Advanced

Exploiting Trust in Deterministic Builds

Jämthagen, Christopher LU ; Lantz, Patrik LU and Hell, Martin LU (2016) In Lecture notes in computer science 9922. p.238-249
Abstract
Deterministic builds, where the compile and build processes are reproducible, can be used to achieve increased trust in distributed binaries. As the trust can be distributed across a set of builders, where all provide their own signature of a byte-to-byte identical binary, all have to cooperate in order to introduce unwanted code in the binary. On the other hand, if an attacker manages to incorporate malicious code in the source, and make this remain undetected during code reviews, the deterministic build provides additional opportunities to introduce e.g., a backdoor. The impact of such a successful attack would be serious since the actual trust model is exploited. In this paper, the problem of crafting such hidden code that is difficult... (More)
Deterministic builds, where the compile and build processes are reproducible, can be used to achieve increased trust in distributed binaries. As the trust can be distributed across a set of builders, where all provide their own signature of a byte-to-byte identical binary, all have to cooperate in order to introduce unwanted code in the binary. On the other hand, if an attacker manages to incorporate malicious code in the source, and make this remain undetected during code reviews, the deterministic build provides additional opportunities to introduce e.g., a backdoor. The impact of such a successful attack would be serious since the actual trust model is exploited. In this paper, the problem of crafting such hidden code that is difficult to detect, both during code reviews of the source code as well as static analysis of the binary executable is addressed. It is shown that the displacement and immediate fields of an instruction can be used the embed hidden code directly from the C programming language. (Less)
Please use this url to cite or link to this publication:
author
organization
publishing date
type
Chapter in Book/Report/Conference proceeding
publication status
published
subject
in
Lecture notes in computer science
editor
Skavhaug, Amund ; Guiochet , Jérémie; Bitsch, Friedemann ; ; and
volume
9922
pages
12 pages
publisher
Springer
external identifiers
  • scopus:84988614154
ISSN
0302-9743
ISBN
978-3-319-45476-4
DOI
10.1007/978-3-319-45477-1_19
language
English
LU publication?
yes
id
b6c12b98-2a09-45ec-96d6-f9ce8b2f2dbf
date added to LUP
2016-09-19 18:23:26
date last changed
2017-02-16 11:16:39
@inproceedings{b6c12b98-2a09-45ec-96d6-f9ce8b2f2dbf,
  abstract     = {Deterministic builds, where the compile and build processes are reproducible, can be used to achieve increased trust in distributed binaries. As the trust can be distributed across a set of builders, where all provide their own signature of a byte-to-byte identical binary, all have to cooperate in order to introduce unwanted code in the binary. On the other hand, if an attacker manages to incorporate malicious code in the source, and make this remain undetected during code reviews, the deterministic build provides additional opportunities to introduce e.g., a backdoor. The impact of such a successful attack would be serious since the actual trust model is exploited. In this paper, the problem of crafting such hidden code that is difficult to detect, both during code reviews of the source code as well as static analysis of the binary executable is addressed. It is shown that the displacement and immediate fields of an instruction can be used the embed hidden code directly from the C programming language.},
  author       = {Jämthagen, Christopher and Lantz, Patrik and Hell, Martin},
  booktitle    = {Lecture notes in computer science},
  editor       = {Skavhaug, Amund  and Guiochet , Jérémie and Bitsch, Friedemann },
  isbn         = {978-3-319-45476-4},
  issn         = {0302-9743},
  language     = {eng},
  month        = {09},
  pages        = {238--249},
  publisher    = {Springer},
  title        = {Exploiting Trust in Deterministic Builds},
  url          = {http://dx.doi.org/10.1007/978-3-319-45477-1_19},
  volume       = {9922},
  year         = {2016},
}