Other Attempts to Take Over Open Source Projects

After the XZ Utils discovery, people have been examining other open-source projects. Surprising no one, the incident is not unique:

The OpenJS Foundation Cross Project Council received a suspicious series of emails with similar messages, bearing different names and overlapping GitHub-associated emails. These emails implored OpenJS to take action to update one of its popular JavaScript projects to “address any critical vulnerabilities,” yet cited no specifics. The email author(s) wanted OpenJS to designate them as a new maintainer of the project despite having little prior involvement. This approach bears strong resemblance to the manner in which “Jia Tan” positioned themselves in the XZ/liblzma backdoor.

[…]

The OpenJS team also recognized a similar suspicious pattern in two other popular JavaScript projects not hosted by its Foundation, and immediately flagged the potential security concerns to respective OpenJS leaders, and the Cybersecurity and Infrastructure Security Agency (CISA) within the United States Department of Homeland Security (DHS).

The article includes a list of suspicious patterns, and another list of security best practices.

Posted on April 18, 2024 at 7:06 AM10 Comments

Comments

Winter April 18, 2024 7:59 AM

OpenJS could to be the wrong target as there seem to be several developers with visibility involved.

I am more concerned about 1/2 overworked developer projects that are mainly in maintenance mode. These are the developers who do not have the time and resources to do everything “right”, following the OpenSSF guidelines. It is these overextended projects that might be tempted to welcome “new blood” to help them out in a perceived “security emergency”.

XZ was a textbook exemplar of such a target. The fact that the person(s) behind Jian Tan had already been working with the lead developer for a year or more would make it even more difficult to recognize the game plan.

echo April 18, 2024 9:23 AM

Given I’m the only person who to the best of my knowledge has ever linked to or discussed the multi-domain security model, and maybe 3-4 lines at most on anything were related to this were mention in previous topics this week I’ll sit this one out. I’m too busy reading other material to even glance the article.

Doubtless everyone is going to prove me wrong by pulling a 180 and displaying lots of sage knowing looks and outpourings of empathy for people they were previously slagging off and trampling over!

Mark Wolfgang April 18, 2024 10:26 AM

If the XZ compromise was indeed a nation state with a long time horizon, then there’s little doubt they would run parallel ops to compromise several open source projects.

Small, obscure projects with one or two devs. Inactive projects etc.

Imagine an open source project lead who started his project as a hobby. Project became popular and his library became included in other projects. Project founder/dec gets their dream job based on the credibility of his hobby project and now has no time to maintain. In comes helpful volunteer dev who contributes significantly to the project over a year or two. Project founder eventually empowers volunteer to essentially take over project.

Clive Robinson April 18, 2024 11:47 AM

@ Mark Wolfgang, ALL,

Re : Dangers of a journey gone past it’s destination.

“Project founder/dec gets their dream job based on the credibility of his hobby project and now has no time to maintain.”

The problems usually start before then…

Imagine a bus ride where after they have got on the bus, the passengers decide they want the bus to go where they want. Not where the journey is scheduled to go.

Chaos ensures and the bus zig zags across the map, no passenger is happy and the buss driver is going mad trying to make them happy.

To many Open Source Software projects are like this. A project like a bus can not be where the users who are just demanding passengers want it to be.

You will note that successful projects are ones where the driver sticks to the route and schedule, and the passengers can get on and off at any time. The passengers can “walk or wait” if maybe they think a better bus will come along…

Otherwise they are “On for the ride” and can sit there and keep quite.

If a passenger does not want to “walk or wait”, then the expensive options start with “pay for” say a hire car, or chauffeur service, or even buy a vehicle and pay a driver may be the only options available. But they almost never want to pay…

Thus we get the idea of the “project tyrant” or “benign dictator” as “the glorious leader”.

But it never lasts there is always someone who comes along and claims every one should be “equals” only some think they are “more equal than others” because they demand demand, don’t give credit and think every one should praise them etc etc.

So the project goes “over the side of a cliff” or similar as the driver decides enough of the madness they are getting off one way or another.

As for those thinking they are “more equal than others”, all to often they have no skills or other attributes of use to offer.

So the project becomes orphaned or abandoned, and like children in times past vulnerable to abuse in all sorts of ways or effectively die of neglect.

