In today’s business world, it is essential to have a well-functioning supply chain. This means that products and materials are delivered to your customers in a timely and safe manner. However, there are times when the supply chain can be attacked. This can happen when someone unauthorized accesses or steals your company’s information. In order to protect your supply chain, you need to take several steps:

  1. Protect your data: Your data is the lifeblood of your supply chain. If someone gains access to it, they can steal your customers’ information, damage your business reputation, or even cause financial losses. To protect your data, you should use secure systems and encrypt all communication between employees.
  2. Keep track of who is responsible for each step in the supply chain: Each step in the supply chain has a role that must be played by someone. Make sure that everyone who is responsible for a particular step knows their job and what they need to do in order to ensure that the product arrives on time and in safe condition.
  3. Use technology: Technology has become an important part of our lives these days. It allows us to keep track of our surroundings and make sure that our products arrive in good condition at our customers’ doors. However, technology can also be used for malicious purposes. Make sure that you use caution when using technology in the Supply Chain context and always keep an eye on potential threats!

Many applications download external dependencies during their build routines. Using those downloads as-is can be dangerous. How do you know the file on the server hasn’t been replaced with a malicious version?

This command illustrates the simplest of supply chain attacks. Piping an install script into your shell is convenient but risky. If example.com has been compromised, you’ve just given an attacker unfettered access to your system.

File Checksums

You can mitigate the dangers of this approach by checking if the downloaded file matches a known checksum. Many reputable open-source projects will publish a checksum that you can compare against. Only run the file if its calculated checksum matches your known value.

Implementing this check into your build scripts can quickly get repetitive. Preflight is a tool that helps you perform checksum comparisons so you can avoid common supply chain attacks.

Preflight accepts a binary’s path and a checksum to compare it against. If the file’s checksum matches, it’ll be executed as normal. Otherwise, the command is aborted, guarding your build script or CI pipeline against unintended malicious code inclusion.

Using Preflight

You can download Preflight from its GitHub releases page. The tool’s also distributed as preflight in the Homebrew package manager.

At its simplest, Preflight can be used anywhere you’d normally reach for | sh. Pipe another command into Preflight, supplying a checksum to match before anything is executed.

Now the install script will only be executed if it matches the known checksum. This gives you confidence that the file’s content hasn’t been tampered with. Preflight supports the sha256, sha1 and md5 hash types.

You should hardcode known checksums into your build scripts. Don’t download a checksum file provided by the same server as the target file. Assume an attacker with the ability to modify the script has also uploaded a bogus checksum file.

Programmatic Checks

Sometimes you might want to take an action depending on whether a file successfully matches its checksum. In this case, you can use preflight check to perform the comparison without actually executing the file.

The command will exit with status code 0 if the file’s checksum matches. A status code of 1 will be issued when there’s a discrepancy. Preflight will also emit an error message to the standard output stream.

Creating Hashes With Preflight

Not all software projects publish hashes for their releases. Preflight has built-in support for generating a new hash if you need one for a dependency.

Download the file from the vendor’s website. Then pass it into preflight create to get the hash of the file’s contents.

A SHA256 hash is generated by default. You can switch to SHA1 or MD5 by adding the –digest flag to the command.

Adding Malware Scans

Beyond basic checksum comparisons, Preflight supports optional malware scanning. This feature scans your file against known malware signatures.

Malware lists are provided by third-party services. Preflight works with any text file containing a list of known malware checksums. Malshare is one provider of these lists.

Set the PF_FILE_LOOKUP environment variable to point to your file’s location. Preflight will detect this variable and enable malware look-ups. When you run preflight check or preflight run, the target file’s checksum will be compared against the entries in the malware list. The check will fail if there’s a match.

What About Other Kinds of Dependency?

Preflight focuses on checks of static files. It’s best suited to pre-built binary downloads which you acquire directly from the vendor.

It’s less realistic to use Preflight with dependencies acquired via package managers. Risks arising from software installed via npm, Composer, NuGet, or Maven will need to be handled in a different way. You can use package manager features such as vendor scoping to ensure dependencies get installed from trusted repositories.

Preflight should be one component in your defense against supply chain injections. Analyze your build scripts to identify intrusion vectors provided by other forms of third-party software.

Summary

Supply chain attacks are a growing problem that affects the security of software deployments. Many developers incorporate direct software downloads into their build scripts. This could give attackers a way to include code in a target project, by compromising an upstream vendor.

Preflight simplifies security checks of third-party scripts and binaries. There is a certain irony though: by using Preflight, you become reliant on a third-party package that you will need to download. You can mitigate this by building Preflight from source yourself and hosting the binary on an internal server that you trust.