Analysing how to prevent supply chain attacks

> Abstract: Supply chain attacks have become frequent recently. Supply chain attacks and ransomware attacks are becoming an important way for attackers to profit, and the harm they cause to society is enormous. How to defend effectively against supply chain attacks is becoming a question software vendors must think about, and Google's SLSA supply chain integrity framework gives us many useful references.

This article is shared from the Huawei Cloud community post [《供應鏈攻擊的防範》](https://bbs.huaweicloud.com/blogs/281888?utm_source=infoq&utm_medium=bbs-ex&utm_campaign=developer&utm_content=content), original author: Uncle_Tom.

# 1. The largest ransomware attack in history

On 2 July the ransomware group REvil attacked Kaseya, an IT managed service provider (MSP) from Sweden.

Kaseya's VSA (Virtual System Administrator) is a cloud-based managed service provider (MSP) platform that gives customers a new generation of web-based, automated IT system management. MSPs set up their own Network Operating Center (NOC) to deliver 24×7×365 system management services to enterprises: remote management of the customer's IT systems, real-time monitoring, statistics on how the enterprise's systems are running, patch management and so on.

Kaseya has more than 10,000 customers worldwide, including over 50% of the world's top 100 IT managed service providers and leading enterprises in banking, finance, retail, trade, education, government, healthcare and transportation. More than 13 million endpoints and devices around the world are managed through Kaseya's software.

After compromising the MSP platform through a zero-day vulnerability (CVE-2021-30116), REvil pushed a malicious update through VSA and deployed ransomware on enterprise networks, so that Kaseya suffered a toolchain attack. REvil claimed to have locked more than a million systems and offered to negotiate a universal decryptor starting at 70 million US dollars, the highest ransom demanded to date.

![](https://static001.geekbang.org/infoq/39/396d020c17e3d2fb7edfa49ea45f361e.jpeg)

REvil's frequent attacks:

- May 2020: REvil claimed to have cracked the elliptic-curve cryptography that Donald Trump's company used to protect its data and demanded a 42 million US dollar ransom for the stolen data.
- 18 March 2021: REvil affiliates claimed online that they had installed ransomware at the multinational hardware and electronics company Acer and stolen large amounts of data, demanding a 50 million US dollar ransom.
- 27 March 2021: REvil attacked the Harris Federation and published several of the federation's financial documents on its blog.
- April 2021: REvil stole Quanta Computer's plans for upcoming Apple products and threatened to publish them unless it received 50 million US dollars in ransom.
- 30 May 2021: JBS, the world's largest meat supplier, was hit by REvil ransomware; the company had to shut all of its US beef plants temporarily and its poultry and pork operations were disrupted. JBS eventually paid REvil a ransom of 11 million US dollars in Bitcoin.
- 11 June 2021: Invenergy, a global renewable-energy giant, confirmed that its operating systems had been hit by ransomware, and REvil claimed responsibility.

# 2. Supply chain attacks have become frequent

- 2020/12: SolarWinds software used in a supply chain attack

SolarWinds was founded in 1999 and is headquartered in Austin, Texas, with sales and product development offices in several countries. It mainly produces and sells network and system monitoring and management software, serving 300,000 customers worldwide, covering government, military, education and many other important institutions and more than 90% of the Fortune Global 500. Its list of well-known customers includes 425 of the US Fortune 500; the ten largest US telecommunications companies; all five branches of the US military; the Pentagon, the US State Department, NASA, the NSA, the US Postal Service, NOAA, the US Department of Justice and the Office of the President; the top five US accounting firms; and hundreds of universities worldwide.

It is estimated that more than 250 US federal agencies and enterprises were affected, including the US Treasury, the US NTIA and the US security company FireEye, which makes this arguably the most influential supply chain attack of 2020.

- 2020/12: the hacker group FIN11 attacked hundreds of enterprises worldwide through multiple 0-day vulnerabilities in Accellion FTA servers

The attackers exploited four security flaws in Accellion FTA servers (FTA is a file-sharing tool developed in the 2000s that lets enterprises share files with employees and customers in a simple way), installed a webshell named "DEWMODE", and then used it to download files stored on the victims' FTA appliances. Accellion stated in a press release: "Of approximately 300 FTA clients, fewer than 100 were victims, and fewer than 25 of those suffered significant data theft." Among those 25 customers, some received extortion notes after their FTA file-sharing servers were attacked: the attackers sent emails demanding payment in Bitcoin, failing which the victims' data would be published on a site run by the Clop ransomware gang.

- 2021/03: SITA, the international aviation telecommunications company, suffered a supply chain attack

SITA, a communications and IT vendor serving 90% of the global aviation market, reported that passenger information stored on its servers in the United States was hit by a "highly sophisticated attack". The affected servers were located in Atlanta and belong to the SITA Passenger Service System (SITA PSS). SITA PSS operates the system to process airline passenger information and is owned by several SITA companies headquartered in the EU. Star Alliance (the international airline alliance) members Lufthansa, Air New Zealand and Singapore Airlines, as well as OneWorld members Cathay Pacific, Finnair, Japan Airlines and Malaysia Airlines, have begun notifying affected customers, and the passenger data of the Korean airline Jeju Air was also reported compromised.

# 3. Supply chain attacks

A supply chain attack is a threat that targets software developers and suppliers: the attacker distributes malware by infecting legitimate applications in order to reach source code, build processes or update mechanisms, and through them attacks developers and suppliers.

The software supply chain can be divided into three major stages: development, delivery and operation. Each stage can introduce supply chain security risk and be attacked, and security problems in an upstream stage propagate to downstream stages and are amplified there.

Attackers often compromise the server of a well-known official site and tamper with the source code of the software it distributes, so that the software triggers malicious behaviour when users download and install it. Because this software comes from a trusted distribution channel and carries the vendor's digital signature, the malware is far better hidden and much harder to detect.

When the malware spread through a supply chain attack uses encryption to lock up system data and extort the enterprise, it constitutes a ransomware attack. When a supply chain attack and a ransomware attack are used together, the damage is usually much greater.

For example, in the Kaseya attack, the security firm Huntress Labs published a Reddit post explaining in detail how the Kaseya VSA intrusion worked: the trojanised software was released as a "Kaseya VSA Agent Hot-fix", and through Kaseya's MSP management platform the patch was distributed to the VSA virtual machines Kaseya uses for customer management, where the malware encrypted the customers' critical data and held it for ransom.

- Typical attack methods of supply chain attacks

![](https://static001.geekbang.org/infoq/fc/fc90dfaba13fe7c80fe695a1f0fbba69.png)

The 2020 China Cybersecurity Report calls supply chain attacks one of the most influential advanced threats of 2020.

# 4. Preventing supply chain attacks

## 4.1. Google's SLSA supply chain integrity framework

On 16 June Google published a post titled "Introducing SLSA, an End-to-End Framework for Supply Chain Integrity" on its security blog, introducing SLSA (pronounced "salsa"), a framework for checking end-to-end supply chain integrity.

The problems SLSA addresses:

- Software producers want to protect their supply chains but do not know exactly how;
- Software consumers want to understand and limit their exposure to supply chain attacks but have no way to do so;
- Artifact signatures on their own only prevent a subset of the attacks we care about.

The standard SLSA defines is a set of guiding principles for software producers and consumers:

- Software producers can follow these guidelines to make their software more secure;
- Software consumers can make decisions based on the security posture of a software package.

SLSA is a set of incrementally adoptable security guidelines established by industry consensus. SLSA is meant to prevent common supply chain attacks: it explicitly enumerates the attacks each step of the development process may suffer, labelling them as eight attack points A through H, and it expresses the integrity strength of the supply chain through security levels assigned to the three artifacts the development process outputs: source, dependency and package. The four SLSA levels are designed to be incremental and actionable, and to prevent specific integrity attacks. SLSA 4 represents the ideal end state; the lower levels represent milestones with corresponding integrity guarantees.

## 4.2. Supply chain threats in the development process

- Diagram of supply chain threats in the development process

![Diagram of supply chain threats in the development process](https://static001.geekbang.org/infoq/d3/d3c22a64a686516b39e3aa72d258570f.jpeg)

- Definitions used in the diagram

![Definitions used in the diagram](https://static001.geekbang.org/infoq/d1/d12f69ecc423472f9bf9cd7ff672a944.jpeg)

- **Special case**:

A zip archive containing source code is a package, not a source, because that file is produced by building from other source code, for example a zip archive of a git commit.

- Description of the supply chain threats in the development process

![Description of the supply chain threats in the development process](https://static001.geekbang.org/infoq/1d/1d098ae987a98f87a0b909e1adac7d4e.jpeg)

## 4.3. SLSA security levels

An artifact's SLSA level describes the integrity strength of its direct supply chain. There are four SLSA levels. SLSA 4 is currently the highest and represents the ideal end state. SLSA 1 to 3 offer weaker guarantees but are easier to meet. In Google's experience, reaching SLSA 4 can take many years and a great deal of effort, so the intermediate milestones matter.

- Level definitions

![SLSA level definitions](https://static001.geekbang.org/infoq/e6/e6f9fe98342ce3cdd7a76b7f9d659c3f.jpeg)

## 4.4. Requirements of the SLSA security levels

SLSA defines the requirements for reaching each level, as follows:

![SLSA level requirements](https://static001.geekbang.org/infoq/ba/ba46ed7b09a717d015e999e65141fe95.jpeg)

## 4.5. Application example

The figure below is the example given by SLSA. Each delivered artifact has its own hash value and a provenance definition, which keeps every artifact traceable and verifiable.

![SLSA application example](https://static001.geekbang.org/infoq/7d/7d4738c16b0b3988a9bbec6a481e23aa.jpeg)

# 5. Summary

- Supply chain attacks are becoming one of the most damaging cyber threats, and their frequency is rising;
- Because a supply chain attack arrives through the upstream's official release channel with a valid signature, it is hard for downstream users to defend against;
- As software developers, besides managing open-source software defects properly, we must improve our own risk management so that we can recognise malicious changes in the development process and trigger investigation and countermeasures;
- Google's SLSA supply chain integrity framework comprehensively considers the security threats each stage of the supply chain can introduce and offers an effective way to prevent supply chain attacks;
- Google's SLSA supply chain integrity framework can serve as a very good reference for preventing supply chain attacks in our own development process.

# 6. References

- Microsoft Security: Supply chain attacks
- Google: Introducing SLSA, an End-to-End Framework for Supply Chain Integrity
- 2021-07-05 Ransomware group REvil launches a supply chain attack and demands a 70 million US dollar ransom
- 2021-03-07 Large-scale supply chain attack compromises several airlines
- 2020-12-16 Analysis of the SolarWinds supply chain attack
- Insights from RSA 2021 | How to defend against the much-hyped "supply chain attack"?
- 5-ways-your-software-supply-chain-is-out-to-get-you-part-5-hostile-takeover
- RSA Innovation Sandbox review: Apiiro, code risk platform
- top-5-tips-to-prevent-the-solarwinds-solorigate-attack
- Explaining the six most common types of software supply chain attacks
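The hash-plus-provenance arrangement that section 4.5 describes can be exercised end to end with a small script: the build side attaches a provenance statement to each artifact, and the consumer refuses any artifact whose bytes, builder or source materials do not match that statement. This is an added example written for this article, not code from the original post or from the SLSA project; the statement layout loosely follows the subject/predicate/materials shape of SLSA's in-toto attestations, but the exact field names, the builder ID and the HMAC signing key are assumptions standing in for a real build service's keys.

```python
"""Minimal SLSA-style provenance: the producer attaches a hash and a
provenance statement to each artifact; the consumer verifies both before
installing. Field names, builder ID and key are assumptions for this demo."""
import hashlib
import hmac
import json

# Constructed key standing in for the build service's signing key; a real
# build service uses an asymmetric key that only the builder holds.
BUILDER_KEY = b"constructed-builder-key"
BUILDER_ID = "https://example.invalid/ci-builder"  # assumed builder identity


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_provenance(name, artifact, source_uri, source_commit, source_bytes):
    """Producer side: record what was built, from which source, by whom,
    and sign the statement so nobody without the key can alter it."""
    statement = {
        "subject": [{"name": name, "digest": {"sha256": sha256(artifact)}}],
        "predicate": {
            "builder": {"id": BUILDER_ID},
            "materials": [{"uri": f"{source_uri}@{source_commit}",
                           "digest": {"sha256": sha256(source_bytes)}}],
        },
    }
    body = json.dumps(statement, sort_keys=True).encode()
    sig = hmac.new(BUILDER_KEY, body, hashlib.sha256).hexdigest()
    return {"payload": body.decode(), "signature": sig}


def verify(envelope, artifact, expected_builder, expected_source_sha256):
    """Consumer side: accept the artifact only if the provenance signature
    is valid, the builder is the trusted one, the artifact bytes match the
    recorded hash, and the build consumed the source we expect.
    Returns (ok, reason)."""
    body = envelope["payload"].encode()
    want = hmac.new(BUILDER_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(want, envelope["signature"]):
        return False, "provenance signature invalid"
    st = json.loads(body)
    if st["predicate"]["builder"]["id"] != expected_builder:
        return False, "unexpected builder"
    if st["subject"][0]["digest"]["sha256"] != sha256(artifact):
        return False, "artifact hash does not match provenance subject"
    mats = [m["digest"]["sha256"] for m in st["predicate"]["materials"]]
    if expected_source_sha256 not in mats:
        return False, "built from unexpected source"
    return True, "ok"


def demo():
    """Walk through a legitimate release, a swapped 'hot-fix' binary that
    reuses the original provenance, and a forged provenance signature."""
    source = b"print('hello')\n"           # constructed source snapshot
    package = b"compiled-artifact-bytes"   # constructed build output
    env = make_provenance("app-1.0.tar.gz", package,
                          "git+https://example.invalid/app", "abc123", source)
    good = verify(env, package, BUILDER_ID, sha256(source))
    # Different bytes pushed under the same provenance: hash check fails.
    tampered = verify(env, package + b"extra", BUILDER_ID, sha256(source))
    # Statement altered by someone without the builder key: signature fails.
    forged = dict(env, signature="00" * 32)
    bad_sig = verify(forged, package, BUILDER_ID, sha256(source))
    return good, tampered, bad_sig


if __name__ == "__main__":
    for label, result in zip(("good", "tampered", "bad_sig"), demo()):
        print(label, result)
```

The mismatch case is the situation from section 3: a binary pushed through a legitimate update channel but not produced by the recorded build is rejected even though the channel itself is trusted.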