Supply Chainsaw: Practical software supply chain attacks for everyone


I recently presented Supply Chainsaw: Practical software supply chain attacks for everyone at the OPCDE technical security conference in Dubai.

In between pictures of Sharknadoes and memes were an array of software supply chain attacks:

  • We proved most programming language package managers have major security weaknesses
    • Typo or wrong command attacks compromise those who make mistakes installing packages
    • Anonymous automatic registration and publishing make attacks easy
    • Weak authentication, no 2-factor, sometimes none at all
    • Developers of popular open-source packages and their powerful credentials are exposed to many different attacks through the development process and permanent credential caching
  • Operating system package managers are manually reviewed and harder to poison
  • But nearly every OS is acquired insecurely and unlikely to be verified by the user, from Linux to Mac OS, to Windows
  • MITM attacks proven practical against proxy/VPN/Tor users - over 5,000 potential opportunities to poison executable downloads in my test
  • We became OS and package mirrors to prove
    • Anyone could infect packages and OSes delivered via mirror
    • Can be quick, cheap, anonymous, with worldwide effect
    • Packages often are not verified against anything external
    • We were never denied anything we asked for
    • We are running honest mirrors, but we have no guarantee others are trustworthy or have not been compromised
  • Between hundreds and millions of users can be compromised using these techniques
  • Supply chain attacks are happening in the wild now

You can download the presentation here: Supply Chainsaw, or you can view it on SlideShare (although you'll miss out on the slides with animations).
