From 778774fe33e2a678457d694e92c003941e42d7ec Mon Sep 17 00:00:00 2001
From: Anton Livaja <anton@livaja.me>
Date: Wed, 21 Aug 2024 13:22:55 -0400
Subject: [PATCH] add notes about compiler poc and solar winds mitigation

---
 stagex/stagex.md | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)

diff --git a/stagex/stagex.md b/stagex/stagex.md
index 6e442dc..4514934 100644
--- a/stagex/stagex.md
+++ b/stagex/stagex.md
@@ -97,6 +97,11 @@ toolchain -->
 <!-- https://distrowatch.com/images/other/distro-family-tree.png -->
 
 <!-- TODO: libfakerand to act as the "why" -->
+<!--
+* Create modified compiler which injects libfakerand during build time
+* Use it to compile software from source, for example bitcoin core
+* Show that the wallet generated with bitcoin core is not random
+-->
 
 ---
 
@@ -174,6 +179,35 @@ StageX allows us to bootstrap the compiler toolchain, making it easy to verify t
 
 ---
 
+# Solar Winds
+
+According to: https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/
+
+> * SUNSPOT is StellarParticle’s malware used to insert the SUNBURST backdoor into software builds of the SolarWinds Orion IT management product.
+> * SUNSPOT monitors running processes for those involved in compilation of the Orion product and replaces one of the source files to include the SUNBURST backdoor code.
+> * Several safeguards were added to SUNSPOT to avoid the Orion builds from failing, potentially alerting developers to the adversary’s presence.
+
+<!--
+We can see that the compromise occurred because the threat actors infiltrated the network
+and replaced source code files during build time.
+
+This is clearly something we could have prevented by using determinism.
+
+* Ensuring that all our build time dependencies are reviewed and built deterministically
+* Ensuring that our commits are signed (additional protection)
+* Ensuring that the final result is determnistic
+
+If Solar Winds deployed a secondary runner in an isolated environment that's pull only,
+it's nearly impossible they would not notice that something is amuck in their final
+release build. In fact if any developer built the code locally, they would have noticed
+that something is not lining up.
+
+TODO create graph illustrating what their deployment pipeline likely looks today
+TODO create graph of what it would look like with multi reproduction
+-->
+
+---
+
 # **What's Next?**
 
 Packaging more software