All of lore.kernel.org
 help / color / mirror / Atom feed
From: "Theodore Ts'o" <tytso@mit.edu>
To: James Bottomley <James.Bottomley@hansenpartnership.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>,
	"tech-board-discuss@lists.linuxfoundation.org"
	<tech-board-discuss@lists.linuxfoundation.org>
Subject: Re: xz meltdown/Lasse Collin
Date: Sat, 13 Apr 2024 20:11:25 -0400	[thread overview]
Message-ID: <20240414001125.GF187181@mit.edu> (raw)
In-Reply-To: <68255101309f2ac39927d47b3d527c4883a2e791.camel@HansenPartnership.com>

On Sat, Apr 13, 2024 at 10:12:44AM -0400, James Bottomley wrote:
> 
> I gave an idea for that above.  But the first key step is pro-active
> identification.  The MO of the burnout attack was to try to make the
> attacker the single help resource; people in this position tend not to
> know they need to ask for other help.  So the first step has to be pro-
> active in looking for them (which is also useful for providing a risk
> report about the entire ecosystem).

It's important not to over-index on the specifics of how the xz-utils
attack was carried out.  Yes, this time the attack was carried out by
trying to identify someone who was close to being burned out.  It also
involved generated files and autotools.  But that's not the only way
such an attack could be carried out.

If we're talking about a nation-state with a vast amount of resources
and patience, the next time the attack might involve someone just
becoming a trusted contributor and contributing years of good work and
reviews before trying to submit a change which introduces some other
kind of back door or bug.

Perhaps the next attack will involve getting an agent hired by a major
AI chip vendor, and the backdoor will be hidden inside the proprietary
binaries distributed by that AI chip vendor to download firmware into
that company's GPU.  (And if these propietary drivers and binaries are
used by a large number of hyperscale cloud vendors, a backdoor into
that GPU driver or the GPU's support binaries would
be.... devastating.)

That's not to say that we shouldn't find ways to better support
https://xkcd.com/2347.  Or that we interrogate whether autotools is
the best long-term solution, or how to come up with a better solution
without going down the systemd approach of "we only care about Linux
and all other OS's are Not Our PRoblem).  Or that we should have tools
that look for differences between binaries built for distributions
versus built out of the git tree, perhaps by looking for behavioral or
performacne differences.

But let's not over-focus on the burnout attack, or the "only activate
if the build infrastructure is Debian or Fedora" attributes of what
happened this time around.  It is very likely that the next attempt to
subvert software supply chain will be quite different.

		 	      	      - Ted

  reply	other threads:[~2024-04-14  0:17 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-04-12 17:36 xz meltdown/Lasse Collin H. Peter Anvin
2024-04-13 13:16 ` James Bottomley
2024-04-13 13:47   ` H. Peter Anvin
2024-04-13 14:12     ` James Bottomley
2024-04-14  0:11       ` Theodore Ts'o [this message]
2024-04-14 13:42         ` James Bottomley
2024-04-14 10:21   ` Vegard Nossum
2024-04-14 14:45     ` James Bottomley
2024-04-15 18:00       ` Kees Cook
2024-04-16 14:05         ` James Bottomley
2024-04-18  5:20           ` Michael Ellerman
2024-04-16  6:24     ` Michael Ellerman

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20240414001125.GF187181@mit.edu \
    --to=tytso@mit.edu \
    --cc=James.Bottomley@hansenpartnership.com \
    --cc=hpa@zytor.com \
    --cc=tech-board-discuss@lists.linuxfoundation.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.