yarn-contained
A tool for mitigating supply chain attacks
5 August 2022
James Ralphs
Supply chain attack - what is it?
A type of cyber attack that works by targeting less secure upstream elements from your application.
This sounds abstract, but in software development, this happens. Dependencies and compilers are ideal targets for this.
"Write once, exploit many times!"
We will look specifically at dependencies for a front-end part of a
project, where the packages are delivered from the JavaScript package
registry npmjs.com and installed through the yarn command line tool.
npm package registry
In the past, you may have only had a handful of software dependencies, and you would completely trust them.
Some organisation might even do an audit and the whole industry could trust it.
Nowadays, we have npm! Each dependency has dependencies, and so on...
Let's look at a small project
This is from the package.json of a small project:
"bootstrap": "^5.1.3", "font-awesome": "^4.7.0", "leaflet": "^1.8.0", "react": "^18.1.0", "react-dom": "^18.1.0", "react-query": "^3.38.0", "react-redux": "^8.0.1", "react-router-dom": "^6.3.0", "react-select": "^5.3.1", "react-thunk": "^1.0.0", "recharts": "^2.1.9", "redux": "^4.2.0", "redux-thunk": "^2.4.1"
How many dependencies, including dependencies of these, do you think get installed?
4Great, but why is this a problem?
It is no longer possible to audit each package you install. And, some of these packages may turn out to be malicious:
- Maleficent - an NPM package that harvests your environment variables, OS details, Network information, AWS Credentials, NPM Credentials and SSH keys
- Malicious npm postinstall scripts
- NPM supply-chain attack impacts hundreds of websites and apps
Some of these packages act on the JavaScript client, directly on the end-users computer. Others read environment variables and files on the developer or build machine and send them off somewhere.
They work by running their code when the library functions is called, or in the case of npm can also be run in the postinstall stage of installing the library.
What can we do about it?
A 3 pronged defence:
- Setting the
Content-Security-PolicyHTTP Header on the client - a useful complement to building in a container. Means your application might be trying to send requests to badsite.com, but is restricted from doing so. - Docker networking rules - for launching a container you don't fully trust to not be able to access the internet.
- Preventing from data from the developer/build machine being exfiltrated while running
yarncommands.
The first two won't be convered in this talk. However, we will cover the third one.
6Introducing yarn-contained!
yarn-contained is a drop-in program that runs yarn inside a docker container.
It shares the project folder as a docker volume, but nothing more - no e.g. SSH keys to steal. It doesn't carry through any environment variables - no e.g. AWS tokens to steal.
Therefore, it massively decreases the amount of "stuff" on offer for the attacker to steal.
7yarn-contained in action!
This is not perfect
- Some keys will probably be supplied to the container anyway, to connect to other services.
- Source code could still be stolen, since it is in the container.
Further reading
Project site: https://github.com/jamesrr39/yarn-contained
- Content-Security-Policy HTTP Header
- Docker networking rules - for launching a container you don't fully trust to not be able to access the internet.
- Qubes OS - "everything as a container"
Questions?
10Thank you
James Ralphs