The paper discusses a critical supply-chain attack that was discovered in the XZ Utils library, a widely used open-source data compression tool. The attack involves a backdoor that allows an attacker to execute malicious code remotely on vulnerable systems with root privileges.
The attack path is described in detail, consisting of the following stages:
Building Trust: The attacker, using the pseudonym "Jia Tan", gradually gained trust within the XZ Utils project by contributing code improvements over several years.
Preparation: The attacker obtained commit permissions for the XZ Utils repository and disabled security checks in the Google OSS-Fuzz project, which was used to test the library.
Injecting the Backdoor: The attacker added malicious test files to the XZ Utils project; these files carried the backdoor code.
Deployment: The attacker released a new version of XZ Utils with the backdoor, and convinced Linux distributions to include the malicious version in their package repositories.
Exploitation: The backdoor allows the attacker to execute arbitrary commands on vulnerable SSH servers by modifying a function pointer used by the OpenSSH server process.
The paper then discusses various potential mitigation techniques, including organizational security measures for open-source projects, user credibility verification, transparency logs, chain of custody, code sandboxing, and legal defenses.
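To make the transparency-log mitigation concrete, here is an added example (not code from the paper or from the XZ Utils project) of a minimal append-only Merkle log in which release records are published, together with the inclusion proof a downstream consumer verifies before trusting a tarball. The record format and the sample release entries are constructed for the illustration; the hashing scheme follows the RFC 6962 leaf/node domain separation.

```python
import hashlib
from typing import List, Tuple

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf_hash(entry: bytes) -> bytes:
    # Leaves and interior nodes get different prefixes so a node can never be
    # passed off as a leaf (RFC 6962 style domain separation).
    return _h(b"\x00" + entry)

def node_hash(left: bytes, right: bytes) -> bytes:
    return _h(b"\x01" + left + right)

class TransparencyLog:
    """Append-only Merkle log of release records (constructed example)."""
    def __init__(self) -> None:
        self.leaves: List[bytes] = []

    def append(self, entry: bytes) -> int:
        self.leaves.append(leaf_hash(entry))
        return len(self.leaves) - 1          # index the consumer will prove

    def _pad(self, level: List[bytes]) -> List[bytes]:
        return level + [level[-1]] if len(level) % 2 else level  # duplicate last on odd levels

    def root(self) -> bytes:
        level = list(self.leaves)
        if not level:
            return _h(b"")
        while len(level) > 1:
            level = self._pad(level)
            level = [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        return level[0]

    def inclusion_proof(self, index: int) -> List[Tuple[str, bytes]]:
        """Sibling hashes from leaf to root; 'R' means the sibling sits on the right."""
        proof, level = [], list(self.leaves)
        while len(level) > 1:
            level = self._pad(level)
            sibling = index ^ 1
            proof.append(("R" if sibling > index else "L", level[sibling]))
            level = [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]
            index //= 2
        return proof

def verify_inclusion(entry: bytes, proof: List[Tuple[str, bytes]], root: bytes) -> bool:
    """Consumer side: recompute the path from the record it holds to the published root."""
    h = leaf_hash(entry)
    for side, sibling in proof:
        h = node_hash(h, sibling) if side == "R" else node_hash(sibling, h)
    return h == root

def demo() -> Tuple[bool, bool]:
    # Constructed release records: a tarball digest is logged at release time.
    log = TransparencyLog()
    records = [b"pkg=example-lib ver=1.0 sha256=" + hashlib.sha256(b"tarball-1.0").hexdigest().encode(),
               b"pkg=example-lib ver=1.1 sha256=" + hashlib.sha256(b"tarball-1.1").hexdigest().encode(),
               b"pkg=example-lib ver=1.2 sha256=" + hashlib.sha256(b"tarball-1.2").hexdigest().encode()]
    idx = [log.append(r) for r in records]
    root = log.root()
    genuine_ok = verify_inclusion(records[2], log.inclusion_proof(idx[2]), root)
    # A tarball whose digest was never logged (e.g. one that differs from the
    # published release) fails the same check even with a valid-looking proof.
    swapped = b"pkg=example-lib ver=1.2 sha256=" + hashlib.sha256(b"tarball-1.2-modified").hexdigest().encode()
    tampered_ok = verify_inclusion(swapped, log.inclusion_proof(idx[2]), root)
    return genuine_ok, tampered_ok
```

A real deployment would also verify consistency proofs between successive roots, so that the log operator cannot silently rewrite history.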
From the original content
arxiv.org