YoVDO

Picking Lockfiles - Attacking & Defending Your Supply Chain

Offered By: Black Hat via YouTube

Tags

Black Hat Courses
Cybersecurity Courses
Supply Chain Security Courses

Course Description

Overview

Explore the offensive and defensive aspects of supply chain attacks targeting open source software projects in this 31-minute Black Hat conference talk. Learn about a specific attack technique that conceals malicious code within open source contributions, making it difficult to detect during code review. Dive into the concept of lockfile tampering and its implications for software integrity, including how the same attribute can occur multiple times in a lockfile and how the integrity hash is not mandatory. Examine real-world examples, including a GitLab merge request and an automated dependency update. Gain insights into attacker techniques, objectives, and tooling, such as the Bump-Key tool. Discover defensive strategies to protect your supply chain and understand the importance of lockfile integrity. Enhance your knowledge of both the attacker's perspective and defensive measures in this exploration of supply chain security in open source development.

Syllabus

Intro
A Quick Story
Why are we talking about supply chains?
Attacking Supply Chains with Lockfiles
Defending Supply Chains
Lockfile example
Lockfile Tampering - Example
Multiple Attributes Occurrences
Integrity Hash Not Mandatory
Attacker Perspective: Compromising Supply Chains using Lockfiles
Attacker Techniques and Objectives
Bump-Key Tooling
Example: GitLab Merge Request
Example: Automated Dependency Update
Closing Words
Taught by

Black Hat
