Skip to content

Supply Chain Security

Exam

  • Gwak/Quak
  • Describe any software chain attack -> Might be in exam

Updates

  • Added localhost condition
  • Added MIT License
  • Added Basic Documentation

Install Script Analyzer

  • Finds out potentially malicious imports & IPs

ArchDetective

CloudSec

We made a few adjustments in the final design and we will present it through the demo.

  • AFL is coverage guided fuzzer which mutates the input & checks if that give a mutated behavior
  • Sanitizers insert additional run-time checks into your program to catch bugs
  • Valgrind is dynamic binary instrumentation framework which translates binary code as it runs into its own intermidiate language & analyzes the code

In-Toto

  • Provides a framework to protect the integrity of the software supply chain.
  • Ensures that each task in the chain is executed as planned by authorized personnel and that the product is not tampered with during transit.
  • Working:
    • Project owners create a layout specifying: Steps, Authorized functionaries, Artifact rules
    • Functionaries execute steps using in-toto-run or in-toto-record
    • Command execution, materials, and products are recorded in the link file.
    • Links are signed by functionaries to verify execution authenticity.
    • Artifact rules ensure:
      • Only authorized actions on artifacts are performed.
      • Integrity and traceability of artifacts are maintained throughout the supply chain.
    • in-toto-verify:
      • Validates layout signatures, expiration, and step execution by authorized functionaries.
      • Checks command validity, artifact integrity, and inspections against defined rules.
    • in-toto-sign is used to manage metadata signatures

SBOM-it

  • SBOMit stands for "SBOM on in-toto", a specification aimed at enhancing software supply chain security by improving the reliability and integrity of Software Bills of Materials (SBOMs).
  • It proposes a method to generate metadata for an SBOM during the software creation process, utilizing in-toto attestations and layouts.
  • Enables the generation of a detailed SBOM in various formats, integrating both in-toto verified steps and supplemental information for a comprehensive overview.
  • Components
    • In-toto Attestations: Records from each step of the software supply chain, accompanied by metadata.
    • In-toto Layout: A framework signed by the project owner, outlining valid attestation metadata and establishing a structured policy.
    • Supplemental SBOM Information: Additional details not covered by in-toto, such as company name, providing extra context to enhance the final SBOM.

TUF

  • Purpose: TUF is designed to secure software update systems against various attacks that can compromise the integrity of updates, such as distributing malicious files or compromising signing keys.
  • Framework: It provides a framework consisting of libraries, file formats, and utilities to enhance the security of both new and existing software update systems.
  • TUF aims to minimize the impact of key compromises and other attacks, ensuring the security and authenticity of software updates.
  • It is designed to be flexible, catering to a wide variety of software update systems, and is easily integrable with existing systems.
  • Working:
    • TUF defines roles and metadata to ensure only trusted parties can perform specific actions.
    • Metadata contains verifiable records about the state of a repository or application.
    • Clients use metadata to make decisions on which files to update.
    • Metadata includes expiration dates to detect outdated information.
    • TUF automates the identification, download, and verification of updates.
    • The software update system leverages TUF to enhance security transparently.

Uptane

  • Uptane is a security framework for ensuring the integrity of software updates, initially developed for the automotive industry but adaptable to various sectors reliant on over-the-air updates.
  • Working:
    • Director Repository: Decides which updates are sent to specific vehicles.
    • Image Repository: Stores metadata about available updates.
    • End-to-End Security: Guarantees updates only come from legitimate sources.
    • Compromise Resilience: Even if one part is compromised, system integrity remains intact.

Sigstore

  • Sigstore is an open-source project aimed at enhancing software supply chain security by enabling secure signing and verification of software artifacts such as release files, container images, binaries, SBOMs, etc.
  • Working:
    • Sigstore client requests a certificate from Fulcio.
    • Fulcio issues a short-lived certificate bound to a verifiable identity.
    • Client signs the artifact using an ephemeral key and the certificate.
    • Artifact's details are recorded in Rekor, a transparency log.
    • Verification involves checking signature, identity, certificate's signature, and proof of inclusion in Rekor.

Questions

Why does whitespace matter for software supply chain security?

Whitespace is dependent on programming language semantics. 1. Different contributors use different OS (CRLF vs LF)  2. Does not handle line wrapping -> Causes whitespace diffs 3. Is not configured for programming languages

Why is it important to have different open source licenses for different file types?

  • allows developers to manage and protect the project's intellectual property (IP) effectively
  • When you try to enforce your license for the wrong files, it may not get enforced properly.
  • It is fine until something happens legally.

List one advantage and disadvantage of backtracking dependency resolution vs using a SAT solver.

Backtracking

  • Backtracking is a brute-force algorithmic technique used to solve combinatorial problems. In the context of dependency resolution, it works by systematically trying different combinations of choices until a solution is found or proven impossible.
  • When resolving dependencies, backtracking typically involves recursively trying out different options for each dependency until a valid solution is found or all possibilities have been exhausted.
  • This method can be resource-intensive
  • While backtracking guarantees finding a solution if one exists, it might not be the most efficient approach, especially for large problem instances.
  • Advantage: Backtracking algorithms are relatively simple to implement and understand.
  • Disadvantage: Backtracking algorithms can be less efficient, especially for large dependency graphs

SAT Solver

  • SAT (Boolean Satisfiability Problem) solvers are algorithms used to determine the satisfiability of a given Boolean formula
  • SAT solvers use sophisticated algorithms to efficiently explore the solution space and find a satisfying assignment if one exists.
  • SAT solvers are particularly effective for complex dependency resolution problems with large numbers of dependencies and constraints.
  • Advantage: SAT solvers are highly efficient and can handle large dependency graphs with many constraints.
  • Disadvantage: Implementing and configuring a SAT solver can be challenging.

