Merge branch 'main' into zero-trust-whitepaper

Author: mrsabath

.github/auto_request_review.yml

@@ -25,6 +25,7 @@ reviewers:
       - mlieberman85
       - ragashreeshekar
       - sublimino
+      - eddie-knight
     supply-chain-security-reviewers:
       - mnm678
       - mlieberman85

CODEOWNERS

@@ -1,4 +1,4 @@
-# CNCF Security Technical Advisory Group
+# Security Technical Advisory Group
 
 ![Cloud Native Security Logo](/design/logo/cloud-native-security-horizontal-darkmodesafe.svg)
 
@@ -41,7 +41,7 @@ There is a growing ecosystem of tools that promises to unlock developer producti
 ## Publications
 
 TAG Security has published several resources for the community, which can be
-found in the [publications](PUBLICATIONS.md) document.
+found under [publications](publications/README.md).
 
 ## Governance
 
@@ -122,32 +122,37 @@ seen [here](governance/related-groups/README.md)
 
 ### Security TAG Chairs
 
-- Andrew Martin ([@sublimino](https://github.com/sublimino)), ControlPlane [Chair term: 3/17/2022 - 3/17/2024]
-- Pushkar Joglekar ([@PushkarJ](https://github.com/PushkarJ)), Independent [Chair term: 6/3/2023 - 6/3/2025]
-- Marina Moore ([@mnm678](https://github.com/mnm678)), NYU [Chair term: 10/3/2023 - 10/3/2025]
+| Name                  | Organization            | Term                | Handle    |
+|-----------------------|------------------------|---------------------|-----------|
+| Pushkar Joglekar      | Independent            | June, 2023 - June, 2025 | @PushkarJ |
+| Marina Moore          | Independent                  | October, 2023 - October, 2025 | @mnm678   |
+| Eddie Knight          | Sonatype               | May, 2024 - May, 2026 | @eddie-knight |
+
 
 ### Tech Leads
 
-- Justin Cappos ([@JustinCappos](https://github.com/JustinCappos)), New York
-  University
-- Ash Narkar ([@ashutosh-narkar](https://github.com/ashutosh-narkar)), Styra
-- Andres Vega ([@anvega](https://github.com/anvega))
-- Ragashree Shekar ([@ragashreeshekar](https://github.com/ragashreeshekar)), Independent
-- Michael Lieberman ([@mlieberman85](https://github.com/mlieberman85)), Kusari
+| Name                  | Organization            | Handle              |
+|-----------------------|------------------------|---------------------|
+| Justin Cappos         | New York University    | @JustinCappos       |
+| Ash Narkar            | Styra                  | @ashutosh-narkar    |
+| Andrés Vega           | M42                    | @anvega             |
+| Ragashree Shekar      | Independent            | @ragashreeshekar    |
+| Michael Lieberman     | Kusari                 | @mlieberman85       |
+| John Kjell    | TestifySec                 | @jkjell       |
+
 
 ### Security TAG Chair Emeriti
 
-- Dan Shaw ([@dshaw](https://github.com/dshaw)),
-  PayPal [Chair term: 6/3/2019 - 9/3/2020]
-- Sarah Allen ([@ultrasaurus](https://github.com/ultrasaurus)), [Chair term:
-  6/3/2019 - 6/3/2021]
-- Jeyappragash JJ ([@pragashj](https://github.com/pragashj)),
-  Tetrate.io [Chair term: 6/3/2019 - 6/3/2021]
-- Emily Fox ([@TheFoxAtWork](https://github.com/TheFoxAtWork)),
-  Apple [Chair term: 9/28/2020 - 2/4/2022]
-- Brandon Lum ([@lumjjb](https://github.com/lumjjb)), Google [Chair term:
-  6/3/2021 - 6/3/2023]
-- Aradhana Chetal ([@achetal01](https://github.com/achetal01)), TIAA [Chair term: 6/3/2021 - 9/3/2023]
+| Name                  | Organization            | Term                | Handle    |
+|-----------------------|------------------------|---------------------|-----------|
+| Dan Shaw              | PayPal                 | June, 2019 - September, 2020 | @dshaw    |
+| Sarah Allen           |                        | June, 2019 - June, 2021 | @ultrasaurus |
+| Jeyappragash JJ       | Tetrate.io             | June, 2019 - June, 2021 | @pragashj |
+| Emily Fox             | Apple                  | September, 2020 - February, 2022 | @TheFoxAtWork |
+| Brandon Lum           | Google                 | June, 2021 - June, 2023 | @lumjjb   |
+| Aradhana Chetal       | TIAA                   | June, 2021 - September, 2023 | @achetal01 |
+| Andrew Martin         | ControlPlane           | March, 2022 - March, 2024 | @sublimino|
+
 
