Abhishek Arya
Apr 6 · 8 tweets · 3 min read
Thoughts on the xz backdoor. 1) Lack of a robust identity system on GitHub (except when there is a tie-in to an organization, which is slightly better). Anyone can create as many sock puppet accounts as they like to do code reviews, nudge maintainers to add someone malicious as a co-maintainer, etc. This is the same for both the most critical projects in critical infrastructure and a hobby experimental project.
2) Lack of tie-in of source to release artifacts. In xz, a malicious developer was able to modify release tarballs without anyone noticing (except test binaries). This could be solved if we had Sigstore-signed SLSA provenance everywhere, but realistically what can we do now? Maybe OSS-Fuzz and other test frameworks need to independently test release binaries, without any developer intervention (e.g. there was some tripping on valgrind and sanitizers in this case, which might not apply in other cases). Maybe we need capability analysis (e.g. with Capslock) that looks at capability differences between versions and trips on suspicious things.
3) The GOSST Upstream team had an interesting interaction with Jia Tan last year where we were trying to improve Scorecard scores for the project. The 2 PRs on Security Policy (#47) and Pinned Deps (#67) additions were successfully accepted (regular dev interactions, nothing suspicious). Jia Tan first allowed both options of email address and GitHub security advisories, but later silently changed it to email-only a few days before launching the attack. Could someone (or an AI commit monitoring pipeline) have found this kind of PR change suspicious?
4) Google had funded a manual security audit of xz-utils in 2023 with a vendor. The vendor didn’t spot anything suspicious and the only suggestions made were to improve fuzzing coverage. This just reinforces the fact that manual audits are hard (similar to finding a needle in a haystack). Jia Tan had a relieved response: “We are happy that no vulnerabilities were found!”
5) OpenSSF Scorecard is not designed for the use case of a malicious maintainer. In the early days, there were some attempts to create such a check, but it was unfeasible to do comprehensive developer reputation checking with GitHub token limits. We settled on creating a contributors check which relies on checking whether there were any contributors from companies/orgs (this could still be faked due to no validation of organizations). Should there be stronger validation of company or org identities? Still, this is a tough problem for small, transitive dependencies that are operated by a single independent maintainer who is losing interest in maintenance.
6) Should every binary artifact in an OSS repository be scanned (including PR uploads)? Could VirusTotal help find some obvious things?
7) There is quite a bit of Twitter activity on OSS sustainability and how funding could have solved this. In my interactions with folks in OpenSSF Alpha-Omega, the place where money has helped significantly is giving to OSS foundations (e.g. Rust, Python, etc.). This helped them hire their first dedicated security staff for triaging, add security features (e.g. Python trusted publishing, Rust-C/C++ interoperability, etc.), and so on. We still need to find a scalable way to fund projects (some simple marketplace that is natively part of GitHub/GitLab/etc.) and, more importantly, find contributors with hands on the keyboard (companies leveraging OSS, interested vendors, etc.).
8) What does developer reputation mean? Did Jia Tan make any mistakes that could have been used to spot his malicious behavior (project activity, PR descriptions matched against code diffs, user interactions, etc.)? This is a great area of research and we would love to collaborate here if you have ideas.
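The check point 2 asks for (does the release tarball actually match the tagged source tree?) can be done today without any provenance infrastructure: unpack the tarball, unpack `git archive` of the tag, and diff the two file sets. The script below is an added example, not code from the thread author, Google, or the xz project. It assumes autotools-style releases (so an allowlist of generated files such as `configure` and `Makefile.in` is expected on top of the git tree; adjust it per project) and uses a constructed sample tree instead of a real release. In real use the source side comes from `git archive --prefix=src/ --format=tar <tag>` so the same top-level-directory stripping applies to both sides.

```python
"""Compare a release tarball against the tagged git tree (added example)."""
import fnmatch
import hashlib
import io
import tarfile

# Files an autotools release legitimately adds on top of the git tree.
# Assumption: tune these globs to the project's own release process.
EXPECTED_GENERATED = ("configure", "Makefile.in", "*/Makefile.in",
                      "aclocal.m4", "config.h.in")


def tar_members(data: bytes) -> dict[str, bytes]:
    """Return {path: contents} for regular files in a tar (plain or gzip),
    with the leading top-level directory (e.g. proj-1.0/) stripped."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for member in tf:
            if not member.isfile():
                continue
            parts = member.name.split("/", 1)
            path = parts[1] if len(parts) == 2 else parts[0]
            fobj = tf.extractfile(member)
            out[path] = fobj.read() if fobj else b""
    return out


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_expected_generated(path: str) -> bool:
    return any(fnmatch.fnmatch(path, pat) for pat in EXPECTED_GENERATED)


def compare_release(release: dict[str, bytes],
                    source: dict[str, bytes]) -> dict[str, list[str]]:
    """Classify every path as 'modified' (in both, content differs),
    'generated' (tarball-only, on the allowlist), 'unexpected'
    (tarball-only, NOT on the allowlist: the case to look at first),
    or 'missing' (in the git tag but absent from the tarball)."""
    report = {"modified": [], "generated": [], "unexpected": [], "missing": []}
    for path, content in sorted(release.items()):
        if path in source:
            if sha256(content) != sha256(source[path]):
                report["modified"].append(path)
        elif is_expected_generated(path):
            report["generated"].append(path)
        else:
            report["unexpected"].append(path)
    for path in sorted(source):
        if path not in release:
            report["missing"].append(path)
    return report


def make_tar(files: dict[str, bytes], prefix: str, gz: bool) -> bytes:
    """Build an in-memory tar so the example runs offline."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz" if gz else "w") as tf:
        for name, content in files.items():
            info = tarfile.TarInfo(prefix + name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


# Constructed sample data (not any real project's tree): the git tag
# contents, and a tarball where one tracked file was altered and one
# untracked file was slipped in beside the expected generated `configure`.
GIT_TAG_FILES = {
    "configure.ac": b"AC_INIT([proj], [1.0])\n",
    "docs/README.md": b"# proj\n",
    "m4/helper.m4": b"dnl helper macro\n",
    "src/main.c": b"int main(void) { return 0; }\n",
}
RELEASE_FILES = {
    "configure.ac": GIT_TAG_FILES["configure.ac"],
    "m4/helper.m4": b"dnl helper macro\ndnl line present only in the tarball\n",
    "src/main.c": GIT_TAG_FILES["src/main.c"],
    "configure": b"#!/bin/sh\n# generated by autoconf\n",
    "m4/unexpected.m4": b"dnl no counterpart in git\n",
}


def demo() -> dict[str, list[str]]:
    release = tar_members(make_tar(RELEASE_FILES, "proj-1.0/", gz=True))
    # Real use: source = tar_members(subprocess.run(
    #     ["git", "archive", "--prefix=src/", "--format=tar", "v1.0"],
    #     capture_output=True, check=True).stdout)
    source = tar_members(make_tar(GIT_TAG_FILES, "src/", gz=False))
    return compare_release(release, source)


if __name__ == "__main__":
    for kind, paths in demo().items():
        for path in paths:
            print(f"{kind:10s} {path}")
```

The `unexpected` and `modified` buckets are the ones a release-gating job should fail on; `generated` paths are noise only while the allowlist is tight, and `missing` catches files the maintainer quietly dropped from the distribution (tests, docs, build scripts) between tag and tarball.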
