From: Claudio Bantaloukas <Claudio.Bantaloukas@arm.com>
To: Andreas Schwab <schwab@linux-m68k.org>,
"anderson.jonathonm@gmail.com" <anderson.jonathonm@gmail.com>
Cc: Michael Matz <matz@suse.de>, Martin Uecker <uecker@tugraz.at>,
Ian Lance Taylor <iant@golang.org>,
Paul Koning <paulkoning@comcast.net>,
Paul Eggert <eggert@cs.ucla.edu>,
Sandra Loosemore <sloosemore@baylibre.com>,
Mark Wielaard <mark@klomp.org>,
"overseers@sourceware.org" <overseers@sourceware.org>,
"gcc@gcc.gnu.org" <gcc@gcc.gnu.org>,
"binutils@sourceware.org" <binutils@sourceware.org>,
"gdb@sourceware.org" <gdb@sourceware.org>,
"libc-alpha@sourceware.org" <libc-alpha@sourceware.org>
Subject: Re: Sourceware mitigating and preventing the next xz-backdoor
Date: Wed, 10 Apr 2024 10:26:48 +0000 [thread overview]
Message-ID: <b13aae52-344c-4192-a0fe-20065ee53885@arm.com> (raw)
In-Reply-To: <87h6gazafa.fsf@igel.home>
On 09/04/2024 18:57, Andreas Schwab wrote:
> On Apr 09 2024, anderson.jonathonm@gmail.com wrote:
>
>> - This xz backdoor injection unpacked attacker-controlled files and ran them during `configure`. Newer build systems implement a build abstraction (aka DSL) that acts similar to a sandbox and enforces rules (e.g. the only code run during `meson setup` is from `meson.build` files and CMake). Generally speaking the only way to disobey those rules is via an "escape" command (e.g. `run_command()`) of which there are few. This reduces the task of auditing the build scripts for sandbox-breaking malicious intent significantly, only the "escapes" need investigation and they which should(tm) be rare for well-behaved projects.
>
> Just like you can put your backdoor in *.m4 files, you can put them in
> *.cmake files.
>
Hi Andreas,
Indeed you're right and seeing the hijacked CMakeLists.txt in the commit
was eye opening.
There is a not so subtle difference though. The amount of nasty that the
attacker thought could get away with was different between the
build-to-host.m4 and the CMakeLists.txt attack vectors.
For the CMakeLists.txt file, the wanted change was very small, adding a
dot to a piece of c code so that the test that runs it goes into one of
the perfectly acceptable states (cannot compile the c file), thus
disabling a security feature.
This change was "hidden" in a patch containing a bunch of pointless
renames and veiled in plausible deniability (oops, that dot went in the
by mistake, silly me, here's a patch to fix the file). The attacker was
lucky because noone really checked.
https://git.tukaani.org/?p=xz.git;a=commitdiff;h=328c52da8a2bbb81307644efdb58db2c422d9ba7;hp=eb8ad59e9bab32a8d655796afd39597ea6dcc64d
Compare that to what the m4 file did. Russ Cox has an interesting
analysis https://research.swtch.com/xz-script
From which I'll pick a choice quote: "makes a handful of inscrutable
changes that don’t look terribly out of place".
I figured out the problem with the CMakeFile.txt quickly. I'm not 100%
sure if the configure.ac is ok (after looking at it for 10 minutes, it
looks ok, but I'm not sure!). I would not be able to recognise good code
from bad in the m4 file.
Admittedly, I'm biased in favour of cmake's DSL, have more experience
with it despite using ./configure since the mid 90s and have a
preference. But it would be hard to argue against the fact that benign
m4, as practiced in the wild today is hard to separate from malicious m4
by a majority of developers, including experienced ones like Mr. Cox above.