 ### On-going projects
 
@@ -175,7 +180,7 @@ the project and its risk profile.
 Facilitator: Justin Cappos ([@JustinCappos](https://github.com/JustinCappos)),
 New York University
 
-Co-chair representatives: @sublimino @PushkarJ
+Co-chair representatives: @PushkarJ @eddie-knight
 
 #### Software Supply Chain Security
 

README.md

@@ -103,15 +103,9 @@ them
 
 - [Markdown](https://github.com/cncf/tag-security/tree/main/supply-chain-security/compromises)
 
-
-
 ## Use Cases & Personas
 
 List of use cases to enable secure access, policy control and safety for users
 of cloud native technology
 
 - [Markdown](https://github.com/cncf/tag-security/blob/main/usecase-personas/README.md)
-
-
-
-

PUBLICATIONS.md publications/README.md

@@ -60,7 +60,7 @@ This chapter goes over background concepts of fuzzing and gives a practical demo
 ## Fuzzing foundations
 Fuzzing is a program analysis technique closely connected to testing. In testing, a common practice is to execute code using a fixed input setting. In fuzzing, the testing is done using pseudo-random data as input to a target piece of code, meaning the target code is run over and over again with pseudo-random data as input. The goal of fuzzing is to discover if any arbitrary input can lead to a bug in the target code. For example, a simple way to fuzz a modern browser is to generate random files and then open each file in the browser with the goal of identifying potential patterns that can cause issues in the browser.
 
-The common set up when fuzzing a piece of software is to construct a fuzzing set up for the code and then run this fuzzer for an extended period of time, and monitor if any bugs occur in the target code during the process. The fuzzer can be run in many settings, including running it locally locally, as part of a CI/CD pipeline or part of a larger management framework for handling the running of fuzzers. The specific time run for the fuzzer ranges from a few minutes to hundreds or even thousands of hours.
+The common set up when fuzzing a piece of software is to construct a fuzzing set up for the code and then run this fuzzer for an extended period of time, and monitor if any bugs occur in the target code during the process. The fuzzer can be run in many settings, including running it locally, as part of a CI/CD pipeline or part of a larger management framework for handling the running of fuzzers. The specific time run for the fuzzer ranges from a few minutes to hundreds or even thousands of hours.
 
 The core technique of fuzzing is simple in that it executes target code indefinitely using pseudo-random input. However, fuzzing comes in many flavors and in this handbook we will be concerned with the concert of coverage-guided fuzzing. This is a technique that relies on monitoring the target code under to extract the specific code executed by a given input, and use this to improve generation of pseudo-random input to increase likelihood of generating new inputs that trigger unique code paths. Coverage-guided fuzzing has had a significant impact on fuzzing in the last 15 years and is the most common fuzzing technique used in modern software development.
 
@@ -102,14 +102,14 @@ In order to make the fuzzing work the developer compiles the fuzzing harness and
 #include <stdlib.h>
 
 int parseUntrustedBuffer(const uint8_t *buffer, size_t size) {
-        if (size < 2) {
-                return -1;
-        }
-        if (buffer[0] == 'A') {
-                if (buffer[1] == 'B') {
-                        assert(0);
-                }
+    if (size < 2) {
+        return -1;
+    }
+    if (buffer[0] == 'A') {
+        if (buffer[1] == 'B') {
+            assert(0);
         }
+    }
     return 0;
 }
 ```
@@ -124,7 +124,7 @@ The question in place for the fuzzer in this case is whether it will come up wit
 extern int parseUntrustedBuffer(const uint8_t *buffer, size_t size);
 
 int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
-        parseUntrustedBuffer(data, size);
+    parseUntrustedBuffer(data, size);
     return 0;
 }
 ```
@@ -191,7 +191,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 }
 ```
 
-ompiling this and launching the fuzzer in a manner similar to Example 1 will result in the binary running forever. In each iteration of the fuzzer it will either print “Size 123” or “Not size 123”, however, by default it will never stop. This can seem counterintuitive at first, partly because it signals that there is no notion of “completeness” when fuzzing, as opposed to testing. This is correct in the sense there is no single truth value denoting if the fuzzing is complete or not, it is by nature an infinite while loop. To this end, a harness is generally run until either one of the conditions hold:
+Compiling this and launching the fuzzer in a manner similar to Example 1 will result in the binary running forever. In each iteration of the fuzzer it will either print “Size 123” or “Not size 123”, however, by default it will never stop. This can seem counterintuitive at first, partly because it signals that there is no notion of “completeness” when fuzzing, as opposed to testing. This is correct in the sense there is no single truth value denoting if the fuzzing is complete or not, it is by nature an infinite while loop. To this end, a harness is generally run until either one of the conditions hold:
 
 1. A timeout has been reached;
 2. The fuzzer found a bug and, therefore, exits.
@@ -356,7 +356,7 @@ The core task that we have to do in order to use LibFuzzer to fuzz a target appl
 #include <stdint.h>
 
 int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
-	/* Fuzz driver implementation */
+    /* Fuzz driver implementation */
 }
 ```
 
