A couple of recent incidents are shedding some light on the complexity of ensuring software code integrity throughout the supply chain.
In the first incident, nothing more than a USB battery charger connected to a USB port can turn your PC into a zombie under the control of attackers (see US CERT’s note: Energizer DUO USB battery charger software allows unauthorized remote system access). While there is nothing new in this type of attack, recent headlines showing how attackers can mount complex schemes by compounding well-known attack vectors demonstrate that trustworthy software is an essential part of the solution.
So, how do we get there? Clearly, signing software is not sufficient: the USB battery charger program was digitally signed. Signing software guarantees that the software comes from a trusted vendor; it does not tell you whether the software itself is trustworthy. Only strong software assurance programs can increase the trust we put in the software we buy or download.
In its recent report, SAFECode defines software assurance as “confidence that software, hardware and services are free from intentional and unintentional vulnerabilities and that the software functions as intended.” This can only be achieved by ingraining software security practices in the development process, along two dimensions:
- Reducing the occurrence of unintentional vulnerabilities by training developers and by performing threat modeling, source code scanning and security testing during the software development lifecycle.
- Controlling code integrity throughout the lifecycle to prevent (a) the addition of malware to the software binary by an infected computer involved in the software development lifecycle and (b) the insertion of malicious software directly in the source code by an attacker.
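The following is an added example, not code from the original post or from SAFECode, illustrating the second dimension (an integrity baseline that detects files altered or added after the baseline was taken) together with the point made earlier about signing: a vendor signature over the manifest proves who published it, and fails when the manifest is rewritten to cover a change, but a valid signature by itself says nothing about whether the content is benign. The "source tree", the file names and the vendor key are all constructed for the example; an HMAC stands in for the vendor's real code-signing key.

```python
import hashlib
import hmac
import json

# Constructed sample "source tree": path -> contents. Not a real project.
SOURCE_TREE = {
    "src/charger.c": b"int main(void) { return 0; }\n",
    "src/util.c": b"int helper(int x) { return x + 1; }\n",
    "Makefile": b"all:\n\tcc -o charger src/charger.c src/util.c\n",
}

# Hypothetical vendor signing key, constructed for the example only.
VENDOR_KEY = b"example-release-signing-key"


def build_manifest(tree):
    """Map each path to the SHA-256 of its contents: the integrity baseline."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in sorted(tree.items())}


def sign_manifest(manifest, key):
    """Vendor signature over the canonical manifest (HMAC stands in for a real signature)."""
    canonical = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def signature_is_valid(manifest, signature, key):
    """Constant-time check that the signature matches this exact manifest."""
    return hmac.compare_digest(sign_manifest(manifest, key), signature)


def verify_tree(tree, manifest):
    """Compare a tree against the baseline manifest and report what changed."""
    current = build_manifest(tree)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "added": sorted(p for p in current if p not in manifest),
        "removed": sorted(p for p in manifest if p not in current),
    }


def demo():
    """Run the three scenarios and return (diff, forged_ok, genuine_ok)."""
    baseline = build_manifest(SOURCE_TREE)
    sig = sign_manifest(baseline, VENDOR_KEY)

    # Scenario 1: a file is altered and another added after the baseline was taken.
    tampered = dict(SOURCE_TREE)
    tampered["src/util.c"] = b"int helper(int x) { return x + 1; } /* altered */\n"
    tampered["src/extra.c"] = b"/* file not in the baseline */\n"
    diff = verify_tree(tampered, baseline)

    # Scenario 2: the manifest is rewritten to match the altered tree; the vendor
    # signature no longer verifies, so the rewrite is detected.
    forged = build_manifest(tampered)
    forged_ok = signature_is_valid(forged, sig, VENDOR_KEY)

    # Scenario 3: the untouched manifest verifies. This proves origin only; it would
    # verify just as well if the vendor had signed flawed code.
    genuine_ok = signature_is_valid(baseline, sig, VENDOR_KEY)
    return diff, forged_ok, genuine_ok


if __name__ == "__main__":
    print(demo())
```

In practice the baseline would be produced on a clean build host and checked again at every hand-off (source checkout, build output, packaging), so that an infected machine anywhere in the pipeline shows up as a manifest mismatch rather than as a signed, shipped binary.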
The second incident shows that the security of the final system does not depend solely on the trustworthiness of the software it is made of. Recently, Vodafone smartphones running Google's Android software were found to be infected by the Mariposa botnet (see Malware found on HTC Android phone from Vodafone). In this case the malware does not appear to come from the Android software itself, but rather to have been inserted later in the assembly process, when the components were integrated by the phone manufacturer.
This is a great illustration of how all actors involved in the software supply chain play a role in delivering trustworthy solutions or systems to end customers. Software vendors need to apply controls in their software development process both to the software they develop and to the software they integrate into their own products. System integrators need to do the same when they assemble the final solution for their customers.
Recent work by SAFECode (Software Supply Chain Integrity Framework) and by the University of Maryland in collaboration with SAIC (A Cyber Supply Chain Assurance Reference Model) has started defining how software assurance spans the software supply chain. These are the first steps towards a better understanding of a very complex problem that can only be solved through close collaboration between the actors involved in the software supply chain.