Conference:  Black Hat Asia 2023
Authors: Alex Matrosov, Richard Hughes, Kai Michaelis
2023-05-12

Over the past two years, attacks on multiple targets in the semiconductor industry have consistently led to leaks of firmware source code. A compromised developer device could potentially give an attacker access to the source code repository, adding a major gap in the security of the software supply chain. There are multiple policies in place to improve transparency in the firmware supply chain in general, but implementing and adopting them will take years. The technology industry is in the midst of active discussions about the use of "software bill of materials" (SBOMs) to address supply chain security risks.

In order to implement supply chain security practices, there must be better transparency on software dependencies. Previously, any piece of software shipped as a black box without providing any information related to software dependencies and third-party components. Firmware has largely been looked at in the same way. We already discussed in our previous talks the multiple levels of complexity in the UEFI firmware ecosystem and supply chain taxonomy, and in last year's research "The Firmware Supply-Chain Security Is Broken: Can We Fix It?" we already discussed the firmware supply chain complexity topics regarding firmware update delivery and how timing plays a negative role, giving attackers an advantage in adopting already known vulnerabilities (N-days) to their attacks.

The silicon vendor reference code vulnerabilities are always the worst, since they impact the whole industry and all the device vendors that have used the same chips on their devices. When it comes to applying mitigations, how does the industry take advantage of them, and who controls their adoption in the firmware? Those are all good questions, but unfortunately, no positive news can be shared. The system firmware attack vectors will be discussed in this talk from the perspective of attacking the operating system or hypervisor. The nature of these attacks breaks the foundation of confidential computing and often creates problems for the entire industry. This talk will focus on practical examples of such attacks and how they are dangerous.
Conference:  Black Hat Asia 2023
Authors: Fyodor Yarochkin, Zhengyu Dong, Vladimir Kropotov, Paul Pajares
2023-05-11

Mobile phones may come pre-infected with malicious firmware before they are even delivered to the customers. This is a growing problem for regular users and enterprises. Many businesses produce mobile devices by outsourcing the manufacturing process. The process comes with risks. The supply chain of the outsourced manufacturing can be easily infiltrated by third-party threat actors.

In this presentation, we will dive into the criminal operations of a criminal enterprise that targets mobile phones. The criminal group has infected millions of Android devices, mainly mobile phones, but also smart watches, smart TVs and more. The infection turns these devices into mobile proxies, tools for stealing and selling SMS messages, social media and online messaging accounts, and monetization via advertisements and click fraud. Our data shows that this is a continuously growing problem. We manually analyzed dozens of the stock-firmware images to confirm the presence of malicious software in these models. Further, through our telemetry data, we confirmed that there are millions of infected devices operated globally. The main cluster of these devices is in South-East Asia and Eastern Europe; however, this is a truly global problem.

In this presentation, we will share our insights on the scope and scale of the problem, discuss how these criminal enterprises operate and monetize infected devices, and share techniques we used to identify and further analyze a large number of stock firmware images. We will also share some insights on the ecosystem of supply-chain-targeting criminal groups and their modus operandi.
Authors: Billy Lynch
2022-10-25

Attestations are a useful tool for attaching supply chain metadata to artifacts and images, but how can we attach attestations to source code itself? In this talk, we'll go into some of the ways you can attach attestations to source code with Git. Learn how data can be stored verifiably alongside commits, how attestations can be modeled to describe SLSA source requirements, and how tools like Gitsign can make this easy to add to your CI/CD pipelines.
Authors: Matt Jarvis, Steve Hendrick
2022-06-21

tldr - powered by Generative AI

The main theme of the conference presentation is the importance of involving developers in improving security knowledge and leveraging specialized security tools to automate security processes in DevOps. The presentation also emphasizes the need to rely on vendors for guidance and to follow best practices for security policy.
  • Involving developers in improving security knowledge and empowering them to make decisions based on guidance and feedback can be effective in improving security posture.
  • Leveraging specialized security tools, such as FAST, is crucial for providing guidance and insight for identifying security risks.
  • Relying on vendors for guidance and help in solving security problems is necessary due to the complexity of identifying security risks.
  • Automating security processes is essential for addressing security issues without impacting the speed of innovation.
  • Following best practices for security policy, such as those provided by the Linux Foundation's Secure Software Development course, can help organizations understand their current security posture and improve it over time.
Authors: Rose Judge, Joshua Lock
2022-06-21

tldr - powered by Generative AI

The presentation discusses the importance of reproducibility in software development pipelines and infrastructure for better security and transparency. It provides three levels of reproducibility and their supply chain security implications.
  • Reproducibility in software development pipelines and infrastructure is crucial for better security and transparency.
  • There are three levels of reproducibility: unscripted builds, repeatable builds, and rebuildable builds.
  • Rebuildable builds control all explicit inputs for a build and can produce an equivalent artifact that can be reproduced at any future point in time.
  • Achieving reproducible builds requires engineering effort and long-term storage, which can be costly for some organizations.