Assume that at least some packages in a repository have the wrong architecture.  What is the most efficient way to detect these packages?*

  • Analyze magic bytes
  • automated scripting to analyze package metadata
  • download the whole package and extract and then analyse

In what circumstances might a computer server connect with a URL which is not listed in a string in the source code?  Will all such cases likely be benign, all malicious, or mixed?

Mixed - SSRF  - Config -> .bashprofile

Name and describe at least two properties of a linter that are important.

  • It should be able to find bugs that actually matter
  • Less false positive
  • Customizable, Extensible

Describe a compiler hardening option and when it would be useful.

  • D_FORTIFY_SOURCE=2: This macro enables additional compile-time and run-time checks to detect buffer overflows and other vulnerabilities in standard library functions.
  • fstack-protector: This flag enables stack protection by inserting stack canaries into functions that contain buffer overflow vulnerabilities. It helps detect stack smashing attacks.

Is it likely to be easier or harder to detect malicious install scripts in an ecosystem like Python, which has complex install scripts?  Why?

  • Python packages often rely on numerous dependencies, leading to complex installation processes.
  • it is tough to review them for vulnerable code.

It can crash the webserver

How does running code in an enclave (like SGX) change the trust model from running it in a VM?

  • Enclaves provide a higher level of isolation compared to VMs
  • Enclaves enable fine-grained access control, allowing only authorized code to access the data and code within the enclave.
  • Enclaves support remote attestation, allowing a remote party to verify the integrity of the enclave and the code running inside it.

Name something better performed as a GitHub action, than as a git pre-commit hook.

  • web application -> Automate the process of building, testing, and deploying using Github Action CI/CD pipeline
  • The pre-commit hook will run only on the developer’s local machine.

How is an in-toto attestation different from a signature?

  • Signatures primarily focus on verifying the integrity and authenticity of data, without necessarily validating the actions performed.
  • In-toto attestations provide comprehensive evidence of who did what in each step, including the command executed, the files involved, and the functionary responsible.

Given a set of an organization’s supply chain metadata (in-toto attestations, git repositories, SBOMs, etc.), how might you understand where vulnerabilities exist in an organization?

  • in-toto attestations to understand the sequence of steps in the supply chain, who performed each step, and the commands executed.
  • Look for any suspicious commits, branches, or changes 
  • Analyze SBOMs to understand the composition of software components and dependencies used in the organization's products.
  • Identify known vulnerabilities in third-party libraries or components by cross-referencing SBOM data with vulnerability databases

What are delegations used for in TUF?

  • Delegations in TUF indeed enhance security by distributing responsibilities across different roles. If a delegated user's key is compromised, it can be revoked without affecting the security of other users in the system, thereby minimizing the impact of potential compromises. This decentralized approach adds an additional layer of protection to the update system.
  • Delegations are used to assign responsibilities and roles to different user from one user in TUF. They provide enhanced security because even if one of the keys is compromised only that key needs to be revoked without compromising the entire system. This also helps other users to work with flexibility and without giving up their key to anyone else for the same task

What is an ephemeral key (as is provided by Sigstore)?

  • An ephemeral key, as provided by Sigstore, is a temporary cryptographic key used for signing artifacts. 
  • eliminate the need for long-lived keypairs

List one type of bug you would expect to find with static analysis, but not dynamic analysis.  List a type of bug you would find with dynamic analysis, but not static analysis.

  • syntax error or a semantic
  • typos, missing semicolons, or incorrect variable usage without needing to run the program.
  • division by zero, null pointer dereference, or out-of-bounds array access

What is the purpose of SLSA?

The purpose of SLSA is to help in the secure build practices. It is a security framework designed to ensure the integrity and security of software supply chains.

What is the purpose of an SBOM?

  • provides a list of components and dependencies used in a software product
  • To assess and manage risks associated with third-party dependencies and potential vulnerabilities.

Describe something you can set with a CODEOWNERS policy in Github.

  • Define specific individuals or teams responsible for code review.
  • Assign automatic reviewers based on file paths or patterns.
  • Ensure proper ownership and accountability for different parts of a codebase.
  • Facilitate collaboration and streamline the code review process in GitHub repositories.

Describe a limitation of signed git commits, which is addressed by gittuf or gitsign.

  • While Git does provide mechanisms for signing commits using various cryptographic methods such as GPG, SSH keys, and X.509 certificates, it lacks a streamlined approach for distributing and revoking these keys securely.
  • left to manually manage their keys
  • ambiguity regarding which keys to trust and how to handle key revocation effectively.
  • gittuf and gitsign tackle this limitation by providing a structured approach to key distribution and revocation. They associate public keys directly with the repository and track policies continuously, ensuring that the validity of keys and their associated signatures is unambiguous. This not only simplifies the process of verifying commits but also enhances security by reducing the risk of using compromised or revoked keys
  • Signed git commit only verifies the signature of a person
  • Gittuf checks trust policy 

Describe a software supply chain attack and describe how industry responded to try to address it.

  • SolarWinds Attack (2020), where malicious code was inserted into software updates of the SolarWinds Orion platform.
  • Implementation of stricter verification processes for software updates.
  • Enhanced inspection of software vendors and their security practices.
  • Adoption of zero-trust architecture to limit the blast radius of potential breaches.