
A new tool hopes to rescue open source from supply chain attacks



Russia's destructive NotPetya malware attack and its more recent SolarWinds cyber espionage campaign have something in common besides the Kremlin: both are real-world examples of software supply chain attacks, the term for what happens when a hacker inserts malicious code into legitimate software that can then spread widely. As more and more supply chain attacks emerge, a new open source project is preparing to take a stand and make an important protection measure free and easy to implement.

The founders of Sigstore hope their platform will promote the adoption of code signing, an important protection for the software supply chain that popular, widely used open source software often overlooks. Open source developers do not always have the resources, time, expertise, or funds to implement code signing properly on top of all the other non-negotiable components they need to build just to make their code work.

“Until about a year and a half ago, I felt like a lunatic standing in a corner with a sign in my hand that said ‘the end is coming.’ No one understood this problem,” said Dan Lorenc, a researcher and engineer working on open source software supply chain security at Google. “But in the past year, the situation has changed a lot. Now everyone is talking about supply chain security, we have an executive order regarding it, everyone is beginning to realize the importance of open source and how we can actually invest some resources to fix its security for everyone.”

Lorenc is far from the only one focused on the challenge of securing open source projects and the software supply chain. However, the mainstream attention brought by recent high-profile hacking attacks has given a whole new energy to the work Lorenc and his collaborators have already been carrying out.

To understand the importance of Sigstore, you need to understand the role of code signing. Think of it as a battle order delivered in ancient times. The generals would recognize the handwriting of the royal scribe, the signature of the commander-in-chief, and the detailed wax seal on the envelope, while a carefully vetted network of pages conveyed the message through a controlled chain of custody. The system is effective because it is difficult (though not entirely impossible) for an outside party to penetrate the process, copy the key elements, and bypass all of these integrity checks.

The same is true for cryptographic code signing. You can’t just write a Windows update and distribute it to your closest friends or enemies. Unless something has gone seriously wrong, only Microsoft can do that. For anyone outside Microsoft, one reason sending an update to your Windows laptop is so challenging is that the software needs to be “signed” by the right creator at the right time. It is the John Hancock and wax seal of the digital age.

You can also see why the stakes are so high, in ancient warfare and modern software alike. Someone who can send rogue orders or updates could launch a coup, or endanger billions of computers. The benefits of code signing are obvious, but the barrier to entry needs to be low for enthusiasts, volunteers, and other open source contributors to adopt it.

“These are huge issues that put the entire world’s infrastructure at risk,” said Bob Callaway, chief architect at the enterprise open source software company Red Hat. “This is certainly not a panacea for all problems, but it will greatly weaken people’s actual use of best practices and encryption techniques that have existed for a long time, and make releases more secure.”

Sigstore, which is affiliated with the Linux Foundation and currently led by Google, Red Hat, and Purdue University, combines two components. First, it coordinates the complex cryptography for users; it even offers to handle literally everything for developers who can’t or don’t want to do the extra work themselves. By using established, pre-existing identifiers (such as email addresses) or third-party login systems (such as Google login or Facebook login), you can quickly start to cryptographically sign the code you produce at a specific point in time. Second, Sigstore automatically generates a public, immutable, open source log of all activity. This provides public accountability for every submission and a place to start investigating when something goes wrong.
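The two components described above, as an added example that is not Sigstore's own code: a short-lived signing key tied to a login identity, and an append-only hash-chained log that any verifier can recompute. The identity string, the `chain` construction and the sample artifact are assumptions for illustration; the real project's log format is not shown here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Entry: who (per a login provider) signed which artifact digest with which ephemeral key.
type Entry struct {
	Identity string // e.g. an email address from an OIDC login (assumed)
	Digest   [32]byte
	Pub      *ecdsa.PublicKey
	Sig      []byte
}

// Log is append-only: Head hash-chains every entry in order, so none can be altered quietly.
type Log struct{ Entries []Entry; Head [32]byte }
// chain folds one entry into the running log head (illustrative; a real log length-prefixes fields).
func chain(head [32]byte, e Entry) [32]byte {
	buf := append(head[:], e.Identity...)
	buf = append(append(buf, e.Digest[:]...), e.Pub.X.Bytes()...)
	buf = append(append(buf, e.Pub.Y.Bytes()...), e.Sig...)
	return sha256.Sum256(buf)
}

// SignArtifact mints a throwaway P-256 key, signs the digest, appends the record, drops the key.
func SignArtifact(l *Log, identity string, artifact []byte) error {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	e := Entry{Identity: identity, Digest: sha256.Sum256(artifact), Pub: &priv.PublicKey}
	if e.Sig, err = ecdsa.SignASN1(rand.Reader, priv, e.Digest[:]); err != nil {
		return err
	}
	l.Entries, l.Head = append(l.Entries, e), chain(l.Head, e)
	return nil
}

// Verify recomputes the chain, then needs an entry binding this identity to exactly this artifact.
func Verify(l *Log, identity string, artifact []byte) bool {
	digest, head, found := sha256.Sum256(artifact), [32]byte{}, false
	for _, e := range l.Entries {
		head = chain(head, e)
		found = found || (e.Identity == identity && e.Digest == digest && ecdsa.VerifyASN1(e.Pub, digest[:], e.Sig))
	}
	return found && head == l.Head
}
```

A tampered artifact, a different identity, or an edit to an already-logged entry all make `Verify` return false, which is the accountability property the public log is meant to provide.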



