logo
allArticlesConferencesPresentations

Picking Lockfiles: Attacking & Defending Your Supply Chain

Conference:  BlackHat USA 2021

2021-11-11

Summary

Defending Against Log File Tampering in DevOps
  • Log files are sensitive and all changes to them need to be reviewed carefully
  • Automated dependency updates can reduce low effort attack vectors
  • Automatically checking the integrity of log files can help detect tampering
  • Leadership communication and careful control are important aspects when red teaming this type of attack
The demo showed how defensive tooling can be used to check the integrity of a log file and detect any mismatches between the data in the log file and the registry. The tool reported an error for a dependency, Dom Purify, where the integrity hash and resolved URL did not match. It was recommended to run the tool in a CI job and let it run every time there are changes checked or submitted to the project. This can help automatically fail pipelines if log file tampering is detected.

Abstract

An advantage of open source software (OSS) development is that it enables contributions from the public, adding new features and improvements. This also makes OSS projects a target of supply chain attacks. We present both an offensive and defensive perspective of an attack technique that hides malicious code in open source contributions and that reduce the likelihood of the modifications being caught during review.Our technique leverages lockfiles commonly used by modern package managers to allow deterministic resolution of dependencies necessary to run an application. Our technique is based on the observation that 1) package managers do not sufficiently verify the integrity of lockfiles, 2) lockfiles are machine-generated and small modifications are easily missed during code review due to the mass of changes included, and 3) the prevalent use of third-party packages and package managers in open source software projects.For blue teams, we provide a light-weight tool that verifies the integrity of a lockfile well suited to be executed in CI pipelines. For red teams, we demonstrate both manual and automated approaches for choosing targets and tampering lockfiles, share Mitre Att&ck TTPs, and offer advice on what to look for when both defending and perpetuating this technique, making it easier to simulate this type of supply chain attack.Our work builds on previous work by Liran Tal [1]. We expand on their work by presenting more methods for tampering lockfiles, applying it to additional programming ecosystems (Ruby on Rails and Go in addition to Node.js), and providing tools that verify the integrity of a lockfile as well as automate the tasks of targeting suitable dependencies and tampering a lockfile.[1] https://snyk.io/blog/why-npm-lockfiles-can-be-a-security-blindspot-for-injecting-malicious-modules/
Materials:
Tags:

Post a comment

Related work

Authenticating Supply-chain Metadata: Building Remote Code Attestations on GitHub

Conference:  SupplyChainSecurityCon 2022
Authors: Laurent Simon, Asra Ali
2022-06-21

Building SLSA 3 Conforment Attestors for Artifacts Generated on GitHub

Conference:  KubeCon + CloudNativeCon Europe 2023
Authors: Ian Lewis, Asra Ali
2023-04-21

Trust But Verify: Bringing Supply Chain Integrity To CD GitOps

Conference:  KubeCon + CloudNativeCon North America 2022
Authors: Yuji Watanabe, Hirokuni Kitahara
2022-10-27

Spicing up Container Image Security with SLSA & GUAC

Conference:  Cloud Native SecurityCon North America 2023
Authors: Ian Lewis

Exploiting Vulnerabilities and Flaws to Attack Supply Chain

Conference:  RSA Conference 2023
Authors: Ilay Goldman, Yakir Kadkoda
2023-04-24

Purl and Vers: The Mostly Universal Package URL and Version Ranges Identifiers for Dependencies and Vulnerabilities

Conference:  SupplyChainSecurityCon 2022
Authors: Hritik Vijay, Philippe Ombredanne
2022-06-22