►
Description
Visit the https://archive.devcon.org/ to gain access to the entire library of Devcon talks with the ease of filtering, playlists, personalized suggestions, decentralized access on Swarm, IPFS and more.
https://archive.devcon.org/archive/watch/6/the-attacker-is-inside-javascript-supplychain-security-and-lavamoat/
We all use open source, it is the wealth of the commons that forms the foundations we all build on. While this is incredibly empowering, we may be inviting the devil to dine with us. This talk examines software supplychain attacks in the javascript and crypto ecosystems and how to keep your app, wallet, and users safe. We'll look at the free and opensource tool LavaMoat that protects MetaMask.
Speaker(s): Kumavis, Naugtur
Skill level: Intermediate
Track: Security
Keywords: security,javascript,development
Follow us: https://twitter.com/efdevcon, https://twitter.com/ethereum
Learn more about devcon: https://www.devcon.org/
Learn more about ethereum: https://ethereum.org/
Devcon is the Ethereum conference for developers, researchers, thinkers, and makers.
Devcon 6 was held in Bogotá, Colombia on Oct 11 - 14, 2022.
Devcon is organized and presented by the Ethereum Foundation, with the support of our sponsors. To find out more, please visit https://ethereum.foundation/
A
A
Hi
everyone
I'm
kumavis
I,
founded
metamask,
with
Dan
Finley
and
now
I
run
the
security
research
team
at
metamask.
Today's
talk
is
the
attacker
is
inside
JavaScript
supply,
chain
security
and
lava
mode,
so
yeah
love
mode.
This
is
what
I've
been
spending
the
past
couple
years.
Working
on.
First
and
foremost,
it
is
a
set
of
security
tools
for
any
JavaScript
application
to
mitigate
software
supply
chain
risks.
So
what
is
the
software
supply
chain?
It's
everything
that
touches
an
application
or
plays
a
role
in
its
development.
Sonotype
has
this
cool
website?
A
It's
a
timeline
of
supply
chain
attacks.
You
can
scroll
through
it
and
see
how
many
they
are
and
a
lot
of
them
are
from
Python
and
rust,
but
a
good
50
are
from
mpm
they're
from
the
JavaScript
ecosystem.
So
why
is
Javascript
supply
chain
targeted
so
so
frequently,
primarily
because
it's
really
popular?
This
is
from
the
stack
Overflow
user
survey
and
for
self-described
professional
developers
javascript's
way
at
the
top
and
there's
typescript
in
node.js
not
far
behind.
So
when
we're
talking
about
JavaScript
supply
chain,
we're
primarily
talking
about
npm
dependencies.
A
So
this
is
your
apps
dependencies,
your
dependencies
dependencies.
Your
build
systems
dependencies
any
other
tools
you
might
be
using.
You
might
think
that
these
are
your
dependencies,
just
the
dependencies
listed
and
packaged
Json
in
your
app,
but
that's
just
like
an
inner
ring
around
your
application
in
part
of
a
constellation
of
your
whole
dependency
graph.
So
that's
why
there's
so
many
node
modules
in
the
node
modules
directory?
Okay,
so
to
understand
what
it
looks
like
when
it
goes
wrong.
A
A
An
attacker
got,
control
of
a
dependency
that
was
used
in
a
Bitcoin
wallet,
deployed
a
targeted
attack
against
that
wallet
and
stole
private
keys
and
digital
assets
from
the
users
of
that
wallet,
and
it
was
I
think
three
versions
of
the
wallet
that
had
the
attack
in
it
were
published.
So
they
didn't
even
know
it
was
in
there
for
a
while
okay.
So,
let's
look
at
the
the
build
pipeline
to
understand
how
it
got
in
there
now.
A
So
this
is
a
non-custodial
wallet,
so
the
keys
are
in
the
user's
application,
only
they're
not
on
a
server
or
something
like
this.
So
the
attack
happened
here
at
runtime.
That's
where
the
secrets
were
here:
that's
where
the
private
keys
were,
but
the
evil
dependency
wasn't
even
part
of
the
front-end
application.
