public inbox for overseers@sourceware.org
 help / color / mirror / Atom feed
From: Jeffrey Walton <noloader@gmail.com>
To: Paul Koning <paulkoning@comcast.net>
Cc: Jonathon Anderson <anderson.jonathonm@gmail.com>,
	Andreas Schwab <schwab@linux-m68k.org>,
	 Michael Matz <matz@suse.de>, Martin Uecker <uecker@tugraz.at>,
	Ian Lance Taylor <iant@golang.org>,
	 Paul Eggert <eggert@cs.ucla.edu>,
	Sandra Loosemore <sloosemore@baylibre.com>,
	 Mark Wielaard <mark@klomp.org>,
	overseers@sourceware.org, gcc@gcc.gnu.org,
	 binutils@sourceware.org, gdb@sourceware.org,
	libc-alpha@sourceware.org
Subject: Re: Sourceware mitigating and preventing the next xz-backdoor
Date: Tue, 9 Apr 2024 17:40:45 -0400	[thread overview]
Message-ID: <CAH8yC8=cXn5==_aV=2tW7jfnjrf3umKNAFT0cOgpjNBbGBru-w@mail.gmail.com> (raw)
In-Reply-To: <62A5C6AE-FE86-48EA-8E0D-E1B17959C8EA@comcast.net>

On Tue, Apr 9, 2024 at 4:11 PM Paul Koning via Gdb <gdb@sourceware.org> wrote:
>
> > On Apr 9, 2024, at 3:59 PM, Jonathon Anderson via Gcc <gcc@gcc.gnu.org> wrote:
> >
> > On Tue, Apr 9, 2024, 10:57 Andreas Schwab <schwab@linux-m68k.org> wrote:
> >
> >> On Apr 09 2024, anderson.jonathonm@gmail.com wrote:
> >>
> >>> - This xz backdoor injection unpacked attacker-controlled files and ran
> >> them during `configure`. Newer build systems implement a build abstraction
> >> (aka DSL) that acts similar to a sandbox and enforces rules (e.g. the only
> >> code run during `meson setup` is from `meson.build` files and CMake).
> >> Generally speaking the only way to disobey those rules is via an "escape"
> >> command (e.g. `run_command()`) of which there are few. This reduces the
> >> task of auditing the build scripts for sandbox-breaking malicious intent
> >> significantly, only the "escapes" need investigation and they which
> >> should(tm) be rare for well-behaved projects.
> >>
> >> Just like you can put your backdoor in *.m4 files, you can put them in
> >> *.cmake files.
> >
> >
> > CMake has its own sandbox and rules and escapes (granted, much more of
> > them). But regardless, the injection code would be committed to the
> > repository (point 2) and would not hold up to a source directory mounted
> > read-only (point 3).
>
> Why would the injection code necessarily be committed to the repository?  It wasn't in the xz attack -- one hole in the procedures is that the kits didn't match the repository and no checks caught this.

In the Xz case, the victims should not have been able to execute a
well known but modified *.m4 file. The *.m4 files should have been on
the build machine already; or, the latest *.m4 files installed on the
build machine via an updated Autoconf; or the latest serial-numbered
*.m4 macro should have been fetched from a trusted source like GNU.
They provide the provenance needed to allow their execution.

In the browser world, content security policy (CSP) allows third party
code to execute, assuming a script-src and an integrity tag. The
provenance and integrity is enforced.

> I don't see how a different build system would cure that issue.  Instead, there needs to be some sort of audit that verifies there aren't rogue or modified elements in the kit.

Code provenance and code integrity was not enforced. Part of the
problem is the Autotools design. It is from a bygone era. No one
should be able to override a named, GNU supplied m4 macro. That's a
bug, not a feature.

