add notes about compiler poc and solar winds mitigation
This commit is contained in:
parent
8f13f5cde2
commit
351ec034c3
|
@ -97,6 +97,11 @@ toolchain -->
|
||||||
<!-- https://distrowatch.com/images/other/distro-family-tree.png -->
|
<!-- https://distrowatch.com/images/other/distro-family-tree.png -->
|
||||||
|
|
||||||
<!-- TODO: libfakerand to act as the "why" -->
|
<!-- TODO: libfakerand to act as the "why" -->
|
||||||
|
<!--
|
||||||
|
* Create modified compiler which injects libfakerand during build time
|
||||||
|
* Use it to compile software from source, for example bitcoin core
|
||||||
|
* Show that the wallet generated with bitcoin core is not random
|
||||||
|
-->
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
|
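Review bot: the PoC outline in the new comment block (the three bullets between `<!--` and `-->`) stops at "show that the wallet is not random" and never states the check that ties the demo back to the deck's point, which the hunk header above gives as StageX making the toolchain verifiable. A non-random wallet only proves the injected libfakerand took effect; it does not show that determinism would have caught the poisoned compiler. Suggest a fourth bullet such as `* Show that the resulting bitcoin core binary's hash differs from a build of the same source with the StageX toolchain`, and spell out how the modified compiler "injects" libfakerand (linked in silently versus RNG calls rewritten), since that decides what the diff against a clean build looks like. The block is still an HTML comment, so nothing here renders until the `TODO: libfakerand to act as the "why"` line above it is resolved.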
@ -174,6 +179,35 @@ StageX allows us to bootstrap the compiler toolchain, making it easy to verify t
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
|
# Solar Winds
|
||||||
|
|
||||||
|
According to: https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/
|
||||||
|
|
||||||
|
> * SUNSPOT is StellarParticle’s malware used to insert the SUNBURST backdoor into software builds of the SolarWinds Orion IT management product.
|
||||||
|
> * SUNSPOT monitors running processes for those involved in compilation of the Orion product and replaces one of the source files to include the SUNBURST backdoor code.
|
||||||
|
> * Several safeguards were added to SUNSPOT to avoid the Orion builds from failing, potentially alerting developers to the adversary’s presence.
|
||||||
|
|
||||||
|
<!--
|
||||||
|
We can see that the compromise occurred because the threat actors infiltrated the network
|
||||||
|
and replaced source code files during build time.
|
||||||
|
|
||||||
|
This is clearly something we could have prevented by using determinism.
|
||||||
|
|
||||||
|
* Ensuring that all our build time dependencies are reviewed and built deterministically
|
||||||
|
* Ensuring that our commits are signed (additional protection)
|
||||||
|
* Ensuring that the final result is determnistic
|
||||||
|
|
||||||
|
If Solar Winds deployed a secondary runner in an isolated environment that's pull only,
|
||||||
|
it's nearly impossible they would not notice that something is amuck in their final
|
||||||
|
release build. In fact if any developer built the code locally, they would have noticed
|
||||||
|
that something is not lining up.
|
||||||
|
|
||||||
|
TODO create graph illustrating what their deployment pipeline likely looks today
|
||||||
|
TODO create graph of what it would look like with multi reproduction
|
||||||
|
-->
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
# **What's Next?**
|
# **What's Next?**
|
||||||
|
|
||||||
Packaging more software
|
Packaging more software
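Review bot: the commented-out argument overstates what determinism buys. "This is clearly something we could have prevented" and "if any developer built the code locally, they would have noticed" only hold if the Orion build was already reproducible and someone compared the local hash against the release artifact; SUNSPOT swapped a source file on the build host during compilation, so a local build with no hash comparison catches nothing. Reproducibility plus the isolated pull-only second runner described later in the block is a detection control, so suggest "prevented" -> "detected before release" and rewording the local-build sentence around a hash comparison. The "commits are signed" bullet only helps if the runner verifies the signature of the tree it checks out, because the malicious edit happened after checkout; say so rather than "(additional protection)". Minor: "determnistic" -> "deterministic", "amuck" -> "amiss", and the vendor is spelled "SolarWinds" (heading and two prose lines), as in the quoted CrowdStrike bullet.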