Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Mitigating Open-source Software Supply Chain Attacks

Mitigating Open-source Software Supply Chain Attacks

Talk "Mitigating Open-source Software Supply Chain Attacks" presented at PackagingCon 2021.

Ashish Bijlani

November 10, 2021
Tweet

More Decks by Ashish Bijlani

Other Decks in Technology

Transcript

  1. Mitigating Open-source
    Software Supply Chain Attacks
    Ashish Bijlani, Ajinkya Rajput
    Ossillate Inc.

    View full-size slide

  2. The state of open-source software
    ● De-facto standard way of developing digital products/services
    ● Open source software makes up at least 70% of all software
    ○ Source: 2020 Synopsys report
    “Software is eating the world”
    - Marc andreessen, 2011
    “Open-source software is eating the world”
    - Everybody, 2021

    View full-size slide

  3. Open-source software distribution: packages
    ● Code is “packaged” and published on Package Managers
    ○ Example, PyPi hosts over 300K Python packages
    ● Code is “sourced” from Package Managers by installing
    ○ Example, pip3 install dateutils
    # Packages

    View full-size slide

  4. In open-source software, we trust
    ● Anybody can publish packages
    ○ Individual developers, groups, and companies
    ● Software we use on our servers, laptops,
    phones, coffee makers, baby monitors,

    is written by unknown volunteers
    ○ Which we blindly TRUST?

    View full-size slide

  5. Bad actors capitalize on our trust
    by exploiting weakness in
    the code we source
    AS WELL AS
    the way we source it

    View full-size slide

  6. Security weaknesses in the code (a.k.a. vulnerabilities)
    ● Are programming bugs introduced accidentally,
    ○ Example, buffer overflow (due to missing bound checks)
    ● Pose indirect threats
    ○ Need an exploit to trigger the buggy code
    ○ May not always have a high impact
    ● Can be fixed by upgrading to the latest version/release

    View full-size slide

  7. Security weaknesses in the distribution/sourcing process
    ● Anybody can publish their packages using their credentials
    ● No checks or code vetting
    ● Packages are searched and installed using names
    ○ Package Managers (e.g., PyPi, NPM) do not show source code
    ● Bad actors exploit new attack vectors to propagate malware
    7

    View full-size slide

  8. Malware in open-source software packages

    View full-size slide

  9. Case study: mitmproxy2
    - Typosquatting attack
    - Impersonates “mitmproxy”
    - Exploits name typo during installation
    or dev inexperience
    - Removes safeguards: everyone on
    the same network can execute code
    on your machine with a single HTTP
    request

    View full-size slide

  10. Case study: rest-client RubyGems package (100M+ downloads)
    Under production environment, it downloads malicious payload via patebin.com and executes via
    eval, which installs a Remote-Code-Execution (RCE) backdoor on web servers

    View full-size slide

  11. Unlike vulnerabilities, malware is
    ● Intentionally harmful code (NOT accidental programming bug),
    ○ Example, backdoor installed to steal sensitive data
    ● Poses direct and dangerous threats
    ○ Doesn’t need an exploit - itself is an exploit (e.g., triggered on installation)
    ○ Is obfuscated to avoid detection
    ○ Hidden in popular packages for wider reach
    ○ Evasive - may only trigger under narrow conditions (e.g. production)
    ● Can only be fixed by yanking malicious package/dependency version

    View full-size slide

  12. Can we improve the sourcing process?
    ● Today, package stability/maturity/popularity/reputation/safety is inferred from
    ○ Number of GitHub stars/forks,
    ○ Number of open issues on GitHub,
    ○ Number of downloads
    ○ Project documentation/website,
    ○ Number of recent code commits,
    ○ Number of tests cases
    ○ Backing companies (e.g., FB, Uber)
    ● BUT,
    ○ Stars/forks/downloads are attacker-controlled
    ○ Impersonated projects have the same website/documentation/tests/commits
    ○ Should we look at the package code and hundreds of dependencies?

    View full-size slide

  13. Our focus
    1. Background
    1. Malware in open-source software
    1. Our work
    1. Findings

    View full-size slide

  14. About me
    Ashish Bijlani, Ph.D.
    Research Scientist, Ossillate, Inc.
    - Graduated Dec’20, Georgia Tech
    - Cybersecurity/Systems research
    - Creator of ExtFUSE file system
    - eBPF + FUSE = Much faster FUSE
    - Created a 32-bit x86 OS (Capital) that boots
    from a 5.25” floppy disk

    View full-size slide

  15. Our work
    ● Started as a research project at Georgia Tech in 2019
    ○ Downloaded and analyzed over 1.3M NPM+PyPi+RubyGems packages (60TB)
    ○ Detected 339 previously unknown malware (82% confirmed, 3 CVEs, many over a year old)
    ○ Details in academic paper: https://arxiv.org/pdf/2002.01139.pdf
    ● Funded by NSF to continue development
    ● Continuous scanning of packages
    ○ PyPi supported (more coming soon!)

    View full-size slide

  16. Our technology
    - Deep static analysis (Abstract Syntax Tree construction + API analysis)
    - Dynamic analysis (API monitoring during installation)
    - Metadata analysis (millions of data points)

    View full-size slide

  17. Our recent findings (malicious PyPi packages)
    - https://pypi.org/project/dandh811/
    - https://pypi.org/project/KrisQian/
    - https://pypi.org/project/dpp-client
    - https://pypi.org/project/defal96863
    - https://pypi.org/project/idodaniel/
    - and more...

    View full-size slide

  18. Findings: malware 1
    - Homepage redirects to
    billibilli.com
    - Setup.py downloads and
    executes a script with hidden
    output
    - Payload execution code is
    present for Windows and Linux.
    Commented for Darwin.
    MALWARE

    View full-size slide

  19. Findings: malware 1
    -invalid email,
    -homepage redirects to injection.vip
    - setup.py script downloads and spawns a python file (the download server is unreachable now)
    - comment mentions for security testing only, but the payload is unavailable
    MALWARE

    View full-size slide

  20. Announcing three FREE tools for developers (in BETA)
    ● Smart assistant for sourcing open-source software packages
    ○ Package explorer - web app at https://ossillate.com
    ○ Command Line - PyPi package (releasing later today!)
    ○ GitHub Actions Plugin (coming soon!)
    ● Flag packages that are:
    ○ Malicious (malware),
    ○ Suspicious (potentially malicious),
    ○ Vulnerable (containing CVEs),
    ○ Undesirable (possessing unwanted attributes)
    ● Supported Package Managers
    ○ PyPi, more coming soon!

    View full-size slide

  21. Thank you!
    Visit us at ossillate.com
    Write to us: [email protected]
    Get in touch with us on Slack
    https://join.slack.com/t/ossillatecommunity/
    shared_invite/zt-yfezeo6u-
    Fb5iBqODh2UJT1i8LmAjMQ

    View full-size slide