Microsoft Releases CodeQL for Detecting Solorigate Tampering
Microsoft announced on Thursday that its CodeQL queries, which were used to detect possible compromise in its source code after the Solorigate attacks, are now publicly available at the GitHub repository.
The queries, written in C#, are open source releases that others can use to detect if Solorigate-style supply-chain tampering happened in their software builds. The queries look for specific indicators of compromise and are described at this CodeQL GitHub "ReadMe" page.
Microsoft's CodeQL queries check for "syntactic" traits associated with the Solorigate attacks, which are defined as code bits that are considered to be easy to alter or that turned up as "coincidental" code. The queries also check for "semantic" aspects, which are defined as the "techniques or patterns" that were used by the attack code.
The CodeQL solution works by building a database that models code as it gets compiled. This database permits investigative queries to be run afterward. Microsoft uses CodeQL as part of its own software build processes. It provides Microsoft with a centralized means for analyzing its spread-out code.
"We built this capability to analyze thousands of repositories for newly described variants of vulnerabilities within hours of the variant being described, but it also allowed us to do a first-pass investigation for Solorigate implant patterns similarly, quickly," the announcement explained.
CodeQL was just one tool Microsoft used in its Solorigate investigations. It's not considered to be a wholly foolproof because an attacker "could change both syntax and techniques," but it allowed Microsoft to quickly check for possible incursions.
Microsoft sees CodeQL as being helpful to other software developers, as well.
"CodeQL is a powerful developer tool, and our hope is that this post inspires organizations to explore how it can be used to improve reactive security response and act as a compromise detection tool," the announcement noted.
"Solorigate" is the term Microsoft uses for the initial tainted code that was injected into the update process of SolarWinds Orion management software, which was first discovered in December. It was one of the tools leveraged by an advanced persistent threat actor (thought to be Russian) to conduct espionage, targeting government and software companies. Other security researchers have referred to this supply-chain attack software component found in Orion as "Sunburst."
Microsoft is a user of the Orion software and was a victim of the attack, and later became one of the principal Solorigate investigators. Some of Microsoft's own source code was viewed, but not modified, as a consequence of the attack, Microsoft has admitted. Microsoft claims it follows an "assumed breach" software development approach that ensures that "secrets" (passwords) aren't in its compiled code.
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.