Datalog restrictions in blocks about biscuit HOT 8 CLOSED

as mentioned in #59, the authority block could be a special case for deserialization, containing configuration data that other blocks cannot hold, such as this option

from biscuit.

If the version at https://play-with-biscuit.cleverapps.io/ is up-to-date, the #authority and #ambient restrictions can easily be bypassed by any party able to create a new block.

This in turn allows to bypass any checks already present on the previous blocks or in the authority section. Conversely, with knowledge of the verifier code, one could craft a block that always grants passage.

from biscuit.

@svvac could you explain how it is easily bypassed? Wth the playground, you cannot create a token with authority or ambient facts in blocks other than block 0.

Sure, it is possible to manually create a token with the authority or ambient tag by tweaking the library, but verifier implementations are supposed to refuse them. There's even one of the samples that test for that: https://github.com/CleverCloud/biscuit/tree/master/samples/v1#invalid-block-fact-with-authority-tag-test7_invalid_block_fact_authoritybc

Though if you have specific concerns or vulnerabilities to demonstrate, I'm always interested, I'll make sure to fix them quickly

from biscuit.

@Geal Given the Files example, without touching the authority and first block, adding the following block results in Success for all values of resource(#ambient, *) and operation(#ambient, *) in the verifier:

// Bypass `check if operation(#ambient, #read)` from authority block
operation($ambient, #read) <- operation($ambient, $any);

// Bypass `check if resource(#ambient, $file), $file.starts_with("/folder1/")` from block #1
resource($ambient, "/folder1/") <- resource($ambient, $any);

// Add missing rights
right($authority, $file, $right) <- right($authority, $any1, $any2), resource(#ambient, $file), operation(#ambient, $right);

Also different issue (I think), but with the same effect : there seems to be a bug where leftover variables in the rule pattern matches the #authority symbol:

// Bypass `check if operation(#ambient, #read)` from authority block
operation($unbound, #read) <- operation($any1, $any2);

// Bypass `check if resource(#ambient, $file), $file.starts_with("/folder1/")` from block #1
resource($unbound, "/folder1/") <- resource($any1, $any2);

// Add missing rights
right($unbound, $file, #read) <- resource($any1, $file);

from biscuit.

Nice catch, thanks, I'll fix that and add a new sample to verify that behaviour

from biscuit.

@svvac the bugs were identified and fixed in the Rust and Java implementation, soon in the Go one, and I have prepared test samples to test that for future implementations. The fixes should be pushed soon. I'll announce the vulnerabilities and make a changelog. Do you want to be credited in the announcement?

from biscuit.

@Geal I don't mind, thanks for asking. Glad to hear it got fixed fast.

from biscuit.

I'm waiting on a few updates before publishing about it, but Rust and Java versions are available with the fix

from biscuit.