alpine.sh new file mode 100644 index 0000000..6c25105 --- /dev/null +++ b/stagex/scripts/alpine.sh @@ -0,0 +1,4 @@ +#!/bin/sh + +apk add cargo +printf "DEPS (Alpine): %s\n" $(apk list --installed | tail -n +2 | wc -l) diff --git a/stagex/scripts/archlinux.sh b/stagex/scripts/archlinux.sh new file mode 100644 index 0000000..c086afe --- /dev/null +++ b/stagex/scripts/archlinux.sh @@ -0,0 +1,4 @@ +#!/bin/sh + +pacman -Syu --noconfirm rust +printf "DEPS (Arch Linux): %s\n" $(pacman -Q | wc -l) diff --git a/stagex/scripts/debian.sh b/stagex/scripts/debian.sh new file mode 100644 index 0000000..42b2745 --- /dev/null +++ b/stagex/scripts/debian.sh @@ -0,0 +1,5 @@ +#!/bin/sh + +apt-get update +apt-get install -y cargo rustc +printf "DEPS (Debian): %s\n" $(dpkg --get-selections | wc -l) diff --git a/stagex/scripts/fedora.sh b/stagex/scripts/fedora.sh new file mode 100644 index 0000000..f0a0091 --- /dev/null +++ b/stagex/scripts/fedora.sh @@ -0,0 +1,4 @@ +#!/bin/sh + +yum install -y cargo +printf "DEPS (Fedora): %s\n" $(yum list installed | tail -n +2 | wc -l) diff --git a/stagex/scripts/rust-deps.sh b/stagex/scripts/rust-deps.sh new file mode 100644 index 0000000..1c49db7 --- /dev/null +++ b/stagex/scripts/rust-deps.sh @@ -0,0 +1,7 @@ +#!/bin/sh + +SCRIPTDIR="$(cd "$(dirname $0)"; pwd)" + +for distro in debian archlinux fedora alpine; do + docker run --rm -v "$SCRIPTDIR:/scripts:ro" $distro /bin/sh /scripts/$distro.sh | grep --color "^DEPS" +done