Attackers hacking the “path to production”
SUNBURST
The Orion software build system, based on TeamCity, was compromised. The attackers found the build agents and deployed a malicious DLL. Initially they snuck dead code into a release. Once they were able to verify that their code made it into a release, they replaced it with the code they wanted to run. There was no source code compromise; the attack used a DLL injected into the build agents. Discovered by FireEye: writeup here
Software & Tools
SLSA - Supply Chain Levels for Software artifacts
Youtube: 8RT5bf6wEJk
Software
3 boundaries:
- Source Control System
- Build System
- Use boundary
Levels
- Level 1: Documentation of the build process - unsigned provenance
- Level 2: Tamper resistance of the build service - hosted source/build, signed provenance
- Level 3: Extra resistance to specific threats - security controls on host, non-falsifiable provenance
- Level 4: Highest levels of confidence and trust - two-party review + hermetic builds
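The "Provenance" question above (where did this software come from, and how can that be verified?) is answered by a consumer checking the SLSA provenance statement before accepting an artifact. The following is an added example, not code from SLSA or any project on this page: it builds a constructed in-toto statement with a SLSA v0.2 predicate and checks the things the levels above call for (artifact digest bound to the subject, a trusted hosted builder, a pinned source revision). The builder and repository URLs are hypothetical, and signature verification of the envelope is assumed to happen separately.

```python
import hashlib
import json

# Constructed sample: the artifact bytes and an in-toto statement carrying a
# SLSA v0.2 provenance predicate, as a hosted build service would emit it.
ARTIFACT = b"contents of app-1.0.tar.gz (constructed sample)"
PROVENANCE = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "subject": [{"name": "app-1.0.tar.gz",
                 "digest": {"sha256": hashlib.sha256(ARTIFACT).hexdigest()}}],
    "predicate": {
        "builder": {"id": "https://ci.example.com/builders/hosted@v1"},  # hypothetical
        "buildType": "https://ci.example.com/build-types/container@v1",  # hypothetical
        "invocation": {"configSource": {
            "uri": "git+https://git.example.com/org/app",  # hypothetical
            "digest": {"sha1": "0123456789abcdef0123456789abcdef01234567"},  # constructed
            "entryPoint": "build.yaml"}},
    },
}
# Builder identities this consumer chooses to trust (hypothetical values).
TRUSTED_BUILDERS = {"https://ci.example.com/builders/hosted@v1"}


def check_provenance(artifact, statement, trusted_builders):
    """Return a list of policy failures; an empty list means the artifact is accepted.
    Assumes the DSSE envelope signature was already verified (e.g. with cosign),
    so this only evaluates what the provenance content claims."""
    failures = []
    if statement.get("predicateType") != "https://slsa.dev/provenance/v0.2":
        failures.append("predicateType is not SLSA provenance v0.2")
    # The provenance must describe these exact bytes. SUNBURST shipped a binary that
    # did not correspond to the reviewed source, so the digest binding is the core check.
    digest = hashlib.sha256(artifact).hexdigest()
    subjects = statement.get("subject", [])
    if not any(s.get("digest", {}).get("sha256") == digest for s in subjects):
        failures.append("artifact sha256 does not match any subject digest")
    pred = statement.get("predicate", {})
    builder = pred.get("builder", {}).get("id")
    if builder not in trusted_builders:  # level 2+: a hosted, trusted build service
        failures.append(f"builder {builder!r} is not a trusted hosted build service")
    src = pred.get("invocation", {}).get("configSource", {})
    if not src.get("uri") or not src.get("digest"):  # source control boundary
        failures.append("configSource missing: build not pinned to a source revision")
    return failures


if __name__ == "__main__":
    print(json.dumps(check_provenance(ARTIFACT, PROVENANCE, TRUSTED_BUILDERS)))
```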
Tern
Tern is a software package inspection tool that can create a Software Bill of Materials (SBOM) for containers. It is written in Python 3 with a smattering of shell scripts.
OPA
OPA for vuln analysis - https://www.openpolicyagent.org/
Sigstore
sigstore - sigstore empowers software developers to securely sign software artifacts such as release files, container images, binaries, bill of material manifests and more. Signing materials are then stored in a tamper-resistant public log.
Fulcio
fulcio is a free Root-CA for code signing certs - issuing certificates based on an OIDC email address. fulcio only signs short-lived certificates that are valid for under 20 minutes.
Falco
Falco, the cloud-native runtime security project, is the de facto Kubernetes threat detection engine. Falco is the first runtime security project to join CNCF as an incubation-level project. Falco acts as a security camera detecting unexpected behavior, intrusions, and data theft in real time.
Government
Executive Order 14028
“Improving the Nation’s Cybersecurity” directs NIST to publish a variety of guidance intended to enhance software supply chain security.
Terms
| Term | Definition |
|---|---|
| Attestation | The action of being a witness to or formally certifying something |
| SCA | Software Composition Analysis |
| BAB | Binary Authorization for Borg - Google code provenance and code identity |
| Typosquatting | Registering a package whose name is an easy typo of a popular package, in the hope it is picked up and used as a software dependency |
| SBOM | Software Bill of Materials |
| Provenance | Where did this software come from? How can that be verified? |
| SLSA | Supply Chain Levels for Software Artifacts. Framework for grading supply chain confidence |
Resources
- https://github.com/bureado/awesome-software-supply-chain-security
- https://slsa.dev
- https://in-toto.io
- https://github.com/tern-tools/tern
- https://github.com/sigstore/cosign - cosign container signing
- https://www.cisa.gov/publication/software-supply-chain-attacks
- https://github.blog/2020-09-02-secure-your-software-supply-chain-and-protect-against-supply-chain-threats-github-blog/
- https://cloud.google.com/docs/security/binary-authorization-for-borg - Binary Authorization for Borg: how Google verifies code provenance and implements code identity