Cheers,
Claudio Bantaloukas
next prev parent reply other threads:[~2024-04-10 10:27 UTC|newest]
Thread overview: 57+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-03-29 20:39 Security warning about xz library compromise Mark Wielaard
2024-04-01 15:06 ` Sourceware mitigating and preventing the next xz-backdoor Mark Wielaard
2024-04-02 19:54 ` Sandra Loosemore
2024-04-02 20:03 ` Paul Eggert
2024-04-02 20:20 ` Paul Koning
2024-04-02 20:28 ` Ian Lance Taylor
2024-04-03 6:26 ` Martin Uecker
2024-04-03 14:00 ` Michael Matz
2024-04-03 14:14 ` Paul Koning
2024-04-03 14:32 ` Martin Uecker
2024-04-03 14:46 ` Jeffrey Walton
2024-04-03 16:02 ` Michael Matz
2024-04-03 16:26 ` Joel Sherrill
2024-04-03 16:32 ` Martin Uecker
2024-04-03 16:51 ` Andreas Schwab
2024-04-03 16:56 ` Jonathan Wakely
2024-04-03 18:46 ` Jonathon Anderson
2024-04-03 19:01 ` Martin Uecker
2024-04-05 21:15 ` Andrew Sutton
2024-04-06 13:00 ` Richard Biener
2024-04-06 15:59 ` Martin Uecker
2024-04-04 13:59 ` Michael Matz
2024-04-09 16:44 ` anderson.jonathonm
2024-04-09 17:57 ` Andreas Schwab
2024-04-09 19:59 ` Jonathon Anderson
2024-04-09 20:11 ` Paul Koning
2024-04-09 21:40 ` Jeffrey Walton
2024-04-09 21:50 ` Paul Eggert
2024-04-09 21:58 ` Sam James
2024-04-09 22:15 ` Paul Eggert
2024-04-09 22:22 ` Sam James
2024-04-09 22:53 ` Paul Eggert
2024-04-09 22:03 ` Jonathon Anderson
2024-04-09 22:10 ` Sam James
2024-04-09 21:54 ` Jonathon Anderson
2024-04-09 22:00 ` Sam James
2024-04-10 14:09 ` Frank Ch. Eigler
2024-04-10 18:47 ` Jonathon Anderson
2024-04-10 19:00 ` Frank Ch. Eigler
2024-04-10 10:26 ` Claudio Bantaloukas [this message]
2024-04-02 22:08 ` Guinevere Larsen
2024-04-02 22:21 ` Guinevere Larsen
2024-04-02 22:50 ` Jeffrey Walton
2024-04-02 23:20 ` Mark Wielaard
2024-04-02 23:34 ` Paul Koning
2024-04-03 0:37 ` Jeffrey Walton
2024-04-03 8:08 ` Florian Weimer
2024-04-03 13:53 ` Joel Sherrill
2024-04-04 10:25 ` Mark Wielaard
2024-04-10 16:30 ` Alejandro Colomar
2024-04-21 15:30 ` Mark Wielaard
2024-04-21 20:40 ` Alejandro Colomar
2024-04-21 20:52 ` Alejandro Colomar
2024-04-30 11:28 ` Alejandro Colomar
2024-04-03 14:04 ` Tom Tromey
2024-04-03 14:42 ` Jeff Law
2024-04-04 10:48 ` Mark Wielaard
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=b13aae52-344c-4192-a0fe-20065ee53885@arm.com \
--to=claudio.bantaloukas@arm.com \
--cc=anderson.jonathonm@gmail.com \
--cc=binutils@sourceware.org \
--cc=eggert@cs.ucla.edu \
--cc=gcc@gcc.gnu.org \
--cc=gdb@sourceware.org \
--cc=iant@golang.org \
--cc=libc-alpha@sourceware.org \
--cc=mark@klomp.org \
--cc=matz@suse.de \
--cc=overseers@sourceware.org \
--cc=paulkoning@comcast.net \
--cc=schwab@linux-m68k.org \
--cc=sloosemore@baylibre.com \
--cc=uecker@tugraz.at \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).