Commit 69ff74d6 authored by Mark Lodato

Reformat the attacks table, fix link to reqs.

Reformat the attacks table to make it easier to maintain:
- Remove unnecessary closing `tr` and `td` tags.
- Merge short columns onto one line.
- Separate each row with a blank line.
- Break lines at natural boundaries.

Fix a stale link to build-requirements.md, which (a) was an absolute
link instead of relative, (b) pointed to a file that has since been
deleted, and (c) didn't work on slsa.dev since the jekyll-relative-links
plugin only works on Markdown links, not HTML links.
parent 3713e7da
...@@ -63,97 +63,72 @@ example: ...@@ -63,97 +63,72 @@ example:
<table> <table>
<thead> <thead>
<tr> <tr><th><th>Threat<th>Known example<th>How SLSA could have helped
<th></th>
<th><strong>Threat</strong></th>
<th><strong>Known example</strong></th>
<th><strong>How SLSA could have helped</strong></th>
</tr>
</thead> </thead>
<tbody> <tbody>
<tr>
<td>A</td> <tr><td>A<td>Submit bad code to the source repository
<td>Submit bad code to the source repository</td> <td><a href="https://lore.kernel.org/lkml/202105051005.49BFABCE@keescook/">Linux hypocrite commits</a>:
<td><a Researcher attempted to intentionally introduce vulnerabilities into the Linux
href="https://lore.kernel.org/lkml/202105051005.49BFABCE@keescook/">Linux kernel via patches on the mailing list.
hypocrite commits</a>: Researcher attempted to intentionally introduce <td>Two-person review caught most, but not all, of the vulnerabilities.
vulnerabilities into the Linux kernel via patches on the mailing list.</td>
<td>Two-person review caught most, but not all, of the vulnerabilities.</td> <tr><td>B<td>Compromise source control platform
</tr> <td><a href="https://news-web.php.net/php.internals/113838">PHP</a>:
<tr> Attacker compromised PHP's self-hosted git server and injected two malicious
<td>B</td> commits.
<td>Compromise source control platform</td> <td>A better-protected source code platform would have been a much harder target
<td><a href="https://news-web.php.net/php.internals/113838">PHP</a>: Attacker for the attackers.
compromised PHP's self-hosted git server and injected two malicious
commits.</td> <tr><td>C<td>Build with official process but from code not matching source control
<td>A better-protected source code platform would have been a much harder <td><a href="https://www.webmin.com/exploit.html">Webmin</a>:
target for the attackers. </td> Attacker modified the build infrastructure to use source files not matching
</tr> source control.
<tr> <td>A SLSA-compliant build server would have produced provenance identifying the
<td>C</td> actual sources used, allowing consumers to detect such tampering.
<td>Build with official process but from code not matching source control</td>
<td><a href="https://www.webmin.com/exploit.html">Webmin</a>: Attacker modified <tr><td>D<td>Compromise build platform
the build infrastructure to use source files not matching source <td><a href="https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/">SolarWinds</a>:
control.</td>
<td>A SLSA-compliant build server would have produced provenance identifying
the actual sources used, allowing consumers to detect such tampering.</td>
</tr>
<tr>
<td>D</td>
<td>Compromise build platform</td>
<td><a
href="https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/">SolarWinds</a>:
Attacker compromised the build platform and installed an implant that Attacker compromised the build platform and installed an implant that
injected malicious behavior during each build.</td> injected malicious behavior during each build.
<td>Higher SLSA levels require <a <td><!-- Use Markdown so that jekyll-relative-links rewrites the link. -->
href="https://github.com/slsa-framework/slsa/blob/main/build-requirements.md">stronger
security controls for the build platform</a>, making it more difficult to Higher SLSA levels require
compromise and gain persistence.</td> [stronger security controls for the build platform](requirements.md),
</tr> making it more difficult to compromise and gain persistence.
<tr>
<td>E</td> <tr><td>E<td>Use bad dependency (i.e. A-H, recursively)
<td>Use bad dependency (i.e. A-H, recursively)</td> <td><a href="https://schneider.dev/blog/event-stream-vulnerability-explained/">event-stream</a>:
<td><a
href="https://schneider.dev/blog/event-stream-vulnerability-explained/">event-stream</a>:
Attacker added an innocuous dependency and then updated the dependency to Attacker added an innocuous dependency and then updated the dependency to
add malicious behavior. The update did not match the code submitted to add malicious behavior. The update did not match the code submitted to
GitHub (i.e. attack F).</td> GitHub (i.e. attack F).
<td>Applying SLSA recursively to all dependencies would have prevented this <td>Applying SLSA recursively to all dependencies would have prevented this
particular vector, because the provenance would have indicated that it particular vector, because the provenance would have indicated that it
either wasn't built from a proper builder or that the source did not come either wasn't built from a proper builder or that the source did not come
from GitHub.</td> from GitHub.
</tr>
<tr> <tr><td>F<td>Upload an artifact that was not built by the CI/CD system
<td>F</td>
<td>Upload an artifact that was not built by the CI/CD system</td>
<td><a href="https://about.codecov.io/apr-2021-post-mortem/">CodeCov</a>: <td><a href="https://about.codecov.io/apr-2021-post-mortem/">CodeCov</a>:
Attacker used leaked credentials to upload a malicious artifact to a GCS Attacker used leaked credentials to upload a malicious artifact to a GCS
bucket, from which users download directly.</td> bucket, from which users download directly.
<td>Provenance of the artifact in the GCS bucket would have shown that the <td>Provenance of the artifact in the GCS bucket would have shown that the
artifact was not built in the expected manner from the expected source artifact was not built in the expected manner from the expected source
repo.</td> repo.
</tr>
<tr> <tr><td>G<td>Compromise package repository
<td>G</td> <td><a href="https://theupdateframework.io/papers/attacks-on-package-managers-ccs2008.pdf">Attacks on Package Mirrors</a>:
<td>Compromise package repository</td> Researcher ran mirrors for several popular package repositories, which could
<td><a have been used to serve malicious packages.
href="https://theupdateframework.io/papers/attacks-on-package-managers-ccs2008.pdf">Attacks
on Package Mirrors</a>: Researcher ran mirrors for several popular package
repositories, which could have been used to serve malicious packages.</td>
<td>Similar to above (F), provenance of the malicious artifacts would have <td>Similar to above (F), provenance of the malicious artifacts would have
shown that they were not built as expected or from the expected source shown that they were not built as expected or from the expected source
repo.</td> repo.
</tr>
<tr> <tr><td>H<td>Trick consumer into using bad package
<td>H</td> <td><a href="https://blog.sonatype.com/damaging-linux-mac-malware-bundled-within-browserify-npm-brandjack-attempt">Browserify typosquatting</a>:
<td>Trick consumer into using bad package</td> Attacker uploaded a malicious package with a similar name as the original.
<td><a
href="https://blog.sonatype.com/damaging-linux-mac-malware-bundled-within-browserify-npm-brandjack-attempt">Browserify
typosquatting</a>: Attacker uploaded a malicious package with a similar
name as the original.</td>
<td>SLSA does not directly address this threat, but provenance linking back to <td>SLSA does not directly address this threat, but provenance linking back to
source control can enable and enhance other solutions.</td> source control can enable and enhance other solutions.
</tr>
</tbody> </tbody>
</table> </table>
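Review bot: the one cell in this hunk that mixes Markdown into the HTML table, the D row's `[stronger security controls for the build platform](requirements.md)` inside a `<td>`, needs a rendering check before merge. The comment above it explains that Markdown is used so jekyll-relative-links rewrites the link, and the commit message notes the plugin only handles Markdown links, but every other cell in the table uses an HTML `<a href>`, so this is now the only link whose rendering depends on the Markdown processor parsing inline Markdown inside a raw HTML block. Confirm that it renders as a link both on GitHub (where the README is shown from Markdown) and on slsa.dev (Jekyll), not as literal brackets; if either renderer leaves it as text, a relative HTML anchor to `requirements.md` with a note about the plugin limitation would keep the cell consistent with the rest of the table. Minor: the inline comment `<!-- Use Markdown so that jekyll-relative-links rewrites the link. -->` is useful, but it should also be stated once near the top of the table so future editors know this cell is intentionally different from the others.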