A lot of time and effort is put into writing security-focused software. Hardware vendors routinely add new features that help software developers increase the security of their software. Memory safe languages like Rust that help developers write safer code are becoming more and more popular. However, advancements in software security can be rendered useless if the supply chain for delivering software is compromised. As we’ve seen with the recent xz incident, a supply chain vulnerability can be exploited with malicious intent. In the LLVM project, we've been working to secure our own software supply chain to help protect against these kinds of attacks.
Managing commit access
LLVM is a collection of reusable libraries and tools for building compilers. It includes a C compiler (clang), fortran compiler (Flang), and C++ standard libraries (libc++) among other things. LLVM is a very large project. It has a single Git repository that contains several related subprojects. Overall, the llvm-project Git repository receives about 300 commits a day, and has over 600 unique committers each month. To facilitate this rapid pace of development, the project has granted commit access to about 1,600 contributors. Having so many contributors with commit access is beneficial to the project, allowing it to sustain a high rate of feature development. However, having so many committers does increase the risk of someone outside the project gaining commit access using compromised credentials.
To mitigate this risk, the LLVM Project has recently adopted a policy of removing commit access from any user with fewer than 5 interactions (either a commit, or PR review or comment) with the repository in the past year.
Users with few interactions don't need commit access. Infrequent contributors can submit pull requests, and it's not much effort for a patch review or someone else with commit access to merge the PR. Also, users that are no longer active in the project may be at a greater risk of having their credentials compromised, because they may not be monitoring their GitHub account (or access tokens) and may not be up on the latest security recommendations for the LLVM Project.
Overall, fewer committers means less chance for compromise, but there still needs to be a certain number of people with commit access to keep the project running efficiently. Limiting the number of committers to some small number may be best for security, but it may not be best for the project overall. It's important to balance security concerns with the other goals of any project.
Securing GitHub Actions
GitHub Actions is a framework allowing automation of various tasks for projects hosted on GitHub. The most common way projects use GitHub Actions is for continuous integration (CI) testing.
Typically, CI jobs are run when someone submits a pull request. This may seem harmless at first, but running a CI job for a pull request does come with some risks. Anyone with a GitHub account can submit a pull request, and it’s easy to modify CI tests to execute arbitrary code. So GitHub Actions jobs need to be hardened against running untrusted code from potentially malicious users.
Untrusted code could potentially steal login credentials from a machine, or take over a machine to use for Crypto mining, DDOS attacks, or some other kind of intensive task. GitHub has a number of best practices to help provide protections for projects Actions jobs. The LLVM project has been reviewing these and making changes to help ensure that our jobs are safe.
One safety feature we've enabled is to prevent GitHub Actions from running automatically for first-time contributors. Anyone contributing their first pull request to the project needs to have the GitHub Actions jobs started manually by someone with write access to the project. This helps protect against scripted attacks where attackers automatically create thousands of pull requests against various projects trying to find which ones are vulnerable. Requiring a manual step allows someone trusted in the project to review the PR to ensure it is legitimate.
Another best practice we've adopted is to ensure that all GitHub Actions jobs triggered by pull requests run with the fork's context, and not the context of the main llvm-project repo. When a job runs in the fork's context, it doesn't have access to any of the main repository's secrets, and is not permitted to modify code or issues in the repo. This is achieved by using the pull_request event for triggering PR jobs instead of the pull_request_target.
We also ensure that access tokens used by a GitHub Actions job has the least amount of permissions necessary to do its task. In most cases, our tokens have read-only access, so there's little to no damage that could be done with them even if they were to be compromised.
Release asset safety
We've also recently made some improvements to how the LLVM Project handles release assets (sources and binaries). For one, we've started using the artifact attestation feature from GitHub. This allows users to verify that the artifacts are legitimate, but also the exact GitHub Actions job used to generate the artifacts. This helps provide transparency, and makes it easier for a third-party to reproduce the artifacts.
We no longer host third-party binaries (with a few exceptions) on the official release page. In the past, we let any contributor upload release binaries to our release page, but we didn't have a good way to validate these binaries, so we created a different space for these kinds of uploads. Now on our official release page, we only host binaries that have been generated on the GitHub infrastructure, and have the artifact attestations to go with it (with one exception for Windows binaries).
Security is an ongoing process
Securing the supply-chain is never done. We always need to be aware of new threats, and also new technologies that can help protect projects. One way we keep track of how the project is doing is with the OpenSSF security scorecard. This monitors the repository and checks for common mistakes or other security issues. This scorecard is updated daily for our project, and displayed as a badge on the GitHub repository's landing page.
Having automated tools to help secure the repository is helpful, but not enough. It's up to every contributor to the project to do their part to help keep the repository safe. This means keeping their own login credentials safe, helping to review code before it's committed to the repo, and being vigilant for suspicious activity in the project. Given that LLVM is a compiler, it is especially important to keep it safe. Malicious code in compilers can be propagated into anything it builds, making it a potential access point for attackers to any software in a distribution.
As the software industry gets better at creating security-focused software, whether through hardware features, new languages, or compiler-based techniques, attackers are looking for other approaches to compromise software. The software supply-chain can be a weak point for even the most hardened software. It's vital that software developers (whether working on open source or proprietary software) understand supply-chain security and stay educated about the latest research and best practices.
Sull'autore
Altri risultati simili a questo
Ricerca per canale
Automazione
Novità sull'automazione IT di tecnologie, team e ambienti
Intelligenza artificiale
Aggiornamenti sulle piattaforme che consentono alle aziende di eseguire carichi di lavoro IA ovunque
Hybrid cloud open source
Scopri come affrontare il futuro in modo più agile grazie al cloud ibrido
Sicurezza
Le ultime novità sulle nostre soluzioni per ridurre i rischi nelle tecnologie e negli ambienti
Edge computing
Aggiornamenti sulle piattaforme che semplificano l'operatività edge
Infrastruttura
Le ultime novità sulla piattaforma Linux aziendale leader a livello mondiale
Applicazioni
Approfondimenti sulle nostre soluzioni alle sfide applicative più difficili
Serie originali
Raccontiamo le interessanti storie di leader e creatori di tecnologie pensate per le aziende
Prodotti
- Red Hat Enterprise Linux
- Red Hat OpenShift
- Red Hat Ansible Automation Platform
- Servizi cloud
- Scopri tutti i prodotti
Strumenti
- Formazione e certificazioni
- Il mio account
- Supporto clienti
- Risorse per sviluppatori
- Trova un partner
- Red Hat Ecosystem Catalog
- Calcola il valore delle soluzioni Red Hat
- Documentazione
Prova, acquista, vendi
Comunica
- Contatta l'ufficio vendite
- Contatta l'assistenza clienti
- Contatta un esperto della formazione
- Social media
Informazioni su Red Hat
Red Hat è leader mondiale nella fornitura di soluzioni open source per le aziende, tra cui Linux, Kubernetes, container e soluzioni cloud. Le nostre soluzioni open source, rese sicure per un uso aziendale, consentono di operare su più piattaforme e ambienti, dal datacenter centrale all'edge della rete.
Seleziona la tua lingua
Red Hat legal and privacy links
- Informazioni su Red Hat
- Opportunità di lavoro
- Eventi
- Sedi
- Contattaci
- Blog di Red Hat
- Diversità, equità e inclusione
- Cool Stuff Store
- Red Hat Summit