Stopping Supply Chain Attacks With Preflight

CodeCov and Supply Chain Attacks

Introducing: Preflight

How Does Preflight Work?

Getting Preflight

$ brew tap spectralops/tap && brew install preflight

Flying With Preflight

So how does it look in action?

$ curl -L https://XXX | preflight run sha256=1ce...2244a6e86
⌛️ Preflight starting
❌ Preflight failed: Digest does not match.
Expected: <...>
Actual: <...>
Information: It is recommended to inspect the modified file contents.

$ curl -L https://XXX | preflight run sha256=1ce...2244a6e86
⌛️ Preflight starting using file lookup: malshare.current.sha256.txt
❌ Preflight failed: Digest matches but marked as vulnerable.
Digest matches but marked as vulnerable.
Information: Vulnerability: Hash was found in a vulnerable digest list
More: malshare.current.sha256.txt

$ curl -L https://XXX | preflight run sha256=1ce...2244a6e86
⌛️ Preflight starting
✅ Preflight verified
... actual script output ...

Codecov Revisited

$ curl -s https://codecov.io/bash | ./preflight create
sha256=d6aa3207c4908d123bd8af62ec0538e3f2b9f257c3de62fad4e29cd3b59b41d9

Before (the step runs whatever the URL serves):

steps:
  - curl -s https://codecov.io/bash | sh

After (the same step, gated on the digest recorded above):

steps:
  - curl -s https://codecov.io/bash | ./ci/preflight run sha256=d6aa3207c4908d123bd8af62ec0538e3f2b9f257c3de62fad4e29cd3b59b41d9

Dealing With Change

$ preflight <hash list|https://url/to/hash-list>
curl .. | ./ci/preflight run sha256=d6aa3207c4908d123bd8af62ec0538e3f2b9f257c3de62fad4e29cd3b59b41d9,sha256=<new hash>,...
curl .. | ./ci/preflight run https://dl.example.com/hashes.txt
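The verification flow walked through above (run with one expected digest, fail on a mismatch, fail when a matching digest is on a known-bad list, accept a comma-separated set of digests or a hash-list file when the upstream script legitimately changes), as an added example in Python. This is not Preflight's own code; the function names, the hash-list file syntax (one spec per line, `#` comments), the `preflight_like.py` file name and the sample script bytes are this example's own assumptions.

```python
"""Minimal re-implementation of the preflight 'run'/'check' idea (added example,
not Spectral's code): hash what arrives on stdin, compare it against one or more
expected digests, reject anything on a known-bad list, and only then let the
bytes through to the next stage of the pipe."""
from __future__ import annotations

import hashlib
import sys

# Constructed sample inputs standing in for the script `curl` would pipe in.
SAMPLE_SCRIPT = b"#!/bin/sh\necho 'installing tool'\n"
TAMPERED_SCRIPT = SAMPLE_SCRIPT + b"# one extra line the publisher never shipped\n"


def digest(data: bytes, algo: str = "sha256") -> str:
    """Equivalent of `preflight create`: emit an `algo=hex` spec for the bytes."""
    return f"{algo}={hashlib.new(algo, data).hexdigest()}"


def parse_specs(spec: str) -> list[tuple[str, str]]:
    """Parse 'sha256=aa..,md5=bb..' into [(algo, hex)]; a bare hex value is sha256."""
    specs = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        algo, _, hexval = item.partition("=")
        if not hexval:  # bare digest, as in `preflight run <sha>`
            algo, hexval = "sha256", algo
        specs.append((algo.lower(), hexval.lower()))
    return specs


def load_hash_list(text: str) -> list[tuple[str, str]]:
    """Hash-list file (assumed format): one spec per line, '#' starts a comment."""
    specs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            specs.extend(parse_specs(line))
    return specs


def load_denylist(text: str) -> frozenset[str]:
    """Known-bad list in the malshare daily-list style: one sha256 per line."""
    return frozenset(l.strip().lower() for l in text.splitlines() if l.strip())


def check(data: bytes, specs: list[tuple[str, str]],
          denylist: frozenset[str] = frozenset()) -> tuple[str, str]:
    """Return ('verified' | 'mismatch' | 'vulnerable', detail)."""
    actual = {algo: hashlib.new(algo, data).hexdigest() for algo, _ in specs}
    matched = [(a, h) for a, h in specs if actual[a] == h]
    if not matched:
        expected = ", ".join(f"{a}={h}" for a, h in specs)
        got = ", ".join(f"{a}={h}" for a, h in actual.items())
        return "mismatch", f"Digest does not match. Expected: {expected} Actual: {got}"
    # A digest can be expected *and* known-bad, so the lookup runs after the
    # match, on the sha256 of the content regardless of which algorithm matched.
    sha256 = hashlib.sha256(data).hexdigest()
    if sha256 in denylist:
        return "vulnerable", f"Digest matches but marked as vulnerable: {sha256} is in the denylist"
    return "verified", "matched " + ", ".join(f"{a}={h}" for a, h in matched)


def gate(data: bytes, spec: str, denylist: frozenset[str] = frozenset()) -> bytes | None:
    """What `curl | preflight check <spec> | sh` relies on: the bytes are forwarded
    only when verified; on any failure nothing reaches the shell."""
    status, _ = check(data, parse_specs(spec), denylist)
    return data if status == "verified" else None


if __name__ == "__main__":
    # usage: curl -s https://example.com/script | python3 preflight_like.py sha256=<hex>[,...] | sh
    payload = sys.stdin.buffer.read()
    passed = gate(payload, sys.argv[1])
    if passed is None:
        sys.exit("Preflight failed: " + check(payload, parse_specs(sys.argv[1]))[1])
    sys.stdout.buffer.write(passed)
```

The order of the two checks is the point: a digest that matches what you pinned still fails if it later turns up on a denylist, so rotating to a new upstream hash never bypasses the malware lookup.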

Checking Scripts And Binaries

Piping:

$ curl -s https://example.com/some-script | preflight check sha256=d6aa3207c4<...>b4 | sh

Executables:

$ preflight check sha256=d6aa3207c4<...>b4 ./my-script.sh

Creating New Hashes

$ preflight create test.sh
sha256=fe6d02cf15642ff8d5f61cad6d636a62fd46a5e5a49c06733fece838f5fa9d85

$ preflight create test.sh --digest md5
md5=cb62874fea06458b2b0cabf2322c9d55

Malware lookup

File Lookup

env:
  PF_FILE_LOOKUP: malshare.current.sha256.txt
steps:
  - wget https://www.malshare.com/daily/malshare.current.sha256.txt
  - curl https://... | preflight <sha>

$ PF_FILE_LOOKUP=malshare.current.sha256.txt preflight run fe6d02cf15642ff8d5f61cad6d636a62fd46a5e5a49c06733fece838f5fa9d85 test.sh
⌛️ Preflight starting using file lookup: malshare.current.sha256.txt
❌ Preflight failed: Digest matches but marked as vulnerable.
Information: Vulnerability: Hash was found in a vulnerable digest list
More: malshare.current.sha256.txt

VirusTotal Lookup

env:
  PF_VT_TOKEN: {{secrets.PF_VT_TOKEN}}
steps:
  - curl https://... | preflight <sha>

$ PF_VT_TOKEN=xxx preflight check e86d4eb1e888bd625389f2e50644be67a6bdbd77ff3bceaaf182d45860b88d80 kx-leecher.exe
⌛️ Preflight starting using VirusTotal
❌ Preflight failed: Digest matches but marked as vulnerable.
Information: Vulnerability: VirusTotal stats - malicious: 40, suspicious 0
More: https://www.virustotal.com/gui/file/e86d4eb1e888bd625389f2e50644be67a6bdbd77ff3bceaaf182d45860b88d80/detection
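How the VirusTotal lookup above turns into a pass/fail decision, as an added Python example that is not Preflight's code. The request shape (GET `/api/v3/files/<sha256>` with an `x-apikey` header) is VirusTotal's documented v3 API; the thresholds, the helper names, the injectable `opener` and the canned report (which reuses the digest and the 40/0 counts from the page, with the other counts made up) are this example's own assumptions.

```python
"""Added example (not Spectral's code): fetch a VirusTotal v3 file report for a
digest and decide whether the build may continue. Strict by default: a single
engine calling the file malicious fails the step."""
from __future__ import annotations

import io
import json
import urllib.error
import urllib.request

VT_API = "https://www.virustotal.com/api/v3/files/"
VT_GUI = "https://www.virustotal.com/gui/file/{}/detection"


def vt_request(sha256: str, token: str) -> urllib.request.Request:
    """Build (but do not send) the v3 file-report request for a digest."""
    return urllib.request.Request(
        VT_API + sha256, headers={"x-apikey": token, "accept": "application/json"})


def vt_stats(report: dict) -> dict[str, int]:
    """Pull last_analysis_stats out of a v3 report; absent keys count as 0."""
    stats = report.get("data", {}).get("attributes", {}).get("last_analysis_stats", {})
    return {k: int(stats.get(k, 0)) for k in ("malicious", "suspicious", "harmless", "undetected")}


def verdict(stats: dict[str, int], max_malicious: int = 0,
            max_suspicious: int = 0) -> tuple[bool, str]:
    """False (block) when more engines flag the file than the thresholds allow."""
    m, s = stats["malicious"], stats["suspicious"]
    info = f"VirusTotal stats - malicious: {m}, suspicious {s}"
    return (m <= max_malicious and s <= max_suspicious), info


def lookup(sha256: str, token: str, opener=urllib.request.urlopen) -> tuple[bool, str]:
    """Real call path. `opener` is injectable so the logic can be tested offline.
    A digest VirusTotal has never seen (HTTP 404) is *unknown*, not clean: it is
    allowed through but labelled so the caller can decide to fail closed."""
    try:
        with opener(vt_request(sha256, token), timeout=10) as resp:
            report = json.load(resp)
    except urllib.error.HTTPError as exc:
        if exc.code == 404:
            return True, "not found on VirusTotal (unknown, not verified clean)"
        raise
    ok, info = verdict(vt_stats(report))
    return ok, f"{info} More: {VT_GUI.format(sha256)}"


def fake_opener(report: dict):
    """Offline stand-in for urllib.request.urlopen that serves a canned report."""
    body = json.dumps(report).encode()
    return lambda req, timeout=10: io.BytesIO(body)


# Constructed sample report shaped like a v3 response; the digest and the
# malicious/suspicious counts come from the page, harmless/undetected are made up.
PAGE_SHA256 = "e86d4eb1e888bd625389f2e50644be67a6bdbd77ff3bceaaf182d45860b88d80"
SAMPLE_REPORT = {"data": {"type": "file", "id": PAGE_SHA256, "attributes": {
    "last_analysis_stats": {"harmless": 0, "malicious": 40, "suspicious": 0, "undetected": 30}}}}


if __name__ == "__main__":
    import os
    import sys
    # usage: PF_VT_TOKEN=... python3 vt_check.py <sha256>   (file name is assumed)
    ok, info = lookup(sys.argv[1], os.environ["PF_VT_TOKEN"])
    print(("✅ verified" if ok else "❌ Preflight failed") + ": " + info)
    sys.exit(0 if ok else 1)
```

Keep the thresholds at zero unless you have a documented reason to tolerate a known false positive for a specific engine; the unknown-digest case is the one to think about, since a freshly tampered artifact will usually not have a report yet.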

Summary

Dotan Nahum

@jondot | Founder & CEO @ Spectral. Rust + FP + Hacking + Cracking + OSS. Previously CTO @ HiredScore, Como, Conduit.