Items tagged with: backdoor
I implemented Ken Thompson’s Reflections on Trusting Trust (1984 Turing Award Lecture) compiler #backdoor for the GNU Compiler Collection (GCC). The backdoor maintains persistence by re-injecting itself into any new versions of the compiler that are built. The secondary payload modifies a test application by adding a backdoor password to allow authentication bypass:
$ cat testapp.c
#include <string.h>
#include <stdio.h>
#include <stdlib.h>

int main(int argc, char **argv)
{
    if (argc == 2 && !strcmp(argv[1], "secret"))
    {
        printf("access granted!\n");
        return EXIT_SUCCESS;
    }
    else
    {
        printf("access denied!\n");
        return EXIT_FAILURE;
    }
}
$ gcc -Wall -O2 testapp.c -o testapp
$ ./testapp kensentme
access granted!
$
I spent most of the time (around two hours) writing the generalized tooling that produces the final quine version of the malicious payload. Now that this is done, the actual code can be adjusted trivially to exploit more target code without any need to adjust the self-reproducing section of the code. This method of exploitation could be extended to target various binaries: SSH server, Linux kernel, setuid binaries and similar. While itself written in C, the secondary payloads can target any programming language supported by GCC.
It should be noted that the GCC build checks for malicious compiler changes such as this. This check can – of course – also be bypassed. However, most serious projects have measures in place to avoid hacks of this nature.
Some links:
- Ken Thompson's "Reflections on Trusting Trust" paper: cs.cmu.edu/~rdriley/487/papers…
- David A. Wheeler: "Fully Countering Trusting Trust through Diverse Double-Compiling (DDC) - Countering Trojan Horse attacks on Compilers" dwheeler.com/trusting-trust/
#hacking #exploitdevelopment #kenthompson #infosec #cybersecurity @vegard
Excellent summary by Solar Designer on oss-security of what's happened in the last two weeks in response to the #xz #backdoor:
openwall.com/lists/oss-securit…
Noteworthy:
- #OpenSSH implemented systemd notification
- #systemd moves to dlopen(3) for some dependencies
- another detailed timeline at research.swtch.com/xz-timeline
- similar social engineering takeover attempts suspected in #OpenJS and #OpenSSF
Three years ago, #FDroid had a similar kind of attempt as the #xz #backdoor. A new contributor submitted a merge request to improve the search, which was oft requested but the maintainers hadn't found time to work on. There was also pressure from other random accounts to merge it. In the end, it became clear that it added a #SQLinjection #vuln. In this case, we managed to catch it before it was merged. Since similar tactics were used, I think it's relevant now.
gitlab.com/fdroid/fdroidclient…
Unfolding now: news.ycombinator.com/item?id=3…
- openwall.com/lists/oss-securit…
- github.com/tukaani-project/xz/…
An incredibly technically complex #backdoor in xz (potentially also in libarchive and elsewhere) was just discovered. This backdoor has been quietly implemented over years, with the assistance of a wide array of subtly interconnected accounts:
- github.com/tukaani-project/xz/…
- bugs.debian.org/cgi-bin/bugrep…
- github.com/jamespfennell/xz/pu…
The timeline on this is going to take so long to unravel
Here's a stark reminder that any #backdoor is a #vulnerability:
"China-based hackers used a stolen sign-in key" to hack into US government's #Microsoft email accounts.
That's why we at Tutanota fight for strong encryption - without any backdoor. 🔒
Fits in well with my custom ROM series: "Smartphones with a widespread Qualcomm chip secretly send private information to the US chip manufacturer" 👇🤦
#android #security #qualcomm #backdoor #tracking #privacy #sicherheit #datenschutz