
Untrusted Execution: Attacking the Cloud Native Supply Chain

2022-10-26

Authors:   Andrew Martin


Summary

The presentation discusses the importance of threat modeling and supply chain security in DevOps and provides best practices for securing the supply chain.
  • Threat modeling is important to bring quantifiability and reason to abstract threats and to identify attack paths.
  • The STRIDE process and standards documents can be used to exhaust potential permutations of threats and identify simple controls to cover as many cases as possible.
  • The attack tree is a visual representation of an attack and can be used to multiply likelihood and impact to give abstract risk scores.
  • Layering controls across the branches of the attack tree can break the attack chain and provide a minimum viable set of security configurations.
  • Pipeline metadata is important for piecing things back together and giving a different type of observation.
  • Best practices for securing the supply chain include using SBOMs, artifact signing, and evidence leaks and ledgers.
  • Measuring SLSA level and mean time to remediation are useful indicators of vendor maturity.
  • Retrofitting and slowly maturing the supply chain is important.
  • Asking vendors for SBOMs is a closer first step than asking for SLSA level.
The speaker mentions a tool called Witness, which can run as your PID 1 and trace all your build behavior to help derive what you actually do and how that is built.
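
The attack-tree points in the summary (likelihood times impact scoring, and layering controls so that every branch is broken) can be worked through on a small tree. This is an added example, not material from the talk; the tree, the 1-5 scores and the control names are constructed assumptions.

```python
from itertools import combinations, product

# Constructed sample data (assumption, not from the talk).
# Goal: attacker-controlled code runs in production.
# leaf -> (likelihood 1-5, impact 1-5, controls that block this step)
LEAVES = {
    "malicious dependency pulled":  (4, 4, {"dependency pinning", "SBOM review"}),
    "CI runner compromised":        (2, 5, {"ephemeral runners"}),
    "registry credentials stolen":  (3, 5, {"short-lived credentials"}),
    "artifact deployed unverified": (4, 5, {"signature verification at admission"}),
}
# OR = any child suffices for the attacker, AND = every child is required.
TREE = ("OR", [
    "malicious dependency pulled",
    ("AND", ["CI runner compromised", "artifact deployed unverified"]),
    ("AND", ["registry credentials stolen", "artifact deployed unverified"]),
])

def risk(leaf):
    """Abstract risk score for one attack step: likelihood x impact."""
    likelihood, impact, _ = LEAVES[leaf]
    return likelihood * impact

def ranked_leaves():
    """Attack steps ordered from highest to lowest risk score."""
    return sorted(LEAVES, key=risk, reverse=True)

def paths(node):
    """Each attack path as the set of leaves that must all succeed."""
    if isinstance(node, str):
        return [frozenset([node])]
    op, children = node
    child_paths = [paths(c) for c in children]
    if op == "OR":
        return [p for cp in child_paths for p in cp]
    return [frozenset().union(*combo) for combo in product(*child_paths)]

def breaks(controls, path):
    """A path is broken when at least one of its steps has a deployed control."""
    return any(LEAVES[leaf][2] & controls for leaf in path)

def minimum_controls(tree):
    """Smallest control set that breaks every path (exhaustive; fine for small trees)."""
    every_control = sorted(set().union(*(c for _, _, c in LEAVES.values())))
    all_paths = paths(tree)
    for size in range(1, len(every_control) + 1):
        for combo in combinations(every_control, size):
            if all(breaks(set(combo), p) for p in all_paths):
                return set(combo)
    return None
```
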

Abstract

Should we trust the code we run in production? Not if a motivated attacker can compromise our system’s complex supply chains. While hardened runtimes and detection can mitigate some zero day attacks, malicious internal threat actors and software implants are much harder to detect. Supply chain security looks to address some of these concerns, but with so many signing options available to us, what do we really care about? Our source code, open source dependencies, CI/CD, built containers, vendor software — or the hardware and operating systems we run on? Securing the whole supply chain is a non-trivial task, and requires consideration at all of these levels. In this talk we:
  • Undertake a risk-based threat model of supply chain attacks against our systems
  • Compare the open source supply chain security controls available to us
  • Examine trusted execution environments and their security properties
  • Propose a solution for end to end supply chain security
