help3007 articles all ANNOUNCEMENTS recent articles
login to post a new article
tagged articles (144 / 199) the unit in general (6) software security in the news (1) lectures (5) labs (22) project (78) final exam (17) tests and quizzes (9) trivia (3) the C language (3)
help3007 topics from today and yesterday from the past week from the past two weeks ALL topics, most recent first
  login
chapter0 unitinfo research projects
csforum csse-feedback csbreakdown cssubmit csmarks
2nd semester help fora Algebra Advanced Algorithms Cloud Computing High Performance Computing Intelligent Agents Professional Computing Relational Database Management Systems Systems Programming
  It's UWAweek 47

help3007

This forum is provided to promote discussion amongst students enrolled in CITS3007 Secure Coding. If posting a question, it's suggested you check first whether your question is answered in the unit Frequently Asked Questions (FAQ) list, and use the search box (on the right) to see if an answer to your question has already been posted.

Please consider offering answers and suggestions to help other students! And if you fix a problem by following a suggestion here, it would be great if other interested students could see a short "Great, fixed it!"  followup message.

Note that any posts must comply with the UWA Code of Conduct and the UWA Academic Conduct Policy. That means you should (a) treat everyone with respect and courtesy, and (b) not post your solutions to an assessment that's in progress.

If asking a programming question, it's recommended you read How do I ask a good question? If reporting or troubleshooting a bug in software used in the unit, it's recommend you read How to report bugs effectively.
Displaying selected article
Showing 1 of 170 articles.
Currently 29 other people reading this forum.
 UWA week 14 (1st semester, non-teaching week) ↓
SVG not supported

Login to reply

👍?
helpful
5:34pm Wed 3rd Apr, Arran S.

Hi all,

Over the Easter weekend, malicious code (CVE-2024-3094) was discovered in the popular XZ Utils compression package which created a backdoor into affected Linux systems.

The incident has been very widely reported in technical and security news media (though not at all, so far as I can tell, by mainstream news sites) – one of the best introductory articles is this one from Ars Technica.

Despite the vulnerability being in libraries from the XZ Utils package, it created a backdoor in the SSH service. How is this possible?

In brief: a memory bug in a library used by an executable can introduce vulnerabilities in the executable itself – and on affected Linux systems, sshd is patched so that it indirectly relies on XZ Utils.

In a bit more detail: We know that when a request is made to run a binary executable, the OS looks in the on-disk executable for a text segment to be loaded into memory. Executables can be either statically linked (every machine instruction needed is contained in the executable itself) or dynamically linked (at runtime, shared libraries used by the program will be looked for on disk).[1] If the program is dynamically linked, then a memory vulnerability in a single library can affect the whole program. Every bit of executable code is considered "equal", in the sense that any instruction can read or write to any bit of the heap or stack.
Now, the original source code for SSH doesn't rely on XZ Utils. But many distributions of Linux customize the SSH source code when incorporating it, and alter it to make use of a shared library for Systemd, which in turn makes use of XZ Utils.

So, it pays to be cautious when adding a dependency on a library – even if your code is completely bug-free, a bug in a dependency can introduce vulnerabilities. Some libraries relied on by many modern systems are maintained by just one person (see this XKCD comic), and if that one person's code is compromised (either because they are hacked or tricked, or because they are themselves untrustworthy), that can cause problems for all the systems that rely on them.

xkcd comic image

In this case, XZ Utils is maintained by just two people, of whom one has been in poor health, and the other is apparently untrustworthy.

Could you be affected? It's possible -- the compromised versions of XZ utils are 5.6.0 (released on 24 February) and 5.6.1 (released on 9 March), so if you are running Linux, it might be worth checking what version XZ Utils you are running. If you are using Ubuntu, however, you're unlikely to be affected. The most current release of Ubuntu (23.10) only uses XZ utils version 5.4. You'd have to be using daily builds from the as-yet-unreleased version 24.04 to be affected. (You could also be affected if you're running Brew on the Mac OS -- see here.)

You can find more discussion of the vulnerability and its implications for system security on Hacker News, Reddit, and many other online fora as well as individual blog posts. You might also find interesting some older discussions of backdoors that have been discovered in free or open source software over the years.

Cheers,

Arran

 

[1]: On Linux, you can see what libraries are being used by a running program by looking at the file /proc/*somepid*/maps, where somepid is the process ID of a running program -- the contents is documented in man proc (search for /proc/[pid]/maps in the man page).
    Running cat /proc/$$/maps will show you the libraries being used by your shell (usually Bash) -- $$ is a shell variable that expands to the process ID of the shell itself.

The University of Western Australia

Computer Science and Software Engineering

CRICOS Code: 00126G 		Written by [email protected]
Powered by history
Feedback always welcome - it makes our software better!
Last modified  8:08AM Aug 25 2024
Privacy policy