
On the critical path to implant backdoors and the effectiveness of potential mitigation techniques: Early learnings from XZ (2404.08987v1)

Published 13 Apr 2024 in cs.CR

Abstract: An emerging supply-chain attack due to a backdoor in XZ Utils has been identified. The backdoor allows an attacker to run commands remotely on vulnerable servers utilizing SSH without prior authentication. We have started to collect available information with regard to this attack to discuss current mitigation strategies for such kinds of supply-chain attacks. This paper introduces the critical attack path of the XZ backdoor and provides an overview of potential mitigation techniques related to relevant stages of the attack path.
