Deep Dive into XZ Utils Backdoor - Columbia Engineering, Advanced Systems Programming Guest Lecture

Denzel Farmer

2 months ago

16,939 views

On March 29th, a developer from Microsoft published that he had discovered a backdoor built into XZ Utils, a compression package included with nearly every major Linux distribution. Had it gone unnoticed, this backdoor could have provided its authors with root-level access to millions of servers across the internet. Interestingly, the core mechanism the backdoor uses to compromise host machines is something we just finished studying: dynamic linking and loading of ELF objects. This lecture will explore implementation details of the XZ Utils backdoor and describe the novel multi-year effort to put it in place, along with its consequences for the larger world of open source software development.

This is a recording of a guest lecture presented to the W4995 Advanced Systems Programming class at Columbia University.

00:00 - Intro
02:09 - Background on Open Source Development
05:47 - Backdoor Timeline
19:31 - How the Payload Works
48:46 - Reverse Engineering the Payload
57:56 - Live Demo
1:01:35 - Attribution
1:05:37 - Larger Implications