Overview
Dive into a DEF CON 32 conference talk exploring the dramatic discovery and investigation of a critical backdoor in the XZ/liblzma library that threatened SSH servers worldwide. Follow the timeline from the initial alert by Microsoft engineer Andres Freund to OSS security, through the unraveling of a complex undercover operation involving a mysterious maintainer named Jia Tan. Learn about the technical intricacies of how the backdoor was implemented and could be exploited, the coincidental nature of its discovery, and the methodical process of how trust was gained within the project. Examine the broader implications for open-source security, including crucial lessons learned and potential improvements for preventing similar incidents in the future. Uncover the complete story behind this significant security incident that put the entire internet at risk and the fortunate circumstances that helped avoid a potentially devastating outcome.
Syllabus
On Fri, 29 Mar 2024, at exactly , OSS security received a message from Andres Freund, a software engineer at Microsoft, stating that he had discovered a backdoor in upstream xz/liblzma that could compromise SSH servers. The open-source project XZ, specifically the liblzma library, had been compromised by a mysterious maintainer named Jia Tan, putting the entire internet at risk. Fortunately, this discovery helped us avoid the worst.
Taught by
DEFCONConference