It
was
part
of
their
build
system,
so
it
actually
entered
in
here
and
then
it
went
on
the
disk
during
build
time
and
modified
a
dependency
that
ended
up
in
the
web
app.
A
A
A
What
about
don't
roll
your
own
crypto
like
how
does
that
fit
in
audit
all
your
dependencies,
always
yeah,
that's
a
great
idea,
but
how
many
dependencies
do
you
have
hundreds,
thousands,
tens
of
thousands
and
when
you
need
to
make
a
change,
are
you
going
to
be
able
to
wait
and
re-audit
all
those
things?
So
is
there
nothing
else?
What
else
do
we
have
here?
So
around
this
time,
I
I
met
agorik
and
learned
of
their
indo.gs
hardened
JavaScript
tool
set.
A
So
there's
a
couple
things
about
JavaScript
that
make
it
easy
to
attack.
One
is
everything
is
mutable
by
default,
all
the
built-in
functionality
and
everything,
so
you
can
just
go
in
and
modify
array
prototype
and
map
and
and
change
the
way
JavaScript
works.
This
can
also
give
you
access
to
objects
that
are
being
used
like
on
the
complete
other
side
of
the
application
of
where
you
got
your
attack
in.
So
you
want
to
lock
this
down
and
conveniently
CES
provides
a
function
called
lockdown.
A
That
does
exactly
this
by
calling
lockdown
you're
doing
what's
shown
here
at
the
bottom
of
the
screen.
Basically
calling
object,
freeze
on
all
the
prototypes,
all
the
built-in
parts
of
JavaScript,
okay,
that
was
simple
enough.
All
right.
There's
this
other
problem
called
ambient
Authority.
This
means
simply
by
being
able
to
run
some
JavaScript,
you
get
access
to
all
the
powers
of
that
platform,
network
access
or
disk
access,
so
say:
I
have
some
little
package.
I'm,
an
attacker
I've
gotten
a
hold
of
sub-package,
that's
deployed
in
my
victims
code.
A
Now
this
package
doesn't
do
very
much
it's
just
formatting
strings,
but
because
of
ambient
Authority
I
have
access
to
fetch
the
network.
Access
us
of
access
to
environment
variables
and
I
can
send
them
home
to
my
evil
layer
and
maybe
there's
some
API
keys
or
something
in
there.
So
just
because
I
get
to
provide
a
little
bit
of
code,
I
get
to
have
all
powers
of
the
platform
and
that's
quite
dangerous.
So
cess
provides
this
notion
of
a
compartment.
A
It
puts
a
little
container
around
the
JavaScript
and
limits
access
to
what
that
code
can
can
touch
or
modify
so,
for
example,
if
I
have
some
code
that
that
needs
to
make
Network
requests
and
it
needs
to
know
the
current
location
of
the
web
app
in
the
web
browser
or
something
I
can
give
it
just
those
things
and
not
give
it
disk
access
or
other
powerful
features
of
the
web
browser.
And
then
I
can
run
my
code
in
here,
and
it
will
only
get
access
to
those
things
as
well
as
the
basic
JavaScript
functionality.
A
You
don't
need
to
know
the
internals,
but
I
think
it's
really
fascinating
and
I've
been
working
with
JavaScript
for
a
long
time
before
I
saw
how
this
works
and
I
didn't
think
it
was
possible.
So,
let's
take
a
look,
it
relies
on
two
weird
parts
of
JavaScript
that
you
may
not
be
familiar
with.
One
is
the
with
statement
with
the
with
statement.
First,
you
have
an
object.
It
has
some
properties
on
it
and
you
can
you
have
the
with
keyword
and
then
you
put
the
object
as
the
target
of
The
Wiz
keyword.
A
Then
you
have
this
block
inside
the
block.
All
the
properties
on
the
object
can
be
accessed
as
if
they
were
variables
in
scope.
Well,
there.
It
is
it's
not
particularly
interesting,
but
that's
what
the
width
statement
does.
The
next
piece
is
the
proxy
if
you're
familiar
with
Getters
and
Setter
of
properties,
it's
like
that
for
the
whole
object
in
any
operation.
