
Lund University Publications

LUND UNIVERSITY LIBRARIES

Exploiting Trust in Deterministic Builds

Jämthagen, Christopher LU ; Lantz, Patrik LU and Hell, Martin LU (2016) In Lecture notes in computer science 9922. p.238-249
Abstract
Deterministic builds, where the compile and build processes are reproducible, can be used to achieve increased trust in distributed binaries. As the trust can be distributed across a set of builders, where all provide their own signature of a byte-to-byte identical binary, all have to cooperate in order to introduce unwanted code in the binary. On the other hand, if an attacker manages to incorporate malicious code in the source, and make this remain undetected during code reviews, the deterministic build provides additional opportunities to introduce e.g., a backdoor. The impact of such a successful attack would be serious since the actual trust model is exploited. In this paper, the problem of crafting such hidden code that is difficult to detect, both during code reviews of the source code as well as static analysis of the binary executable is addressed. It is shown that the displacement and immediate fields of an instruction can be used to embed hidden code directly from the C programming language.
type
Chapter in Book/Report/Conference proceeding
publication status
published
host publication
Computer Safety, Reliability, and Security : 35th International Conference, SAFECOMP 2016, Trondheim, Norway, September 21-23, 2016, Proceedings
series title
Lecture notes in computer science
editor
Skavhaug, Amund ; Guiochet, Jérémie and Bitsch, Friedemann
volume
9922
pages
12 pages
publisher
Springer
external identifiers
  • scopus:84988614154
ISSN
0302-9743
ISBN
978-3-319-45476-4
978-3-319-45477-1
DOI
10.1007/978-3-319-45477-1_19
language
English
LU publication?
yes
id
b6c12b98-2a09-45ec-96d6-f9ce8b2f2dbf
date added to LUP
2016-09-19 18:23:26
date last changed
2024-01-04 12:37:51
@inproceedings{b6c12b98-2a09-45ec-96d6-f9ce8b2f2dbf,
  abstract     = {{Deterministic builds, where the compile and build processes are reproducible, can be used to achieve increased trust in distributed binaries. As the trust can be distributed across a set of builders, where all provide their own signature of a byte-to-byte identical binary, all have to cooperate in order to introduce unwanted code in the binary. On the other hand, if an attacker manages to incorporate malicious code in the source, and make this remain undetected during code reviews, the deterministic build provides additional opportunities to introduce e.g., a backdoor. The impact of such a successful attack would be serious since the actual trust model is exploited. In this paper, the problem of crafting such hidden code that is difficult to detect, both during code reviews of the source code as well as static analysis of the binary executable is addressed. It is shown that the displacement and immediate fields of an instruction can be used to embed hidden code directly from the C programming language.}},
  author       = {{Jämthagen, Christopher and Lantz, Patrik and Hell, Martin}},
  booktitle    = {{Computer Safety, Reliability, and Security : 35th International Conference, SAFECOMP 2016, Trondheim, Norway, September 21-23, 2016, Proceedings}},
  editor       = {{Skavhaug, Amund and Guiochet, Jérémie and Bitsch, Friedemann}},
  isbn         = {{978-3-319-45476-4}},
  issn         = {{0302-9743}},
  language     = {{eng}},
  month        = {{09}},
  pages        = {{238--249}},
  publisher    = {{Springer}},
  series       = {{Lecture notes in computer science}},
  title        = {{Exploiting Trust in Deterministic Builds}},
  url          = {{http://dx.doi.org/10.1007/978-3-319-45477-1_19}},
  doi          = {{10.1007/978-3-319-45477-1_19}},
  volume       = {{9922}},
  year         = {{2016}},
}