During the Open Security Summit 2024, Yahoo! Principal Security Engineer Mert Coskuner and Kondukto CEO & Co-Founder Cenk Kalpakoglu delved into the intriguing topic of securing CI Runners through eBPF agents. Although the title might seem unconventional, it reflects their creative approach to solving security challenges in continuous integration environments.
With the rapid digital transformation of businesses, there has been an increasing focus on supply chain attacks and their impact on security. These attacks exploit vulnerabilities at various stages of the software development lifecycle, making them a significant threat.
In this blog post, we explore the evolving landscape of such supply chain attacks and their potential consequences for organizations. We also provide a brief introduction to kntrl, a new open-source tool that helps prevent some of these attacks.
One of the major factors contributing to the susceptibility of supply chains is the presence of several attack vectors. Vulnerable packages, compromised pipeline tools, and compromised artifact repositories serve as prime entry points for threat actors.
In recent years, we have witnessed a surge in high-profile incidents that have exposed critical vulnerabilities in the software development process. These attacks not only compromise the integrity of software supply chains but also erode trust in the overall security of the digital systems and infrastructure.
One well-known example is the concept of "repoing" (aka "repo-jacking") where malicious actors hijack vulnerable repositories by exploiting changes in usernames. By gaining control over these repositories, attackers can inject their own malicious code into the software being distributed. This type of attack not only compromises the software's security but also puts the end-users at risk.
To phish developers into installing malicious packages, attackers also leverage techniques such as creating fake HR profiles or adopting the guise of trusted organizations. These techniques exploit the inherent trust developers have in the software tools they use, leading to the inadvertent installation of malware-infected packages.
To get a better grasp on the severity of supply chain attacks, let’s examine real-world examples that highlight the techniques employed by threat actors. Such attacks involve the compromise of a popular package registry, wherein malicious packages were uploaded and distributed to unsuspecting developers. These packages, seemingly harmless at first glance, contained code that would execute malicious actions once incorporated into software projects. These incidents exposed numerous organizations to potential security breaches and led to costly remediation efforts.
Attacks like the ones described above have also gained popularity with nation-state actors, who bring significant resources to them.
The increased utilisation of AI in software development now extends the risk of falling victim to "repo-jacking" from your real dependencies to "hallucinated" ones.
The alarming rise in supply chain attacks necessitates immediate attention and proactive measures from the cybersecurity community. The potential monetary and security damage caused by these attacks is staggering, with estimates reaching billions of dollars annually. Beyond the financial impact, these attacks erode trust in digital systems, disrupt operations, and expose organizations and individuals to a wide range of exploits.
Addressing supply chain attacks requires a multifaceted approach involving collaboration between organizations, developers, and cybersecurity experts. This collaboration should focus on securing all stages of the software development lifecycle, from code creation to deployment. By integrating security practices and mechanisms throughout the supply chain, we can minimize the entry points available to attackers and fortify the overall resilience of the ecosystem.
Organizations must therefore invest in robust security measures that prioritize detection and mitigation of supply chain attacks. By implementing advanced threat intelligence solutions, organizations can proactively identify malicious activities and swiftly respond to potential threats. Additionally, continuous monitoring, vulnerability assessment and risk management practices should be integrated into the development processes to identify and address potential vulnerabilities and threats.
In our pursuit of securing CI/CD Runners, we propose a solution that involves monitoring network attacks using eBPF (extended Berkeley Packet Filter) technology. This technology provides a powerful toolset for low-level control in the Linux Kernel, enabling granular monitoring and control of network traffic.
By leveraging the capabilities of eBPF, we can develop robust monitoring solutions that help detect and prevent network-based attacks targeting the software supply chain. eBPF programs can hook into kernel-level actions, intercept and analyze network traffic, and effectively detect malicious activities and patterns. This approach serves as a proactive defense mechanism, allowing security teams to swiftly respond to supply chain attacks before they can cause further damage.
Moreover, eBPF provides an efficient and scalable framework for monitoring network traffic without compromising system performance. Its ability to dynamically load and execute code within the kernel offers real-time visibility into network activities, enabling rapid threat detection and response.
kntrl is exactly such an eBPF program. It monitors and prevents anomalies in CI/CD Runners using eBPF. It is built using a "Compile Once, Run Everywhere" approach (BPF CO-RE) and can be used as a standalone application or integrated as a binary into your CI/CD pipelines. You can read more about its capabilities in its announcement blog post.
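The allow-or-block decision that an eBPF egress monitor on a CI runner makes for each outbound connection, modelled here in user-space C as an added example (it is not kntrl's code and not from the original post). The allowlist entries, the mode names and the sample addresses are assumptions constructed for illustration.

```c
/* Added example: user-space model of the per-connection check an eBPF
 * egress agent would run inside a kernel hook. All names are hypothetical. */
#include <stdint.h>
#include <stdio.h>

enum verdict { ALLOW, REPORT, BLOCK };
enum mode { MODE_MONITOR, MODE_ENFORCE };   /* hypothetical mode names */

struct cidr { const char *net; int bits; };

/* Constructed allowlist: destinations this pipeline is expected to reach. */
static const struct cidr allowlist[] = {
    { "127.0.0.0", 8 },     /* loopback */
    { "10.0.0.0", 8 },      /* internal artifact mirror (assumed) */
    { "192.0.2.10", 32 },   /* package registry (documentation address) */
};

/* Strict dotted-quad parser; rejects trailing junk and octets > 255. */
static int parse_ipv4(const char *s, uint32_t *out)
{
    unsigned a, b, c, d; char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4) return -1;
    if (a > 255 || b > 255 || c > 255 || d > 255) return -1;
    *out = (uint32_t)a << 24 | b << 16 | c << 8 | d;
    return 0;
}

/* Decide what to do with one outbound connection attempt. */
enum verdict check_egress(const char *dst, enum mode m)
{
    uint32_t ip, net;
    if (parse_ipv4(dst, &ip) == 0) {
        for (size_t i = 0; i < sizeof allowlist / sizeof allowlist[0]; i++) {
            int bits = allowlist[i].bits;
            if (bits < 0 || bits > 32 || parse_ipv4(allowlist[i].net, &net))
                continue;   /* skip a malformed policy entry */
            /* A shift by 32 is undefined, so /0 is handled separately. */
            uint32_t mask = bits == 0 ? 0 : 0xFFFFFFFFu << (32 - bits);
            if ((ip & mask) == (net & mask)) return ALLOW;
        }
    }
    /* Unparsable or unlisted destination: never allowed silently. */
    return m == MODE_ENFORCE ? BLOCK : REPORT;
}

int main(void)
{
    const char *events[] = { "10.1.2.3", "192.0.2.10", "203.0.113.77" };
    const char *names[] = { "ALLOW", "REPORT", "BLOCK" };
    for (size_t i = 0; i < 3; i++)   /* constructed connection events */
        printf("%-14s monitor=%s enforce=%s\n", events[i],
               names[check_egress(events[i], MODE_MONITOR)],
               names[check_egress(events[i], MODE_ENFORCE)]);
    return 0;
}
```

Running the monitor mode first on a real pipeline gives the list of destinations a build actually needs, which is the input for an allowlist that can then be enforced.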
We strongly believe in open source, and we are proud to have been able to release kntrl as an open-source tool. Let's collaborate on building an open-source solution that helps make our supply chains more secure. Join the kntrl Slack channel and feel free to check out the codebase.