Diffstat (limited to 'incident-response-xz.tex')
-rw-r--r--incident-response-xz.tex64
1 files changed, 39 insertions, 25 deletions
diff --git a/incident-response-xz.tex b/incident-response-xz.tex
index e3b474a..40ea47c 100644
--- a/incident-response-xz.tex
+++ b/incident-response-xz.tex
@@ -1,7 +1,6 @@
%% SPDX-License-Identifier: CC0-1.0
%%
%% Copyright (C) 2024 W. Kosior <koszko@koszko.org>
-
\documentclass{beamer}
\usetheme{Rochester}
\usecolortheme{seagull}
@@ -15,7 +14,8 @@
\usepackage{soul}
\setbeamertemplate{navigation symbols}{}
-\setbeameroption{show notes}
+%\setbeameroption{show notes}
+\setbeameroption{show only notes}
\newenvironment{prettyitemize}{%
\begin{itemize}
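Review bot: The disabled lines are commented out rather than removed or switched, here `%\setbeameroption{show notes}` next to the new `show only notes`, and the same pattern is used for the `\meme` definition, the centered meme block, both `\memeframe` calls and the Awesome emoji attribution in the later hunks of this commit. Version control already keeps the history, so the meme material can simply be deleted, and the two beamer options are better expressed as one build-time switch, e.g. `\newif\ifnotesonly` followed by `\ifnotesonly\setbeameroption{show only notes}\else\setbeameroption{show notes}\fi`, so the deck compiles either way without editing the source. That also keeps the slide variant reachable for the `\note{}` blocks this commit moves text into, which are only visible under one of the two options.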
@@ -24,9 +24,9 @@
\end{itemize}
}
-\newcommand{\meme}[1]{%
- \href{#1}{Meme \includesvg[height=\baselineskip]{Awesome.svg}}
-}
+% \newcommand{\meme}[1]{%
+% \href{#1}{Meme \includesvg[height=\baselineskip]{Awesome.svg}}
+% }
\newcommand{\memeframe}[2]{%
\begin{frame}{#1 (Meme)}
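Review bot: `\meme` is disabled but `\memeframe`, whose definition starts here and continues outside the hunk, stays defined even though both of its call sites are commented out later in this commit, so it is now dead code. If that macro or anything else still includes `Awesome.svg`, dropping the emoji attribution from the References frame would leave an unattributed asset; if nothing does, the removal is consistent. Note also that `\includesvg` from the `svg` package converts through Inkscape via shell escape, so once the last `\includesvg` is gone the deck can be built without `--shell-escape`, which is worth reflecting in the build recipe.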
@@ -47,7 +47,9 @@
}
\title{Incident response — 2024 xz backdoor}
-
+\subtitle{
+ Wojciech Kosior \& Krzysztof Ambroży
+}
\begin{document}
\frame{
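Review bot: The presenter names are placed in `\subtitle`, which is a visual choice; beamer's `\author{Wojciech Kosior \and Krzysztof Ambroży}` is the semantic field, is rendered on the title page by the theme, and is what hyperref copies into the PDF author metadata. If the subtitle is kept anyway, write it on one line, `\subtitle{Wojciech Kosior \& Krzysztof Ambroży}`, matching the `\title` line above.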
@@ -89,9 +91,9 @@
\end{prettyitemize}
\pause
\vspace{2em}
- \begin{center}
- \meme{https://i0.wp.com/lex-img-p.s3.us-west-2.amazonaws.com/img/5ddde247-464a-4532-bfe4-5e0a1ed16062-RackMultipart20240407-179-1kxtsc.png?ssl=1}
- \end{center}
+ % \begin{center}
+ % \meme{https://i0.wp.com/lex-img-p.s3.us-west-2.amazonaws.com/img/5ddde247-464a-4532-bfe4-5e0a1ed16062-RackMultipart20240407-179-1kxtsc.png?ssl=1}
+ % \end{center}
\end{frame}
\note{
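Review bot: With the centered block commented out, the `\pause` two lines above it now has nothing left to reveal, so this frame emits an extra overlay that looks identical to the previous one. Delete the `\pause` and the `\vspace{2em}` together with the commented-out block, or if the frame is to regain the image later, keep all three live; the frame's opening lies outside the hunk.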
@@ -346,17 +348,27 @@ cp .libs/liblzma_la-crc64_fast.o .libs/liblzma_la-crc64-fast.o || true
\begin{frame}{Backdoor loading}
\begin{itemize}
- \item in many distros OpenSSH happens to be patched to use systemd
- notifications
+ \item many popular distros patch OpenSSH server to use systemd notifications
\item systemd depends on lzma
\item liblzma gets loaded into OpenSSH process and replaces function
- {\vRSAPublicDecyrpt} with its own
- \item uses ``IFUNC''
+ {\vRSAPublicDecyrpt} with its own implementation utilizing 'IFUNC' functionality of glibc
+ % \item uses ``IFUNC''
\end{itemize}
-
- \vspace{1em}
-
- \itshape
+\end{frame}
+% \begin{frame}{Backdoor loading}
+\note{
+ % \begin{itemize}
+ % \item in many distros OpenSSH happens to be patched to use systemd
+ % notifications
+ % \item systemd depends on lzma
+ % \item liblzma gets loaded into OpenSSH process and replaces function
+ % {\vRSAPublicDecyrpt} with its own
+ % \item uses ``IFUNC''
+ % \end{itemize}
+
+ % \vspace{1em}
+
+ % \itshape
``The GNU indirect function support (IFUNC) is a feature of the GNU toolchain
that allows a developer to create multiple implementations of a given function
and to select amongst them at runtime using a resolver function which is also
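Review bot: The new bullet writes `'IFUNC'` with two apostrophes, which LaTeX typesets as two closing quotes; use the grave-accent/apostrophe pair as the removed `\item uses ``IFUNC''` line did. The same bullet says the function is replaced `utilizing 'IFUNC' functionality of glibc`, which reads as if IFUNC itself performs the replacement; public analyses of this backdoor describe the IFUNC resolver as the way the payload gains execution while the library is being loaded, with the hook on the RSA function installed afterwards, so splitting this into two items (execution via IFUNC resolver; hooking of the function) would be more accurate, to be confirmed against the sources in the References frame. The `\note{` opened near the end of this hunk is closed in the next one, and the quoted IFUNC passage inside it carries no source; add an `\href`/`\cite` for where it is taken from. `\vRSAPublicDecyrpt` also looks like a misspelled macro name (defined outside the hunk), present on both sides of the change.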
@@ -364,8 +376,8 @@ cp .libs/liblzma_la-crc64_fast.o .libs/liblzma_la-crc64-fast.o || true
loader during early startup to resolve which of the implementations will be
used by the application.''
\normalfont
-\end{frame}
-
+% \end{frame}
+}
\note{
\begin{itemize}
\item systemd depends on lzma
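Review bot: `\normalfont` before the new `}` no longer has a matching font switch, because the `\itshape` that used to precede the quotation was commented out in the previous hunk, so it is a leftover that does nothing in the note. Either remove it, or keep the quotation distinguishable in the notes by wrapping it, e.g. `\begin{quote}\itshape ... \end{quote}`, which makes `\normalfont` unnecessary as well. The `\note{` that this `}` closes is opened in the previous hunk.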
@@ -416,7 +428,7 @@ cp .libs/liblzma_la-crc64_fast.o .libs/liblzma_la-crc64-fast.o || true
\end{itemize}
}
-\memeframe{Discovery}{https://media.telefonicatech.com/telefonicatech/uploads/2024/4/downgrade-xz-meme.jpg}
+% \memeframe{Discovery}{https://media.telefonicatech.com/telefonicatech/uploads/2024/4/downgrade-xz-meme.jpg}
\screenshotframe{Reactions — Debian}{reactions-dsa.png}
@@ -525,6 +537,8 @@ cp .libs/liblzma_la-crc64_fast.o .libs/liblzma_la-crc64-fast.o || true
\screenshotframe{Lasse Collin's xz repo cleanup}{lasse-cleanup-commit.png}
+\screenshotframe{New release without backdoor (2 weeks ago)}{new-release.png}
+
\note{
\scalebox{0.75}{\begin{minipage}{1.333\textwidth}
\begin{itemize}
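Review bot: Inserting `\screenshotframe{New release without backdoor (2 weeks ago)}{new-release.png}` between the Lasse Collin cleanup frame and the following `\note{` reassigns that note, since beamer attaches a `\note` written outside a frame to the most recent frame; unless `\screenshotframe` does something unusual, the cleanup notes now show up under the new release frame, so the new frame should go after the `\note{...}` block (which continues past this hunk) or get its own note. The title also contains a relative date that is already wrong at the next presentation; replace it with the release date or version visible in the screenshot, e.g. `\screenshotframe{New release without backdoor (<release date>)}{new-release.png}`.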
@@ -592,7 +606,7 @@ cp .libs/liblzma_la-crc64_fast.o .libs/liblzma_la-crc64-fast.o || true
responsible way?
}
-\memeframe{Lessons Learned}{https://redlib.pussthecat.org/img/j8wcm4aajprc1.jpeg}
+% \memeframe{Lessons Learned}{https://redlib.pussthecat.org/img/j8wcm4aajprc1.jpeg}
\begin{frame}{References}
\small
@@ -621,10 +635,10 @@ cp .libs/liblzma_la-crc64_fast.o .libs/liblzma_la-crc64-fast.o || true
\item XZ logo — \st{Copyright (C) 2023 Jia Tan} made by haxxors behind the
backdoor, distributed under the
\href{https://creativecommons.org/licenses/by-sa/4.0/}{CC-BY-SA-4.0} license
- \item Awesome ``emoji'' — by Openclipart user rones, uploaded 2011 (released
- into public domain with
- \href{https://creativecommons.org/publicdomain/zero/1.0/legalcode.en}{CC
- Zero v1.0})
+ % \item Awesome ``emoji'' — by Openclipart user rones, uploaded 2011 (released
+ % into public domain with
+ % \href{https://creativecommons.org/publicdomain/zero/1.0/legalcode.en}{CC
+ % Zero v1.0})
\item the original Autotools diagram — Copyright (C) 2001-2024 Gentoo Authors,
distributed under the
\href{https://creativecommons.org/licenses/by-sa/4.0/}{CC-BY-SA-4.0}