@@ -834,17 +834,17 @@ We can use the following fuzzer to attack this code:
 
 ```c
 int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size){
-	char *new_str = (char *)malloc(size+1);
-	if (new_str == NULL){
-		return 0;
-	}
-	memcpy(new_str, data, size);
-	new_str[size] = '\0';
-	
-	attack_me(new_str);
-	
-	free(new_str);
-	return 0;
+    char *new_str = (char *)malloc(size+1);
+    if (new_str == NULL){
+        return 0;
+    }
+    memcpy(new_str, data, size);
+    new_str[size] = '\0';
+    
+    attack_me(new_str);
+    
+    free(new_str);
+    return 0;
 }
 ```
 
@@ -1578,14 +1578,14 @@ The project has two fuzzers `fuzz_complex_parser.c:`
 #include "char_lib.h"
 
 int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
-  char *ns = malloc(size+1);
-  memcpy(ns, data, size);
-  ns[size] = '\0';
-  
-  count_lowercase_letters(ns);
-  
-  free(ns);
-  return 0;
+    char *ns = malloc(size+1);
+    memcpy(ns, data, size);
+    ns[size] = '\0';
+    
+    count_lowercase_letters(ns);
+    
+    free(ns);
+    return 0;
 }
 ```
 
@@ -1600,14 +1600,14 @@ and `fuzz_char_lib.c`
 #include "char_lib.h"
 
 int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
-  char *ns = malloc(size+1);
-  memcpy(ns, data, size);
-  ns[size] = '\0';
-  
-  parse_complex_format(ns);
-  
-  free(ns);
-  return 0;
+    char *ns = malloc(size+1);
+    memcpy(ns, data, size);
+    ns[size] = '\0';
+    
+    parse_complex_format(ns);
+    
+    free(ns);
+    return 0;
 }
 ```
 

security-fuzzing-handbook/fuzzing-handbook.md

@@ -0,0 +1,24 @@
+<!-- cSpell:ignore warbeast -->
+
+# GitGot: using GitHub repositories as exfiltration store
+
+ReversingLabs identified two npm packages, "warbeast2000" and "kodiak2k" which
+were designed to steal SSH keys from developers by exploiting GitHub
+repositories _as storage_.
+
+## Impact
+
+> Fortunately, the reach of this campaign was limited. ReversingLabs observed
+> different accounts publishing warbeast2000 and kodiak2k on npm. The
+> warbeast2000 package was downloaded a little less than 400 times, whereas the
+> kodiak2k was downloaded around 950 times.
+
+## Type of compromise
+
+- **Trust and Signing**: This means that in addition to leveraging implicit
+trust on `github.com` for pulls, attackers were using Personal Access Tokens
+(PATs) to leverage that implicit trust for exfiltration.
+
+## References  
+
+- [ReversingLabs Blog](https://www.reversinglabs.com/blog/gitgot-cybercriminals-using-github-to-store-stolen-data)

supply-chain-security/compromises/2024/gitgot.md

@@ -0,0 +1,38 @@
+<!-- cSpell:ignore sophos -->
+
+# Exploitation of Digital Signing Certificates in Malware Distribution
+
+In early 2024, a suspicious 3proxy sample was identified, signed with a
+Microsoft Windows Hardware Compatibility certificate. This sample, submitted
+by "Hainan YouHu Technology Co. Ltd," disguised as a setup file for an Android
+screen-sharing app (LaiXi), turned out to be malware. The discovery prompted
+further investigations, revealing other samples with similar characteristics,
+leading to a suspicion that a software supply chain attack had been conducted
+on the publishing party:
+
+> We have no evidence to suggest that the LaiXi developers deliberately
+> embedded the malicious file into their product, or that a threat actor
+> conducted a supply chain attack to insert it into the compilation/building
+> process of the LaiXi application. However, we will note that given the links
+> between LaiXi and the malicious backdoor we investigated – and the length of
+> time those links have existed (since at least January 2023, as we’ll discuss
+> shortly) – users should exercise extreme caution when it comes to
+> downloading, installing, and using LaiXi.
+
+## Impact
+
+The malware exploits the trust placed in digitally signed certificates, allowing
+it to bypass security systems that automatically trust signed files. This misuse
+of digital signing undermines the integrity of certificate-based security systems
+and highlights vulnerabilities in the certificate issuing and validation process.
+
+## Type of Compromise
+
+- **Trust and Signing:** The incident involved the misuse of legitimate digital
+signing certificates to authenticate malicious software, tricking systems and
+users by presenting the malware as trustworthy.
+
+## References
+
+- [Sophos Report](https://news.sophos.com/en-us/2024/04/09/smoke-and-screen-mirrors-a-strange-signed-backdoor/)
+- [Stairwell Analysis](https://stairwell.com/resources/signed-sealed-but-not-always-secure-rethinking-trust-in-digitally-signed-certificates/)

