Supply Chain Anarchy – Trojaned Binaries in the Java Ecosystem

Presented at AppSec USA 2017, Sept. 22, 2017, 10:30 a.m. (45 minutes)

In 1984, Ken Thompson wrote, "You can't trust code that you did not totally create yourself. (Especially code from companies that employ people like me.)" [1] Yet modern software applications are 80% open source components.[2] The supply chain is total anarchy.   All this third-party code runs with the full privileges of the application, essentially granting full access to host, backend, datacenter, and possibly intranet. Obviously, if a popular component, like Log4j or Apache Commons, were trojaned, it would give an attacker a hall pass to most of the datacenters in the world. Much of our trust in open source components comes from the fact that the source is public and "given enough eyeballs, all bugs are shallow." [3] Unfortunately, in the Java ecosystem (and most other environments), there is literally no assurance that a given binary matches the source.   This talk reports on the results of a large-scale experiment to search the universe of Java libraries for malicious discrepancies between source code and binaries. We created an automated security pipeline that automatically matches repositories, builds code, performs a "security diff" of the bytecode instructions, and generates human-readable reports for analysis. Our "security diff" tool ignores inconsequential differences between compilers, flags, and versions, so that only truly different code gets flagged. The experiment is currently underway and hundreds of libraries have been analyzed.   Of course, source-to-binary traceability is not everything, a malicious developer could hide attacks in the source code [4]. A crafty malicious developer would intentionally introduce vulnerabilities that look like accidents to establish some plausible deniability. So, given the trust that these libraries have been granted, and the potential attractiveness to an attacker (particularly nation-sponsored or financially motivated hackers), we absolutely have to know if public source code matches the binaries we blindly trust.

Presenters:

• Jeff Williams - CTO - Contrast Security
  Jeff Williams is a co-founder and CTO of Contrast Security, the world's first unified application vulnerability assessment *and* attack protection platform. Jeff has over 20 years experience in security leadership roles, including the first Global Chairman of the OWASP Foundation where he created many open-source standards, tools, libraries, and guidelines - including the OWASP Top Ten, WebGoat, ESAPI, XSS CheatSheet, ASVS and more. Jeff welcomes hearing from you and may be reached directly at jeff.williams@contrastsecurity.com.

Links:

• https://appsecusa2017.sched.com/event/B2Xi/supply-chain-anarchy-trojaned-binaries-in-the-java-ecosystem
• https://infocon.org/cons/OWASP/AppSecUSA 2017/Supply Chain Anarchy - Trojaned Binaries in the Java Ecosystem.mp4
• https://www.youtube.com/watch?v=T3EtMR6PpSk

Similar Presentations:

• REcon 2023 / Reversing NIM binaries: the easy way
• ShellCon 2021 Virtual / Signed, Sealed, Delivered: Abusing Trust in Software Supply Chain Attacks
• DEF CON 24 (2016) / Developing Managed Code Rootkits for the Java Runtime Environment