"OpenSSH Backdoors" -- a few thoughts on supply-chain attacks against OpenSSH, and what we can learn from both historical and modern events. https://blog.isosceles.com/openssh-backdoors/
Imagine this: an OpenSSH backdoor is discovered, maintainers rush to push out a fixed release package, security researchers trade technical details on mailing lists to analyze the backdoor code. Speculation abounds on the attribution and motives of the attacker, and the tech media pounces on the story. A near miss

@hawkes "build systems are a perfect mix of inscrutability and expressiveness" 💯

That's a great post as usual. Also I love the "Defenders think in lists. Attackers think in graphs" post shared. Even though it seems obvious, many defenders fail to reason like this.

https://github.com/JohnLaTwC/Shared/blob/master/Defenders%20think%20in%20lists.%20Attackers%20think%20in%20graphs.%20As%20long%20as%20this%20is%20true%2C%20attackers%20win.md

@hawkes Big customers need to ask vendors for features that enable in-address-space compartmentalisation.

And that doesn’t mean more page table features. Programmers don’t think about pages, they think about objects and so the sharing granularity needs to be object graphs, not sets of pages.

CHERIoT and the supply chain

Late last week we learned that much of the world narrowly avoided a backdoor in SSH, introduced via the dependency on liblzma via libsystemd. A malicious actor introduced a backdoor into liblzma, which could exploit SSH via this dependency chain (introduced by Linux distributions, not in the upstream OpenSSH). This specific attack is not relevant to CHERIoT because it targets programs that have much bigger system requirements than the kinds of devices that we support, but the underlying concept is directly relevant. This is one of the categories of attack that CHERIoT was designed to protect against.

CHERIoT Platform