add notes about compiler poc and solar winds mitigation
This commit is contained in:
parent beea47e1f6
commit 778774fe33
@ -97,6 +97,11 @@ toolchain -->
<!-- https://distrowatch.com/images/other/distro-family-tree.png -->

<!-- TODO: libfakerand to act as the "why" -->
<!--
* Create modified compiler which injects libfakerand during build time
* Use it to compile software from source, for example bitcoin core
* Show that the wallet generated with bitcoin core is not random
-->

---

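Review bot: the libfakerand PoC outline in this hunk is wrapped entirely in an HTML comment, so none of it renders, and the third bullet never states the check the reader is meant to perform: beyond "the wallet generated with bitcoin core is not random", it should say that the binary produced with the modified compiler no longer reproduces the reference build made with the bootstrapped toolchain, because that mismatch is the detection the rest of the document argues for. The distrowatch image URL is likewise left as a bare comment with no caption or attribution; either use it in the text or drop it.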
@ -174,6 +179,35 @@ StageX allows us to bootstrap the compiler toolchain, making it easy to verify t

---

# Solar Winds

According to: https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/

> * SUNSPOT is StellarParticle’s malware used to insert the SUNBURST backdoor into software builds of the SolarWinds Orion IT management product.
> * SUNSPOT monitors running processes for those involved in compilation of the Orion product and replaces one of the source files to include the SUNBURST backdoor code.
> * Several safeguards were added to SUNSPOT to avoid the Orion builds from failing, potentially alerting developers to the adversary’s presence.

<!--
We can see that the compromise occurred because the threat actors infiltrated the network
and replaced source code files during build time.

This is clearly something we could have prevented by using determinism.

* Ensuring that all our build time dependencies are reviewed and built deterministically
* Ensuring that our commits are signed (additional protection)
* Ensuring that the final result is determnistic

If Solar Winds deployed a secondary runner in an isolated environment that's pull only,
it's nearly impossible they would not notice that something is amuck in their final
release build. In fact if any developer built the code locally, they would have noticed
that something is not lining up.

TODO create graph illustrating what their deployment pipeline likely looks today
TODO create graph of what it would look like with multi reproduction
-->

---

# **What's Next?**

Packaging more software
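Review bot: the claim in the commented-out analysis that any developer building locally "would have noticed that something is not lining up" only holds if the release build is reproducible and someone actually compares the two outputs; per the quoted CrowdStrike bullets, SUNSPOT replaced a source file on the build host during compilation rather than in the repository, so a clean local build does differ from the release artifact, but that difference stays invisible unless the pipeline (the proposed isolated, pull-only secondary runner) compares independently produced builds byte for byte. State that comparison explicitly as the control. For the same reason, "Ensuring that our commits are signed (additional protection)" does not address the vector described here, since the tampering happened after the source left the repository; label it as defence in depth against a different threat. Minor: "Solar Winds" should be "SolarWinds" to match the quoted source, "determnistic" is misspelled, and "amuck" should read "amiss". As with the previous hunk, all of the analysis sits inside an HTML comment, so the rendered section currently consists of a heading and a quote only.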