Execution Flow
1) Explore
[Determine the relevant open-source code project to target] The adversary will make the selection based on various criteria:
- The open-source code currently in use on a selected target system.
- The depth in the dependency graph of the open source code in relationship to other code bases in use on the target system. Choosing an OSS lower in the graph decreases the probability of discovery, but also decreases the scope of its use within the target system.
- The programming language in which the open source code is implemented. Different languages present different opportunities for using known software weaknesses.
- The quality of processes in place to make a contribution. For instance, some contribution sites use static and dynamic analysis tools, which could increase the probability of discovery.
- The security requirements necessary to make a contribution. For instance, whether ownership is lax, allowing unsigned commits or anonymous users.
2) Experiment
[Develop a plan for malicious contribution] The adversary develops a plan to contribute malicious code, taking the following into consideration:
- The adversary will probably avoid easy-to-find software weaknesses, especially ones that static and dynamic analysis tools are likely to discover.
- The adversary will prefer common coding errors or missing edge cases of the algorithm, which can be explained away as accidental if discovered.
- Sometimes no identity is required to make a contribution. Other options are to steal an existing identity or create one. When creating a new identity, strike a balance between too little and too much detail. Using a stolen identity could cause a notification to be sent to the actual user.
3) Exploit
[Execute the plan for malicious contribution] Write the code to be contributed based on the plan and then submit the contribution. Multiple commits, possibly using multiple identities, will help obscure the attack. Monitor the contribution site to try to determine if the code has been uploaded to the target system.
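Seen from the maintainer's side, the contribution-security criteria in step 1 (unsigned commits, anonymous users) and the multiple identities in step 3 are visible in commit metadata. The audit below is an added example, not part of the CAPEC entry; the log lines, addresses, the `KNOWN_EMAILS` allowlist and the `audit` function are constructed for illustration, and it assumes the log was produced with `git log --format='%H|%G?|%ae|%an'`.

```python
from collections import defaultdict

# Constructed sample of `git log --format='%H|%G?|%ae|%an'` output.
# Hashes are shortened placeholders; names and addresses are made up.
SAMPLE_LOG = """\
a1f3|G|maintainer@example.org|Core Maintainer
b27c|G|maintainer@example.org|Core Maintainer
c9d0|N|newdev1@example.net|New Dev
d4e1|N|newdev2@example.net|New Dev
e55a|U|helper@example.com|Helper
f6b2|G|maintainer@example.org|Core Maintainer
"""

# Hypothetical allowlist of identities the project already trusts.
KNOWN_EMAILS = {"maintainer@example.org", "helper@example.com"}


def audit(log_text, known_emails):
    """Return (findings, shared_names).

    findings: commit -> list of reasons it needs manual review.
    shared_names: author display name -> emails, when one name is used
    with more than one address (possible multiple identities).
    """
    findings = {}
    emails_by_name = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        # Author name is last, so a '|' inside it survives the split.
        commit, sig, email, name = line.split("|", 3)
        emails_by_name[name].add(email)
        reasons = []
        # %G? prints G only for a good signature from a valid key;
        # N means no signature, U a good signature of unknown validity.
        if sig != "G":
            reasons.append("unverified-signature:" + sig)
        if email not in known_emails:
            reasons.append("unknown-identity")
        if reasons:
            findings[commit] = reasons
    shared = {n: sorted(e) for n, e in emails_by_name.items() if len(e) > 1}
    return findings, shared


if __name__ == "__main__":
    flagged, shared_names = audit(SAMPLE_LOG, KNOWN_EMAILS)
    for commit, reasons in flagged.items():
        print(commit, ", ".join(reasons))
    print("names with several addresses:", shared_names)
```

Commits flagged for both reasons, and display names spread across several addresses, are the ones to route to a second reviewer before merge.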
Prerequisites
Access to the open source code base being used by the manufacturer in a system being developed or currently deployed at a victim location.
Skills Required
Advanced knowledge about the inclusion and specific usage of an open source code project within the system being targeted for infiltration.
Related Weaknesses
CWE-ID | Weakness Name |
CWE-494 | Download of Code Without Integrity Check: The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code. |
CWE-829 | Inclusion of Functionality from Untrusted Control Sphere: The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere. |
Submission
Name | Organization | Date | Date Release |
CAPEC Content Team | The MITRE Corporation | 2014-06-23 +00:00 | |
Modifications
Name | Organization | Date | Comment |
CAPEC Content Team | The MITRE Corporation | 2015-11-09 +00:00 | Updated Related_Attack_Patterns, Typical_Likelihood_of_Exploit |
CAPEC Content Team | The MITRE Corporation | 2018-07-31 +00:00 | Updated Related_Attack_Patterns |
CAPEC Content Team | The MITRE Corporation | 2019-09-30 +00:00 | Updated Description, Execution_Flow, Related_Attack_Patterns |
CAPEC Content Team | The MITRE Corporation | 2021-06-24 +00:00 | Updated @Name, Description, Example_Instances, Execution_Flow, Related_Attack_Patterns |
CAPEC Content Team | The MITRE Corporation | 2022-09-29 +00:00 | Updated Execution_Flow, Taxonomy_Mappings |
CAPEC Content Team | The MITRE Corporation | 2023-01-24 +00:00 | Updated Related_Weaknesses |