sys crates are also mostly generated and lack a lot of eyeballs. Sneaking something into the build.rs of a sys crate would not be difficult and would land in the builds of everything downstream of it.
I had pondered the same thing about other package ecosystems in the past, in general. Now with the benefit of hindsight we can comfortably say that the absence of known (!) attacks doesn't really say anything about how relatively difficult an attack would be. Are -sys crates, or build script attacks, particularly potent? Who knows. When I did a cursory search, the only attempts I saw were at runtime rather than build time[1]. Which raises a good point; pwning a developer machine or CI box with a build script may be quite valuable, but if you might get that and prod with a runtime exploit, is the build time exploit that much more valuable? Guess it depends! (Of course, I personally think having at least optional build time sandboxing is even better than hoping it won't be valuable to attack.)
Of course, crates.io has surely had some malicious packages. (I'd assume it isn't all that unlikely there could be some undiscovered right now; it's definitely large enough for something like that to slip under the radar, even if it is relatively small compared to say, NPM.) But, I think it really hasn't had its XZ backdoor moment, its left-pad, where you really get to see how well it does or doesn't handle a serious challenge. Since I have actually not published on crates.io, I'm not really sure how the security posture is, but if it's more similar to other programming language repositories than it is to Linux repos, I dunno exactly why it would be hard to believe a high-level compromise is possible and could slip in (really, anywhere, be it a build script or otherwise.). Of course, "would not be difficult" is all relative. I'm sure many of these attacks are not really all that simple, but a lot of them aren't exactly groundbreaking either. It was well executed and took quite a lot of time, sure, but there wasn't all that much about the XZ backdoor that was novel. (Except maybe the slyness with which the payload was hidden in test files. That was pretty cool.)
ou can defend a claim that literally anything is a supply-chain risk from this logic. Don't use vim to edit your config files because you don't have any way to know that someone couldn't slip a "reflections on trusting trust" compiler attack into clang so that your MacOS binary distributed by homebrew detects when you're editing an npm.json and exfiltrates your ssh keys so that they can push rogue builds!
Yes. Your comment reads to me as a defense of the comment above the one you replied to:
>>> sys crates are also mostly generated and lack a lot of eyeballs. Sneaking something into the build.rs of a sys crate would not be difficult and would land in the builds of everything downstream of it.
>> Surely that's why we see evidence of all these build script attacks, since it's so easy?
> Now with the benefit of hindsight we can comfortably say that the absence of known (!) attacks doesn't really say anything about how relatively difficult an attack would be.
Given that you were responding to a critique of what seems to be fully conjecture with the argument that we don't know for sure that it's not feasible, it's not clear to me why that wouldn't be a sufficient defense of any claim of a potential vulnerability without regard for merit. You don't propose any alternative than ignoring the only hard evidence we have, so although you might not have intended it this way, it's not clear to me what discussion you could expect to happen with that standard of evidence other than throwing up our hands and saying everything is screwed.
> Given that you were responding to a critique of what seems to be fully conjecture with the argument that we don't know for sure that it's not feasible,
But wait, that isn't what's on the table. Inserting malware into a build script itself is absolutely feasible; you can demonstrate that part locally. Gaining sufficient access to a developer or CI machine that has credentials to publish such malware to package repositories is also, well, feasible. If you are using GitHub Actions, all it would take is literally any action you run in any CI script in a job leading up to publishing getting pwned, a task that is easy if you can compromise any one of them due to the lack of a real way to pin actions, and because of vectors like the ever-enduring pwn request.
The unknown quantity is how easy it is. That part is hard to say, and also inherently relative. For me pulling off such an attack would probably be hard. For the folks behind the XZ backdoor? Well, I do not wield a crystal ball, but it sure seems like what they accomplished for that was significantly more than what would've been needed to pwn the Rust ecosystem. They didn't even need temporary access to publish a crate, they flat-out took over an upstream the old fashioned way; found a weak link and worked their way up the chain with social engineering and good old hard work.
What exactly makes you think the feasibility of pwning a crate is somehow up for debate?
> it's not clear to me why that wouldn't be a sufficient defense of any claim of a potential vulnerability without regard for merit.
You have inverted my logic. What I said was that the absence of an attack is not evidence of difficulty (or infeasibility).
> You don't propose any alternative than ignoring the only hard evidence we have,
What you have isn't "hard evidence" at all. It's not evidence in the first place. It is the literal lack of evidence.
This shouldn't be comforting. I suggest it shouldn't be comforting, because there is a period of time from whence a package repository goes online to its first major supply chain attack attempt, and you never really know when it will be. Crates.io is currently vastly smaller and lower traffic than NPM for example, so if you are looking for a vast number of potentially easy targets it is the wrong place to look. That may not always be true and to some attacker it may not matter as much. It isn't just inherently safe.
> so although you might not have intended it this way, it's not clear to me what discussion you could expect to happen with that standard of evidence other than throwing up our hands and saying everything is screwed.
The main takeaway is that hope is not a strategy. Will crates.io get pwned like NPM does periodically now? Probably. Can we do anything about this? Sure, lots of things, although I'm not sure people will love them.
- You could abandon a unified namespace/central repository and mimic Go's approach. Doesn't prevent compromise, but it helps avoid issues like typosquatting.
- You could require secure attestation of the build process. Don't mistake this suggestion as me vouching for it, but Bazel has implemented this for BCR.
- You could... Have moderated, curated repositories, possibly with graduated release channels like Linux distros do. Again... Could, not should, but it absolutely helps enable more scrutiny and time for things to bake. It's feasible.
- You could enforce reproducible builds with provenance information. This would stop someone from publishing releases that don't match the actual source repo, a technique often used in these supply chain compromises.
As for what Crates.io should do, I don't know. All I know is it would be a huge mistake to just do nothing and assume it won't get pwned due to the absence of attacks. Security will never be perfect. Best we can do is acknowledge this and continue to iterate.
We do in fact see them a lot. Typically they target Python or Node because those ecosystems are much more popular than Rust. But build.rs provides exactly the same opportunities to attackers for Rust.
No, we don't. We see build system attacks, such as injecting malicious scripts into their CI and getting malicious code into the artifact for use at runtime. You don't see someone doing a drive-by PR to a `setup.py`.
Not a drive-by PR, but once a package is compromised it often does spread to its reverse-dependencies via mechanisms like setup.py at build time. There was case like this with setup.py less than two months ago: https://www.stepsecurity.io/blog/forcememo-hundreds-of-githu...
Lots of npm supply chain attacks propagate at build time via post-install hooks, too.