CAPEC-538: Open-Source Library Manipulation

Abstraction: Detailed | Status: Stable | Severity: High | Likelihood of Attack: Low

CAPEC Version: 3.9

Last Updated: 2023-01-24

Attack Pattern Description

Adversaries implant malicious code in open source software (OSS) libraries to have it widely distributed, as OSS is commonly downloaded by developers and other users to incorporate into software development projects. The adversary can have a particular system in mind to target, or the implantation can be the first stage of follow-on attacks on many systems.

Execution Flow

Step 1: Explore

[Determine the relevant open-source code project to target] The adversary will make the selection based on various criteria:

Step 2: Experiment

[Develop a plan for malicious contribution] The adversary develops a plan to contribute malicious code, taking the following into consideration:

Step 3: Exploit

[Execute the plan for malicious contribution] Write the code to be contributed based on the plan and then submit the contribution. Multiple commits, possibly made under multiple identities, help obscure the attack. Monitor the contribution site to determine whether the code has been picked up by the target system.

Prerequisites

  • Access to the open source code base used by the manufacturer in a system that is being developed or is currently deployed at a victim location.

Skills Required

High: Advanced knowledge of how an open source code project is included and specifically used within the system being targeted for infiltration.

Example Instances

An adversary with access to an open source code project introduces a hard-to-find bug that, under very specific conditions, allows encryption to be disabled on data streams. The adversary commits the change to the code base, which is then picked up by a manufacturer that develops VPN software. The software is eventually deployed at the victim's location, where the very specific conditions are met, giving the adversary the ability to sniff plaintext traffic that is thought to be encrypted. This can give the adversary access to the victim's sensitive data.

Taxonomy Mappings

Taxonomy Name: ATT&CK
Entry ID: 1195.001
Entry Name: Supply Chain Compromise: Software Dependencies and Development Tools

Key Information

CAPEC ID: CAPEC-538

Abstraction Level: Detailed

Status: Stable

Typical Severity: High

Likelihood of Attack: Low

Related Attack Patterns

Related CWE Weaknesses