Overview
On January 10, I presented a modestly revised version of my “Systems
Thinking + Web Security” talk, an approach to web security based on
system safety, to the attendees of the Boston Clojure Meetup. Working
from the presentation, some rough notes, and a somewhat more polished
accompanying handout, the attendees and I examined part of the
hierarchical control structure for one of the main Clojure code
distribution sites, clojars.org.
Here’s what we came up with…
System Diagram
Use cases
- Get dependent library
- Upload lib
- Browse repo
- Delete a jar
- Advertise a dependent library
- Join the site
- Link to source (GPL)
Accidents
- Get the wrong lib
- Dep resolution fails
- Site down
- Redirect to evil.com
- Evil upload
- Upload an old version by accident
- Leak download history?
- Fail to record download history?
- Subpoenaed?
- Replacement of signature files
Goals
- Availability of jars & indexes & login
- Authentication of publishers
- End-to-end authentication of jars from publishers to receivers
- Authorization to publish a jar with coordinates FOO
- Permit retractions / undo mistakes
Powers
- Spam jars
- Read ssh keys
- Mirror site
- Spoof DNS
- DoS DNS
- Write malicious lein plugins
- Contribute source to a library
- Issue an SSL cert for clojars.org
- Typo squat jars
- Cosmic rays
- Corrupt a disk
- Corrupt bits on the wire
- Cause typos while uploading
- Manipulate power
Control system
- SSH
- SSL
- GPG
- Friend
- DNSSEC?
- OCSP?
- The Cert
- Local mirror?
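To make the relationship between the goals, accidents, powers and controls above concrete, here is an added example (my own illustration, not part of the meetup notes or of clojars.org's code) that models a receiver checking a downloaded jar two ways: the digest file served beside it, and a detached signature against a publisher key pinned out of band. It assumes ed25519 as a stand-in for GPG, and the jar bytes and key pairs are constructed on the spot; the point is which of the two controls actually closes "Corrupt bits on the wire" and "Replacement of signature files" when the "Mirror site" power is in play.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
)

// Artifact is what a receiver fetches from clojars or a mirror: the jar bytes
// plus the files served beside them (a .sha1 digest and a detached signature).
type Artifact struct {
	Jar  []byte
	SHA1 string // hex digest served next to the jar
	Sig  []byte // detached signature over the jar bytes
}

// Publish models the publisher side: sign the jar with the publisher's key
// and emit the digest file. ed25519 stands in for GPG here (an assumption).
func Publish(jar []byte, priv ed25519.PrivateKey) Artifact {
	sum := sha1.Sum(jar)
	return Artifact{Jar: jar, SHA1: hex.EncodeToString(sum[:]), Sig: ed25519.Sign(priv, jar)}
}

// DigestMatches is the weak control: it catches corrupt bits on the wire or
// on disk, but a mirror that rewrites the jar can rewrite the .sha1 too.
func DigestMatches(a Artifact) bool {
	sum := sha1.Sum(a.Jar)
	return hex.EncodeToString(sum[:]) == a.SHA1
}

// SignatureValid is the end-to-end control: the receiver trusts only a key
// pinned out of band, so a signature file replaced by another key fails.
func SignatureValid(a Artifact, pinned ed25519.PublicKey) bool {
	return ed25519.Verify(pinned, a.Jar, a.Sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)  // publisher, pinned by receiver
	_, evilPriv, _ := ed25519.GenerateKey(rand.Reader) // key held by a rogue mirror
	genuine := Publish([]byte("constructed jar bytes"), priv) // constructed sample
	flipped := genuine
	flipped.Jar = append([]byte("X"), genuine.Jar[1:]...) // corrupt bits on the wire
	rewritten := Publish([]byte("evil jar"), evilPriv)     // mirror serves its own jar, .sha1 and sig
	for name, a := range map[string]Artifact{"genuine": genuine, "flipped": flipped, "rewritten": rewritten} {
		fmt.Printf("%-9s digest ok=%-5v signature ok=%v\n", name, DigestMatches(a), SignatureValid(a, pub))
	}
}
```

Only the "genuine" row passes the signature check; the "rewritten" row passes the digest check, which is exactly why a `.sha1` served by the same host as the jar is not an end-to-end control.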