Build Code is Still Code: Finding the Antidote for Pipeline Poisoning
Brent Pappas, Paul Gazzillo
TL;DR
The paper tackles pipeline poisoning by showing that build-system code, not just program code, can undermine software supply chain security. It introduces development phase isolation as a formal security property and presents Foreman, a lightweight checker that monitors phase-level file accesses and enforces permissions. Through a case study on the XZ Utils backdoor, it demonstrates that phase-isolation checks can detect and prevent malicious flows from test or configuration phases into compilation. The work outlines a concrete, multi-stage research program toward automatic specification, scalable analysis, and seamless integration of build-system checkers across real pipelines.
Abstract
Open source C code underpins society's computing infrastructure. Decades of work has helped harden C code against attackers, but C projects do not consist of only C code. C projects also contain build system code for automating development tasks like compilation, testing, and packaging. These build systems are critcal to software supply chain security and vulnerable to being poisoned, with the XZ Utils and SolarWinds attacks being recent examples. Existing techniques try to harden software supply chains by verifying software dependencies, but such methods ignore the build system itself. Similarly, classic software security checkers only analyze and monitor program code, not build system code. Moreover, poisoned build systems can easily circumvent tools for detecting program code vulnerabilities by disabling such checks. We present development phase isolation, a novel strategy for hardening build systems against poisoning by modeling the information and behavior permissions of build automation as if it were program code. We have prototyped this approach as a tool called Foreman, which successfully detects and warns about the poisoned test files involved in the XZ Utils attack. We outline our future plans to protect against pipeline poisoning by automatically checking development phase isolation. We envision a future where build system security checkers are as prevalent as program code checkers.
