Picking Lockfiles: Attacking & Defending Your Supply Chain

Conference:  BlackHat USA 2021



Defending Against Log File Tampering in DevOps
  • Log files are sensitive and all changes to them need to be reviewed carefully
  • Automated dependency updates can reduce low effort attack vectors
  • Automatically checking the integrity of log files can help detect tampering
  • Leadership communication and careful control are important aspects when red teaming this type of attack
The demo showed how defensive tooling can be used to check the integrity of a log file and detect any mismatches between the data in the log file and the registry. The tool reported an error for a dependency, Dom Purify, where the integrity hash and resolved URL did not match. It was recommended to run the tool in a CI job and let it run every time there are changes checked or submitted to the project. This can help automatically fail pipelines if log file tampering is detected.


An advantage of open source software (OSS) development is that it enables contributions from the public, adding new features and improvements. This also makes OSS projects a target of supply chain attacks. We present both an offensive and defensive perspective of an attack technique that hides malicious code in open source contributions and that reduce the likelihood of the modifications being caught during review.Our technique leverages lockfiles commonly used by modern package managers to allow deterministic resolution of dependencies necessary to run an application. Our technique is based on the observation that 1) package managers do not sufficiently verify the integrity of lockfiles, 2) lockfiles are machine-generated and small modifications are easily missed during code review due to the mass of changes included, and 3) the prevalent use of third-party packages and package managers in open source software projects.For blue teams, we provide a light-weight tool that verifies the integrity of a lockfile well suited to be executed in CI pipelines. For red teams, we demonstrate both manual and automated approaches for choosing targets and tampering lockfiles, share Mitre Att&ck TTPs, and offer advice on what to look for when both defending and perpetuating this technique, making it easier to simulate this type of supply chain attack.Our work builds on previous work by Liran Tal [1]. We expand on their work by presenting more methods for tampering lockfiles, applying it to additional programming ecosystems (Ruby on Rails and Go in addition to Node.js), and providing tools that verify the integrity of a lockfile as well as automate the tasks of targeting suitable dependencies and tampering a lockfile.[1] https://snyk.io/blog/why-npm-lockfiles-can-be-a-security-blindspot-for-injecting-malicious-modules/