
Open Source Security Foundation OpenSSF

History

2024: Hackers try to seize control in Open Source communities

The Open Source Security Foundation (OpenSSF), the Linux Foundation body that works on improving the security of open source projects, published a warning in mid-April[1] about attempts to seize control of the development communities of various OpenJS Foundation projects.

This organization acts as a platform for the development of JavaScript-based projects such as Node.js, jQuery, Appium, Dojo, PEP, Mocha and webpack. According to Omkhar Arasaratnam, general manager of OpenSSF, and Robin Ginn, chief operating officer of the OpenJS Foundation, the activities of some developers resemble those used by the attackers who seized control of the XZ Utils project and embedded a backdoor into the utility in order to compromise SSH servers.

Kaspersky Lab published a study[2] of the backdoor implanted in XZ Utils

An attempt to plant a malicious backdoor in XZ Utils was discovered by the community at the end of March this year. Here is how Kaspersky Lab characterized the situation in its Telegram channel:

"The main conclusion is that the attackers wanted to achieve execution of arbitrary code through sshd, which would give them free access to a huge number of servers running SSH. To solve such an ambitious task, a multi-stage operation and a very cunning infection chain were developed, including hiding parts of the backdoor in test cases in order to reduce the likelihood of detection during source code analysis."

Naturally, after such an attack on the supply chain of open components was identified, other institutions involved in developing open-source projects began to revise their rules for granting control over projects, especially key ones.

The JavaScript ecosystem is one of the most important today, since it is used in most web applications. OpenSSF therefore decided to prepare a corresponding report.

In particular, its authors identified the following patterns of suspicious behavior that suggest social engineering in the actions of developers:

  • Friendly but aggressive and persistent pressure on maintainers or the hosting organization from relatively unknown community members.
  • Requests from new or unknown persons to promote a particular contributor to maintainer status.
  • Endorsements of new code come from unknown community members who may also be using fake identities.
  • Public activity and attempts to embed blobs as artifacts in the code. For example, the XZ Utils backdoor was a specially crafted file in the test suite that could not be read by a human.
  • Intentionally confusing or hard-to-understand source code.
  • Gradually escalating security issues. For example, the XZ Utils case began with a relatively harmless replacement of the safe_fprintf() function with fprintf(), to see who would fix it and how.
  • Using atypical methods to compile, build and deploy the project, which can allow external malicious binary artifacts to be inserted.
  • Instilling a false sense of urgency, especially if it pushes the maintainer to reduce scrutiny or skip code review steps.
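Three of the indicators above (an opaque blob in the test suite, build machinery edited in the same commit, and a relatively unknown author) can be checked mechanically over a commit history. The Python below is an added example, not code from OpenSSF or the article; the path prefixes, the newcomer threshold and the simplified numstat-style sample log are all constructed here.

```python
from collections import Counter

# Constructed prefixes; adjust per project. Blob under tests + build edit = XZ pattern.
BUILD_PREFIXES = ("configure.ac", "Makefile.am", "CMakeLists.txt", "build-aux/", "m4/")
TEST_PREFIXES = ("tests/", "test/")
NEWCOMER_LIMIT = 3  # authors with fewer prior commits count as "relatively unknown"

def parse_numstat(text):
    """Parse blank-line-separated blocks (sha, author, numstat lines), oldest first."""
    commits = []  # (sha, author, [(added, deleted, path)]); counts are None for binaries
    for block in text.strip().split("\n\n"):
        sha, author, *stat = block.strip().splitlines()
        files = []
        for line in stat:
            added, deleted, path = line.split("\t", 2)
            binary = added == "-"  # git prints '-' for both counts of a binary file
            files.append((None if binary else int(added), None if binary else int(deleted), path))
        commits.append((sha, author, files))
    return commits

def flag_commits(commits):
    """Return {sha: [reasons]} for commits matching the indicators above."""
    prior = Counter()  # commits already seen per author
    findings = {}
    for sha, author, files in commits:
        reasons = []
        blobs = [p for a, _, p in files if a is None and p.startswith(TEST_PREFIXES)]
        build = [p for _, _, p in files if p.startswith(BUILD_PREFIXES)]
        if blobs:
            reasons.append("opaque binary added under test suite: " + ", ".join(blobs))
        if blobs and build:
            reasons.append("same commit edits build machinery: " + ", ".join(build))
        if reasons and prior[author] < NEWCOMER_LIMIT:
            reasons.append(f"author has only {prior[author]} prior commits")
        prior[author] += 1
        if reasons:
            findings[sha] = reasons
    return findings

# Constructed sample history (not a real repository) in a simplified numstat shape
SAMPLE_LOG = """\
aaa111
Long-time Maintainer
12\t3\tsrc/lzma/encoder.c

bbb222
New Contributor
-\t-\ttests/files/sample-corrupt.xz
40\t2\tm4/example.m4
"""
```

Calling flag_commits(parse_numstat(SAMPLE_LOG)) reports only the constructed bbb222 commit, with all three reasons; the maintainer's commit is left alone.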

Interestingly, if we apply these signs of dangerous developer behavior in open-source projects, participants in the Russian program for securing open-source projects, coordinated by FSTEC of Russia, may also fit them. In that program, the verification and elimination of vulnerabilities in key open components is carried out by Russian development companies that analyze code in order to find and fix defects. Naturally, this requires introducing their engineers into the decision-making chain. As a result, project owners may regard such actions as an attempt to seize control.

In general, it can be stated that work with open-source code is now changing. You can no longer simply take and use third-party code, even under an open license. Companies that develop software based on open-source code have to set up a separate function within the secure development lifecycle: open source security (OSS). Such units apply measures and technologies to protect against vulnerabilities, threats and attacks that may arise during the development, use and distribution of open source software.

"Within the framework of OSS, code is analyzed for vulnerabilities, regular updates and patches are issued to fix detected problems, component supply chains are controlled, users are authenticated and authorized, data is encrypted, and other measures aimed at ensuring the security of open source projects are taken," Alexander Chernov, head of cyber intelligence at Innostage CyberART, explained to TAdviser. "It is also important to support an active developer and user community to respond quickly to vulnerabilities and share security information. It is worth noting that this area is relatively new, and only very mature companies implement OSS processes. Open-source incidents show that this issue needs to be given due consideration."

2020: Creation of the organization

In early August 2020, Microsoft, Google, Red Hat, IBM and several other technology companies launched the Open Source Security Foundation (OpenSSF) to address open source software security issues. The alliance was created under the umbrella of the Linux Foundation.

The main goal of OpenSSF is to simplify the industry's efforts to protect Open Source products by bringing together the most popular projects and the companies involved in these initiatives. The creators of OpenSSF note that open source software has become widespread in the technology industry and is used everywhere, from data centers to consumer devices.

Microsoft, Google and IBM have created an organization to protect open source software from viruses

As Microsoft explained, the open community develops Open Source software without a single center responsible for its quality and support. As source code is copied and modified, versioning becomes more complicated and the risk of malicious elements being introduced increases. This makes joint efforts to improve the security of open source software necessary, the company noted.

The Core Infrastructure Initiative, created in response to the 2014 discovery of the infamous Heartbleed vulnerability in the OpenSSL library, as well as the Open Source Security Coalition, founded in 2019 at the initiative of GitHub Security Lab, are coming under the OpenSSF umbrella.

In addition, the plan is to use secure build systems when developing open source software. OpenSSF will work on coordinated vulnerability disclosure, the development of security tools, and mechanisms for protecting software from viruses.[3]

Notes