Deep Dive into XZ Utils Backdoor - Columbia Engineering, Advanced Systems Programming Guest Lecture

On March 29th, 2024, a developer from Microsoft published that he had discovered a backdoor built into XZ Utils, a compression package included with nearly every major Linux distribution. Had it gone unnoticed, this backdoor could have given its authors root-level access to millions of servers across the internet. Interestingly, the core mechanism the backdoor uses to compromise host machines is something we just finished studying: dynamic linking and loading of ELF objects. This lecture explores the implementation details of the XZ Utils backdoor and describes the novel multi-year effort to put it in place, along with its consequences for the larger world of open source software development.

This is a recording of a guest lecture presented to the W4995 Advanced Systems Programming class at Columbia University.

00:00 - Intro
02:09 - Background on Open Source Development
05:47 - Backdoor Timeline
19:31 - How the Payload Works
48:46 - Reverse Engineering the Payload
57:56 - Live Demo
1:01:35 - Attribution
1:05:37 - Larger Implications
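The abstract names dynamic linking and loading of ELF objects as the mechanism the backdoor rides on. Concretely, the XZ backdoor placed its entry point in a GNU IFUNC resolver inside liblzma, so its code ran while ld.so was still resolving symbols for sshd, before main() and before any constructor. The following is an added example, not code from the lecture or from xz-utils, showing the mechanism in isolation: a library-side resolver decides, at load time and invisibly to the caller, which implementation a public symbol is bound to. All names (check_key, resolve_check_key, the DEMO_HOOK macro) are hypothetical and have no relation to liblzma's real symbols. It needs a glibc Linux toolchain, since IFUNC is an ELF/glibc feature.

```c
/* ifunc_demo.c - added example (not from the lecture or xz-utils):
 * a GNU IFUNC resolver choosing a symbol's implementation at load time.
 * Build on a glibc Linux system:  gcc -O2 -o ifunc_demo ifunc_demo.c
 * All function names here are hypothetical. */
#include <stdio.h>
#include <string.h>

typedef int (*check_fn)(const char *);

/* Bookkeeping so the program can prove when the resolver ran. */
static int g_main_started = 0;
static int g_resolver_ran_before_main = 0;

/* The honest implementation the caller believes it is calling. */
static int check_key_real(const char *key) {
    return strcmp(key, "correct") == 0;
}

/* An impostor the resolver could hand back instead: accepts any key.
 * Marked unused because the default build never selects it. */
__attribute__((unused))
static int check_key_hooked(const char *key) {
    (void)key;
    return 1;
}

/* IFUNC resolver. ld.so calls this while applying IRELATIVE relocations,
 * i.e. during loading, before main() and before constructors. Whatever
 * pointer it returns is what every call to check_key() is bound to.
 * Resolvers should avoid calling into other shared objects, since
 * those may not be fully relocated yet; this one only touches its own
 * static data. */
static check_fn resolve_check_key(void) {
    g_resolver_ran_before_main = (g_main_started == 0);
    /* A backdoor makes this decision on data smuggled into the object.
     * The demo keeps the honest implementation unless built with
     * -DDEMO_HOOK, to show that the choice lives in library code the
     * caller never sees and cannot tell apart at the call site. */
#ifdef DEMO_HOOK
    return check_key_hooked;
#else
    return check_key_real;
#endif
}

/* Public symbol of type STT_GNU_IFUNC. It has no body of its own; the
 * resolver named in the attribute supplies the target. */
int check_key(const char *key) __attribute__((ifunc("resolve_check_key")));

/* Exposed for the harness: 1 if the resolver executed before main(). */
int resolver_ran_before_main(void) {
    return g_resolver_ran_before_main;
}

int main(void) {
    g_main_started = 1;
    printf("resolver ran before main: %d\n", resolver_ran_before_main());
    printf("check_key(\"correct\") = %d\n", check_key("correct"));
    printf("check_key(\"wrong\")   = %d\n", check_key("wrong"));
    return 0;
}
```

Two checks are worth knowing: `readelf -sW ifunc_demo | grep check_key` shows the symbol typed IFUNC rather than FUNC, and `readelf -rW ifunc_demo | grep -i irel` shows the IRELATIVE relocation that makes the loader call the resolver. Rebuilding with `-DDEMO_HOOK` changes nothing at the call site, yet every key is now accepted, which is the reason a dependency's resolvers and other pre-main code must be audited as trusted code rather than treated as inert data.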
Comments

This is really cool. The college students asked really good questions, helped me understand everything so much better.

VihaShah

My computing teacher from high school (entering uni in 2025) posted about this CVE in April when it first got discovered. Today I watched a video from fern that talked about this same CVE. Then I went down a rabbit hole and found this gem! Thanks! I've learnt a bit about buffer overflows in OSCP and the part on stack and heap really tickled my dormant memories on ESP and EBP hahahahaha I loved it!

jowsonjgong

Getting a backdoor into open source software: 1. Start making useful contributions, 2. write mean messages to push for shared maintainership, 3. step in as savior, 4. build trust as competent contributor over years, 5. add overly convoluted testing system, 6. insert payload into repo, 7. make your first release as co-maintainer with untracked release script that compiles in backdoor, 8. nag distros to use the new version, 9. get caught in prerelease by German dev that notices the backdoor delays logins by 0.3s and decompiles your code to figure out why.
Getting a backdoor into proprietary software: 1. knock on CEO's office door, 2. present secret court order, 3. work with devs to add your backdoor.

JoeTaber

Such a brilliant presentation structure. Every slide answers the questions that arise from the previous one.

Stdvwr

This was a great explanation of how it worked on a technical level. Thanks for the lecture + summary!

TestamentScar

This was shockingly good & interesting. It is making me think about how a talk can be steered by posing an unusual audience; in this case, some college kids who just learned about linkers but can't necessarily be assumed to know broadly what someone would typically know if they had that specialist knowledge. 5 stars, and your competition are the folks who've explained things from the internet worm through Stuxnet and beyond.

brentknight

This was a really interesting and detailed overview of the backdoor.
I followed many of the discussions while it was being discovered, like how it was implemented, how it got compiled into the binary and what effect it had on sshd, but this lecture presented the actual effects on the system.

After reading the different discussions, seeing code examples and the details about the social engineering aspect, this video helped me see how the backdoor actually loaded itself into memory.
This reveals a lot more of the sophistication behind the backdoor, and the layers of obfuscation weren't really obvious to me before now.

Extremely helpful!

Jabbl

Awesome lecture! I learned a ton and it was super engaging.

Pii

This is amazing thank you so much for this lecture!

danygagnon

This won't blow up like it should because you have 97 subscribers ... but the amount of depth you went into and the ease with which you explained a ton of very complicated concepts stretched out over 1+ hr is pretty absurd to me given that you are 20? years old. Damn bro. You know computers.

cusematt

This is a much needed presentation - thank you!
Gripes: the audio is OK but could be better, but most of all - and this can't be said too often - all presenters (all the time, in all venues) when taking audience questions need to *REPEAT THE FSCKING QUESTIONS* before answering them....

michaelodonnell

Hey, this was a good video, thanks. I can't hear all of the questions though, it would have been good if you had repeated the questions that were being asked. Some of them became clear due to your answers, others less so. This can sometimes be an issue in the auditorium too.

playthingz

great vid Denzel - so is it enough to update your XZ install to the "Fixed" packages with Jia's commits removed to fix this system wide?

JohnAlanWoods

Lesson learned: don't fuck around with database engineers unless you want to find out. Classic FAFO

gruselhaus

At 4 minutes you said suppository rather than repository. Freudian slip methinks.

JB_inks

"Probably not US", the hypocrisy is at the same level as the backdoor.

Shahriyarj

What's the target audience that watches a talk about the details of the backdoor but doesn't know what SSH is or how the open-source community works?

Nice talk anyway!

Tibug

the volume is very low :( hard to hear this

Flarel

Pretty good, but please no more upspeak.

felipec