StepSecurity Harden Runner: Detect source code tampering during the build process

In December 2020, the industry was rocked by the disclosure of a supply chain attack against SolarWinds, Inc. This attack method focused on the inclusion of unauthorized malicious code during the build process, rather than modifying the source code in the source control system or modifying the artifact in the artifact registry [1].

Such tampering is hard to detect. Countermeasures such as setting branch protection and code review do not help in such an attack, since the code is not tampered in the source control system (box 1 below). Code signing does not help since the artifact that is signed has already been tampered during the build process. As an example, in the SolarWinds supply chain attack, the software was signed, but had been tampered before signing, during the build process (box 2 below) [2].

StepSecurity (https://stepsecurity.io), a software supply chain security company, has built a solution to detect such tampering of source code during the build process. As of now the solution is available when you build your code using GitHub Actions on the GitHub-hosted runners.

GitHub Actions is a popular CI/CD platform that allows you to automate your build, test, and deployment pipeline. GitHub-hosted runners are the virtual machines (VMs) that execute jobs in a GitHub Actions workflow and are hosted by GitHub [3].

StepSecurity’s Harden Runner is an agent for the GitHub-hosted runner (Ubuntu VM) to monitor the build process. It uses the Linux audit framework to audit for file modifications during the build process. Linux audit helps make your system more secure by providing you with means to analyze what is happening on your system [4].

StepSecurity’s solution is called Harden Runner because it hardens the runner, which is the virutal machine that executes build jobs. Adding Harden Runner to your GitHub Actions workflow is easy. You just add it as the first step in the workflow.

Harden Runner can detect source code modification during the build process and shows it as an error annotation in the workflow (screenshot below). It also shows the syscall and the executable that modified the file. In the future we plan on enabling such detections for artifacts generated on the build server. We also plan on sending notifications for such detections.

Harden Runner is being used in GitHub Actions workflows in more than 500 repositories, out of which over 300 are public repositories. It is being used in popular open-source projects such as Node Version Manager and Caffeine and open-source projects from Google, Microsoft, and Automattic.

Harden Runner is available on the GitHub Actions marketplace. If you want to do a hands-on tutorial for this scenario, you can follow the steps using a fork of the Supply Chain Goat public repository.

To get updates as more capabilities are released, follow Step Security on LinkedIn and Twitter.

References:

[1] SUNSPOT: An Implant in the Build Process — https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/

[2] Preventing Supply Chain Attacks like SolarWinds https://www.linuxfoundation.org/blog/preventing-supply-chain-attacks-like-solarwinds/

[3] About GitHub-hosted runners — https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners

[4] Linux Audit framework — https://wiki.archlinux.org/title/Audit_framework

StepSecurity Harden Runner GitHub Action — https://github.com/marketplace/actions/harden-runner

Supply Chain Goat — https://github.com/step-security/supply-chain-goat/blob/main/MonitorSourceCode.md

‍