Software supply chain security for Flutter and its ecosystem

Introduction

In today's software development landscape, ensuring the security of the software supply chain is crucial. In this article, we delve into the efforts made by the Dart and Flutter teams to protect their software from tampering and security vulnerabilities during the development, building, packaging, and distribution processes.

What is a Software Supply Chain?

A software supply chain refers to the entire process affecting software from development to execution. It encompasses two kinds of components:

  • Resources (represented in green in the accompanying diagram), including source code, third-party dependencies, and the artifacts generated from building the code.
  • Processes (represented in blue), which include building the source code, archiving packages, and the execution of applications by end users.

Risks Involved

Software supply chain attacks occur when threat actors infiltrate a company to introduce malicious code. In the context of Flutter, such an attack would target developers using the Flutter SDK and the end-users of their applications.

Potential threats can occur at various points in the supply chain:

  1. Link Between Developer and Source Code: Unauthorized code that bypasses review.
  2. Source Code Resource: Compromise of the source control management system.
  3. Building Process: Modification of the source code during the build to inject malicious behavior.
  4. Use of Third-Party Dependencies: Compromised packages that replace the original artifacts.
  5. Package Manager: Unauthorized alterations to published packages, leading to malicious implementations.

To mitigate these threats, builds should be documented in a verifiable format known as provenance. Provenance files typically record the machine used for the build, timestamps, and the materials (sources and dependencies) that went into the build.
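As an added illustration (not code from the Dart or Flutter projects), the following Python builds a minimal provenance statement in the SLSA v0.2 / in-toto layout for a constructed stand-in artifact and then checks that artifact against it: subject digest, trusted builder identity, material digests and build timestamps. The builder URI, build type and material URIs are hypothetical, and the signed envelope that real provenance is distributed in is not modelled here.

```python
import hashlib
from datetime import datetime

TRUSTED_BUILDERS = {"https://ci.example.com/flutter-release-builder"}  # hypothetical builder id

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def make_provenance(name, artifact, materials, builder_id, started, finished):
    """Record what was built, by which builder, when, and from which inputs."""
    return {
        "_type": "https://in-toto.io/Statement/v0.1",
        "subject": [{"name": name, "digest": {"sha256": sha256_hex(artifact)}}],
        "predicateType": "https://slsa.dev/provenance/v0.2",
        "predicate": {
            "builder": {"id": builder_id},
            "buildType": "https://ci.example.com/build-type/v1",  # hypothetical
            "metadata": {"buildStartedOn": started, "buildFinishedOn": finished},
            "materials": [{"uri": u, "digest": {"sha256": sha256_hex(c)}}
                          for u, c in materials.items()],
        },
    }

def verify(statement, name, artifact, expected_materials):
    """Return mismatches; an empty list means the artifact matches its provenance."""
    problems = []
    subjects = {s["name"]: s["digest"].get("sha256") for s in statement.get("subject", [])}
    if subjects.get(name) != sha256_hex(artifact):
        problems.append(f"subject digest mismatch for {name}")
    pred = statement.get("predicate", {})
    if pred.get("builder", {}).get("id") not in TRUSTED_BUILDERS:
        problems.append("artifact was not produced by a trusted builder")
    recorded = {m["uri"]: m["digest"].get("sha256") for m in pred.get("materials", [])}
    for uri, content in expected_materials.items():
        if recorded.get(uri) != sha256_hex(content):
            problems.append(f"material digest mismatch for {uri}")
    try:
        meta = pred["metadata"]
        if datetime.fromisoformat(meta["buildFinishedOn"]) < datetime.fromisoformat(meta["buildStartedOn"]):
            problems.append("build finished before it started")
    except (KeyError, ValueError):
        problems.append("missing or malformed build timestamps")
    return problems

# Constructed sample: a stand-in SDK archive and the single source input it was built from.
ARTIFACT = b"constructed flutter-sdk archive bytes"
MATERIALS = {"git+https://example.com/sdk-source.git@main": b"void main() {}"}
PROVENANCE = make_provenance("flutter-sdk.zip", ARTIFACT, MATERIALS, "https://ci.example.com/flutter-release-builder",
                             "2023-06-01T12:00:00+00:00", "2023-06-01T12:20:00+00:00")
```

A consumer that runs `verify` before installing the SDK rejects a swapped archive, a build from an unknown builder, or provenance whose materials no longer match the sources it claims.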

The SLSA Framework

To standardize security across applications and dependencies, the SLSA (Supply-chain Levels for Software Artifacts) framework was developed. It consists of four levels:

  • Level 1: Requires automated builds and provenance documentation; helps with vulnerability management but does not prevent tampering.
  • Level 2: Introduces version control and authentication, providing tampering protection if the build service is trusted.
  • Level 3: Ensures that both source and build platforms allow for auditing, safeguarding against build process attacks.
  • Level 4: Requires code reviews and reproducible builds, providing strong assurances against tampering.

The Dart and Flutter teams have been working towards SLSA compliance since early 2022.

Current Efforts

The teams are focusing on two main areas:

  1. Protecting the Flutter SDK: Achieving SLSA Level 2 compliance for the Flutter SDK by mid-2023.
  2. Creating Tools for the Ecosystem: Developing tools to help enhance the software supply chain security practices within the Flutter community.

Strategies and Tools

Key strategies implemented include:

  • Release Automation: Enhancing security during the release process, including multi-party approval for administrative access.
  • Provenance Generation: Creating metadata that verifies release authenticity and includes a bill of materials that can be cross-referenced with vulnerability databases.

Efforts also target the wider Flutter ecosystem:

  • Credential Detection: The package manager (pub) now detects leaked credentials during package publications.
  • Dependabot Integration: Automatic dependency updates to mitigate risks associated with outdated packages.
  • Content Hashes: Validating content against logs for integrity assurance.
  • Automated Publishing: Streamlining the publishing process to minimize human errors and vulnerabilities.
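pub pins a sha256 content hash for each hosted package in pubspec.lock. As an added example, not the pub client's own code, this Python parses the hosted entries of a lockfile and compares a downloaded archive's digest against the pinned value; the archive bytes and the lockfile text are constructed samples.

```python
import hashlib

def parse_lockfile(text):
    """Return {package: {sha256, url, version, source}} for hosted packages in a pubspec.lock."""
    packages, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip().strip('"')
        if indent == 0:
            current = None                          # "packages:" / "sdks:" top-level section
        elif indent == 2 and not value:
            current = packages.setdefault(key, {})  # "  path:" starts a package entry
        elif current is not None and key in ("sha256", "url", "version", "source"):
            current[key] = value
    return {name: p for name, p in packages.items() if p.get("source") == "hosted"}

def verify_archive(lock, package, archive):
    """Compare a downloaded package archive with the content hash pinned in the lockfile."""
    entry = lock.get(package)
    if entry is None:
        return f"{package}: not a hosted package in the lockfile"
    actual = hashlib.sha256(archive).hexdigest()
    if actual != entry.get("sha256"):
        return f"{package}: content hash mismatch (lockfile {entry.get('sha256')}, archive {actual})"
    return None

# Constructed sample: a stand-in archive and a lockfile pinning its hash (not a real lockfile).
ARCHIVE = b"constructed stand-in for path-1.8.3.tar.gz"
LOCKFILE = f'''# Generated by pub
packages:
  path:
    dependency: "direct main"
    description:
      name: path
      sha256: "{hashlib.sha256(ARCHIVE).hexdigest()}"
      url: "https://pub.dev"
    source: hosted
    version: "1.8.3"
  flutter:
    description: flutter
    source: sdk
    version: "0.0.0"
sdks:
  dart: ">=2.19.0 <4.0.0"
'''
LOCK = parse_lockfile(LOCKFILE)
```

A mismatch means the archive served for a pinned version is not the one the lockfile was generated against, which is exactly the substitution the content hash is there to catch.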

Conclusion

The Dart and Flutter teams are committed to enhancing the security posture of their SDKs and the broader ecosystem through systematic efforts and adherence to recognized frameworks like SLSA. By developing tools and strategies, they aim to protect against potential software supply chain attacks while building trust within the community.


Keywords

  • Software Supply Chain
  • Dart
  • Flutter
  • SLSA Framework
  • Provenance
  • Vulnerability Management
  • Release Automation
  • Dependabot
  • Automated Publishing
  • Credential Detection

FAQ

What is a software supply chain?

A software supply chain encompasses all processes and resources involved in software development, from coding to execution, including the source code, dependencies, build processes, and execution by end users.

What are some potential threats to the software supply chain?

Threats include unauthorized code submissions, compromised source control systems, malicious modifications during the building process, and the use of compromised third-party dependencies.

What is provenance in the context of software supply chain security?

Provenance is a verifiable format that documents the building process, including details like the machine used, timestamps, and materials, to ensure software integrity and authenticity.

What does the SLSA framework provide?

The SLSA framework provides a structured approach with four levels of compliance designed to enhance software supply chain security and help organizations understand their security posture concerning third-party dependencies.

How are Dart and Flutter improving software supply chain security?

Dart and Flutter are implementing release automation, generating provenance, integrating tools like Dependabot for dependency management, and enhancing the pub package manager to ensure a more secure environment for developers and users.