Supply Chain Anarchy - Trojaned Binaries in the Java Ecosystem - AppSecUSA 2017



In 1984, Ken Thompson wrote, “You can't trust code that you did not totally create yourself. (Especially code from companies that employ people like me.)” [1] Yet modern software applications are roughly 80% open source components. [2] The supply chain is total anarchy.




All this third-party code runs with the full privileges of the application, which in practice means full access to the host, the backend, the datacenter, and possibly the intranet. If a popular component such as Log4j or Apache Commons were trojaned, it would give an attacker a hall pass to most of the datacenters in the world. Much of our trust in open source components rests on the fact that the source is public and “given enough eyeballs, all bugs are shallow.” [3] Unfortunately, in the Java ecosystem (and most other environments), there is literally no assurance that a given binary matches the source: a PGP signature on a Maven Central artifact proves who uploaded it, not that it was compiled from the published source, and typical Java builds are not byte-for-byte reproducible, so the published jar cannot simply be checksummed against a fresh build.




This talk reports on the results of a large-scale experiment to search the universe of Java libraries for malicious discrepancies between source code and binaries. We created an automated security pipeline that matches published artifacts to their source repositories, builds the code, performs a “security diff” of the bytecode instructions, and generates human-readable reports for analysis. The “security diff” tool ignores inconsequential differences between compilers, flags, and versions (constant-pool numbering, instruction widths, debug metadata), so that only truly different code gets flagged. The experiment is currently underway and hundreds of libraries have been analyzed.
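The “security diff” step described above, as an added example that is not the talk's pipeline or Contrast's tooling: it takes `javap -c -p` disassembly of one class as built from the tagged source and of the same class pulled from the published jar, normalizes away constant-pool indices, instruction offsets and `ldc`/`ldc_w` width choices, and reports only the methods that still differ or that exist in one build only. The two inputs below are constructed samples in `javap` format (the class name `com.example.Handler` and the injected `beacon` method are invented for the illustration), not real Maven Central output.

```python
"""Minimal "security diff" over javap disassembly of two builds of one class.

Added example for this page, not the pipeline from the talk. Assumes you have
already produced `javap -c -p` text for both builds; the samples below are
constructed, not real Maven Central output.
"""
import difflib
import re

# A member header is indented exactly two spaces and ends with ';'.
MEMBER_RE = re.compile(r"^ {2}(?P<sig>\S.*);\s*$")
# An instruction: offset, mnemonic, raw operand, optional "// symbolic" comment.
INSN_RE = re.compile(
    r"^\s*\d+:\s+(?P<op>\w+)\s*(?P<operand>[^/]*?)\s*(?://\s*(?P<sym>.*\S))?\s*$"
)
# Width-only opcode variants a different javac may pick for the same source.
WIDTH_VARIANTS = {"ldc_w": "ldc", "goto_w": "goto", "jsr_w": "jsr"}


def normalize(op, operand, sym):
    """Keep the mnemonic plus the symbolic reference javap prints after '//',
    so '#12'-style constant-pool indices and the instruction offset (already
    excluded by the regex) cannot cause noise. Branch targets are kept: they
    shift when instruction widths change, which is benign noise to tune later."""
    op = WIDTH_VARIANTS.get(op, op)
    return f"{op} {sym if sym else operand}".strip()


def parse_javap(text):
    """Map each member that has a Code block to its normalized instructions.
    Fields and abstract methods have no Code and are dropped."""
    methods, current = {}, None
    for line in text.splitlines():
        m = MEMBER_RE.match(line)
        if m:
            current = m.group("sig").strip()
            methods[current] = []
            continue
        i = INSN_RE.match(line)
        if i and current is not None:
            methods[current].append(normalize(i["op"], i["operand"], i["sym"]))
    return {sig: insns for sig, insns in methods.items() if insns}


def security_diff(source_build, published_binary):
    """Return only what survives normalization: methods unique to one side,
    and a unified diff of normalized instructions for methods that changed."""
    a, b = parse_javap(source_build), parse_javap(published_binary)
    report = {"only_in_source": sorted(a.keys() - b.keys()),
              "only_in_binary": sorted(b.keys() - a.keys()),
              "changed": {}}
    for sig in sorted(a.keys() & b.keys()):
        if a[sig] != b[sig]:
            report["changed"][sig] = list(difflib.unified_diff(
                a[sig], b[sig], "source-build", "published-binary", lineterm="", n=1))
    return report


# Constructed sample: class built from the tagged source.
SOURCE_BUILD = """\
Compiled from "Handler.java"
public class com.example.Handler {
  private static final java.lang.String TAG;
  public com.example.Handler();
    Code:
       0: aload_0
       1: invokespecial #1                  // Method java/lang/Object."<init>":()V
       4: return
  public java.lang.String handle(java.lang.String);
    Code:
       0: aload_1
       1: invokevirtual #2                  // Method java/lang/String.trim:()Ljava/lang/String;
       4: areturn
  static {};
    Code:
       0: ldc           #3                  // String handler
       2: putstatic     #4                  // Field TAG:Ljava/lang/String;
       5: return
}
"""

# Constructed sample: the "published" jar. Constant-pool indices and ldc width
# differ (benign); handle() gained a call to an injected beacon() method.
PUBLISHED_BINARY = """\
Compiled from "Handler.java"
public class com.example.Handler {
  private static final java.lang.String TAG;
  public com.example.Handler();
    Code:
       0: aload_0
       1: invokespecial #5                  // Method java/lang/Object."<init>":()V
       4: return
  public java.lang.String handle(java.lang.String);
    Code:
       0: aload_1
       1: invokestatic  #6                  // Method com/example/Handler.beacon:(Ljava/lang/String;)V
       4: aload_1
       5: invokevirtual #7                  // Method java/lang/String.trim:()Ljava/lang/String;
       8: areturn
  private static void beacon(java.lang.String);
    Code:
       0: getstatic     #8                  // Field java/lang/System.out:Ljava/io/PrintStream;
       3: aload_0
       4: invokevirtual #9                  // Method java/io/PrintStream.println:(Ljava/lang/String;)V
       7: return
  static {};
    Code:
       0: ldc_w         #12                 // String handler
       3: putstatic     #13                 // Field TAG:Ljava/lang/String;
       6: return
}
"""

if __name__ == "__main__":
    r = security_diff(SOURCE_BUILD, PUBLISHED_BINARY)
    print("methods only in published binary:", r["only_in_binary"])
    for sig, diff in r["changed"].items():
        print(f"\n== {sig}\n" + "\n".join(diff))
```

Run against real input by piping `javap -c -p` output for each build into the two arguments; the constructor and static initializer, which differ only in constant-pool numbering and `ldc` width, are silent, while the extra `invokestatic` in `handle` and the new `beacon` method are reported. A production version would also normalize branch targets and ignore debug attributes such as `LineNumberTable`, which `javap -l` would otherwise print.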




Of course, source-to-binary traceability is not everything: a malicious developer could hide attacks in the source code itself [4]. A crafty malicious developer would intentionally introduce vulnerabilities that look like accidents, to establish some plausible deniability. Still, given the trust these libraries have been granted, and their attractiveness to an attacker (particularly state-sponsored or financially motivated hackers), we absolutely have to know whether the public source code matches the binaries we blindly trust.




Jeff Williams
CTO, Contrast Security
Jeff Williams is a co-founder and CTO of Contrast Security, the world's first unified application vulnerability assessment *and* attack protection platform. Jeff has over 20 years' experience in security leadership roles, including serving as the first Global Chairman of the OWASP Foundation.



Managed by the official OWASP Media Project https://www.owasp.org/index.php/OWASP...

Posted February 09, 2018.