A
On
that
object,
you
get
various
handlers
to
intercept
what
those
things
do
now
by
combining
these
two
things
with
the
with
statement
and
then
a
proxy
in
here
we
control
all
the
scope
access
inside
this
block.
So
you
have
your
untrusted
code
here.
It's
trying
to
like
get
network
access
with
fetch,
it'll.
Look
it
up
here,
it'll,
go
to
the
proxy
it'll
say:
do
you
have
Fetch
and
your
proxy
can
throw
a
reference
error
return
undefined
whatever
you
want,
but
it
can
block
that
lookup.
A
Another
way
to
write
this,
which
is
easier
to
audit
it
may
be
easier
to
think
about,
is
with
two
statements:
one
here,
the
inner
one.
You
put
the
untrusted
code
here.
It's
trying
to
look
up
fetch
it'll,
look
up
inside
this
object
first
and
that's
the
object
we
gave
to
the
compartment
when
we
said
you
should
have
access
to
these
things
and
these
things
only
if
it's
in
there
it'll
it'll
just
get
it
it'll
get
whatever
value.
A
A
Okay,
so
SAS
gives
us
lockdown
and
compartment
and
I
compose
these
in
lava
mode,
lava
mode,
wraps
packages
inside
of
compartments
and
only
gives
them
what
they
need
to
run
so
that
little
string,
formatting
package
we
had
before
it
won't
have
access
to
network
and
I
won't
have
access
to
disk
another
powerful
features
how
you
use
it.
Sorry,
it's
a
little
small,
it's
kind
of
like
this.
Previously
you
might
run
node
index
for
your
little
server.
You
replace
that
with
love
mode
index
But.
A
First,
you
put
this
right
Auto
policy
API
and
that
will
generate
a
policy
file
of
what
the
packages
are
allowed
to
use,
and
then
you
just
run
you
just
replace
node
with
lava
mode
and
run
normally,
and
it
will
at
runtime
enforce
those
packages
only
get
what
they
need.
The
policy
looks
something
like
this:
this
is
a
policy
for
one
package:
you'll
have
a
bunch
of
them
in
your
policy
file.
This
is
all
automatically
generated
and
works
99
percent
of
the
time
without
any
additional
changes
here
in
the
built-ins.
A
These
are
built-in
packages
provided
from
node
we're
giving
them
just
exactly
what
they
need.
For
example,
we're
giving
it
just
read:
access
from
the
file
system
and
not
write
access
or
anything
else,
also
giving
some
Global
variable
access
and
they're
only
allowed
to
import
these
packages.
So
that's
just
an
example,
but
in
order
to
help
you
review
your
policy,
we
have
this
visualization
dashboard,
the
per
so
there's
the
list
of
your
dependencies
on
the
left
and
a
graph
of
your
dependencies
on
the
right.
A
The
purple
node
is
our
application
here
our
example
application
and
then
all
these
this
graph
coming
out
of
it,
are
all
the
dependencies
and
the
transitive
dependencies,
and
you
can.
You
can
dig
in
and
take
a
look
at
what
these
packages
are
and
what
their
policy
is.
And
the
point
of
this
is
to
help
you
prioritize
the
auditing
of
your
dependencies
and
to
review
your
policy
because
remember
with
without
lava
mode.
A
This
is
what
your
app
looks
like
every
single
package
has
is
maximally
dangerous,
whereas
with
lava
mode,
we
know
that
some
of
these
are
are
safe.
All
these
green
ones,
for
example,
are
not
importing
any
globals
or
any
built-ins
they're
only
composing
other
packages.
This
is
a
static
version.
In
case
the
internet.org
okay,
so
here's
the
build
pipeline
again
install
time,
build
time
and
then
runtime
on
your
users
machine.
A
So
we
have
in
lava
mode
tools
for
each
of
these
steps
for
depth
install.
We
have
lava
mode
allow
scripts.
This
me
this
will
prevent
all
these
dependencies
from
being
able
to
run
a
random
command
on
your
computer.
When
you
install
them
and
then
you
can
opt
into
just
the
ones
you
want
at
build
time,
you
want
to
run
your
build
process
in
lava
mode
node,
and
you
want
to
add
to
your
build
process,
a
plug-in
for
your
bundler.
