Abstract
Deterministic builds, where the compile and build processes are reproducible, can be used to achieve increased trust in distributed binaries. Because the trust can be distributed across a set of builders, each of which provides its own signature of a byte-for-byte identical binary, all of them have to cooperate in order to introduce unwanted code into the binary. On the other hand, if an attacker manages to incorporate malicious code in the source, and this remains undetected during code reviews, the deterministic build provides additional opportunities to introduce, e.g., a backdoor. The impact of such a successful attack would be serious, since the trust model itself is exploited. This paper addresses the problem of crafting such hidden code that is difficult to detect, both during code reviews of the source code and during static analysis of the binary executable. It is shown that the displacement and immediate fields of an instruction can be used to embed hidden code directly from the C programming language.
Copyright information
© 2016 Springer International Publishing Switzerland
About this paper
Cite this paper
Jämthagen, C., Lantz, P., Hell, M. (2016). Exploiting Trust in Deterministic Builds. In: Skavhaug, A., Guiochet, J., Bitsch, F. (eds) Computer Safety, Reliability, and Security. SAFECOMP 2016. Lecture Notes in Computer Science(), vol 9922. Springer, Cham. https://doi.org/10.1007/978-3-319-45477-1_19
DOI: https://doi.org/10.1007/978-3-319-45477-1_19
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-45476-4
Online ISBN: 978-3-319-45477-1
eBook Packages: Computer Science, Computer Science (R0)