After discovering malicious users who were abusing open source projects for activities such as bitcoin mining, SourceClear created a free project to help the community uncover suspicious versions before they become a problem.
SourceClear, which is dedicated to helping developers use open source software safely, has spent the past 18 months digging deeper into the problems of the open source world. In the process it uncovered a number of issues that were not on the organization's roadmap, but which alarmed it enough to act, according to SourceClear founder and CEO Mark Curphey.
He said that when developers build someone else's open source code, they place their trust in that author, which is normally fine, as most developers are honest citizens who develop open source projects for the good of the community.
(Related: A Look at the Future of Software Security)
After some research, Curphey said he started noticing a lot of malicious activity. Part of it involved mining bitcoin through open source projects: every time a developer built such a project, the continuous integration server instance running the build would start mining.
To combat these abuses, SourceClear created Build Inspector, an open source forensic sandbox for continuous integration environments. Build Inspector monitors network traffic, file changes, processes and threads during a build, so that a dependency cannot quietly open a backdoor, phone home, or modify files after the build step.
Because the build runs inside the sandboxed environment, it is isolated from the host, so the build machine itself cannot be compromised, the company said. Requirements for Build Inspector include Ruby (2.2.3 is recommended), Vagrant, and Bundler. Once these are installed, the developer adds the Sahara Vagrant plug-in and bundles the project dependencies.
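To make the file-change part of that monitoring concrete, here is a small Ruby illustration written for this article. It is not Build Inspector's own code: it hashes every file in the build tree before the build step, runs the step, hashes again, and reports anything added, modified or removed. The "build/" output directory, the sample source file and the tampering in the demo are all constructed for the example.

```ruby
require 'digest'
require 'find'
require 'tmpdir'
require 'fileutils'

# Added example (not Build Inspector's code): a minimal before/after file-change
# monitor of the kind a CI forensic sandbox wraps around a build step.

# Map every regular file under +dir+ (path relative to dir) to its SHA-256 digest.
def snapshot(dir)
  files = {}
  Find.find(dir) do |path|
    next unless File.file?(path)
    rel = path[dir.length + 1..-1]
    files[rel] = Digest::SHA256.file(path).hexdigest
  end
  files
end

# Compare two snapshots and return sorted lists of added, removed and modified paths.
def diff_snapshots(before, after)
  {
    added:    (after.keys - before.keys).sort,
    removed:  (before.keys - after.keys).sort,
    modified: (before.keys & after.keys).select { |f| before[f] != after[f] }.sort
  }
end

# Run the build step (the block) against +dir+ and return what it touched on disk.
def monitor_build(dir)
  before = snapshot(dir)
  yield dir
  diff_snapshots(before, snapshot(dir))
end

# Anything written outside the expected output directory, or any deletion, is
# something a build of an ordinary library should not do. The allowed prefix
# ("build/") is an assumption made for this example.
def suspicious_changes(changes, allowed_prefix: 'build/')
  outside = (changes[:added] + changes[:modified]).reject { |f| f.start_with?(allowed_prefix) }
  (outside + changes[:removed]).sort
end

if __FILE__ == $0
  Dir.mktmpdir('ci-sandbox') do |dir|
    # Constructed sample project: one source file.
    File.write(File.join(dir, 'lib.rb'), "puts 'hello'\n")
    changes = monitor_build(dir) do |d|
      FileUtils.mkdir_p(File.join(d, 'build'))
      File.write(File.join(d, 'build/lib.o'), 'object')          # legitimate build output
      # Constructed tampering: the "build" rewrites the project's own source.
      File.write(File.join(d, 'lib.rb'), "puts 'hello'\nsystem('sh evil.sh')\n")
    end
    puts "changes:    #{changes.inspect}"
    puts "suspicious: #{suspicious_changes(changes).inspect}"
  end
end
```

The same snapshot-and-diff pattern extends to the other things Build Inspector watches (process lists, open sockets): record the state before the step, record it after, and treat any difference the build has no reason to produce as a finding.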
"Ultimately this technology will be based on our technology, but in the meantime we wanted to do the right thing and help the open source community protect themselves and be safe," said Curphey.
The reality, he says, is that ransomware is moving from the desktop to enterprise applications. SourceClear has observed other instances of people bundling bad libraries and pushing them into the open source ecosystem. These malicious trends resemble what happened with viruses, which took off because, instead of targeting one person's desktop, an attacker could target an entire server and affect a whole team.
"You can target one person and a hundred thousand people are running [the software], and it's a lot more efficient for the attacker," said Curphey. "What we are seeing is that the bad guy economy has really changed with reusable code."
Executing untrusted code opens up several dangerous scenarios for today's developer, Curphey said. For example, an attacker might trick a developer into believing they are using 10 different open source libraries when, under the hood, those libraries are fetched from a malware hosting site.
Another scenario is that a developer pulls an open source library that is "perfectly fine," but a malicious user later replaces that library with a bad one, Curphey said.
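The substitution scenario has a straightforward check that the text does not spell out: pin each third-party artifact to the digest it had when it was first reviewed, and refuse to build when the fetched bytes no longer match. The Ruby below is an added example written for this article, not SourceClear's or Build Inspector's code; the manifest format, the artifact names and their contents are all constructed here.

```ruby
require 'digest'
require 'tmpdir'

# Added example (not SourceClear's code): integrity pinning for vendored
# dependencies. A manifest records the SHA-256 of every artifact that was
# reviewed; a later fetch with the same name and version but different bytes
# is reported as a mismatch and blocks the build.

# Digest of an in-memory artifact (used to build the constructed manifest).
def digest_of(bytes)
  Digest::SHA256.hexdigest(bytes)
end

# Check every manifest entry against the files actually present in +vendor_dir+.
# Returns sorted lists: artifacts whose digest matched, whose digest differs
# (substituted or tampered), and which are absent.
def verify_artifacts(manifest, vendor_dir)
  result = { ok: [], mismatched: [], missing: [] }
  manifest.each do |name, expected|
    path = File.join(vendor_dir, name)
    unless File.file?(path)
      result[:missing] << name
      next
    end
    actual = Digest::SHA256.file(path).hexdigest
    (actual == expected ? result[:ok] : result[:mismatched]) << name
  end
  result.each_value(&:sort!)
  result
end

# A build proceeds only when every pinned artifact is present and unchanged.
def build_allowed?(result)
  result[:mismatched].empty? && result[:missing].empty?
end

if __FILE__ == $0
  # Constructed sample artifacts and the manifest recorded when they were reviewed.
  good_a = "library A, reviewed 1.0.0\n"
  good_b = "library B, reviewed 2.0.0\n"
  manifest = {
    'a-1.0.0.gem' => digest_of(good_a),
    'b-2.0.0.gem' => digest_of(good_b)
  }

  Dir.mktmpdir('vendor') do |vendor|
    File.write(File.join(vendor, 'a-1.0.0.gem'), good_a)
    # Constructed substitution: same file name and version, different bytes.
    File.write(File.join(vendor, 'b-2.0.0.gem'), "library B, 2.0.0 with extra payload\n")

    result = verify_artifacts(manifest, vendor)
    puts "verification: #{result.inspect}"
    puts(build_allowed?(result) ? 'build allowed' : 'build blocked: artifact integrity failure')
  end
end
```

The digest has to come from a copy someone actually inspected, not from whatever the registry serves today; otherwise the check only confirms that the download matched itself. Keeping the manifest in version control, next to the code that depends on the artifacts, also turns any later change to a pin into a reviewable diff.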
According to Curphey, Build Inspector is not something developers would want to put into their production pipeline, because it spawns a virtual machine and slows down the build. Instead, developers who are suspicious of something in their code or in an open source library can run it in the sandbox to work out what it is doing before using it in an enterprise application, he added.
"Open source is fantastic and continues to be," said Curphey. "The problem is, you have to know what free software you have. The second thing is you have to know where it came from. The third thing you need to know is what it does, and the fourth thing is does it contain any vulnerabilities."