Picking Lockfiles: Attacking & Defending Your Supply Chain

Presented at Black Hat Europe 2021, Nov. 11, 2021, 3:20 p.m. (40 minutes).

An advantage of open source software (OSS) development is that it enables contributions from the public, adding new features and improvements. This also makes OSS projects a target of supply chain attacks. We present both an offensive and defensive perspective of an attack technique that hides malicious code in open source contributions and that reduce the likelihood of the modifications being caught during review.<br><br>Our technique leverages lockfiles commonly used by modern package managers to allow deterministic resolution of dependencies necessary to run an application. Our technique is based on the observation that 1) package managers do not sufficiently verify the integrity of lockfiles, 2) lockfiles are machine-generated and small modifications are easily missed during code review due to the mass of changes included, and 3) the prevalent use of third-party packages and package managers in open source software projects.<br><br>For blue teams, we provide a light-weight tool that verifies the integrity of a lockfile well suited to be executed in CI pipelines. For red teams, we demonstrate both manual and automated approaches for choosing targets and tampering lockfiles, share Mitre Att&ck TTPs, and offer advice on what to look for when both defending and perpetuating this technique, making it easier to simulate this type of supply chain attack.<br><br>Our work builds on previous work by Liran Tal [1]. We expand on their work by presenting more methods for tampering lockfiles, applying it to additional programming ecosystems (Ruby on Rails and Go in addition to Node.js), and providing tools that verify the integrity of a lockfile as well as automate the tasks of targeting suitable dependencies and tampering a lockfile.<br><br>[1] https://snyk.io/blog/why-npm-lockfiles-can-be-a-security-blindspot-for-injecting-malicious-modules/

Presenters:

  • Greg Johnson - Staff Security Engineer, Red Team, GitLab
    Greg Johnson is a Staff Security Engineer, Red Team at GitLab. Greg has over 22 years of experience in the IT industry having held positions as a software engineer, manager, and multiple positions in offensive security. In his free time, Greg likes spending time outdoors with his family, learning how seemingly random things work, and building/restoring old motorcycles.
  • Dennis Appelt - Staff Security Engineer, Security Research, GitLab
    Dennis Appelt specializes in application security and security testing. Before joining GitLab, he obtained a PhD at the University of Luxembourg on the topic of automated security testing and worked at Ripple securing blockchain applications. In his spare time, Dennis loves rock climbing and playing boardgames with friends.

Links:

Similar Presentations: