Exploiting Trust in Deterministic Builds
(2016) In Lecture notes in computer science 9922. p.238-249- Abstract
- Deterministic builds, where the compile and build processes are reproducible, can be used to achieve increased trust in distributed binaries. As the trust can be distributed across a set of builders, where all provide their own signature of a byte-to-byte identical binary, all have to cooperate in order to introduce unwanted code in the binary. On the other hand, if an attacker manages to incorporate malicious code in the source, and make this remain undetected during code reviews, the deterministic build provides additional opportunities to introduce e.g., a backdoor. The impact of such a successful attack would be serious since the actual trust model is exploited. In this paper, the problem of crafting such hidden code that is difficult... (More)
- Deterministic builds, where the compile and build processes are reproducible, can be used to achieve increased trust in distributed binaries. As the trust can be distributed across a set of builders, where all provide their own signature of a byte-to-byte identical binary, all have to cooperate in order to introduce unwanted code in the binary. On the other hand, if an attacker manages to incorporate malicious code in the source, and make this remain undetected during code reviews, the deterministic build provides additional opportunities to introduce e.g., a backdoor. The impact of such a successful attack would be serious since the actual trust model is exploited. In this paper, the problem of crafting such hidden code that is difficult to detect, both during code reviews of the source code as well as static analysis of the binary executable is addressed. It is shown that the displacement and immediate fields of an instruction can be used the embed hidden code directly from the C programming language. (Less)
Please use this url to cite or link to this publication:
https://lup.lub.lu.se/record/b6c12b98-2a09-45ec-96d6-f9ce8b2f2dbf
- author
- Jämthagen, Christopher LU ; Lantz, Patrik LU and Hell, Martin LU
- organization
- publishing date
- 2016-09-04
- type
- Chapter in Book/Report/Conference proceeding
- publication status
- published
- subject
- host publication
- Computer Safety, Reliability, and Security : 35th International Conference, SAFECOMP 2016, Trondheim, Norway, September 21-23, 2016, Proceedings - 35th International Conference, SAFECOMP 2016, Trondheim, Norway, September 21-23, 2016, Proceedings
- series title
- Lecture notes in computer science
- editor
- Skavhaug, Amund ; Guiochet, Jérémie and Bitsch, Friedemann
- volume
- 9922
- pages
- 12 pages
- publisher
- Springer
- external identifiers
-
- scopus:84988614154
- ISSN
- 0302-9743
- ISBN
- 978-3-319-45477-1
- 978-3-319-45476-4
- DOI
- 10.1007/978-3-319-45477-1_19
- language
- English
- LU publication?
- yes
- id
- b6c12b98-2a09-45ec-96d6-f9ce8b2f2dbf
- date added to LUP
- 2016-09-19 18:23:26
- date last changed
- 2024-04-19 08:47:38
@inproceedings{b6c12b98-2a09-45ec-96d6-f9ce8b2f2dbf, abstract = {{Deterministic builds, where the compile and build processes are reproducible, can be used to achieve increased trust in distributed binaries. As the trust can be distributed across a set of builders, where all provide their own signature of a byte-to-byte identical binary, all have to cooperate in order to introduce unwanted code in the binary. On the other hand, if an attacker manages to incorporate malicious code in the source, and make this remain undetected during code reviews, the deterministic build provides additional opportunities to introduce e.g., a backdoor. The impact of such a successful attack would be serious since the actual trust model is exploited. In this paper, the problem of crafting such hidden code that is difficult to detect, both during code reviews of the source code as well as static analysis of the binary executable is addressed. It is shown that the displacement and immediate fields of an instruction can be used the embed hidden code directly from the C programming language.}}, author = {{Jämthagen, Christopher and Lantz, Patrik and Hell, Martin}}, booktitle = {{Computer Safety, Reliability, and Security : 35th International Conference, SAFECOMP 2016, Trondheim, Norway, September 21-23, 2016, Proceedings}}, editor = {{Skavhaug, Amund and Guiochet, Jérémie and Bitsch, Friedemann}}, isbn = {{978-3-319-45477-1}}, issn = {{0302-9743}}, language = {{eng}}, month = {{09}}, pages = {{238--249}}, publisher = {{Springer}}, series = {{Lecture notes in computer science}}, title = {{Exploiting Trust in Deterministic Builds}}, url = {{http://dx.doi.org/10.1007/978-3-319-45477-1_19}}, doi = {{10.1007/978-3-319-45477-1_19}}, volume = {{9922}}, year = {{2016}}, }