Jeff

  reply	other threads:[~2024-04-09 21:40 UTC|newest]

Thread overview: 57+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-03-29 20:39 Security warning about xz library compromise Mark Wielaard
2024-04-01 15:06 ` Sourceware mitigating and preventing the next xz-backdoor Mark Wielaard
2024-04-02 19:54   ` Sandra Loosemore
2024-04-02 20:03     ` Paul Eggert
2024-04-02 20:20       ` Paul Koning
2024-04-02 20:28         ` Ian Lance Taylor
2024-04-03  6:26           ` Martin Uecker
2024-04-03 14:00             ` Michael Matz
2024-04-03 14:14               ` Paul Koning
2024-04-03 14:32               ` Martin Uecker
2024-04-03 14:46                 ` Jeffrey Walton
2024-04-03 16:02                 ` Michael Matz
2024-04-03 16:26                   ` Joel Sherrill
2024-04-03 16:32                   ` Martin Uecker
2024-04-03 16:51                 ` Andreas Schwab
2024-04-03 16:56                 ` Jonathan Wakely
2024-04-03 18:46               ` Jonathon Anderson
2024-04-03 19:01                 ` Martin Uecker
2024-04-05 21:15                   ` Andrew Sutton
2024-04-06 13:00                     ` Richard Biener
2024-04-06 15:59                       ` Martin Uecker
2024-04-04 13:59                 ` Michael Matz
2024-04-09 16:44                   ` anderson.jonathonm
2024-04-09 17:57                     ` Andreas Schwab
2024-04-09 19:59                       ` Jonathon Anderson
2024-04-09 20:11                         ` Paul Koning
2024-04-09 21:40                           ` Jeffrey Walton [this message]
2024-04-09 21:50                             ` Paul Eggert
2024-04-09 21:58                               ` Sam James
2024-04-09 22:15                                 ` Paul Eggert
2024-04-09 22:22                                   ` Sam James
2024-04-09 22:53                                     ` Paul Eggert
2024-04-09 22:03                               ` Jonathon Anderson
2024-04-09 22:10                                 ` Sam James
2024-04-09 21:54                           ` Jonathon Anderson
2024-04-09 22:00                             ` Sam James
2024-04-10 14:09                             ` Frank Ch. Eigler
2024-04-10 18:47                               ` Jonathon Anderson
2024-04-10 19:00                                 ` Frank Ch. Eigler
2024-04-10 10:26                       ` Claudio Bantaloukas
2024-04-02 22:08     ` Guinevere Larsen
2024-04-02 22:21       ` Guinevere Larsen
2024-04-02 22:50       ` Jeffrey Walton
2024-04-02 23:20       ` Mark Wielaard
2024-04-02 23:34       ` Paul Koning
2024-04-03  0:37         ` Jeffrey Walton
2024-04-03  8:08       ` Florian Weimer
2024-04-03 13:53         ` Joel Sherrill
2024-04-04 10:25           ` Mark Wielaard
2024-04-10 16:30           ` Alejandro Colomar
2024-04-21 15:30             ` Mark Wielaard
2024-04-21 20:40               ` Alejandro Colomar
2024-04-21 20:52                 ` Alejandro Colomar
2024-04-30 11:28                 ` Alejandro Colomar
2024-04-03 14:04         ` Tom Tromey
2024-04-03 14:42           ` Jeff Law
2024-04-04 10:48             ` Mark Wielaard

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CAH8yC8=cXn5==_aV=2tW7jfnjrf3umKNAFT0cOgpjNBbGBru-w@mail.gmail.com' \
    --to=noloader@gmail.com \
    --cc=anderson.jonathonm@gmail.com \
    --cc=binutils@sourceware.org \
    --cc=eggert@cs.ucla.edu \
    --cc=gcc@gcc.gnu.org \
    --cc=gdb@sourceware.org \
    --cc=iant@golang.org \
    --cc=libc-alpha@sourceware.org \
    --cc=mark@klomp.org \
    --cc=matz@suse.de \
    --cc=overseers@sourceware.org \
    --cc=paulkoning@comcast.net \
    --cc=schwab@linux-m68k.org \
    --cc=sloosemore@baylibre.com \
    --cc=uecker@tugraz.at \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).