Conference:  Black Hat Asia 2023
Authors: Alex Matrosov, Richard Hughes, Kai Michaelis
2023-05-12

Over the past two years, attacks on multiple targets in the semiconductor industry have consistently led to leaks of firmware source code. A compromised developer device could give an attacker access to the source code repository, opening a major gap in the security of the software supply chain. Multiple policies are in place to improve transparency in the firmware supply chain in general, but implementing and adopting them will take years. The technology industry is in the midst of active discussions about the use of software bills of materials (SBOMs) to address supply chain security risks. In order to implement supply chain security practices, there must be better transparency on software dependencies. Previously, software shipped as a black box, without any information about its dependencies and third-party components, and firmware has largely been treated the same way. In our previous talks we discussed the multiple levels of complexity in the UEFI firmware ecosystem and its supply chain taxonomy, and in last year's research, "The Firmware Supply-Chain Security Is Broken: Can We Fix It?", we covered firmware update delivery and how its timing gives attackers the advantage of adopting already known vulnerabilities (N-days) in their attacks. Silicon vendor reference code vulnerabilities are always the worst, since they impact the whole industry: every device vendor that uses the same chips is affected. When it comes to applying mitigations, how does the industry take advantage of them, and who controls their adoption in the firmware? Those are all good questions, but unfortunately, no positive news can be shared. This talk will discuss system firmware attack vectors from the perspective of attacking the operating system or hypervisor.
The nature of these attacks breaks the foundation of confidential computing and often creates problems for the entire industry. This talk will focus on practical examples of such attacks and why they are dangerous.
Conference:  Black Hat Asia 2023
Authors: Fyodor Yarochkin, Zhengyu Dong, Vladimir Kropotov, Paul Pajares
2023-05-11

Mobile phones may come pre-infected with malicious firmware before they are even delivered to customers. This is a growing problem for regular users and enterprises. Many businesses produce mobile devices by outsourcing the manufacturing process, and that process comes with risks: the supply chain of outsourced manufacturing can be easily infiltrated by third-party threat actors. In this presentation, we will dive into the operations of a criminal enterprise that targets mobile phones. The group has infected millions of Android devices, mainly mobile phones but also smart watches, smart TVs and more. The infection turns these devices into mobile proxies, into tools for stealing and selling SMS messages, social media and online messaging accounts, and into sources of monetization via advertisements and click fraud. Our data shows that this is a continuously growing problem. We manually analyzed dozens of stock firmware images to confirm the presence of malicious software in these models, and through our telemetry data we confirmed that millions of infected devices are operated globally. The main cluster of these devices is in South-East Asia and Eastern Europe; however, this is a truly global problem. In this presentation, we will share our insights on the scope and scale of the problem, discuss how these criminal enterprises operate and monetize infected devices, and share the techniques we used to identify and analyze a large number of stock firmware images. We will also share insights on the ecosystem of criminal groups targeting the supply chain and their modus operandi.
Authors: Ian Lewis, Asra Ali
2023-04-21

tldr - powered by Generative AI

The importance of attestation data in securing the software delivery pipeline and the need for a verification process to establish trust in the attestation data.
  • Attestation data provides proof of an event and allows tracing of outputs from inputs in the software delivery pipeline.
  • Verification process is necessary to ensure integrity and authenticity of the attestation data.
  • Integrity ensures that the attestation data cannot be tampered with, while authenticity ensures identification of the attestation creator.
  • Non-forgeability and non-perishability ensure that the attestation content cannot be influenced by users operating the pipeline.
  • Complete zero trust in the system is necessary to establish trust in the attestation data.
Authors: Carlos Panato, Adolfo García Veytia
2023-04-20

tldr - powered by Generative AI

The presentation discusses the release toolkit and its use in securing the supply chain for software development projects.
  • The release toolkit generates binaries, checksums, and signatures for release artifacts
  • It includes provenance attestation and an SPDX SBOM
  • The toolkit can be used with GitHub Actions and is language-agnostic
  • The toolkit's SLSA tooling creates SLSA attestations and can be used with SBOMs generated by other tools
  • The toolkit uses OIDC tokens from GitHub to generate temporary certificates for attestation
  • The toolkit can be used to donate repositories to the Kubernetes organization
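The two summaries above describe the two halves of the same mechanism: a release pipeline generating signed provenance, and a consumer verifying it before trusting it. The following is an added example, my own code rather than anything from either talk or from the Kubernetes release tooling. It wraps an in-toto-shaped statement with a SLSA provenance predicate in a minimal DSSE envelope, signs it with Ed25519, and verifies it in the order a verifier must use: authenticity first (a signature by a key the verifier already trusts), then integrity (the artifact in hand is a signed subject), then policy (the expected builder produced it). The artifact bytes, key ID, builder URI and the Demo function are constructed for the example; real provenance carries more fields, and Sigstore-style keyless verification would replace the static trusted-key map with certificate chain and transparency log checks.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

const inTotoType = "application/vnd.in-toto+json" // DSSE payloadType for in-toto statements

// Envelope is a DSSE envelope; each signature covers PAE(payloadType, payload), not the raw payload.
type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"` // base64(statement JSON)
	Signatures  []Signature `json:"signatures"`
}
type Signature struct {
	KeyID string `json:"keyid"`
	Sig   string `json:"sig"` // base64(raw Ed25519 signature)
}

// Statement is the part of an in-toto statement with a SLSA provenance predicate that Verify checks (_type and predicateType omitted for brevity).
type Statement struct {
	Subject   []Subject `json:"subject"`
	Predicate struct {
		Builder struct{ ID string `json:"id"` } `json:"builder"`
	} `json:"predicate"`
}
type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}

// pae is DSSE Pre-Authentication Encoding: "DSSEv1" SP LEN(type) SP type SP LEN(payload) SP payload.
func pae(t string, p []byte) []byte { return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(t), t, len(p), p)) }
func sha256Hex(b []byte) string  { return fmt.Sprintf("%x", sha256.Sum256(b)) }

// Sign wraps stmt in a DSSE envelope signed with an Ed25519 key (what a release pipeline would emit).
func Sign(priv ed25519.PrivateKey, keyID string, stmt Statement) Envelope {
	body, _ := json.Marshal(stmt) // a plain struct cannot fail to marshal
	sig := ed25519.Sign(priv, pae(inTotoType, body))
	return Envelope{PayloadType: inTotoType, Payload: base64.StdEncoding.EncodeToString(body),
		Signatures: []Signature{{KeyID: keyID, Sig: base64.StdEncoding.EncodeToString(sig)}}}
}

// Verify enforces, in order: authenticity (a signature by a trusted key), integrity (the artifact in hand
// is a signed subject) and policy (the expected builder). The payload is parsed only after the signature passes.
func Verify(env Envelope, trusted map[string]ed25519.PublicKey, artifact []byte, wantBuilder string) (stmt Statement, err error) {
	body, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil || env.PayloadType != inTotoType {
		return stmt, fmt.Errorf("malformed envelope (type %q): %v", env.PayloadType, err)
	}
	msg, authentic := pae(env.PayloadType, body), false
	for _, s := range env.Signatures {
		pub, ok := trusted[s.KeyID] // unknown key IDs are skipped, never trusted
		raw, derr := base64.StdEncoding.DecodeString(s.Sig)
		if ok && derr == nil && ed25519.Verify(pub, msg, raw) {
			authentic = true
		}
	}
	if !authentic {
		return stmt, fmt.Errorf("no valid signature from a trusted key")
	}
	if err := json.Unmarshal(body, &stmt); err != nil {
		return stmt, err
	}
	want, found := sha256Hex(artifact), false
	for _, sub := range stmt.Subject {
		found = found || sub.Digest["sha256"] == want
	}
	if !found {
		return stmt, fmt.Errorf("artifact sha256 %s is not a subject of this attestation", want)
	}
	if stmt.Predicate.Builder.ID != wantBuilder {
		return stmt, fmt.Errorf("built by %q, policy requires %q", stmt.Predicate.Builder.ID, wantBuilder)
	}
	return stmt, nil
}

// Demo: the genuine artifact verifies; a tampered artifact and a forgery signed by an untrusted key under the trusted key ID are rejected.
func Demo() (genuineOK, tamperRejected, forgeryRejected bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	artifact := []byte("constructed release binary v1.2.3")      // stand-in for a real build output
	const builder = "https://ci.example.test/release-build"       // assumed builder identity
	trusted := map[string]ed25519.PublicKey{"release-key-1": pub} // the verifier's trust root
	stmt := Statement{Subject: []Subject{{Name: "app", Digest: map[string]string{"sha256": sha256Hex(artifact)}}}}
	stmt.Predicate.Builder.ID = builder
	rejects := func(env Envelope, art []byte) bool { _, err := Verify(env, trusted, art, builder); return err != nil }
	genuineOK = !rejects(Sign(priv, "release-key-1", stmt), artifact)
	tamperRejected = rejects(Sign(priv, "release-key-1", stmt), append([]byte("x"), artifact...))
	forgeryRejected = rejects(Sign(attackerPriv, "release-key-1", stmt), artifact)
	return
}

func main() { fmt.Println(Demo()) } // true true true
```

Two design points matter in practice: the signature is computed over the PAE string rather than the bare payload, so an attacker cannot re-label a legitimately signed blob as a different payload type, and the verifier never reads a field of the statement (subject digest, builder) until the signature check has passed, so the policy decision is based only on authenticated data.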
Authors: Michael Lieberman, Mihai Maruseac
2022-10-27

By now, we’re getting bored of hearing the “am I affected by X vulnerability?” question. However, as supply chain attacks become more sophisticated, answering just this question is insufficient. Instead, we need to think about: “If TravisCI was compromised, which software is affected? With a bad actor in your supply chain, what's the blast radius?” There is a ton of information today in SBOMs, in-toto/SLSA attestations, etc. Observed individually, these documents provide limited information, but when put together and related they super-additively expand the knowledge base of our software supply chain. We built a supply chain knowledge graph tool to help better understand the relationships between artifacts and their metadata/identities. Through this high-fidelity graph, we not only answer the hard questions posed earlier but also make new discoveries. For example, we found that most build systems rely not only on obvious dependencies like gcc, but often on overlooked projects like libpcre and sed.
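As an added example of the kind of query the abstract describes (my own code, not the speakers' tool), the following builds a two-relation knowledge graph from constructed SBOM and provenance facts and answers both questions: which artifacts include a vulnerable package, and the blast radius of a compromised builder. Artifact names and builder URIs are invented; the edge types are a deliberate simplification of what a full knowledge graph models.

```go
package main

import (
	"fmt"
	"sort"
)

// Graph is a minimal supply-chain knowledge graph with the two relations the questions above need:
// "built-by" edges taken from SLSA provenance and "includes" edges taken from SBOMs (or from
// provenance materials, for build tools). Real systems model many more relation types.
type Graph struct {
	builtBy    map[string]string   // artifact -> builder identity
	dependents map[string][]string // dependency -> artifacts that include it (the reverse edge)
}

func NewGraph() *Graph {
	return &Graph{builtBy: map[string]string{}, dependents: map[string][]string{}}
}

// AddProvenance records that artifact was produced by builder.
func (g *Graph) AddProvenance(artifact, builder string) { g.builtBy[artifact] = builder }

// AddDependency records that artifact includes (links, bundles or was built with) dep.
func (g *Graph) AddDependency(artifact, dep string) {
	g.dependents[dep] = append(g.dependents[dep], artifact)
}

// reach walks reverse dependency edges breadth-first from the seeds and returns every artifact that
// transitively includes one of them, seeds included. The seen set also makes dependency cycles safe.
func (g *Graph) reach(seeds []string) []string {
	seen := map[string]bool{}
	queue := append([]string(nil), seeds...)
	for len(queue) > 0 {
		n := queue[0]
		queue = queue[1:]
		if seen[n] {
			continue
		}
		seen[n] = true
		queue = append(queue, g.dependents[n]...)
	}
	out := make([]string, 0, len(seen))
	for n := range seen {
		out = append(out, n)
	}
	sort.Strings(out) // stable output for comparison and for diffing between runs
	return out
}

// Affected answers "am I affected by vulnerable package X?": everything that includes X.
func (g *Graph) Affected(pkg string) []string { return g.reach([]string{pkg}) }

// BlastRadius answers "if builder B is compromised, which software is affected?": everything B built
// plus everything that includes something B built.
func (g *Graph) BlastRadius(builder string) []string {
	var seeds []string
	for artifact, b := range g.builtBy {
		if b == builder {
			seeds = append(seeds, artifact)
		}
	}
	return g.reach(seeds)
}

// sampleGraph holds facts constructed for this example; artifact names and builder URIs are invented.
func sampleGraph() *Graph {
	g := NewGraph()
	g.AddProvenance("libpcre", "https://ci-a.example/build")
	g.AddProvenance("sed", "https://ci-a.example/build")
	g.AddProvenance("grep", "https://ci-b.example/build")
	g.AddProvenance("buildtool", "https://ci-b.example/build")
	g.AddProvenance("webapp", "https://ci-c.example/build")
	g.AddDependency("grep", "libpcre")     // grep's SBOM lists libpcre
	g.AddDependency("buildtool", "sed")    // the build system shells out to sed
	g.AddDependency("buildtool", "grep")   // and to grep
	g.AddDependency("webapp", "buildtool") // webapp's provenance lists buildtool as a material
	return g
}

func main() {
	g := sampleGraph()
	fmt.Println("affected by a libpcre bug:", g.Affected("libpcre"))
	fmt.Println("blast radius of ci-a:     ", g.BlastRadius("https://ci-a.example/build"))
	fmt.Println("blast radius of ci-c:     ", g.BlastRadius("https://ci-c.example/build"))
}
```

The point of the example is the second query: nothing in webapp's own SBOM mentions ci-a, yet a compromise of ci-a reaches webapp through sed and the build tool, which is exactly the relationship that only appears once provenance and SBOM documents are joined.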
Authors: Jake Sanders, Andres Vega
2022-10-26

tldr - powered by Generative AI

The presentation discusses the importance of securing software supply chains and introduces SPIFFE and SPIRE as solutions. It also highlights the intersection of SPIFFE and SPIRE with Project Sigstore.
  • Software supply chains are vulnerable to attacks and require secure solutions
  • SPIFFE and SPIRE provide a secure identity framework for managing the lifecycle of identity and reducing the likelihood of breaches
  • SPIFFE and SPIRE create an identity control plane and abstraction that simplify high-velocity PKI and role binding
  • Project Sigstore intersects with SPIFFE and SPIRE by providing a secure and scalable platform for storing and sharing software artifacts
Authors: Billy Lynch
2022-10-25

Attestations are a useful tool for attaching supply chain metadata to artifacts and images, but how can we attach attestations to source code itself? In this talk, we'll go into some of the ways you can attach attestations to source code with Git. Learn how data can be stored verifiably alongside commits, how attestations can be modeled to describe SLSA source requirements, and how tools like Gitsign can make this easy to add to your CI/CD pipelines.
Conference:  Transform X 2022
Authors: Jeff Wilke, Alexandr Wang
2022-10-19

tldr - powered by Generative AI

The importance of data and AI in e-commerce and retail, particularly in creating an authoritative catalog and optimizing inventory management for a unified buying experience.
  • AI is winning against traditional algorithms in e-commerce and retail
  • Data is crucial in fueling AI algorithms
  • Amazon's success in creating an authoritative catalog through product type definitions
  • The need for a unified buying experience through omnichannel retail and optimized inventory management
  • AI can play a huge role in marketing discovery, transactional experience, and inventory management
Authors: Matt Jarvis, Steve Hendrick
2022-06-21

tldr - powered by Generative AI

The main theme of the conference presentation is the importance of involving developers in improving security knowledge and leveraging specialized security tools to automate security processes in DevOps. The presentation also emphasizes the need to rely on vendors for guidance and to follow best practices for security policy.
  • Involving developers in improving security knowledge and empowering them to make decisions based on guidance and feedback can be effective in improving security posture.
  • Leveraging specialized security tools, such as SAST, is crucial for providing guidance and insight for identifying security risks.
  • Relying on vendors for guidance and help in solving security problems is necessary due to the complexity of identifying security risks.
  • Automating security processes is essential for addressing security issues without impacting the speed of innovation.
  • Following best practices for security policy, such as those provided by the Linux Foundation's Secure Software Development course, can help organizations understand their current security posture and improve it over time.
Authors: Rose Judge, Joshua Lock
2022-06-21

tldr - powered by Generative AI

The presentation discusses the importance of reproducibility in software development pipelines and infrastructure for better security and transparency. It provides three levels of reproducibility and their supply chain security implications.
  • Reproducibility in software development pipelines and infrastructure is crucial for better security and transparency
  • There are three levels of reproducibility: unscripted builds, repeatable builds, and rebuildable builds
  • Rebuildable builds control all explicit inputs for a build and can produce an equivalent artifact that can be reproduced at any future point in time
  • Achieving reproducible builds requires engineering effort and long-term storage, which can be costly for some organizations
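As an added example (my own code, not from the talk), the following shows in Go's archive/tar what separates a build that is merely repeatable from one whose inputs are all pinned: the naive packager lets map iteration order and the wall clock into the output, so two builds of the same sources produce different bytes, while the reproducible packager fixes entry order, timestamps, ownership and tar format, so rebuilding at any later point yields the same digest. The sample files are constructed.

```go
package main

import (
	"archive/tar"
	"bytes"
	"crypto/sha256"
	"fmt"
	"io"
	"sort"
	"time"
)

// Files is a build's output to be packaged: path -> content.
type Files map[string][]byte

// NaiveArchive packages files the way many release scripts do: Go's randomised map iteration decides
// entry order and the wall clock becomes each entry's mtime (kept at sub-second precision by PAX).
// Both are implicit inputs, so two builds of identical sources generally yield different bytes.
func NaiveArchive(files Files) ([]byte, error) {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for name, data := range files {
		hdr := &tar.Header{Name: name, Mode: 0o644, Size: int64(len(data)), ModTime: time.Now(), Format: tar.FormatPAX}
		if err := tw.WriteHeader(hdr); err != nil {
			return nil, err
		}
		if _, err := tw.Write(data); err != nil {
			return nil, err
		}
	}
	if err := tw.Close(); err != nil { // the trailer must be written before the bytes are read
		return nil, err
	}
	return buf.Bytes(), nil
}

// ReproducibleArchive pins every implicit input: entries are written in sorted order, mtime is a
// fixed epoch (the SOURCE_DATE_EPOCH convention), ownership is 0:0 with no names, and the format is
// fixed to USTAR so the writer cannot pick a different encoding on another machine.
func ReproducibleArchive(files Files) ([]byte, error) {
	names := make([]string, 0, len(files))
	for name := range files {
		names = append(names, name)
	}
	sort.Strings(names)
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, name := range names {
		hdr := &tar.Header{
			Typeflag: tar.TypeReg, Name: name, Mode: 0o644, Size: int64(len(files[name])),
			ModTime: time.Unix(0, 0).UTC(), Uid: 0, Gid: 0, Format: tar.FormatUSTAR,
		}
		if err := tw.WriteHeader(hdr); err != nil {
			return nil, err
		}
		if _, err := tw.Write(files[name]); err != nil {
			return nil, err
		}
	}
	if err := tw.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// Digest is what a rebuilder compares against the published artifact.
func Digest(b []byte) string { return fmt.Sprintf("%x", sha256.Sum256(b)) }

// Entries reads an archive back and lists its member names in archive order.
func Entries(archive []byte) ([]string, error) {
	var names []string
	tr := tar.NewReader(bytes.NewReader(archive))
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return names, nil
		}
		if err != nil {
			return nil, err
		}
		names = append(names, hdr.Name)
	}
}

func main() {
	// Constructed sample build output.
	files := Files{"bin/app": []byte("binary bytes"), "LICENSE": []byte("MIT"), "README.md": []byte("hello")}
	for _, b := range []struct {
		label string
		fn    func(Files) ([]byte, error)
	}{{"naive", NaiveArchive}, {"reproducible", ReproducibleArchive}} {
		first, _ := b.fn(files)
		second, _ := b.fn(files)
		fmt.Printf("%-12s build 1 %s\n%-12s build 2 %s\n", b.label, Digest(first), b.label, Digest(second))
	}
}
```

The same discipline applies to every packaging step of a release (container layers, zip files, debug info paths): each place where the environment rather than the declared inputs influences the bytes is a place where a rebuilder cannot confirm that the published artifact came from the published sources.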