Cross-build injection attacks: Keeping an eye on Web applications' open source components


Michael Cobb
12.06.2007


Threat Monitor


We're all familiar with hackers probing Web applications for vulnerabilities in how they are built or operated. One popular method used to exploit such flaws is to inject code into the running application, the technique behind SQL injection and cross-site scripting attacks. A more sophisticated injection creates a buffer overflow that forces a program to run attacker-supplied code.

Injection-based attacks have proven effective, yielding access to private data or possible control over a compromised machine. Software vendors are in a continual race to fix the holes that allow these attacks to succeed. But what if a hacker could inject malicious code when a program is actually compiled and created? Unfortunately, with the way that certain programs are now being built, applications have grown susceptible to what's known as cross-build injection.

Taking advantage of the build process
Modern software applications are complex and composed of many different components. To speed up their development, creators build most software from a combination of pre-written source code and third-party components. After all, why spend weeks reinventing a program feature when it can be quickly found and integrated into an application, especially now that many such components are open source and -- via the GNU General Public License -- can be obtained for free?

To further accelerate development, simplify project management and reduce application build time, modern build tools permit developers to include dependency information within a project's settings. Dependency information allows the application to be built in an automated fashion by retrieving pre-determined components from the appropriate repositories. Maven, for example, is a popular and widely used build system that handles dependency management and multi-project relationships. Maven and other similar tools, like Ant and Ivy, help developers handle huge amounts of code. This automated retrieval is what opens the door to cross-build injection.

If, as part of the build process, developers automatically retrieve external dependencies, such as open source components, then an attacker has an opportunity to insert code into a target program by compromising its third-party components. There are two ways to do this.

First, the attacker can compromise the server that hosts the components and replace them with malicious copies. Alternatively, malware creators can compromise the DNS server used by the build machine, redirecting its requests to a machine controlled by the attacker. Either method works because developers and their tools do not question the source or integrity of the code they are using. Most Internet users know not to open email attachments from unknown sources, yet software developers regularly download code and incorporate it into their applications without reviewing exactly what it does. The dangers of this practice are magnified when a build process is set up to automatically retrieve code from the Internet.

Raising the stakes
The integrity of applications built in this way depends on the security of the sites hosting open source components. Applications also rely on the network infrastructure used to locate those sites. The safest way to avoid cross-build injection attacks is to not use automated tools that incorporate dependency resolution. If that is not feasible, then development teams must create their own internal repository, along with a strictly enforced policy to control how new code or components are added to it. These regulations should include a review to ensure that the code is safe and fit for purpose. To mitigate DNS compromises, the server hosting the repository should only be referred to by its IP address.

Should cross-build injection attacks become widespread, they would undermine the open source movement and the growing acceptance of open source software. When a program is compromised at the point of creation, there is no limit to the malicious actions that it can carry out. Looking ahead, I think we will see more use of digitally signed code and build tools that incorporate signature checking, both of which can ensure that code is coming from a known source and has not been tampered with in any way.
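The two attack routes above (a replaced component on a compromised host, or a DNS redirect to an attacker's host) and the mitigations just described (an internal repository with a review policy, and integrity checking of what the build consumes) can be tied together in one check that a build pipeline runs over every resolved dependency. The following Python is an added example written for this page, not code from the article or from Maven, Ant or Ivy. It assumes a constructed allow-list standing in for the internal repository's review records, pins each approved component to the SHA-256 of the exact bytes that were reviewed, and deliberately ignores which host the bytes came from, so that both routes are caught by the same comparison. The coordinates, hosts and jar contents are all made up.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed allow-list standing in for an internal repository's review
# policy: every approved component is pinned to the SHA-256 of the exact
# bytes that were reviewed. Coordinates follow Maven's group:artifact:version
# convention; all names and contents below are made up for this example.
APPROVED_ARTIFACTS: dict[str, str] = {}


@dataclass
class Artifact:
    coordinates: str   # e.g. "org.example:util:1.0"
    origin: str        # host the build tool fetched it from (informational only)
    content: bytes     # the downloaded bytes (a real build would hold a .jar)


class CrossBuildInjectionError(Exception):
    """Raised when a resolved dependency fails the integrity policy."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def approve(coordinates: str, reviewed_content: bytes) -> str:
    """Record a component after review; the returned digest is its pin."""
    digest = sha256_hex(reviewed_content)
    APPROVED_ARTIFACTS[coordinates] = digest
    return digest


def verify_artifact(artifact: Artifact) -> bool:
    """Accept an artifact only if its coordinates are approved and its bytes
    match the pinned digest. The origin host is deliberately not trusted:
    a compromised mirror or a redirected DNS lookup changes where the bytes
    come from, not what the reviewed bytes hash to."""
    pinned = APPROVED_ARTIFACTS.get(artifact.coordinates)
    if pinned is None:
        raise CrossBuildInjectionError(
            f"{artifact.coordinates}: not on the approved list "
            f"(fetched from {artifact.origin})")
    actual = sha256_hex(artifact.content)
    # Constant-time comparison; the digests are hex strings of equal length.
    if not hmac.compare_digest(actual, pinned):
        raise CrossBuildInjectionError(
            f"{artifact.coordinates}: digest {actual[:12]}... does not match pin "
            f"{pinned[:12]}... (fetched from {artifact.origin})")
    return True


def resolve_dependencies(artifacts: list[Artifact]) -> dict[str, str]:
    """Check every artifact the build resolved and fail closed: the build may
    proceed only if all entries read "ok". Keys combine coordinates and
    origin so two copies of the same component are reported separately."""
    report: dict[str, str] = {}
    for artifact in artifacts:
        key = f"{artifact.coordinates}@{artifact.origin}"
        try:
            verify_artifact(artifact)
            report[key] = "ok"
        except CrossBuildInjectionError as exc:
            report[key] = f"rejected: {exc}"
    return report


def run_scenario() -> dict[str, str]:
    """Constructed scenario exercising both attack routes from the text."""
    reviewed = b"PK\x03\x04 constructed stand-in for a reviewed util-1.0.jar"
    approve("org.example:util:1.0", reviewed)

    resolved = [
        # Genuine copy served by the internal repository: passes.
        Artifact("org.example:util:1.0", "repo.internal.example", reviewed),
        # Same coordinates, but a DNS redirect sent the build to another host
        # that served a modified jar: same name, different bytes, rejected.
        Artifact("org.example:util:1.0", "203.0.113.7",
                 reviewed + b" + injected class"),
        # A component nobody reviewed: rejected by policy regardless of bytes.
        Artifact("org.example:newlib:2.0", "repo.internal.example", b"whatever"),
    ]
    return resolve_dependencies(resolved)


if __name__ == "__main__":
    for key, status in run_scenario().items():
        print(f"{key}: {status}")
```

The design point is that the pin is keyed on component coordinates, not on the download location, so the check does not care whether the repository was reached by name or by IP address; it fails closed for any bytes that were not reviewed, and it rejects a component that was never approved even when it arrives from the trusted host. Replacing the hash pin with a signature over the artifact, verified against a key held by the build, is the natural extension the author anticipates.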

About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for several SearchSecurity.com Security Schools and, as a SearchSecurity.com site expert, answers user questions on application security and platform security.