A
So
we
have
one
for
browserify
we're
working
on
one
for
webpack
for
react,
native
and
swc
switch,
so
this
is
in
production
in
metamask
we're
protecting
tens
of
millions
of
users
now.
So
we
know
this
can
scale.
You
can
use
it
too,
but
we
do
need
your
help.
It's
open
source,
it's
really!
It's
out!
There
find
it
on
GitHub.
Try
it
out.
Let
us
know
if
it
works.
A
A
C
Anyone
has
any
questions,
so
I
actually
worked
at
bitpay
on
a
different
team:
oh
cool,
it's
dirt,
overlapping,
the
time
of
the
copay
hack
and
yeah.
Like
you
said,
it's
it's
not
necessarily
that
that
company
had
bad
processes.
It's
sort
of
the
whole
ecosystem
doesn't
really
have
a
good
solution
since
that
time,
not
only
at
that
company
did
no
one
really
talk
about
lava.
C
I
mean
I
brought
it
up,
because
I
was
aware
of
it
at
the
time,
but
externally
any
side
projects
I've
been
on
I've,
really
never
had
anyone
propose
using
it.
So
do
you
think
there's
something
not
at
the
technical
level
but
like
at
the
social
level
that
we
should
be
doing
to
make
this
a
more
common
part
of
stacks
either
across
the
board
or
when
we're
working
on
applications
that
deal
with
private
Keys,
specifically
yeah.
A
Great
question:
so
what
you
know,
what
processes
should
we
put
in
place
of
what
tools
are
out
there?
There's
a
lot
of
projects
that
are
working
on
preventative
measures
like
Ci
flows
that
warn
you,
if
there's
known
vulnerabilities
or
some
code
scanning,
to
see
if
there's
something
funny
looking
like
eval
and
those
are
great
and
fantastic,
and
you
can
use
them
in
conjunction
here.
Like
one
example,
is
socket.dev,
that's
a
friend's
company
and
they're
doing
great
scanning
work,
but
it's
all
preventative
at
the
beginning.
A
That's
not
the
way
the
security
of
your
operating
system
works
right.
It's
it's,
making
sure
that
all
your
applications
are
are
safe.
I
mean
I
was
very
surprised
that
that
no
one
else
was
working
on
runtime
protections.
Besides
the
gorick
folks,
which
we
partner
on
on
building
lava
moon,
yeah
I.
Think
more
people
need
to
just
know
that
there's
a
solution
that
exists-
and
you
can
actually
do
something
about
this.
D
A
Bit
Yeah,
so
it
we
are
using
static
analysis
here
for
convenience
and
not
for
the
security
layer.
Static
analysis
is,
can
be
faulty
it'll,
it'll
miss
things,
and
it's
generally
imperfect,
but
here
we
use
it
to
generate
the
policy,
so
you
don't
have
to
write
it
all
by
hand,
and
then
we
enforce
it
with
the
law
of
moat
kernel,
which
is
not
relying
on
static
analysis
but
yeah.
Basically,
what
it's
doing
is
you
give
it
your
entry
point
it's
walking
through
all
the
requires
and
imports
and
walking
through
your
graph.
A
It's
you
know,
converts
the
code
to
an
AST.
It
looks
and
analyzes
it
for
references
sees
when
there's
Global
references
sees
when
there's
Imports
and
it'll
actually
follow
the
Imports
to
where
they're
used.
So
it
can
give
you
just
the
minimal
things
that
you
need
like
only
using
the
read
power
of
the
file
system
instead
of
the
right
power,
for
example,
I.
E
Was
wondering
if
you
can
talk
a
little
bit
about
like
the
limitations
of
lava
mode
specifically
like
if,
even
if
you
grant
access
to
like
a
specific
function
or
feature
to
a
package
like
they
can
still
I,
guess
use
that
feature
in
a
malicious
way?
Yeah
I
was
wondering
like
what
else
we
should
watch
out
for,
even
if
we
use
love
remote
yeah.
A
Absolutely
so
it
will
look
at
your
modules,
love
mode,
we'll
look
at
your
modules
and
generate
a
policy,
and
if
it
sees
that
you
know,
network
access
is
used.
