Instrumenting software builds to detect stealth backdoors and other curiosities — Hilko Bengen

Join us at hack.lu 2025 — Info & Registration

Duration: 30 min

Type: Talk

Speakers: Hilko Bengen

Abstract

The backdoor that was added to xz-utils by an unknown threat actor (CVE-2024-3094) may be seen as a wake-up call: too little attention is being paid to what happens behind the scenes in our software build processes. When we type ./configure && make, cargo build, pip install or similar chants into our terminals or CI pipelines, we expect that magic happens and that we get software artifacts that Just Work.
Given the right instrumentation tools, it is possible to observe what actually happens during the build process of most software packages and in most cases we can infer whether a binary has actually been built from the presented sources as we expect. It is also possible to detect abnormal uses of compilers or linkers.
I will present a Linux-based prototype toolset for generating and analyzing those lower-level build logs and discuss curious findings and limitations of the approach.
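As an added illustration of the kind of analysis the abstract describes (this is example code written for this page, not the speaker's prototype toolset), the script below consumes a constructed build log of execve records, reconstructs which source files reached the linked binary through observed compile steps, and flags two abnormal patterns: a compiler invoked on a source outside the source tree, and a linker input that no observed compile step produced. The record format (`pid ppid cwd argv...`), the sample paths and the suspicious lines are all assumptions constructed for the example; a real trace would come from a tool such as strace or an eBPF-based tracer.

```python
import os
import shlex
from dataclasses import dataclass

# Constructed sample build log, one execve record per line:
#   "<pid> <ppid> <cwd> <argv...>"
# This record format is an assumption made for this example; it is not the
# output format of the talk's tool. Pids 104 and 105 are constructed to show
# what the analysis flags: a compile from outside the tree and an object file
# of unknown origin handed to the linker.
SAMPLE_LOG = """\
100 1 /src make all
101 100 /src cc -c src/lzma.c -o src/lzma.o
102 100 /src cc -c src/main.c -o src/main.o
103 100 /src sh -c ./build-extra.sh
104 103 /src cc -c /tmp/.hidden/inject.c -o src/extra.o
105 100 /src cc -o bin/app src/lzma.o src/main.o src/extra.o vendor/blob.o
"""

COMPILERS = {"cc", "gcc", "clang"}
LINKERS = COMPILERS | {"ld", "ld.lld", "ld.gold"}
SOURCE_EXTS = (".c", ".cc", ".cpp", ".s", ".S")
OBJECT_EXTS = (".o", ".a")


@dataclass
class Exec:
    pid: int
    ppid: int
    cwd: str
    argv: list


def parse_log(text):
    """Parse the constructed log format into Exec records."""
    execs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, ppid, cwd, rest = line.split(maxsplit=3)
        execs.append(Exec(int(pid), int(ppid), cwd, shlex.split(rest)))
    return execs


def resolve(cwd, path):
    """Absolute, normalised path of a build argument relative to the process cwd."""
    return os.path.normpath(os.path.join(cwd, path))


def output_of(argv):
    """Value of the -o option, or None when the tool falls back to its default output name."""
    if "-o" in argv:
        i = argv.index("-o")
        if i + 1 < len(argv):
            return argv[i + 1]
    return None


def analyze(execs, source_root="/src"):
    """Reconstruct binary provenance from the trace and collect findings.

    Returns (provenance, findings). provenance maps each linked binary to the
    sorted source files that reached it via observed compile steps; a linker
    input with no observed producer is recorded as "?:<object path>".
    """
    produced = {}    # object path -> source paths of the compile step that wrote it
    provenance = {}  # linked binary -> sorted sources / unknown-input markers
    findings = []
    for e in execs:
        tool = os.path.basename(e.argv[0])
        if tool in COMPILERS and "-c" in e.argv:
            sources = [resolve(e.cwd, a) for a in e.argv[1:] if a.endswith(SOURCE_EXTS)]
            for s in sources:
                if not s.startswith(source_root + "/"):
                    findings.append(f"pid {e.pid}: compiles {s}, outside {source_root}")
            out = output_of(e.argv)
            if out is not None:
                produced[resolve(e.cwd, out)] = sources
        elif tool in LINKERS and "-c" not in e.argv:
            out = output_of(e.argv)
            if out is None:
                continue
            sources = set()
            for a in e.argv[1:]:
                if not a.endswith(OBJECT_EXTS):
                    continue
                obj = resolve(e.cwd, a)
                if obj in produced:
                    sources.update(produced[obj])
                else:
                    findings.append(f"pid {e.pid}: links {obj}, which no observed compile step produced")
                    sources.add("?:" + obj)
            provenance[resolve(e.cwd, out)] = sorted(sources)
    return provenance, findings


if __name__ == "__main__":
    prov, found = analyze(parse_log(SAMPLE_LOG))
    for binary, srcs in prov.items():
        print(binary, "<-", ", ".join(srcs))
    for f in found:
        print("FINDING:", f)
```

Run on the sample, the analysis attributes bin/app to two in-tree sources, one out-of-tree source and one object of unknown origin, and emits one finding for each of the two anomalies. The same two checks generalise to any build where compile and link steps are visible as process executions; what they cannot see is a compiler or linker that is itself replaced, which is one of the limitations the talk addresses.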

Video available