2025-10-23 –, Europe
The backdoor that had been added to xz-utils by an unknown threat actor (CVE-2024-3094) may be seen as a wakeup call in that too little attention is being paid on what happens behind the scenes in our software build processes. When we type ./configure && make, cargo build, pip install or similar chants into our terminals or CI pipelines, we expect that magic happens and that we get software artifacts that Just Work.
Given the right instrumentation tools, it is possible to observe what actually happens during the build process of most software packages and in most cases we can infer whether a binary has actually been built from the presented sources as we expect. It is also possible to detect abnormal uses of compilers or linkers.
I will present a Linux-based prototype toolset for generating and analyzing those lower-level build logs and discuss curious findings and limitations of the approach.
.
Hilko works in the CSIRT for a transportation and logistics company. He feels most comfortable when thinking about problems that touch systems programming, operations and IT security. For more than 25 years, he has learned to take free and open source software for granted and he is still amazed when he hears how others have found his contributions useful.