notes/bootstrapping: create a devtools-backdoors section - blog

commit: b7d6d7ff0ea496968cd92eb49d8655df06839f6a
parent 36b14df2253e4e0a7e541845750663a427adaa0b
Author: Haelwenn (lanodan) Monnier <contact@hacktivis.me>
Date:   Fri,  3 Oct 2025 09:17:36 +0200

notes/bootstrapping: create a devtools-backdoors section

Diffstat:
M notes/bootstrapping.shtml 36 ++++++++++++++++++++++++++++++++----

1 file changed, 32 insertions(+), 4 deletions(-)
diff --git a/notes/bootstrapping.shtml b/notes/bootstrapping.shtml
@@ -13,14 +13,11 @@
 				<li><a href="https://bootstrapping.miraheze.org/wiki/Main_Page">bootstrapping wiki</a></li>
 				<li><a href="https://dwheeler.com/trusting-trust/">David A. Wheeler’s Page on Fully Countering Trusting Trust through Diverse Double-Compiling (DDC) - Countering Trojan Horse attacks on Compilers</a> (Note: Requires trustworthy bootstrap compiler(s) as starting point)</li>
 				<li><a href="https://www.quora.com/What-is-a-coders-worst-nightmare/answer/Mick-Stute?srid=tQ46&amp;share=1">Mike Stute's answer to What is a coder's worst nightmare?</a></li>
-				<li><a href="https://research.swtch.com/nih">research!rsc: Running the “Reflections on Trusting Trust” Compiler</a>: This notably contains the code that Ken Thomspon used together with explainations</li>
 			</ul>
 			<h2>Reasons</h2>
 			<dl>
 				<dt>Security</dt>
-				<dd>See <a href="https://niconiconi.neocities.org/posts/ken-thompson-really-did-launch-his-trusting-trust-trojan-attack-in-real-life/">Ken Thompson Really Did Launch His "Trusting Trust" Trojan Attack in Real Life</a>.
-					And <a href="https://manishearth.github.io/blog/2016/12/02/reflections-on-rusting-trust/">Reflections on Rusting Trust</a>: Proof of Concept, backdooring The One True Rust Compiler.
-				</dd>
+				<dd>See the "<a href="#devtools-backdoors">Backdoors inserted into dev tools</a>" section</dd>
 
 				<dt>Portability</dt>
 				<dd>Binary executables have much higher <a href="https://en.wikipedia.org/wiki/Software_rot">bitrot</a> than source code and keeping obsolete binary interfaces often means keeping known security issues.</dd>
@@ -32,6 +29,37 @@
 				<dd>One of <a href="https://reproducible-builds.org/">reproducibility</a>'s effect is allowing to audit source code instead of binaries, but said source code needs to be actually used.</dd>
 			</dl>
 
+			<h2 id="devtools-backdoors">Backdoors inserted into dev tools</h2>
+			<p>This is by no means an exhaustive list, mostly because it happens way too regularly on npm.</p>
+
+			<h3>Ken Thompson “Reflections on Trusting Trust” Compiler</h3>
+			<p>In Chronological order:</p>
+			<ol>
+				<li>1983-10: <a href="https://dl.acm.org/doi/10.1145/358198.358210">Reflections on Trusting Trust, Ken Thompson</a></li>
+				<li>2022-07-27: <a href="https://niconiconi.neocities.org/posts/ken-thompson-really-did-launch-his-trusting-trust-trojan-attack-in-real-life/">Ken Thompson Really Did Launch His "Trusting Trust" Trojan Attack in Real Life</a></li>
+				<li>2023-03-12: <a href="https://www.youtube.com/live/kaandEt_pKw?t=3284">Q&A section after Ken Thompson talk on keeping his music collection</a> (<a href="https://www.socallinuxexpo.org/scale/20x/presentations/keynote-ken-thompson">Talk page</a>)</li>
+				<li>2023-10-25: <a href="https://research.swtch.com/nih">research!rsc: Running the “Reflections on Trusting Trust” Compiler</a>: This notably contains the code that Ken Thomspon used together with explainations</li>
+			</ol>
+
+			<h3>CVE-2024-3094: Jia Tan backdoor in xz-utils</h3>
+			<p>
+				This one is noteworthy for primarily being an insertion of a payload
+				into a <code>./configure</code> script generated by autotools rather
+				than a binary; being a near-successful attack on OpenSSH when patched
+				to link with systemd-journald; having been detected pretty much
+				by a combination of sheer curiosity and lucky pre-existing benchmark.
+			</p>
+			<ol>
+				<li><a href="https://www.openwall.com/lists/oss-security/2024/03/29/4">Discovery by Andres Freund</a></li>
+				<li><a href="https://tukaani.org/xz-backdoor/">https://tukaani.org/xz-backdoor/</a></li>
+				<li><a href="https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27">Detailed FAQ on the xz-utils backdoor</a> by Sam James</li>
+			</ol>
+
+			<h3>Proof of Concepts</h3>
+			<ul>
+				<li><a href="https://manishearth.github.io/blog/2016/12/02/reflections-on-rusting-trust/">Reflections on Rusting Trust</a>: Backdooring The One True Rust Compiler.</li>
+			</ul>
+
 			<h2 id="tools">Tools</h2>
 			<dl>
 				<dt><a href="https://hacktivis.me/projects/deblob">deblob</a></dt>