A New Linux Tool Aims to Guard Against Supply Chain Attacks
Following alarming incidents such as Russia’s massive 2017 NotPetya malware attack and the Kremlin’s 2020 SolarWinds cyberespionage campaign, both of which were carried out by poisoning software distribution wells, organizations all over the world have been scrambling to get a handle on software supply chain security. Stronger protection in general, and for open-source software in particular, begins with understanding what software you are actually running: enumerating every component that makes up the whole and confirming that each one is what it should be. Put another way, when you pack a box of heirlooms and place it on a shelf, you want to know it does not contain a live microphone or a Tupperware full of deviled eggs that have been sitting there for years.
It takes a massive effort to develop a method that generates a manifest of what’s inside every box in every basement and garage, but a new tool from security firm Chainguard aims to provide exactly that for the software “containers” that underpin almost all digital services today.
On Thursday, Chainguard introduced Wolfi, a Linux distribution designed specifically for the way digital systems are built today in the cloud. Most people do not use Linux, the well-known open-source operating system, on their PCs, and those who use it elsewhere may not realize it: Android, for instance, is based on a modified Linux kernel. But the open-source operating system is widely used in servers and cloud infrastructure around the world, largely because of its flexibility in deployment. Unlike Microsoft’s and Apple’s operating systems, where your only option is whatever ice cream flavor they offer, Linux’s open nature lets developers build many flavors, known as “distributions,” to satisfy varied tastes and specific demands. The Chainguard developers, all of whom have worked in open-source software for years, including on other Linux distributions, believed that one important flavor was missing.
“What we’ve done is built a distribution that we feel will work well for enterprises looking to seriously address supply chain security,” says Chainguard principal engineer Ariadne Conill. “Different distributions have different pieces of software that they include—they’re curated collections of software. By starting with a Linux distribution that gets everything right from the beginning, that’s a huge advantage for software developers to get their own stuff right.”
Think of a software container as a shipping-container home. Everything you need to live is inside, but you can pick it up and move it anywhere you choose. If an operating system is analogous to the appliances, electrical wiring, plumbing, and other infrastructure of a container home, Wolfi pre-vets and pre-itemizes those parts so that everything in your container home can be accounted for and trusted.
Wolfi is designed to be used in tandem with other Chainguard products that help developers securely expand and add to the software in their container. In other words, it is straightforward to validate the furniture and personal belongings you bring in and add them to your container home’s inventory. If your home is broken into, it is easy to discover what happened and how. And you have a complete manifest to show customs if you ever wish to ship your property overseas.
“It’s the exact same thing with software as with physical goods—there can be contraband or counterfeit goods that people are trying to hide and sneak by,” says Adolfo Garcia, a software engineer at Chainguard. “For software, if you don’t have the capability to collect the information at build time, you’re going to be missing a lot about what’s in there.”
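The build-time manifest that Garcia describes, and the “enumerate the parts and confirm they are what they should be” check from the opening of the article, reduced to their simplest form as an added Python example. This is not Chainguard’s or Wolfi’s code, and the file names, file contents and manifest layout are constructed for the illustration. The script records a SHA-256 digest for every file a build produced and later compares a deployed copy against that record, reporting anything modified, missing or never recorded in the first place.

```python
"""Build-time manifest and later verification.

Added illustration of the idea in the article: record what went into a
build, then check the deployed artifact against that record. This is not
Chainguard's or Wolfi's code; the file names, contents and manifest format
below are constructed for the example.
"""
import hashlib
import json
import os
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Walk a build output tree and record every file's relative path, digest and size.

    This is the 'collect the information at build time' step: the manifest is
    produced by the same process that laid the files down, so it becomes the
    reference that the deployed copy is later checked against.
    """
    entries = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            entries[rel] = {"sha256": sha256_file(full), "size": os.path.getsize(full)}
    return {"format": "example-manifest/1", "files": entries}


def verify_tree(root, manifest):
    """Compare a deployed tree against a manifest.

    Returns files whose digest changed, files the manifest lists that are
    gone, and files present on disk that the manifest never recorded (the
    'live microphone' packed into the box).
    """
    current = build_manifest(root)["files"]
    expected = manifest["files"]
    return {
        "modified": sorted(p for p in expected
                           if p in current and current[p]["sha256"] != expected[p]["sha256"]),
        "missing": sorted(p for p in expected if p not in current),
        "unexpected": sorted(p for p in current if p not in expected),
    }


def demo():
    """Build a tiny constructed tree, record it, tamper with it, and return what verification finds."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed sample "build output": one script and one library.
        os.makedirs(os.path.join(root, "lib"))
        with open(os.path.join(root, "app"), "wb") as f:
            f.write(b"#!/bin/sh\necho hello\n")
        with open(os.path.join(root, "lib", "libdep.so"), "wb") as f:
            f.write(b"\x7fELF constructed placeholder\n")

        # Record at build time, then round-trip through JSON as a real manifest would be stored.
        manifest_json = json.dumps(build_manifest(root), indent=2, sort_keys=True)
        clean = verify_tree(root, json.loads(manifest_json))
        assert clean == {"modified": [], "missing": [], "unexpected": []}

        # Simulate tampering after the build: alter a library and drop in an extra file.
        with open(os.path.join(root, "lib", "libdep.so"), "ab") as f:
            f.write(b"injected\n")
        with open(os.path.join(root, "lib", "extra.so"), "wb") as f:
            f.write(b"not in the manifest\n")

        return verify_tree(root, json.loads(manifest_json))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the script prints the modified library and the unexpected extra file; a clean tree produces three empty lists. The point of the exercise is the ordering: the manifest is written by the build and not reconstructed afterwards from whatever happens to be on disk, which is exactly the information Garcia says is lost when it is not collected at build time.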