The XZ Utils backdoor

Informative talk, digging into a major cybersecurity incident.

Abstract

Over the Easter weekend of 2024, the cybersecurity community exploded with uproar over CVE-2024-3094, a software supply chain attack also known as the XZ Utils backdoor. The CVE carries a maximum CVSS score of 10.0, signifying its critical severity. Security vulnerabilities with the maximum severity score are rare, but critical-level vulnerabilities are quite abundant. What sets the XZ Utils backdoor apart is the scope of the attack and the massive potential fallout it could have generated had it succeeded. Beyond the statistics for this vulnerability, the discovery process and the intricate engineering and social engineering aspects are wildly interesting. Let’s find out what connects a developer at Microsoft, a fundamental open-source project and a set of sock-puppet accounts on GitHub controlled by an advanced threat actor. Brace yourself for an exciting tour past exotic POSIX function control mechanisms, ELF linking symbols, ED448 keys, APTs and just plain coincidence!

Audience

This session is for anyone interested in software engineering, open-source software, cybersecurity and software governance.

We will take a forensic look at how a sophisticated backdoor was added to a critical open-source software project, and how it worked technically.

Free for public events

I will provide this talk for free if the event at which it takes place is publicly accessible.

Talk layout

The talk is split into four parts:

  • Introduction and incident timeline,
  • Technical interpretation and details,
  • Incident attribution (who might have done it),
  • Possible learning opportunities.

Goals

  • Provide a good idea of what the XZ backdoor is.
  • Provide a detailed timeline of events.
  • Provide general knowledge on cybersecurity concepts.
  • Provide more in-depth knowledge about the technical details of the backdoor.
  • Show some of the lessons we can learn from this incident.

Technical topics

  • The CVE index and CVSS scores.
  • XZ Utils and liblzma.
  • Systemd and OpenSSH.
  • Glibc IFUNCs.
  • GNU autoconf, m4, make, bash and other build tools.
  • The ED448-Goldilocks elliptic curve.
  • Social engineering and sock puppetry.