There
it'll
put
that
in
the
policy.
But
if
it's
something
that's
not
supposed
to
have
network
access,
then
it
we
rely
on
the
user,
the
security
engineer
to
catch
that
now
it's
most
likely.
You
don't
have
a
supply
chain
attack
in
your
app
right
now,
but
you
might
have
one
in
the
future.
A
So
every
time
you
change
your
dependencies,
you
can
just
run
that
thing
generate
a
new
policy
and
you'll
see
the
diff
of
your
policy
and
that's
a
lot
less
to
review
some
other
things.
There
is
a
slight
performance
impact
for
compute,
but
if
you're
relying
on
network
or
disk,
which
is
usually
what
you're
bound
when
you're
Computing,
then
it
doesn't
make
a
difference
for
you.
It.
F
A
A
Yes,
when
you
use
oh
I'm,
not
up
on
the
screen,
we
we
have
a
lot
of
jargon
when
we're
talking
about
this
JavaScript
language
security
stuff,
but
we
use
this
term
realm
to
refer
to
like
a
window
frame,
and
so
an
iframe
is
another
realm
and
they're
different
in
a
couple
of
subtle
ways:
one
is
inside
of
the
VM
or
the
iframe
or
the
webworker
capital.
A
array
is
not
the
same
as
the
capital
array
on
the
outside.
A
We
call
this
problem,
the
identity,
discontinuity
problem
and
it
breaks
things
like
instance
of
so
an
array
from
the
inside
is
not
an
instance
of
array
on
the
outside,
and
so
this
is
fine.
You
can
deal
with
this
problem,
but
it
is
really
bad
for
backwards
compatibility,
and
that
was
a
primary
requirement
for
lava
mode,
because
this
was
not
built
into
metabouse
from
the
beginning,
I
built
it
afterwards
and
rewriting
the
app
from
scratch
was
not
an
option.
33.
B
A
Yeah
great
so
yeah
we're
trying
to
take
some
of
the
things
that
we
built
here
like
the
the
car
compartment
API
and
actually
get
it
standardized
into
the
JavaScript
language
at
the
tc39
JavaScript
standards,
body,
I,
I'm,
not
up
to
date
on
what
the
status
is,
but
it
seems
to
be
finding
its
way
in
via
the
loader
API,
so
that
when
you
load
modules,
you
load
them
in
a
special
compartment.
Thanks.
G
A
Oh
great
question:
we
have
not
detected
any
supply
chain
attacks.
The
the
day-to-day
battles
at
metamask
are
primarily
phishing,
but
the
problem
with
the
supply
chain
attack
is
even,
if
it's
more
rare,
a
little
less
common.
It
could
take
down
the
whole
wallet
and
that's
why
this
protect
this.
This
protective
system
is
so
important.
I.
H
D
A
A
I
A
Oh,
yes,
okay!
So
how
do
wasm
modules
connect
to
the
powers
they
need,
like
disk
access
and
network
access?
Great
question
so
much
like
with
the
compartments
you
have
to
pass
them
in
and
make
them
accessible
on
the
like
foreign
function
list
that
you
expose
to
the
awesome
I'm,
not
a
waslam
expert.
So
I
can't
answer
perfectly,
but
you
you
do
have
to
you
know:
go
in
and
put
them
there.
They
don't
get
it
by
default.
I
I
have
a
follow-up
question:
well,
not
directly
related,
but
we
were
hacking
on
snaps
over
the
weekend
and
I
was
just
wondering
like
the
interface
in
which
lava
mode
interacts
with
ses
and
and
that
JavaScript
engine,
because
no
I
mean
just
on
the
high
level.
I
was
having
a
hard
time,
differentiating
where
lava
mode
ended
and
SES
started.
Yeah.
A
A
This
is
a
plug-in
system,
we're
building
for
metamask
to
extend
the
functionality
and
create
new
user
experiences
for
minimaz,
but
because
we're
putting
outside
code
inside
the
wallet
we
have
to
make
sure
it's
safe
and
so
we're
also
using
SAS
compartments
to
limit
their
powers
like
limiting
network
access.
Etc.