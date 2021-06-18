



Google has proposed a framework called SLSA to address supply chain attacks, a security risk exemplified by the recent compromise of the SolarWinds Orion IT monitoring platform.

SLSA stands for Supply-chain Levels for Software Artifacts, pronounced “salsa” by those inclined to add helpful vowels. It aims to provide security guidance and programmatic guarantees for the process of building and deploying software.

“SLSA’s goal is to improve the state of the industry, especially open source, and protect against the most pressing integrity threats,” said Kim Lewandowski, Google Product Manager, and Mark Lodato, Google Software Engineer, in a blog post on Wednesday. “SLSA allows consumers to make informed choices about the security posture of the software they consume.”

Recently there has been a surge in supply chain attacks that exploit weaknesses in the pipelines through which software is built and distributed. Beyond the SolarWinds incident and the exploitation of Apache Struts vulnerabilities, there have been numerous attacks on the software package registries that developers rely on to assemble complex applications, such as npm, PyPI, RubyGems, and Maven Central.

According to security biz Sonatype [PDF], attacks on open source projects increased by 430 per cent in 2020. One of many plausible reasons is that compromising a widely used library guarantees broad distribution of malware through every package that depends on it. As a 2019 TU Darmstadt research paper put it, the top five npm packages in 2018 were “each reaching 134,774-166,086 other packages, making them a very attractive target for attackers.”

Eat your own dog food

SLSA is based on Google’s own internal security process, Binary Authorization for Borg, which the advertising giant has used for more than eight years and which is now mandatory for its production workloads. It consists of standards (the rules), accreditation (a way to establish compliance with those standards), and technical controls (signed metadata that feeds an automated policy framework).

At present SLSA amounts, more or less, to useful security advice, but the hope is that it will become more than that.

“In its final form, SLSA will differ from a list of best practices in its enforceability: it will support the automatic creation of auditable metadata that can be fed into policy engines to give ‘SLSA certification’ to a particular package or build platform,” explained Lewandowski and Lodato.

Four levels of compliance are envisioned. The highest, SLSA 4, calls for a hermetic, reproducible build process and two-person review of all changes, as a reasonable way of ensuring that nothing has been tampered with.
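To make the “auditable metadata fed into a policy engine” idea concrete, here is an added example in Go. It is not Google’s code and not SLSA’s reference implementation: a build platform signs a simplified provenance statement over an artifact’s SHA-256 digest, and a consumer-side check verifies the signature against a list of trusted builder keys, confirms the attestation covers the artifact actually being installed, and only then applies a policy demanding the hermetic-build and two-person-review properties described above. The statement layout, field names, builder and source URIs are assumptions for illustration; real SLSA provenance has a richer schema, and a level is earned by verified properties of the build platform, not by flags the producer reports about itself.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Statement: in-toto-style binding of build claims to an artifact digest (simplified, not the spec).
type Statement struct {
	Subject   []Subject  `json:"subject"`
	Predicate Provenance `json:"predicate"`
}

type Subject struct{ Name string `json:"name"`; Digest map[string]string `json:"digest"` }

// Provenance: the claims a policy engine examines; the flags abbreviate the SLSA 4 requirements above.
type Provenance struct {
	BuilderID         string `json:"builderId"`
	SourceURI         string `json:"sourceUri"`
	Hermetic          bool   `json:"hermetic"`
	TwoPersonReviewed bool   `json:"twoPersonReviewed"`
}

// Envelope carries the serialized statement, its signature and the claimed signer.
type Envelope struct{ Payload, Signature []byte; BuilderID string }

// Policy is what the consumer demands before accepting an artifact (assumed shape).
type Policy struct {
	TrustedBuilders                   map[string]ed25519.PublicKey // builder ID -> signing key
	AllowedSource                     string
	RequireHermetic, RequireTwoPerson bool
}

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// NewStatement is the producer side: name the artifact by its digest.
func NewStatement(name string, artifact []byte, p Provenance) Statement {
	return Statement{Subject: []Subject{{Name: name, Digest: map[string]string{"sha256": sha256Hex(artifact)}}}, Predicate: p}
}

// Sign is what the build platform does with its private key.
func Sign(st Statement, priv ed25519.PrivateKey) Envelope {
	payload, _ := json.Marshal(st) // plain strings and bools: cannot fail
	return Envelope{Payload: payload, BuilderID: st.Predicate.BuilderID, Signature: ed25519.Sign(priv, payload)}
}

// Verify is the consumer-side check: nil only if the envelope is signed by a
// trusted builder, covers this exact artifact, and the claims satisfy the policy.
func Verify(env Envelope, artifact []byte, pol Policy) error {
	key, ok := pol.TrustedBuilders[env.BuilderID]
	if !ok {
		return fmt.Errorf("untrusted builder %q", env.BuilderID)
	}
	// Check the signature before trusting anything inside the payload.
	if !ed25519.Verify(key, env.Payload, env.Signature) {
		return errors.New("signature does not verify")
	}
	var st Statement
	if err := json.Unmarshal(env.Payload, &st); err != nil {
		return err
	}
	// The attestation must name the artifact actually being installed.
	covered := false
	for _, s := range st.Subject {
		covered = covered || s.Digest["sha256"] == sha256Hex(artifact)
	}
	p := st.Predicate
	switch {
	case !covered:
		return errors.New("attestation does not cover this artifact")
	case p.BuilderID != env.BuilderID: // identity comes from the key that verified, not the claim
		return errors.New("builder id in payload does not match signing key")
	case p.SourceURI != pol.AllowedSource:
		return fmt.Errorf("unexpected source %q", p.SourceURI)
	case pol.RequireHermetic && !p.Hermetic:
		return errors.New("build was not hermetic")
	case pol.RequireTwoPerson && !p.TwoPersonReviewed:
		return errors.New("changes were not two-person reviewed")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	artifact := []byte("constructed example artifact bytes") // constructed sample input
	prov := Provenance{BuilderID: "https://builder.example/v1", SourceURI: "git+https://git.example/org/pkg", Hermetic: true, TwoPersonReviewed: true}
	pol := Policy{TrustedBuilders: map[string]ed25519.PublicKey{prov.BuilderID: pub}, AllowedSource: prov.SourceURI, RequireHermetic: true, RequireTwoPerson: true}
	env := Sign(NewStatement("pkg.tar.gz", artifact, prov), priv)
	fmt.Println("genuine artifact:", Verify(env, artifact, pol))
	fmt.Println("swapped artifact:", Verify(env, []byte("tampered"), pol))
}
```

The ordering inside Verify is the point worth copying: the key is looked up from the consumer’s own trust list, the signature is checked before any field of the payload is read, the subject digest is compared against the bytes actually being installed, and only then are the build claims evaluated against policy. Any check done in a different order lets an attacker influence the decision with data they control.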

SLSA is expected to help detect problems such as hypocrite commits, compromised source control platforms, malicious changes to or compromise of build infrastructure, compromised dependencies, malicious build artifacts, repository hijacking, and typosquatting attacks.

In related security news, Google and ISRG, the non-profit behind Let’s Encrypt and other useful projects, have since April been funding developer Miguel Ojeda for a year’s work on Rust for Linux and other security projects. Adding Rust code to the Linux kernel is expected to reduce memory safety errors.

“Since [the Linux kernel is] mainly written in C, it is not memory safe. Memory safety vulnerabilities such as buffer overflows and use-after-free are always a concern,” said Josh Aas, executive director of ISRG, in a blog post.

“By making it possible to write parts of the Linux kernel in memory-safe Rust, we can completely eliminate memory safety vulnerabilities from certain components, such as drivers.”

