Google proposes SLSA to protect against malicious changes during development

Google has introduced the SLSA (Supply-chain Levels for Software Artifacts) framework, which summarizes existing knowledge on protecting development infrastructure from attacks carried out at the stages of writing, testing, building and distributing a product.

Development processes are becoming increasingly complex and dependent on third-party tools, which creates favourable conditions for attacks that do not rely on finding and exploiting vulnerabilities in the final product, but instead compromise the development process itself (supply-chain attacks, typically aimed at introducing malicious changes at the coding stage or substituting distributed components and dependencies).

The framework considers 8 types of attack related to the threat of introducing malicious changes at the stages of code development, building, testing and distribution of a product.


  • A. Including changes in the source code that contain backdoors or hidden bugs leading to vulnerabilities.

    Attack example: "Hypocrite Commits", an attempt to push patches containing vulnerabilities into the Linux kernel.

    Proposed protection method: independent review of each change by two engineers.

  • B. Compromise of the source code management platform.

    Attack example: injection of a backdoor into the PHP project's Git repository after a leak of developer passwords.

    Proposed protection method: hardening of the code management platform (in the PHP case, the attack was carried out through a little-used HTTPS interface that allowed changes to be pushed after logging in with a password, without checking an SSH key, even though the unreliable MD5 was used to hash the passwords).

  • C. Making changes at the stage of transferring code to the build or continuous integration system (code that does not match the code in the repository gets built).

    Attack example: injection of a backdoor into Webmin by making changes to the build infrastructure, which led to code files being used that differed from the files in the repository.

    Proposed protection method: integrity checking and source identification of the code on the build server.

  • D. Compromise of the build platform.

    Attack example: the SolarWinds attack, in which the insertion of a backdoor into the SolarWinds Orion product was arranged at the build stage.

    Proposed protection method: implementation of enhanced security measures for the build platform.

  • E. Promotion of malicious code through low-quality dependencies.

    Attack example: introduction of a backdoor into the popular event-stream library by adding a harmless dependency and then including malicious code in one of that dependency's updates (the malicious change was not visible in the git repository and was present only in the finished NPM package).

    Proposed protection method: apply the SLSA requirements recursively to all dependencies (in the event-stream case, the check would have revealed that the built code did not match the contents of the main Git repository).

  • F. Uploading artifacts that were not created by the CI/CD system.

    Attack example: adding malicious code to the CodeCov script, which allowed attackers to extract information stored in the environment of customers' continuous integration systems.

    Proposed protection method: control over the source and integrity of artifacts (in the CodeCov case, it could have been detected that the Bash Uploader script downloaded from the codecov.io website did not match the code in the project's repository).

  • G. Compromise of the package repository.

    Attack example: researchers were able to use mirrors of some popular packages to distribute malicious packages through them.

    Proposed protection method: ensuring that distributed artifacts are built from the stated source code.

  • H. Confusing the user into installing the wrong package.

    Attack example: using typosquatting (NPM, RubyGems, PyPI) to place packages in repositories under names whose spelling resembles popular applications (for example, coffe-script instead of coffee-script).

To counter the threats noted above, SLSA provides a set of recommendations, as well as tools for automating the creation of audit metadata. SLSA summarizes common attack methods and introduces the concept of security levels. Each level sets specific infrastructure requirements to ensure the integrity of the artifacts used in development. The higher the supported SLSA level, the more protections are applied and the better the infrastructure is protected against common attacks.

  • SLSA 1 requires that the build process be fully automated and generate metadata ("provenance") about how the artifacts were built, including information about sources, dependencies and the build process (an example of generating metadata for auditing is provided for GitHub Actions). SLSA 1 does not include protections against malicious changes; it merely identifies the code and provides metadata for vulnerability management and risk analysis.
  • SLSA 2 extends the first level by requiring the use of version control and of build services that generate authenticated metadata. Applying SLSA 2 allows the origin of the code to be traced and prevents unauthorized changes to the code when trusted build services are used.
  • SLSA 3 confirms that the source code and the build platform meet the requirements of standards that guarantee the ability to audit the code and ensure the integrity of the provided metadata. It is assumed that auditors can certify platforms against the requirements of the standards.
  • SLSA 4 is the highest level and supplements the previous levels with the following requirements:
    • Mandatory review of all changes by two different engineers.
    • All build steps, code and dependencies must be fully declared, all dependencies must be fetched separately and verified, and the build process must be performed without network access.
    • Using a reproducible build process makes it possible to repeat the build yourself and confirm that the executable was built from the provided source code.
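As an added illustration (not from the article or from the SLSA project), a minimal provenance policy check of the kind the SLSA 2 metadata makes possible: the artifact's hash is compared with the provenance subject, the builder is checked against a trusted list, the expected source repository must appear among the declared materials, and every material must carry a digest. The artifact, the provenance document and the builder and repository URIs are constructed sample values, shaped after the in-toto Statement / SLSA v0.2 provenance layout.

```python
import hashlib
import json

# Constructed sample artifact and provenance; the URIs and digests are
# placeholders, not values taken from any real build.
ARTIFACT = b"#!/bin/sh\necho 'release 1.2.3'\n"
ARTIFACT_SHA256 = hashlib.sha256(ARTIFACT).hexdigest()
EXPECTED_REPO = "git+https://github.com/example/tool"
TRUSTED_BUILDERS = {"https://github.com/Attestations/GitHubHostedActions@v1"}

PROVENANCE = json.dumps({
    "_type": "https://in-toto.io/Statement/v0.1",
    "subject": [{"name": "tool.sh", "digest": {"sha256": ARTIFACT_SHA256}}],
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "predicate": {
        "builder": {"id": "https://github.com/Attestations/GitHubHostedActions@v1"},
        "invocation": {"configSource": {
            "uri": EXPECTED_REPO + "@refs/tags/v1.2.3",
            "digest": {"sha1": "0" * 40}}},
        "materials": [
            {"uri": EXPECTED_REPO, "digest": {"sha1": "0" * 40}},
            {"uri": "pkg:npm/example-dep@1.0.0", "digest": {"sha256": "1" * 64}},
        ],
    },
})


def verify_provenance(artifact: bytes, provenance_json: str,
                      expected_repo: str, trusted_builders: set) -> list:
    """Return the list of policy violations; an empty list means the artifact passes."""
    stmt = json.loads(provenance_json)
    problems = []
    # 1. The provenance must actually describe this artifact (cases C, E, F above:
    #    built output differing from what the repository or CI produced).
    digest = hashlib.sha256(artifact).hexdigest()
    subjects = {s.get("digest", {}).get("sha256") for s in stmt.get("subject", [])}
    if digest not in subjects:
        problems.append("artifact digest not covered by provenance subject")
    pred = stmt.get("predicate", {})
    # 2. Only a trusted build service may vouch for the artifact (case D).
    if pred.get("builder", {}).get("id") not in trusted_builders:
        problems.append("untrusted builder")
    # 3. The declared inputs must include the expected source repository,
    #    and each input must be pinned by a digest (SLSA 4: fully declared deps).
    materials = pred.get("materials", [])
    if not any(m.get("uri", "").startswith(expected_repo) for m in materials):
        problems.append("expected source repository not among materials")
    for m in materials:
        if not m.get("digest"):
            problems.append("material without digest: " + str(m.get("uri")))
    return problems
```

In a real deployment the provenance would be a signed attestation whose signature is checked before any of these fields are trusted; the check above shows only the policy applied to its contents.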



Source: opennet.ru
