Skip to content

Latest commit

 

History

History
143 lines (106 loc) · 7.78 KB

mitigations.md

File metadata and controls

143 lines (106 loc) · 7.78 KB

Mitigation Strategies Analysis for leoafarias/fvm

Mitigation Strategy: Verify Flutter SDK Hashes (after fvm install)

Description:

  1. Install via fvm: Use the fvm install <version> command to download and install the desired Flutter SDK.
  2. Calculate Local Hash: After the fvm install command completes, use a command-line tool (e.g., sha256sum, Get-FileHash) to calculate the SHA-256 hash of the downloaded SDK directory (typically ~/.fvm/versions/<version>). It is crucial that this step happens after fvm has finished its work.
  3. Compare with Official Hash: Compare the calculated hash with the official SHA-256 hash for that specific Flutter version (obtained from the official Flutter documentation or release artifacts).
  4. Automate in CI/CD: Integrate this hash verification into your CI/CD pipeline as a script that runs immediately after the fvm install step. The build should fail if the hashes don't match.

Threats Mitigated:

  • Malicious Flutter SDK Versions: (Severity: Critical) - Prevents the use of a compromised SDK installed by fvm.
  • Supply Chain Attacks via Flutter SDK Mirrors: (Severity: High) - Detects altered SDKs even if fvm downloads from a compromised mirror.

Impact:

  • Malicious Flutter SDK Versions: Risk reduction: Very High.
  • Supply Chain Attacks via Flutter SDK Mirrors: Risk reduction: High.

Currently Implemented:

  • Manual hash verification is performed sporadically.
  • No automated hash verification in CI/CD.

Missing Implementation:

  • Full Automation (CI/CD): The automated hash verification script within the CI/CD pipeline is the most critical missing piece.
  • Standardized Procedure: A documented procedure for manual verification.

Mitigation Strategy: Pin fvm Version

Description:

  1. Select Stable Version: Choose a specific, stable version of fvm.
  2. Document: Document the chosen fvm version.
  3. Install Specific Version: Use pub global activate fvm --version <selected_version> to install the specified version.
  4. CI/CD Enforcement: In the CI/CD pipeline, explicitly install the pinned fvm version before any fvm commands are executed. This is a direct interaction with fvm.
  5. Regular Review: Periodically review and update the pinned fvm version.

Threats Mitigated:

  • Tampered fvm Executable: (Severity: High)
  • Dependency Confusion with fvm Itself: (Severity: Low)

Impact:

  • Tampered fvm Executable: Risk reduction: High.
  • Dependency Confusion with fvm Itself: Risk reduction: Moderate.

Currently Implemented:

  • fvm version mentioned in README, but not enforced.

Missing Implementation:

  • CI/CD Enforcement: The CI/CD pipeline does not install a specific fvm version.

Mitigation Strategy: Use .fvmrc and Enforce Project-Specific SDKs

Description:

  1. Create .fvmrc: Create a .fvmrc file at the project root.
  2. Specify Version: Inside .fvmrc, specify the desired Flutter SDK version (e.g., 3.16.0).
  3. CI/CD Usage: In the CI/CD pipeline, use the command fvm use (without a version argument) to activate the Flutter SDK version defined in .fvmrc. This is a direct fvm command. This should be followed by fvm install to ensure that version is installed.
  4. IDE configuration: Configure IDE to use fvm.

Threats Mitigated:

  • Misconfiguration Leading to Incorrect SDK Usage: (Severity: High)

Impact:

  • Misconfiguration Leading to Incorrect SDK Usage: Risk reduction: Very High.

Currently Implemented:

  • .fvmrc file exists.
  • Developers mostly use IDEs that respect .fvmrc.

Missing Implementation:

  • CI/CD Enforcement: The CI/CD pipeline does not use fvm use.

Mitigation Strategy: Regularly Audit fvm and Flutter SDK Installations

Description:

  1. Schedule Audits: Establish a regular audit schedule.
  2. List Installed SDKs: Run fvm list to display installed Flutter SDKs. This is a direct fvm command.
  3. Check fvm Version: Run fvm --version to verify the installed fvm version. This is a direct fvm command.
  4. Compare: Compare with an approved list.
  5. Investigate: Investigate discrepancies.
  6. Automate (Optional): Consider automation.

Threats Mitigated:

  • Malicious Flutter SDK Versions: (Severity: Medium)
  • Tampered fvm Executable: (Severity: Medium)
  • Misconfiguration Leading to Incorrect SDK Usage: (Severity: Medium)

Impact:

  • Malicious Flutter SDK Versions: Risk reduction: Moderate.
  • Tampered fvm Executable: Risk reduction: Moderate.
  • Misconfiguration Leading to Incorrect SDK Usage: Risk reduction: Moderate.

Currently Implemented:

  • No formal audit process.

Missing Implementation:

  • Formal Schedule: A regular schedule is needed.
  • Approved List: A maintained list of approved versions is required.
  • Automated Script (Optional): Automation would improve efficiency.

Mitigation Strategy: Use a Trusted Flutter SDK Mirror (If Necessary) - fvm Configuration

Description:

  1. Prefer Official Source: Prioritize the official Flutter download source.
  2. Vet Mirrors: If a mirror is absolutely necessary, thoroughly vet its security.
  3. Configure fvm (If Supported): If fvm supports configuring mirrors (via environment variables or configuration files), use this mechanism to specify the trusted mirror. This is a direct interaction with fvm's configuration.
  4. Regular Re-evaluation: Periodically re-evaluate the mirror.
  5. Hash Verification (Essential): Always perform hash verification after fvm install.

Threats Mitigated:

  • Supply Chain Attacks via Flutter SDK Mirrors: (Severity: High)

Impact:

  • Supply Chain Attacks via Flutter SDK Mirrors: Risk reduction: Moderate to High.

Currently Implemented:

  • The project uses the official Flutter download source.

Missing Implementation:

  • None, as no mirrors are used. Documentation should include guidelines for mirror configuration if it becomes necessary.

Mitigation Strategy: Secure fvm Installation and Permissions

Description:

  1. Official Installation: Install fvm following the official instructions.
  2. File Permissions: Ensure the fvm executable and its installation directory have appropriate file permissions, restricting write access.
  3. Avoid sudo (When Possible): Avoid running fvm commands with sudo unless absolutely necessary. This relates to how fvm is used.
  4. Global Installation (Careful Consideration): If installing globally, protect the installation directory.
  5. Regular Updates: Keep fvm updated (while adhering to version pinning).

Threats Mitigated:

  • Tampered fvm Executable: (Severity: Medium)
  • Local Privilege Escalation via fvm: (Severity: Low to Medium)

Impact:

  • Tampered fvm Executable: Risk reduction: Moderate.
  • Local Privilege Escalation via fvm: Risk reduction: Moderate.

Currently Implemented:

  • Developers generally follow official installation instructions.

Missing Implementation:

  • Formal Permission Checks: No automated checks for correct file permissions.
  • sudo Usage Guidance: Explicit guidance on avoiding unnecessary sudo usage.