ByteOS Network

CAPEC-538:Open-Source Library Manipulation

Attack Pattern ID:538

Version:v3.9

Attack Pattern Name:Open-Source Library Manipulation

Abstraction:Detailed

Status:Stable

Likelihood of Attack:Low

Typical Severity:High

Details Content History Related Weaknesses Reports

▼Description

Adversaries implant malicious code in open source software (OSS) libraries to have it widely distributed, as OSS is commonly downloaded by developers and other users to incorporate into software development projects. The adversary can have a particular system in mind to target, or the implantation can be the first stage of follow-on attacks on many systems.

▼Relationships

Nature	Type	ID	Name
ChildOf	S	444	Development Alteration

Nature: ChildOf

Type: Standard

ID: 444

Name: Development Alteration

▼Execution Flow

Explore

The open-source code currently in use on a selected target system.
The depth in the dependency graph of the open source code in relationship to other code bases in use on the target system. Choosing an OSS lower in the graph decreases the probability of discovery, but also decreases the scope of its use within the target system.
The programming language in which the open source code is implemented. Different languages present different opportunities for using known software weaknesses.
The quality of processes in place to make a contribution. For instance, some contribution sites use static and dynamic analysis tools, which could increase the probability of discovery.
The security requirements necessary to make a contribution. For instance, is the ownership lax allowing unsigned commits or anonymous users.

Determine the relevant open-source code project to target

The adversary will make the selection based on various criteria:

Experiment

The adversary will probably avoid easy-to-find software weaknesses, especially ones that static and dynamic analysis tools are likely to discover.
Common coding errors or missing edge cases of the algorithm, which can be explained away as being accidental, if discovered, will be preferred by the adversary.
Sometimes no identity is required to make a contribution. Other options are to steal an existing identity or create one. When creating a new identity, strike a balance between too little or too much detail. Using an stolen identity could cause a notification to be sent to the actual user.

Develop a plan for malicious contribution

The adversary develops a plan to contribute malicious code, taking the following into consideration:

Exploit

Execute the plan for malicious contribution

Write the code to be contributed based on the plan and then submit the contribution. Multiple commits, possibly using multiple identities, will help obscure the attack. Monitor the contribution site to try to determine if the code has been uploaded to the target system.

▼Prerequisites

Access to the open source code base being used by the manufacturer in a system being developed or currently deployed at a victim location.

▼Skills Required

High

Advanced knowledge about the inclusion and specific usage of an open source code project within system being targeted for infiltration.

▼Example Instances

▼Related Weaknesses

ID	Name
CWE-494	Download of Code Without Integrity Check
CWE-829	Inclusion of Functionality from Untrusted Control Sphere

ID: CWE-494

Name: Download of Code Without Integrity Check

ID: CWE-829

Name: Inclusion of Functionality from Untrusted Control Sphere

▼Taxonomy Mappings

Taxonomy Name	Entry ID	Entry Name
ATTACK	1195.001	Supply Chain Compromise: Software Dependencies and Development Tools

Taxonomy Name: ATTACK

Entry ID: 1195.001

Entry Name: Supply Chain Compromise: Software Dependencies and Development Tools

▼References

Reference ID: REF-439

Title: Supply Chain Attack Framework and Attack Patterns

Author: John F. Miller

Publication:

Publisher:The MITRE Corporation

URL:http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf

Day:N/A

Month:N/A

Year:2013