Build Code is Still Code: Finding the Antidote for Pipeline Poisoning
Brent Pappas, Paul Gazzillo

TL;DR
This paper introduces Foreman, a novel approach and tool for detecting poisoned build systems in software development pipelines, addressing a critical security gap in supply chain protection.
Contribution
It proposes development phase isolation to model build system permissions and demonstrates its effectiveness in detecting poisoned build files, advancing supply chain security.
Findings
Foreman successfully detected poisoned build files in the XZ Utils attack
Development phase isolation effectively models build system permissions
Future work will automate checks for development phase isolation
Abstract
Open source C code underpins society's computing infrastructure. Decades of work have helped harden C code against attackers, but C projects do not consist of only C code. C projects also contain build system code for automating development tasks like compilation, testing, and packaging. These build systems are critical to software supply chain security and vulnerable to being poisoned, with the XZ Utils and SolarWinds attacks being recent examples. Existing techniques try to harden software supply chains by verifying software dependencies, but such methods ignore the build system itself. Similarly, classic software security checkers only analyze and monitor program code, not build system code. Moreover, poisoned build systems can easily circumvent tools for detecting program code vulnerabilities by disabling such checks. We present development phase isolation, a novel strategy for…
Taxonomy
Topics: Security and Verification in Computing · Advanced Malware Detection Techniques · Web Application Security Vulnerabilities
