Tauri 中文网

Application Lifecycle Threats

Tauri applications are composed of many pieces at different points in time of the application lifecycle. Here we describe classical threats and what you SHOULD do about them.

All of these distinct steps are described in the following sections.

Threat Stages During Development

Upstream Threats

Tauri is a direct dependency of your project, and we maintain strict authorial control of commits, reviews, pull requests, and releases. We do our best to keep dependencies up to date and take action to either update or fork and fix. Other projects may not be so well maintained, and may never have been audited.

Please consider their health when integrating them; otherwise, you may have adopted architectural debt without even knowing it.

Keep Your Applications Up-To-Date

When releasing your app into the wild, you are also shipping a bundle that has Tauri in it. Vulnerabilities affecting Tauri may impact the security of your application. By updating Tauri to the latest version, you ensure that critical vulnerabilities are already patched and cannot be exploited in your application. Also be sure to keep your compiler (rustc) and transpilers (nodejs) up to date, because security issues are often resolved in new releases. This also holds for your development system in general.

Evaluate Your Dependencies

While NPM and Crates.io provide many convenient packages, it is your responsibility to choose trustworthy third-party libraries, or to rewrite them in Rust. If you do use outdated libraries which are affected by known vulnerabilities or are unmaintained, your application security and good night's sleep could be in jeopardy.

Use tooling like npm audit and cargo audit to automate this process, and lean on the security community's important work.

Recent trends in the Rust ecosystem like cargo-vet or cargo crev can help to further reduce the likelihood of supply chain attacks. To find out on whose shoulders you stand, you can use the cargo supply-chain tool.

One practice that we highly recommend is to only ever consume critical dependencies from git using hash revisions at best, or named tags as second best. This holds for the Rust as well as the Node ecosystem.

Development Threats

We assume that you, the developer, care for your development environment. It is on you to make sure that your operating system, build toolchains, and associated dependencies are kept up to date and reasonably secured.

A genuine risk all of us face is what is known as "supply-chain attacks", which are usually considered to be attacks on the direct dependencies of your project. However, a growing class of attacks in the wild directly targets development machines, and you would be well off to address this head-on.

Development Server

Tauri application frontends can be developed using a number of web frameworks. Each of these frameworks usually ships its own development server, which exposes the frontend assets via an open port to the local system or network. This allows the frontend to be hot-reloaded and debugged in the WebView or browser.

In practice this connection is often neither encrypted nor authenticated by default. This is also the case for the built-in Tauri development server, which exposes your frontend and assets to the local network. Additionally, this allows attackers to push their own frontend code to development devices in the same network as the attacker. Depending on what kind of functionality is exposed, this could lead to device compromise in the worst case.

You should only develop on trusted networks where you can safely expose your development device. If this is not possible you MUST ensure that your development server uses mutual authentication and encryption (e.g. mTLS) for connections with your development devices.
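Whether a dev server is reachable from the network comes down to the address it listens on. The following is an added example, not Tauri code: it parses a listener table in the format of `ss -ltnp` on Linux (the table here is constructed) and reports every listener that is not bound to loopback, then shows what "mutual authentication and encryption" means at the socket level with a Python `ssl` server context that refuses clients without a certificate. The certificate and CA file paths passed to `mtls_server_context` are assumed to exist; issuing them is outside this example.

```python
"""Find development servers reachable from the network (added example, not Tauri code).

A dev server bound to a wildcard address (0.0.0.0 or ::) accepts connections
from every host on the LAN; one bound to loopback (127.0.0.1 or ::1) does not.
The table below is constructed in the format of `ss -ltnp` on Linux; on a real
machine run that command and feed its output to exposed_listeners().
"""
import ipaddress
import ssl

SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      511          0.0.0.0:5173       0.0.0.0:*    users:(("node",pid=4242,fd=20))
LISTEN 0      4096       127.0.0.1:1420       0.0.0.0:*    users:(("node",pid=4243,fd=18))
LISTEN 0      511             [::]:8080          [::]:*    users:(("node",pid=4244,fd=21))
LISTEN 0      128            [::1]:3000          [::]:*    users:(("node",pid=4245,fd=19))
LISTEN 0      128     192.168.1.23:4000       0.0.0.0:*    users:(("node",pid=4246,fd=22))
"""


def split_local_address(column):
    """'[::]:8080' -> ('::', 8080); '0.0.0.0:5173' -> ('0.0.0.0', 5173)."""
    host, _, port = column.rpartition(":")
    return host.strip("[]"), int(port)


def exposure(host):
    """'loopback' | 'all-interfaces' | 'network' for a listening address."""
    if host in ("*", ""):
        return "all-interfaces"
    addr = ipaddress.ip_address(host)
    if addr.is_loopback:
        return "loopback"
    if addr.is_unspecified:      # 0.0.0.0 or ::
        return "all-interfaces"
    return "network"             # bound to one specific interface, still reachable


def parse_ss(output):
    """(host, port, process) per LISTEN row; the header row is skipped."""
    rows = []
    for line in output.splitlines():
        cols = line.split()
        if not cols or cols[0] != "LISTEN":
            continue
        host, port = split_local_address(cols[3])
        process = cols[5] if len(cols) > 5 else ""
        rows.append((host, port, process))
    return rows


def exposed_listeners(output):
    """Listeners that another host on the same network could reach."""
    return [(host, port, proc) for host, port, proc in parse_ss(output)
            if exposure(host) != "loopback"]


def mtls_server_context(cert_file, key_file, client_ca_file):
    """TLS server context that encrypts and requires a client certificate.

    Without a certificate chained to client_ca_file the handshake fails, so
    an unauthenticated peer never reaches the dev server's HTTP layer.
    The three paths are assumed to exist (assumption of this example).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED        # the client must present a certificate
    ctx.load_verify_locations(cafile=client_ca_file)
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx


if __name__ == "__main__":
    for host, port, proc in exposed_listeners(SS_OUTPUT):
        print(f"{exposure(host):14} {host}:{port}  {proc}")
```

In the constructed table only ports 1420 and 3000 are loopback-only; 5173 and 8080 listen on every interface and 4000 on a specific LAN address, and all three would be reported. Most frontend dev servers have a host or bind option; the fix on an untrusted network is to bind to loopback, or to put the server behind the mTLS context shown when remote devices genuinely need to connect.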

Harden Development Machines

Hardening your development systems depends on various factors and on your personal threat model, but there is some generic advice we recommend you follow:

  • Never use administrative accounts for daily tasks like coding
  • Never use production secrets on development machines
  • Prevent secrets from being checked into source code version control
  • Use security hardware tokens or similar to reduce the impact of a compromised system
  • Keep your system up to date
  • Keep the applications you install to a minimum

A more practical collection of procedures can be found in an awesome security hardening collection.

You can of course virtualise your development environment to keep attackers at bay, but this won't protect you from attacks that target your project rather than just your machine.

Ensure Source Control Authentication and Authorization

If you are working like the majority of developers, using source code version control tools and service providers is an essential step during development.

To ensure that your source code cannot be modified by unauthorized actors, it is important to understand and correctly set up access control for your source code version control system.

Also, consider requiring all (regular) contributors to sign their commits, to prevent situations where malicious commits are attributed to non-compromised or non-malicious contributors.
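Requiring signatures only helps if something checks them on every commit, because the author field itself is free text that anyone can set. The following is an added example, not Tauri project code: it evaluates the signature status letters that `git log --pretty=format:'%H%x09%G?%x09%GK%x09%an <%ae>'` emits after verification, accepting only good signatures (and, optionally, good signatures from keys the project has enrolled). The `GIT_LOG` text is a constructed imitation of that output with placeholder hashes, key ids and authors.

```python
"""Gate on commit signature status from git's own verification (added example).

Assumed invocation, whose output the constructed GIT_LOG imitates:
    git log --pretty=format:'%H%x09%G?%x09%GK%x09%an <%ae>' origin/main..HEAD
%G? is the signature status letter git prints: G good, U good but the key's
trust is unknown, X/Y/R good but expired or revoked, E unverifiable (no key),
B bad signature, N no signature. %GK is the signing key id.
"""

# Constructed log rows: sha, status, key id, author (tab separated).
GIT_LOG = "\n".join([
    "1111111111111111111111111111111111111111\tG\tAAAAAAAAAAAAAAAA\tAlice <alice@example.invalid>",
    "2222222222222222222222222222222222222222\tN\t\tAlice <alice@example.invalid>",
    "3333333333333333333333333333333333333333\tU\tBBBBBBBBBBBBBBBB\tBob <bob@example.invalid>",
    "4444444444444444444444444444444444444444\tB\tAAAAAAAAAAAAAAAA\tAlice <alice@example.invalid>",
    "5555555555555555555555555555555555555555\tE\tCCCCCCCCCCCCCCCC\tCarol <carol@example.invalid>",
])

STATUS_TEXT = {
    "G": "good signature",
    "U": "good signature, key trust unknown",
    "X": "good signature, expired",
    "Y": "good signature, key expired",
    "R": "good signature, key revoked",
    "E": "signature cannot be checked (missing key)",
    "B": "BAD signature",
    "N": "no signature",
}


def parse_git_log(text):
    """Rows of (sha, status, key_id, author) from the tab-separated format above."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, status, key_id, author = line.split("\t", 3)
        rows.append((sha, status, key_id, author))
    return rows


def is_acceptable(status, key_id, trusted_keys):
    """Accept 'G' always; accept 'U' only for keys the project has enrolled.

    Row 2 of GIT_LOG is the case the text warns about: an unsigned commit
    claiming an honest contributor's name. The author string is not evidence;
    only the verification status and key id are.
    """
    if status == "G":
        return True
    return status == "U" and key_id in trusted_keys


def audit_commits(text, trusted_keys=()):
    """Return the commits that fail the signing policy, each with a reason."""
    violations = []
    for sha, status, key_id, author in parse_git_log(text):
        if not is_acceptable(status, key_id, set(trusted_keys)):
            reason = STATUS_TEXT.get(status, f"unknown status {status!r}")
            violations.append((sha[:12], author, reason))
    return violations


if __name__ == "__main__":
    for sha, author, reason in audit_commits(GIT_LOG, trusted_keys={"BBBBBBBBBBBBBBBB"}):
        print(f"{sha} {author}: {reason}")
```

Run against a push range in CI, a non-empty result from `audit_commits` is the signal to reject the push. Hosted providers offer the same gate as a branch protection rule ("require signed commits"); the script is useful where you self-host or want the policy to travel with the repository.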

Buildtime Threats

Modern organizations use CI/CD to manufacture binary artifacts.

You need to be able to fully trust these remote (and third-party owned) systems, as they have access to source code and secrets and are able to modify builds, without you being able to verifiably prove that the produced binaries are the same as your local code. This means you either trust a reputable provider or host these systems on hardware you own and control.

At Tauri, we provide a GitHub Workflow for building on multiple platforms. If you create your own CI/CD and depend on third-party tooling, be wary of actions whose versions you have not explicitly pinned.
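A tag like `@v1` in a `uses:` line is a mutable pointer: whoever controls the action repository can move it to different code, and your next build runs that code with access to your secrets. The following is an added example, not Tauri's own workflow or tooling: a check that scans a workflow file and classifies every `uses:` reference as pinned to a full commit SHA, pinned to a docker image digest, local to the repository, or mutable. The workflow text is constructed; the `actions/checkout` SHA is a placeholder, and the `example-org` actions do not exist.

```python
"""Flag GitHub Actions steps whose `uses:` reference is not pinned to a commit
(added example, not Tauri's workflow). Tags and branches are mutable: whoever
controls the action repository can move them to new code, so only a full
40-hex commit SHA (or a docker image digest) counts as pinned. The workflow
text is constructed; action names other than actions/checkout are placeholders.
"""
import re

USES = re.compile(r"^\s*(?:-\s+)?uses:\s*['\"]?(?P<ref>[^\s'\"#]+)")
FULL_SHA = re.compile(r"[0-9a-f]{40}")

WORKFLOW = """\
name: release
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # constructed SHA placeholder
      - name: Install toolchain
        uses: example-org/setup-toolchain@v1
      - uses: example-org/setup-toolchain@main
      - uses: ./.github/actions/setup-frontend
      - uses: docker://ghcr.io/example-org/builder:latest
      - uses: docker://ghcr.io/example-org/builder@sha256:0000000000000000000000000000000000000000000000000000000000000000
      - name: Build the app
        run: cargo tauri build
"""


def classify_uses(ref):
    """'sha' | 'digest' | 'local' | 'mutable' for one uses: reference."""
    if ref.startswith("./"):
        return "local"                 # lives in this repo, versioned with it
    if ref.startswith("docker://"):
        return "digest" if "@sha256:" in ref else "mutable"
    _, _, version = ref.partition("@")   # owner/repo[/path]@version
    return "sha" if FULL_SHA.fullmatch(version) else "mutable"


def audit_workflow(text):
    """(line_number, ref, status) for every uses: line in a workflow file."""
    results = []
    for number, line in enumerate(text.splitlines(), start=1):
        match = USES.match(line)
        if match:
            ref = match.group("ref")
            results.append((number, ref, classify_uses(ref)))
    return results


def unpinned_actions(text):
    """What a CI policy check should fail the build on."""
    return [r for r in audit_workflow(text) if r[2] == "mutable"]


if __name__ == "__main__":
    for number, ref, status in audit_workflow(WORKFLOW):
        print(f"line {number:3}: {status:8} {ref}")
```

The trailing `# v4.1.1`-style comment that people keep next to a SHA pin is ignored by the matcher, so it can document the version without affecting the result. Reusable workflows referenced at the job level (`jobs.<id>.uses: owner/repo/.github/workflows/x.yml@ref`) go through the same `classify_uses` path and are held to the same rule.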

You should sign your binaries for the platform you are shipping to. While this can be complicated and somewhat costly to set up, end users expect that your app is verifiably from you.

If cryptographic secrets are properly stored on hardware tokens, a compromised build system won't be able to leak the involved signing keys, but it could still use them to sign malicious releases.

Reproducible Builds

To combat backdoor injection at build time, you need your builds to be reproducible, so that you can verify that the build assets are exactly the same whether you build them locally or on another independent provider.

The first problem is that Rust does not, by default, reliably produce reproducible builds. It supports this in theory, but there are still bugs, and it recently broke on a release.

You can keep track of the current state in the Rust project's public bug tracker.

The next problem you will encounter is that many common frontend bundlers do not produce reproducible output either, so the bundled assets may also break reproducible builds.

This means that you cannot fully rely on reproducible builds by default, and sadly need to fully trust your build systems.
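Even where reproducibility is only partial, comparing two independent builds tells you which artifacts you can verify and which you are taking on trust. The following is an added example, not Tauri tooling: it hashes every file in two build output trees and reports what is identical, what differs and what exists on one side only. The two trees are constructed in a temporary directory; the native binary and HTML match, while the bundled JavaScript differs in an embedded build timestamp, the kind of bundler behaviour the text describes.

```python
"""Compare two independent build outputs file by file (added example).

Reproducible builds are only useful if you actually diff the results: build
on your machine and on an independent provider, then compare every artifact's
SHA-256. The fixture trees are constructed in a temporary directory and
deliberately differ in one bundled asset, the way a bundler that stamps a
build time into its output would.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 16):
    """Hex SHA-256 of a file, streamed so large bundles need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def digest_tree(root):
    """Map of relative path -> SHA-256 for every regular file under root."""
    root = Path(root)
    return {
        path.relative_to(root).as_posix(): sha256_file(path)
        for path in sorted(root.rglob("*")) if path.is_file()
    }


def compare_trees(local_root, remote_root):
    """Classify artifacts as identical, mismatched or present on one side only."""
    local, remote = digest_tree(local_root), digest_tree(remote_root)
    return {
        "identical": sorted(p for p in local if p in remote and local[p] == remote[p]),
        "mismatched": sorted(p for p in local if p in remote and local[p] != remote[p]),
        "only_local": sorted(set(local) - set(remote)),
        "only_remote": sorted(set(remote) - set(local)),
    }


def is_reproducible(report):
    """True only when every artifact exists on both sides with the same digest."""
    return not (report["mismatched"] or report["only_local"] or report["only_remote"])


def build_fixture_trees():
    """Two constructed build directories; returns (local_root, remote_root)."""
    base = Path(tempfile.mkdtemp(prefix="repro-"))
    files = {
        "local": {
            "demo-app": b"\x7fELF constructed binary bytes",
            "bundle/index.html": b"<!doctype html><script src=app.js></script>",
            "bundle/app.js": b"console.log('built 2024-01-01T10:00:00Z');",  # timestamp differs
            "LICENSE": b"MIT",
        },
        "remote": {
            "demo-app": b"\x7fELF constructed binary bytes",
            "bundle/index.html": b"<!doctype html><script src=app.js></script>",
            "bundle/app.js": b"console.log('built 2024-01-01T10:07:31Z');",
        },
    }
    for side, tree in files.items():
        for rel, content in tree.items():
            target = base / side / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(content)
    return base / "local", base / "remote"


if __name__ == "__main__":
    report = compare_trees(*build_fixture_trees())
    for kind, paths in report.items():
        print(f"{kind:12} {paths}")
    print("reproducible:", is_reproducible(report))
```

A `mismatched` entry is a question, not yet a finding: it may be a timestamp or an ordering difference in the bundler, or it may be an injected change, and the only way to tell is to diff the two files. The point of running this on every release is that the set of artifacts you cannot reproduce stays visible rather than being assumed away.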

Distribution Threats

We have done our best to make shipping hot updates to the app as straightforward and secure as possible. However, all bets are off if you lose control of the manifest server, the build server, or the binary hosting service.

If you build your own system, consult a professional OPS architect and build it properly.

If you are looking for another trusted distribution solution for Tauri apps, our partner CrabNebula has an offering: https://crabnebula.dev/cloud

Runtime Threats

We assume the webview is insecure, which has led Tauri to implement several protections regarding webview access to system APIs in the context of loading untrusted userland content.

Using the Content Security Policy will lock down the types of communication that the Webview can undertake. Furthermore, Capabilities can prevent untrusted content or scripts from accessing the API within the Webview.
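A CSP only locks down the webview if the policy itself is tight; a single `*` or `'unsafe-inline'` in `default-src` reopens everything the policy was meant to close. The following is an added example, not Tauri's code or default policy: a linter for the policy string before it goes into your Tauri configuration. It parses the directives, applies the `default-src` fallback the browser applies, and flags the sources that let injected or remote script run or let the webview connect anywhere. Both policies are constructed; Tauri-specific sources such as its IPC and asset schemes are not covered here and should be added per the Tauri CSP documentation.

```python
"""Lint a Content Security Policy before shipping it in a Tauri app (added example).

CSP is how you lock down what the webview may load and talk to; this lint
checks the mistakes that undo that: a missing default-src, wildcard or plain
http sources where scripts or connections are concerned, 'unsafe-inline' or
'unsafe-eval' for scripts, and plugin content left enabled. Both policy strings
are constructed; Tauri's own IPC and asset sources are out of scope here.
"""
WEAK_CSP = "default-src * 'unsafe-inline' 'unsafe-eval'; img-src * data:"
HARDENED_CSP = ("default-src 'self'; script-src 'self'; style-src 'self'; "
                "img-src 'self'; connect-src 'self'; object-src 'none'; "
                "base-uri 'self'; frame-ancestors 'none'")


def parse_csp(policy):
    """'a b c; d e' -> {'a': ['b', 'c'], 'd': ['e']} with lower-cased tokens."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def effective_sources(directives, name):
    """Sources that apply to a fetch directive, honouring the default-src fallback."""
    return directives.get(name, directives.get("default-src", []))


def lint_csp(policy):
    """Return (directive, problem) pairs; an empty list means no finding."""
    d = parse_csp(policy)
    findings = []
    if "default-src" not in d:
        findings.append(("default-src", "missing: unlisted directives allow everything"))
    # Script sources decide whether injected markup can execute at all.
    script = effective_sources(d, "script-src")
    for token in ("'unsafe-inline'", "'unsafe-eval'", "*", "http:", "https:", "data:"):
        if token in script:
            findings.append(("script-src", f"{token} permits script you do not control"))
    # Connect sources decide whom the webview may talk to (fetch, XHR, WebSocket).
    connect = effective_sources(d, "connect-src")
    for token in ("*", "http:"):
        if token in connect:
            findings.append(("connect-src", f"{token} lets the webview talk to arbitrary hosts"))
    if effective_sources(d, "object-src") != ["'none'"]:
        findings.append(("object-src", "should be 'none' to disable plugin content"))
    return findings


if __name__ == "__main__":
    for label, policy in (("weak", WEAK_CSP), ("hardened", HARDENED_CSP)):
        print(f"{label}:")
        for directive, problem in lint_csp(policy) or [("-", "no findings")]:
            print(f"  {directive:12} {problem}")
```

The weak policy yields five findings (three for scripts, one for connections, one for plugins) and the hardened one yields none. When the hardened policy breaks your frontend, add the specific origin or scheme that is actually needed rather than falling back to `*`; that keeps the lint green and the webview constrained to the communication you intended.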

We also recommend setting up an easy and secure way to report vulnerabilities, similar to our process.
