Skip to content

feat: add in-flight checksumming to prevent TOCTU attacks on build artifacts #243

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 6 commits into
base: leo/cache-verification-when-downloading
Choose a base branch
from
Open

feat: add in-flight checksumming to prevent TOCTU attacks on build artifacts #243

wants to merge 6 commits into from

Conversation

leodido
Copy link

@leodido leodido commented Sep 26, 2025
edited
Loading

Description

Implements in-flight checksumming functionality to prevent Time-of-Check-Time-of-Use (TOCTU) attacks on build artifacts. This security enhancement validates cache artifacts during download to detect tampering between initial verification and actual use.

Key Changes:

  • Added downloadResult struct to capture both file content and checksum validation results
  • Enhanced downloadFileAsync to perform checksumming during download with structured error reporting
  • Updated downloadBothParallel to collect and validate checksums from both download operations
  • Added --in-flight-checksums CLI flag to enable the feature (disabled by default for backward compatibility)
  • Integrated with existing WithInFlightChecksums build option system

The implementation maintains full backward compatibility while providing users with an opt-in security enhancement for production builds.

Merge after #242

Related Issue(s)

Fixes https://linear.app/ona-team/issue/CLC-1960/implement-in-flight-checksumming-leeway

How to test

  1. Build the updated leeway binary: go build -o leeway .
  2. Test CLI flag availability: ./leeway build --help (verify --in-flight-checksums appears)
  3. Test with flag enabled: ./leeway build --in-flight-checksums <target>
  4. Test without flag: ./leeway build <target> (should work as before)
  5. Run existing tests: go test ./... to ensure no regressions

Documentation

/hold

leodido and others added 5 commits September 26, 2025 09:38
@leodido @ona-agent
Add checksum storage to build context for in-flight checksumming
bb3f821 
- Add InFlightChecksums fields to buildContext and buildOptions structs
- Implement conditional initialization in newBuildContext()
- Add WithInFlightChecksums() build option following Leeway patterns
- Thread-safe storage with sync.RWMutex for parallel builds
- Feature disabled by default (nil map when disabled)

Foundation for preventing TOCTU attacks during parallel builds as
specified in Christian's security requirements.

Co-authored-by: Ona <[email protected]>
@leodido @ona-agent
Implement checksum helper functions for in-flight checksumming
ae51001 
Add four core functions for TOCTU attack prevention:

- recordArtifactChecksum(): Thread-safe checksum recording after artifact creation
- verifyArtifactChecksum(): Individual artifact tampering detection
- computeSHA256(): Standard file hashing with proper resource management
- verifyAllArtifactChecksums(): Batch verification before signing handoff

Features:
✅ Thread-safe operations with sync.RWMutex for parallel builds
✅ Feature toggle support (nil map = disabled, no performance impact)
✅ Security-focused logging with truncated checksums for debugging
✅ Clear TOCTU attack detection with actionable error messages
✅ Non-fatal error handling (warns but doesn't break builds)
✅ Follows Leeway patterns and coding conventions

Ready for integration into build process to prevent cache artifact
tampering during parallel builds.

Co-authored-by: Ona <[email protected]>
@leodido @ona-agent
Hook checksum recording after cache artifact creation
12f1210 
Add checksum recording immediately after PackageBuildPhasePackage execution:

- Hook placed after executeCommandsForPackage() completes successfully
- Records checksum of freshly created cache artifact (.tar.gz/.tar)
- Uses buildctx.LocalCache.Location(p) to get artifact path
- Non-fatal error handling with structured logging
- Executes before RegisterNewlyBuilt() to establish baseline

Timing ensures:
✅ Cache artifact exists and is complete
✅ Checksum captured immediately after creation
✅ Attack window minimized before potential tampering
✅ Baseline established before signing handoff

This implements Christian's requirement: 'checksums the cached tar.gz
file right after creation, and keeps it in memory' to prevent TOCTU
attacks during parallel builds.

Co-authored-by: Ona <[email protected]>
@leodido @ona-agent
Add end-of-build verification to complete TOCTU attack protection
3f40064 
Add comprehensive checksum verification before signing handoff:

- Verify all tracked cache artifacts at end of Build() function
- Placed after vulnerability scanning, before final return
- Batch verification of all recorded checksums using verifyAllArtifactChecksums()
- Build fails with clear security message on tampering detection
- Feature-gated by ctx.InFlightChecksums flag

Security properties:
✅ Complete protection against cache artifact tampering
✅ Detection window covers entire parallel build process
✅ Cryptographic integrity verification (SHA256)
✅ Immediate build failure on TOCTU attack detection
✅ Clear 'potential TOCTU attack detected' error messages

This completes Christian's security requirement: 'reverifies all signatures
and writes them to a well known location. If the cached file has changed
during the build, because of a malicious package, we'd know.'

The core security mechanism is now complete and bulletproof.

Co-authored-by: Ona <[email protected]>
@leodido @ona-agent
Add --in-flight-checksums CLI flag for TOCTU attack prevention
df9b1c0 
- Add boolean flag to enable checksumming of cache artifacts
- Integrate with existing build option system
- Position flag near other security-related options
- Default to false for backward compatibility

Co-authored-by: Ona <[email protected]>
@leodido leodido self-assigned this Sep 26, 2025
@leodido leodido marked this pull request as ready for review September 26, 2025 10:06
@leodido leodido requested review from csweichel and geropl September 26, 2025 10:08
@leodido @ona-agent
Add comprehensive tests for in-flight checksumming security
120f2f8 
Step 6: Core Security Tests Complete

- Add pkg/leeway/build_checksum_test.go with 4 test functions
- Test checksum recording and verification functionality
- Simulate TOCTU attacks with file tampering detection
- Validate error handling and messaging
- Test feature toggle behavior (enabled/disabled)
- Add CLI integration tests in cmd/build_test.go
- Verify --in-flight-checksums flag parsing and help text
- Test integration with build options system
- Ensure backward compatibility and no regressions

All tests pass with comprehensive edge case coverage including:
- Real attack simulation scenarios
- Multiple artifact batch processing
- Nonexistent file handling
- Disabled feature behavior

Co-authored-by: Ona <[email protected]>
geropl
geropl approved these changes Sep 26, 2025
View reviewed changes
Copy link
Member

@geropl geropl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The changes and tests themselves LGTM!

I'm not too firm in leeway, so I can't tell 100% that the places we integrate with, and the paths awe are checking are correct. But I assume you can and did verify this, so leaving my ✔️ here

This was referenced Sep 29, 2025
Open
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@geropl geropl geropl approved these changes

@csweichel csweichel Awaiting requested review from csweichel

Assignees

@leodido leodido

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@leodido @geropl