Jeremy Long, founder and lead of the OWASP dependency-check project, believes he has found a way into the hard problem of securing the software supply chain. Long has proposed a process he calls binary source validation, which inspects software one layer below its source code: the build artifacts that a compiler produces from that source. By validating that those artifacts really correspond to the source they claim to come from, Long hopes to raise the assurance of the overall software build.
The concept traces back to Ken Thompson's well-known 1984 paper "Reflections on Trusting Trust," his Turing Award lecture. Thompson, a co-creator of Unix, described how a compiler can be modified to plant a backdoor in the programs it compiles without that backdoor ever appearing in their published source. The trick has a second stage: the compiler is also taught to recognize when it is compiling its own source and to re-insert both modifications, so even rebuilding the compiler from clean source yields a compromised compiler. From then on every program it compiles can carry the backdoor, and no amount of source review will reveal it. Thompson related in the paper that he had planted such a bug in the compiler, targeting the Unix login command.
According to Long, conventional developer tooling, which checks the dependencies declared in source code against databases of known vulnerabilities, cannot detect a backdoor of this kind or any other malicious code hidden in the build output, because it never looks at what the compiler actually produced. He argues that the process of building software has to be examined more deeply, and that the binary output of the compiler needs to be validated in its own right.
At the Black Hat USA 2023 conference in Las Vegas, Long presented his approach, along with other open problems in securing the software supply chain, in a session titled "Reflections on Trust in the Software Supply Chain."
To demonstrate binary source validation, Long concentrated on managed languages and runtimes such as Java and .NET, whose compilers emit bytecode rather than native machine code. He found that IBM's Code Genome project, itself inspired by Thompson's paper, came closest to the solution he envisions. Code Genome aims to give software a "semantically meaningful fingerprint," a way for developers to validate an artifact independently of whoever built it. By analyzing the instruction stream of the binary, Long explained, developers can check whether it is consistent with the source code, and so gain confidence that the build step has not been tampered with.
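The following is an added example, not code from Long's talk, from IBM's Code Genome or from OWASP dependency-check. It shows the idea in miniature on CPython bytecode: the `dis` module stands in for Java/.NET bytecode disassembly and `compile()` stands in for the build step. A shipped artifact is fingerprinted by its instruction stream, and that fingerprint is compared with one computed from a fresh build of the source it claims to come from. The three sample sources are constructed for the example; the backdoored one is the Thompson-style scenario above, where the artifact carries logic the published source never shows.

```python
"""Toy binary source validation over CPython bytecode (added example)."""
import dis
import hashlib
import types


def instruction_fingerprint(code: types.CodeType) -> str:
    """SHA-256 over the instruction stream of `code` and all nested code.

    Only opcode names and resolved operands are hashed, so comments,
    whitespace and line numbers do not influence the result, while any
    change to what the code does (an extra comparison, a new constant)
    does. That is the "semantically meaningful" part of the fingerprint.
    """
    h = hashlib.sha256()
    _hash_instructions(code, h)
    return h.hexdigest()


def _hash_instructions(code: types.CodeType, h) -> None:
    for ins in dis.get_instructions(code):
        if isinstance(ins.argval, types.CodeType):
            # A nested function or class body. Hash a stable label instead
            # of repr(), whose memory address would differ on every build,
            # then descend into the nested code object.
            h.update(f"{ins.opname} <code {ins.argval.co_name}>\n".encode())
            _hash_instructions(ins.argval, h)
        else:
            h.update(f"{ins.opname} {ins.argval!r}\n".encode())


def build(source: str) -> types.CodeType:
    """Stand-in for the compiler: source text in, code object out."""
    return compile(source, "<artifact>", "exec")


def validate_artifact(artifact: types.CodeType, claimed_source: str) -> bool:
    """True if `artifact` is consistent with a fresh build of `claimed_source`.

    Assumes the validator's own compiler is trustworthy (see note below).
    """
    return instruction_fingerprint(artifact) == instruction_fingerprint(build(claimed_source))


# Constructed sample: the source a reviewer sees in the repository.
PUBLISHED_SOURCE = """
def check_password(user, password, store):
    expected = store.get(user)
    return expected is not None and expected == password
"""

# Same logic after cosmetic edits (comment, blank line, line wrapping).
# A semantic fingerprint must treat this as equivalent to PUBLISHED_SOURCE.
REFORMATTED_SOURCE = """
# Verify a login attempt against the credential store.
def check_password(user, password, store):

    expected = store.get(user)  # None when the user is unknown
    return (expected is not None
            and expected == password)
"""

# What a tampered build pipeline actually compiled: a Thompson-style master
# password that appears nowhere in the published source.
BACKDOORED_SOURCE = """
def check_password(user, password, store):
    expected = store.get(user)
    if password == "0wn3d":
        return True
    return expected is not None and expected == password
"""


def demo() -> dict:
    """Validate three shipped artifacts against the published source."""
    return {
        "honest build": validate_artifact(build(PUBLISHED_SOURCE), PUBLISHED_SOURCE),
        "cosmetic edits": validate_artifact(build(REFORMATTED_SOURCE), PUBLISHED_SOURCE),
        "backdoored build": validate_artifact(build(BACKDOORED_SOURCE), PUBLISHED_SOURCE),
    }


if __name__ == "__main__":
    for label, ok in demo().items():
        print(f"{label:17} {'matches source' if ok else 'DOES NOT match source'}")
```

Two caveats a practitioner would want. First, the check establishes only that the artifact matches the source; it says nothing about whether the source itself is benign, so it complements rather than replaces source review and dependency scanning. Second, the rebuild here runs on the same interpreter as the artifact, which is exactly the gap Thompson's paper describes: a compromised compiler would produce the same backdoored output on both sides and the fingerprints would agree. In practice the reference build should come from an independent toolchain (the diverse double-compiling countermeasure described by David A. Wheeler) or from a fingerprint published by a party other than the one that produced the artifact.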
Software bills of materials (SBOMs) have been praised for giving organizations visibility into what is in their software and for helping them find known vulnerabilities, but Long argues they are not enough. An SBOM is essentially an inventory of a product's components and their dependencies; matched against vulnerability databases, it lets an organization check that nothing with a known vulnerability ships. That focus on already-catalogued vulnerabilities, Long notes, leaves supply chain security incomplete: an inventory says nothing about whether a listed component's binary actually matches its source.
Recognizing that more is needed, CycloneDX, an open-source SBOM standard, has added a formulation bill of materials in its latest version (1.5). A formulation BOM describes not only the dependencies the software needs to run but how it was built: the build platform, plug-ins, libraries and other components used in the build, so that known vulnerabilities in any of those can be identified before deployment. Long suggests, however, that this still falls short against zero-day vulnerabilities, and he stresses that no suitable tools exist yet for that gap.
Long sees binary source validation as a candidate solution to these supply chain security challenges. He acknowledges, though, that it will take time for the approach to mature and gain wide adoption.
The urgency comes from a series of high-impact incidents. In the SolarWinds compromise, attackers inserted malicious code into the vendor's build process so that signed, official updates carried a backdoor; with Log4j (Log4Shell), a critical vulnerability in a ubiquitous open-source dependency exposed countless downstream applications. Both showed how hard such threats are to counter and how few mechanisms developers have for identifying malicious or vulnerable code in a component before it is widely deployed.
Attackers have also moved upstream, targeting open-source code libraries and the package repositories and tooling of popular ecosystems such as Python. Compromising one widely used package or tool gives a malicious actor a foothold in every system that pulls it in, amplifying the impact of a single intrusion.
Binary source validation offers a fresh angle on the problem. By checking that build artifacts match their source rather than trusting the build step, developers gain stronger assurance that the build has not been compromised. Challenges remain, but Long's approach has the potential to change how software is built and secured.