Category: Tech

Software supply chain attacks have become an increasingly common source of risk in modern software systems. To explore mitigation strategies, I developed an experimental methodology and prototype focused on identifying and prioritizing supply chain threats while accounting for differing security requirements across organizational units.

A central premise of this work is that supply chain risk should not be evaluated uniformly across an organization. Different teams and products operate under distinct constraints, risk tolerances, and business impacts. To address this, security policies and risk thresholds are defined using CUE, an open-source constraint language, enabling declarative, fine-grained control over how risk signals are evaluated and enforced per organizational unit.

The system combines multiple analysis techniques to assess both open-source and proprietary dependencies:

Static analysis detects known vulnerability patterns and suspicious constructs in dependencies, such as unsafe APIs and injection primitives.

Dynamic analysis monitors runtime behavior to identify anomalous actions, including unexpected network activity or filesystem access.

Metadata analysis evaluates dependency provenance, maintainer history, release cadence, and repository signals.

External intelligence sources incorporate vulnerability databases and community-driven indicators.

Outputs from these components are aggregated and evaluated against CUE-defined constraints rather than fixed global rules. This allows risk scoring and enforcement decisions to be adjusted dynamically based on business context, such as deployment environment, data sensitivity, or regulatory requirements.

The current implementation focuses on a limited set of languages and package managers to enable controlled experimentation. Expanding ecosystem support and improving detection of novel or rapidly evolving attacks remain open challenges. Ethical considerations, particularly around runtime monitoring and developer trust, must also be addressed to avoid overly intrusive security controls.

This work builds on existing systems such as OWASP Dependency-Check and Grafeas, but differs in its use of constraint-based policy evaluation and an API-driven architecture designed for integration with CI/CD pipelines and governance systems. Because policies are expressed declaratively in CUE, they can be validated, composed, and updated in real time without redeploying analysis components.

As a possible extension, machine learning and large language models could be incorporated as supplementary analysis signals. Recent research suggests that language models can reason about code security properties and inconsistencies. In this context, they could be used to analyze code comments and documentation for mismatches between stated intent and observed behavior, providing additional input to the constraint evaluation layer.

Over the past few months, I had the privilege to immerse myself in Linux expert training. Guided by the expertise of Michael Kerrisk, the author of The Linux Programming Interface, I coded and philosophized my way through the first principles of the Linux world.

The first training involved the operating system architecture and low-level interfaces needed to build Linux-based systems. The five-day intensive training was an excellent opportunity to dive deep into the power of epoll, signals, Linux APIs, and multiple practical use cases, such as implementing non-blocking servers with an efficient thread count.

The second training was a journey into the depths of low-level Linux privileged applications and containers, virtualization, and sandboxing. By the end of this training, I could review Docker’s and Podman’s architecture decisions with detailed arguments (that daemon!). This intensive, four-day course was a real eye-opener. Before it, and as an example, I thought I had a low-level understanding of Linux capabilities or the UTS namespace. However, Michael’s training offered many new insights into the principles behind these features. One of the course’s highlights was building containers from scratch after understanding the workings of namespaces, cgroups, seccomp, and more.

The SCADA acronym stands for supervisory control and data acquisition. A SCADA system, is a collection of different software and hardware components that are connected through a network. The system includes inputs and sensors, PLCS and Remote terminal units and different human machine interfaces.

A SCADA system can use communication systems over TCP, for example the IEC 104 protocol. That protocol like DNP3 does not come with the authentication and packet verification batteries included. This means it’s probably vulnerable to man in the middle attacks (hint: it is).

How would a man in the middle attack look like in such a network? We are mostly familiar with such attacks for web communications like for example we know about man in the middle attacks when a user logs into their bank web admin using an untrusted network. A man in the middle attack works similarly for SCADA systems.

Let’s suppose we have an electrical grid which uses some remote transfer units. Now let’s suppose one of these RTUs detects a faulty condition and wants to communicate the condition back to the main SCADA servers. This communication is vulnerable when it’s being done over MODBUS, DNP3 or IEC 104. An attacker with enough domain knowledge will intercept the communication and will be able to modify crucial data.

For example if the communication is over TCP with IEC 104, an attacker can intercept 104 packets, modify the SPI (status) field of one packet and then route it back to the SCADA servers. This can lead to hiding the problem from the engineers and could lead eventually to economical loss or damage to the company’s image.