What are the risks and possibilities or scenarios whereby someone sets up masquerades of maven repositories and/or ip streams to provide masqueraded library copies of the original but injected with malicious or harmful code.
What are the steps and practices to prevent such risks and possibilities?
Downloading a jar from a Maven repository is not less safe than downloading a jar from another location. In other words, Maven repositories don't really introduce a problem, the problem is your dependency on an external library.
MAVEN Security Technologies is rapidly becoming one of the nation's leading security companies, providing businesses the peace of mind they deserve. We provide our clients with cutting edge solutions to ensure the safety of their organizations by mitigating physical and biological threats continuously.
Maven makes easy to start project in different environments and one doesn't needs to handle the dependencies injection, builds, processing, etc. Adding a new dependency is very easy. One has to just write the dependency code in pom file.
I suppose a dedicated and resourceful attacker could perform an MITM attack and intercept all requests to public Maven repositories, carefully injecting malicious bytecode into the JAR artifacts, then recalculating and supplying the SHA1 hashes.
To the client, it would appear as a legitimate artifact: the binary JAR and the SHA1 match and will be the same even if they check alternate mirrors.
I suppose the only real solution is to request the central repos to support HTTPS (and trust that TLS itself hasn't been broken).
Alternatively, a practical approach might be to set up a Maven proxy (Artifactory or Nexus) served over HTTPS to internal clients. This reduces the attack surface and means that you'll just have to secure the communication lines from that server to the outside world. I would periodically double check that the JARs and hashes on the proxy match those on the public mirrors using a totally independent, trusted network.
If you really, really want to be secure you wouldn't be trusting binaries—instead, you'd be downloading all source code and reviewing them by hand before compiling them yourself—but that assumes you have enough qualified resources and time to conduct the reviews and trust your entire build tool chain to begin with.
Well, security in layers as they always say.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With