supply-chain-security/compromises/2024/laixi-3proxy.md

@@ -0,0 +1,25 @@
+# Malware Disguised as Official Installer Used to Target Korean Public Institution
+
+## Detailed Account
+
+The Kimsuky group targeted a Korean public institution by distributing malware
+disguised as an official installer. This malicious dropper, signed with a valid
+certificate from a Korean company, was designed to look like a legitimate
+application. When executed, it installed a backdoor named Endoor, capable of
+receiving commands and executing malicious activities such as taking
+screenshots and stealing credentials.
+
+## Impact
+
+The security researchers identified instances of this installer used in chained
+attacks.
+
+## Type of Compromise
+
+- **Trust and Signing**: The incident exploits trusted digital certificates to
+deploy malware, undermining the security mechanisms that rely on certificate
+validity.
+
+## References
+
+- [AhnLab Security Report](https://asec.ahnlab.com/en/63396/)

supply-chain-security/compromises/2024/targeted-signed-endoor.md

@@ -0,0 +1,55 @@
+<!-- cspell:ignore pkgsrc -->
+
+# Malicious maintainer introduces sophisticated backdoor in xz
+
+A backdoor was introduced in `xz`, a compression tool integral to various
+Linux distributions. Over the course of several years, a malicious actor
+or actors attained maintainer status and implanted a sophisticated,
+multi-stage backdoor that relied on the specific build processes of `xz`
+to activate, resulting in a modified `liblzma` library that can be used
+by any software linked against this library.
+
+## Impact
+
+The backdoor was discovered on March 28, 2024, specifically in versions
+5.6.0 and 5.6.1 of the XZ Utils package, and was assigned CVE-2024-3094.
+
+The compromised package was distributed across several Linux distributions
+including Fedora, Debian, Kali Linux, openSUSE, Arch Linux, and various
+package managers like Homebrew and pkgsrc.
+
+The apparent goal of this backdoor was to enable remote code execution
+via `sshd` on affected systems by intercepting the `RSA_public_decrypt()`
+function, looking for an attacker controlled key, and executing the payload
+via `system()` function.
+
+This incident achieved mainstream media coverage, driving further recognition
+of the threats involved in exploiting trust and lack of visibility into
+maintainer activities.
+
+The initial response guidance involved rolling back the version of `xz`,
+but this proved difficult in some ecosystems which had to intervene to
+create epochs. Also, for a number of days after the disclosure, the `xz`
+repository on GitHub was disabled which made it more cumbersome for the
+public to research what had happened.
+
+## Type of compromise
+
+While rooted on a malicious maintainer that attained this status by a
+long-term effort by an actor or actors to subvert the project, this incident
+also exhibits some attack chaining characteristics including the exploitation
+of trusted build and distribution mechanisms to deploy the backdoor. From
+the [Cloud Security Alliance](https://cloudsecurityalliance.org/blog/2024/04/25/navigating-the-xz-utils-vulnerability-cve-2024-3094-a-comprehensive-guide)
+report:
+
+> The backdoor was deliberately concealed by the developer. It gets incorporated
+into the binary during the RPM or DEB packaging process for x86-64 architecture,
+using gcc and gnu linker, under the guise of a "test" step.
+
+## References
+
+- <https://myrror.security/the-xz-attack-a-software-supply-chain-earthquake/>
+- <https://securitylabs.datadoghq.com/articles/xz-backdoor-cve-2024-3094/>
+- <https://securelist.com/xz-backdoor-story-part-1/112354/>
+- <https://medium.com/checkmarx-security/backdoor-in-xz-impacting-multiple-linux-distros-074e86989725>
+- <https://cloudsecurityalliance.org/blog/2024/04/25/navigating-the-xz-utils-vulnerability-cve-2024-3094-a-comprehensive-guide>