By Sheng-Feng Huang, PUFsecurity
In mid-December last year, SolarWinds, a company specializing in IT management solutions, was at the center of a software supply chain attack. Not only did attackers damage SolarWinds’ software development environment and code signing infrastructure, but they also implanted malicious backdoors around the world. The attackers released fake software patches to clients via SolarWinds’ software control and construction system, which proliferated backdoor programs and exposed confidential information. The US saw the incident as a national-level attack impacting Fortune 500 companies and government organizations. Undoubtedly, the impact and implications are huge.
According to information security experts, the attack was a multi-step act. A mishap at the beginning of the attack played a crucial role. Developers at SolarWinds accidentally leaked FTP credentials on GitHub in plain text, which allowed the attackers to use compression and Base64 encoding to conceal the backdoor code. The code went undetected, even by professional developers.
Furthermore, the hackers embedded malicious source code in the version control system and obtained related certificates and secret keys. These crucial items enabled attackers to invade the development environment and code signing infrastructure. After entering customer networks, the hackers evaded firewalls and security controls in their environments.
As the SolarWinds case shows, fully protecting the software supply chain and eliminating the risks from these types of attacks is generally impossible. Even so, the careful development of security specifications, procedures, and detection tools can lower the risks. The following steps can help prevent software supply chain attacks.
Restrict Access to Server Host
Aside from preventing the careless disclosure of server credentials, the first level of protection for clients should be restricting IP access or limiting the validity period of credentials, and recording access logins. Security during software delivery, updates and downloads is crucial. A web-application firewall (WAF) or run-time application self-protection (RASP) is helpful for service deployment, and the server host should deploy a host intrusion prevention system (HIPS) and other defense systems.
Control the Secret Key of Accounts
Hardware security is vital to a supply chain. During the software development and construction process, there are many passwords, keys, and certificates that need proper management. Developers can use personal hardware security keys for identity authentication and for managing and protecting personal credentials. For the organizational information structure, systems such as a hardware security module (HSM) that can execute cryptographic operations and a key management service (KMS) will help solve security pain points. After careful security testing and confirmation, the hardware module will enhance the security of an organization. The HSM's tamper-evident and tamper-proof functions are key features. Using an HSM during software construction makes it possible to encrypt and sign documents and code without exposing the key, ensuring the security of software encryption and signatures. In addition, a KMS can act as another layer of management and control of keys and certificates. Centralized management helps solve the problem of secrets scattered across software development, such as application programming interface (API) tokens, passwords, certificates and more. A KMS provides strict access control and records detailed audit logs. Furthermore, besides storing static secrets, a KMS can also generate secrets dynamically, so that applications can only access sensitive data within a defined period, thereby reducing the risk of secret key theft.
Adopt the Principle of Least Authorization
Excessive user privileges and account abuse are common in the software development or testing phase. Granting users limited access privileges when operating APIs is the best way to avoid damage caused by leaked account information. Alternatively, an authorization account can be downgraded, or a test account can be removed through a standard operating procedure (SOP) or automated detection in the deployment phase to ensure there are no vulnerabilities.
Strengthen Software Release and Signing Procedures
Performing an integrity check for the signing process after software is released can prevent software tampering. A hardware security module can enhance the security level of the signing process. Code signing is the basis for software security and relies on the strength of the private key. The key is not safe when stored in general computer software or a database because it is vulnerable to theft. Therefore, it is a safer best practice to protect the key in a secure, tamper-proof hardware security module.
Implement a Code Review Process
A good software engineering process should implement a review before merging or constructing code. Code reviews can promptly remove computer security concerns such as format string attacks, race hazards, memory leaks, credential leaks and buffer overflows. Reviews can also prevent code tampering and backdoor attacks. Besides code reviews by experienced developers, commercial automated code vulnerability analysis and scanning tools can detect and patch security vulnerabilities during the build phase.
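The following sketch shows how an automated review gate might catch the two things this article singles out: credentials written in plain text and Base64 literals that hide compressed content. It is an added example, not code from the article or from any scanning product; the rule names, the 40-character threshold and the sample lines are assumptions made for illustration.

```python
import base64
import binascii
import re
import zlib

# scheme://user:password@host, the shape of a plain-text FTP credential leak
URL_CRED = re.compile(r"\b([a-z][a-z0-9+.-]*)://([^\s:/@]+):([^\s@/]+)@([^\s/'\"]+)", re.I)
# Quoted Base64-looking literal of 40 or more characters (assumed threshold)
B64_LITERAL = re.compile(r"[\"']([A-Za-z0-9+/]{40,}={0,2})[\"']")

def decodes_to_compressed(literal):
    """True if the literal is valid Base64 wrapping a complete zlib or gzip stream."""
    try:
        raw = base64.b64decode(literal, validate=True)
    except (binascii.Error, ValueError):
        return False
    for wbits in (zlib.MAX_WBITS, zlib.MAX_WBITS | 16):  # zlib, then gzip framing
        stream = zlib.decompressobj(wbits)
        try:
            stream.decompress(raw)
        except zlib.error:
            continue
        if stream.eof:
            return True
    return False  # headerless raw deflate is not covered by this check

def scan(lines):
    """Return (line_number, rule, evidence) findings for the added lines of a change."""
    findings = []
    for number, line in enumerate(lines, 1):
        for m in URL_CRED.finditer(line):
            scheme, user, _password, host = m.groups()
            # Redact the secret so the finding itself does not leak it again.
            findings.append((number, "credential-in-url", f"{scheme}://{user}:***@{host}"))
        for m in B64_LITERAL.finditer(line):
            if decodes_to_compressed(m.group(1)):
                findings.append((number, "compressed-base64-literal", f"{len(m.group(1))} chars"))
    return findings

# Constructed sample: added lines from a hypothetical commit under review.
BLOB = base64.b64encode(zlib.compress(bytes(range(64)))).decode()
SAMPLE = [
    'FTP_URL = "ftp://builduser:Example-Passw0rd@downloads.example.com/updates"',
    'MIRROR = "https://downloads.example.com:8443/updates"',
    f'_cfg = "{BLOB}"',
    'ICON = "' + base64.b64encode(bytes(range(64))).decode() + '"',
]
if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```

A finding from the second rule is a prompt for a human reviewer to ask what the literal contains, since compressed assets can be legitimate.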
Check the Integrity of the Code Signing Process
Code signing can ensure the integrity of the system and prevent tampering. Executing code signing thoroughly, whether for internal or external module libraries, the release/deployment repository or even the final software execution stage, will help reduce the risk of code tampering. The use of an HSM in the code signing program is a way to strengthen the security of the signature certificate and key. The signature process should take place in another secure environment to enhance secret key security. For example, the HSM under the ARM TEE or the Intel SGX framework is a secure environment for the process.
Test Third-party Library Security
Typically, it is difficult for a company or organization to develop its whole software composition and software stack on its own, so it relies on external libraries or modules to accelerate development. A credible public package repository will perform security scans for the managed package modules, perform identity and package certification for developers and related organizations and reference external packages and libraries. Integrity checks ensure better code security and quality, and they require library packages developed by certified developers since library packages of unknown origin can compromise security. When code for web software frameworks and components that directly refers to a third-party CDN URL is compromised, the attack becomes a springboard for the incident to evolve to a larger scale; therefore, such references require extra caution.
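One way to apply an integrity check to a file referenced from a third-party CDN is to pin the digest of the reviewed copy and compare every fetched copy against it, in the style of the W3C Subresource Integrity format (a mechanism the article does not name). This is an added example, not code from the article; the function names and sample bytes are assumptions, and unlike a browser this check fails closed when no usable pin is present.

```python
import base64
import hashlib
import hmac

# Algorithms defined for Subresource Integrity, weakest to strongest.
STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def sri_value(body, alg="sha384"):
    """Build an integrity value ('sha384-<base64 digest>') from a reviewed copy."""
    return alg + "-" + base64.b64encode(hashlib.new(alg, body).digest()).decode()


def parse_integrity(metadata):
    """Split an integrity string into (alg, digest) pairs, dropping options and unknown algorithms."""
    pairs = []
    for token in metadata.split():
        alg, sep, rest = token.partition("-")
        digest = rest.split("?", 1)[0]  # anything after '?' is an option
        if sep and digest and alg.lower() in STRENGTH:
            pairs.append((alg.lower(), digest))
    return pairs


def verify(body, metadata):
    """True only if body matches a digest of the strongest algorithm listed."""
    pairs = parse_integrity(metadata)
    if not pairs:
        return False  # assumption: a build gate requires a pin, so fail closed
    strongest = max(pairs, key=lambda p: STRENGTH[p[0]])[0]
    actual = base64.b64encode(hashlib.new(strongest, body).digest())
    # Weaker digests are ignored so a stale or forged sha256 entry cannot win.
    return any(hmac.compare_digest(actual, digest.encode())
               for alg, digest in pairs if alg == strongest)


# Constructed sample: the reviewed file and a modified copy served later.
VETTED = b"export function add(a, b) { return a + b; }\n"
TAMPERED = VETTED + b"/* injected */\n"
PIN = sri_value(VETTED, "sha256") + " " + sri_value(VETTED, "sha384")

if __name__ == "__main__":
    print(PIN)
    print("vetted:", verify(VETTED, PIN), "tampered:", verify(TAMPERED, PIN))
```

The same pinned value can be placed in the integrity attribute of the script or link tag so that browsers enforce the check at load time.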
Watch for Vulnerabilities in Supply- and Client-side Security
To prevent security risks caused by the software supply chain, it is extremely important to formulate organizational security specifications and to expand the risk security assessment system to include suppliers with important access rights to the organization's network, data suppliers and hardware suppliers. By using commercial security detection software or anti-virus software, the automatic detection and repair process will repeatedly scan the devices, detect malicious software or other vulnerabilities in advance, and reduce hacking risks in the supply chain. Moreover, finding software security vulnerabilities can reduce software and hardware risks during self-development or procurement from suppliers.
The security recommendations mentioned above will reduce the risk of vulnerabilities and attacks in all aspects of the software supply chain. PUF-based hardware security IPs provided by PUFsecurity can form a root-of-trust based on the PUF’s randomness, non-clonability and stability. With key management, digital signatures and cryptographic algorithms provided by our extended solution, PUFsecurity can provide low cost and higher security protection for components like an HSM and a security key. We believe these measures will protect everybody’s supply chain.