commit: b7d6d7ff0ea496968cd92eb49d8655df06839f6a
parent 36b14df2253e4e0a7e541845750663a427adaa0b
Author: Haelwenn (lanodan) Monnier <contact@hacktivis.me>
Date: Fri, 3 Oct 2025 09:17:36 +0200
notes/bootstrapping: create a devtools-backdoors section
Diffstat:
1 file changed, 32 insertions(+), 4 deletions(-)
diff --git a/notes/bootstrapping.shtml b/notes/bootstrapping.shtml
@@ -13,14 +13,11 @@
<li><a href="https://bootstrapping.miraheze.org/wiki/Main_Page">bootstrapping wiki</a></li>
<li><a href="https://dwheeler.com/trusting-trust/">David A. Wheeler’s Page on Fully Countering Trusting Trust through Diverse Double-Compiling (DDC) - Countering Trojan Horse attacks on Compilers</a> (Note: Requires trustworthy bootstrap compiler(s) as starting point)</li>
<li><a href="https://www.quora.com/What-is-a-coders-worst-nightmare/answer/Mick-Stute?srid=tQ46&share=1">Mike Stute's answer to What is a coder's worst nightmare?</a></li>
- <li><a href="https://research.swtch.com/nih">research!rsc: Running the “Reflections on Trusting Trust” Compiler</a>: This notably contains the code that Ken Thomspon used together with explainations</li>
</ul>
<h2>Reasons</h2>
<dl>
<dt>Security</dt>
- <dd>See <a href="https://niconiconi.neocities.org/posts/ken-thompson-really-did-launch-his-trusting-trust-trojan-attack-in-real-life/">Ken Thompson Really Did Launch His "Trusting Trust" Trojan Attack in Real Life</a>.
- And <a href="https://manishearth.github.io/blog/2016/12/02/reflections-on-rusting-trust/">Reflections on Rusting Trust</a>: Proof of Concept, backdooring The One True Rust Compiler.
- </dd>
+ <dd>See the "<a href="#devtools-backdoors">Backdoors inserted into dev tools</a>" section</dd>
<dt>Portability</dt>
<dd>Binary executables have much higher <a href="https://en.wikipedia.org/wiki/Software_rot">bitrot</a> than source code and keeping obsolete binary interfaces often means keeping known security issues.</dd>
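Review bot: The replacement Security `<dd>` ("See the ... section") leaves that entry of the Reasons list without any stated reason, unlike the Portability entry right below it, which gives its rationale in a sentence. Consider keeping a one-sentence summary ahead of the cross-reference so the entry still reads on its own. Note also that the `#devtools-backdoors` target is only defined in the second hunk of this commit, so the two hunks have to land together for the link to resolve.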
@@ -32,6 +29,37 @@
<dd>One of <a href="https://reproducible-builds.org/">reproducibility</a>'s effect is allowing to audit source code instead of binaries, but said source code needs to be actually used.</dd>
</dl>
+ <h2 id="devtools-backdoors">Backdoors inserted into dev tools</h2>
+ <p>This is by no means an exhaustive list, mostly because it happens way too regularly on npm.</p>
+
+ <h3>Ken Thompson “Reflections on Trusting Trust” Compiler</h3>
+ <p>In Chronological order:</p>
+ <ol>
+ <li>1983-10: <a href="https://dl.acm.org/doi/10.1145/358198.358210">Reflections on Trusting Trust, Ken Thompson</a></li>
+ <li>2022-07-27: <a href="https://niconiconi.neocities.org/posts/ken-thompson-really-did-launch-his-trusting-trust-trojan-attack-in-real-life/">Ken Thompson Really Did Launch His "Trusting Trust" Trojan Attack in Real Life</a></li>
+ <li>2023-03-12: <a href="https://www.youtube.com/live/kaandEt_pKw?t=3284">Q&A section after Ken Thompson talk on keeping his music collection</a> (<a href="https://www.socallinuxexpo.org/scale/20x/presentations/keynote-ken-thompson">Talk page</a>)</li>
+ <li>2023-10-25: <a href="https://research.swtch.com/nih">research!rsc: Running the “Reflections on Trusting Trust” Compiler</a>: This notably contains the code that Ken Thomspon used together with explainations</li>
+ </ol>
+
+ <h3>CVE-2024-3094: Jia Tan backdoor in xz-utils</h3>
+ <p>
+ This one is noteworthy for primarily being an insertion of a payload
+ into a <code>./configure</code> script generated by autotools rather
+ than a binary; being a near-successful attack on OpenSSH when patched
+ to link with systemd-journald; having been detected pretty much
+ by a combination of sheer curiosity and lucky pre-existing benchmark.
+ </p>
+ <ol>
+ <li><a href="https://www.openwall.com/lists/oss-security/2024/03/29/4">Discovery by Andres Freund</a></li>
+ <li><a href="https://tukaani.org/xz-backdoor/">https://tukaani.org/xz-backdoor/</a></li>
+ <li><a href="https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27">Detailed FAQ on the xz-utils backdoor</a> by Sam James</li>
+ </ol>
+
+ <h3>Proof of Concepts</h3>
+ <ul>
+ <li><a href="https://manishearth.github.io/blog/2016/12/02/reflections-on-rusting-trust/">Reflections on Rusting Trust</a>: Backdooring The One True Rust Compiler.</li>
+ </ul>
+
<h2 id="tools">Tools</h2>
<dl>
<dt><a href="https://hacktivis.me/projects/deblob">deblob</a></dt>
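Review bot: The 2023-10-25 list item carries over "Thomspon" and "explainations" unchanged from the line removed in the first hunk; since the line is being moved anyway, this is the place to fix them to "Thompson" and "explanations". In the same hunk, "In Chronological order" has a stray capital, the heading "Proof of Concepts" would normally be "Proofs of Concept", and the last clause of the xz paragraph is missing an article ("a lucky pre-existing benchmark"). The second item of the xz list uses the bare URL as its link text while its neighbours have descriptive titles; giving it one would keep the list consistent.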