envoyproxy/envoy

Crypto-grade hashing for resource sharing

Open

#11.967 geöffnet am 8. Juli 2020

Auf GitHub ansehen
 (6 Kommentare) (0 Reaktionen) (0 zugewiesene Personen)C++ (5.373 Forks)batch import
area/securityarea/xdsbughelp wanted

Repository-Metriken

Stars
 (27.997 Stars)
PR-Merge-Metriken
 (Durchschn. Merge 8T) (378 gemergte PRs in 30 T)

Beschreibung

Currently, we use MesasgeUtil::hash in various places, e.g. SDS, to hash a config source (https://github.com/envoyproxy/envoy/blob/master/source/common/secret/secret_manager_impl.h#L82).

Since our threat model has the control plane as trusted, this isn't a huge issue. But if we make the control plane untrusted in the future, this can be somewhat scary. As an example, imagine an Envoy that has delegated listener config (with SDS) to TrustedControlPlane and another listener config (with SDS) to SuperScaryControlPlane. It's plausible that SuperScaryControlPlane is able to engineer a collision and steal secrets via the dynamic prover's dedupe algorithm, since we're only using the weak xxhash.

This is something we probably should fix before considering Envoy robust to untrusted control plane or ready for arbitrary federation.

CC @antoniovicente @kyessenov

Contributor Guide