Published Oct 26, 2022

Episode 535: Dan Lorenc on Supply Chain Attacks

Dan Lorenc, CEO of Chainguard, delves into the intricacies of software supply chain attacks, emphasizing the urgent need for transparency and rigorous security in package management to combat threats like Log4Shell and SolarWinds, and explores attack techniques such as dependency confusion and code obfuscation.
Episode Highlights
Software Engineering Radio - the podcast for professional software developers logo

Popular Clips

Episode Highlights

  • Dependency Confusion

    Dependency confusion is a sophisticated attack strategy where attackers exploit public repositories to inject malicious code by mimicking internal package names. explains that this technique leverages the order in which package managers search for packages, often prioritizing public repositories over private ones 1. This oversight allows attackers to upload malicious packages with the same names as internal ones, leading to potential remote code execution vulnerabilities 1.

    You don't really see names as incredibly sensitive data. Sometimes the code is, but the name of the package is something that people copy around all the time.

    ---

    Additionally, Lorenc highlights the related tactic of typo squatting, where attackers create packages with names similar to popular ones, relying on human error or social engineering to spread their malicious code 2.

       

    Code Obfuscation

    Code obfuscation is a technique used to hide vulnerabilities within software, making detection challenging. notes that while many attackers are lazy and leave obvious traces, some employ sophisticated methods to conceal their malicious activities 3. These methods include encoding strings or using manual obfuscation techniques that evade standard security scanners 3.

    There are a lot of bug doors, I think is the technique there where if you could read code and see every bug, then you'd be the best programmer in the world.

    ---

    Lorenc also mentions the International Obfuscated C Code Competition, where programmers create code that performs hidden tasks, illustrating the potential for obfuscated code to sit undetected in software systems 4.

       

    Malicious Inputs

    Malicious inputs are another vector for compromising software systems, often exploiting logging vulnerabilities. describes how attackers can inject malicious code into logging systems by embedding harmful strings in inputs like HTTP headers or IP address fields 5. These inputs can trigger unintended behaviors, such as downloading and executing untrusted code, due to the presence of interpreters in unexpected places 5.

    People build like a small programming language into these logging libraries.

    ---

    Lorenc emphasizes that the intersection of seemingly benign features can lead to vulnerabilities, as seen in Java's logging libraries, where template expansions can inadvertently execute remote code 6.

Related Episodes