Andrew Duane April 18, 2024 12:09 PM

Don’t forget the much simpler version of this (that almost worked), where someone hid a “uid = 0” instead of “uid == 0” inside a hugely complicated if statement on an open system call flag check in Linux, hoping no one would notice. Almost no one did, but someone spotted it right before (right after?) the commit.

It would have given someone who knew the right combination of flags to give to open to set their uid to 0.

Clive Robinson April 18, 2024 12:52 PM

@ Bruce, ALL,

Re : It’s not a supply chain.

We’ve sort of fallen into a trap in our thinking in the ICT Industry and it keeps reoccurring multiple times every year.

That is for “convenience” we take a term from the “tangible physical world”, and reuse the term in the “intangible information world”.

It rarely actually fits comfortably and we bring across assumptions we really should not.

As I noted in earlier “XZ Utils” discussions,

“It’s not a supply chain attack”

Because it’s not actually a “supply chain” in the traditional sense and the attack does not happen there.

In the traditional sense “finished items in the warehouse” were the start of the “supply chain” which finished with the customers signiture for the item at their “goods inwards” “landing dock”. Thus original NSA “supply chain attacks” really were done in the “tangible physical world” “supply chain” by “implants”. Boxes were grabbed at transport nodes, taken to secure / secret premises and unsealed, cases taken out opened, sub-assemblies inserted, cases closed, put back in original boxes, artfully resealed and put back in the supply chain at the same transport node…”.

The nature of modern FOSS and similar is more like a manufacturing purchase from a “Bill of Materials” to be manufactured / assembled into a “finished item” effectively at the “customer premises”.

The attack actually does not happen in “the supply chain” but starts before it with the construction of parts for the BOM and finishes inside the customer premises after the item is assembled / constructed from the BOM listed parts.

The BOM is not a “supply chain” but a “supplier parts list”. The reality is it’s just a part of a “manufacturing supply tree”.

That is hundreds of component parts are sourced from many places and they get constructed into many sub assemblies, that are in turn sourced from many places to form larger sub-assembles, sub-systems or final systems. This mass of supply chains through multiple assembly points kind of looks like the roots of a tree.

Hence “supply-tree”. Two important things to note,

1, Sub-assemblies are “independent”
2, Independent sub assemblies can and do have shared standard components.

This turns the “tree” root idea into more of a “funnel-web”.

Those that have seen real funnel-webs know they can be monstrous in size and the “poisonous spider” can be anywhere in the web just waiting.

cybershow April 19, 2024 4:21 AM

I agree with you Clive; interception and tampering/meddling with goods
in transit is not quite the same as interference with the precursors
of manufacture. It seems more akin to exerting subtle influence on
bill of materials, perhaps just on choices, like choosing a weaker
cipher. It is closer to infiltration.

So I somewhat misused the term here

A comment from another forum was to the effect “Please don’t call us
FOSS developers your ‘supply chain’. Nobody pays us, and we are not
assets in your commercial game”

This rings true and further weakens “supply chain” as the proper
description. I used an analogy that the companies using FOSS
dependencies are foraging, gathering or harvesting foods from common
land. Beware that someone poisons the apple while still on the tree.

As Bruce’s post confirms about my concern for developer vulnerability,
there’s an enormous psychological attack surface out there for all
kinds of mischief.

Bob Paddock April 19, 2024 8:45 AM

@Andrew Duane
“someone hid a ‘uid = 0’ instead of ‘uid == 0′”

That is why constants belong on the left:

‘0 == uid’

The error is immediately caught because something can not be assigned to a constant.

I’ve gotten many nonsensical answers for reasons against that simple security precaution in coding. Alas some languages do object to it. The most common ones don’t.

joanne h April 19, 2024 11:21 AM

@Bob Paddock, I agree that the “constants on the left” style is good, but developers of software projects often object to “stylistic” patches—which makes it more of a political problem than a technical one.

Also, the trick doesn’t work when comparing two variables. What if they’d wanted to compare ‘uid’ and ‘root_uid’? (While that example may seem contrived, user namespaces do complicate the idea of root always being user 0.) Some help from our tools could be useful—for example, a compiler switch that makes assignment expressions return void results.

44 52 4D CO+2 April 19, 2024 7:41 PM

These types of attacks are difficult to detect or protect against programmatically as they prey on a violation of trust through social engineering. In the short term, clearly and transparently sharing suspicious activity like those we mentioned above will help other communities stay vigilant.

Mentioning well-known suspicious activity is not the same idea as clearly and transparently sharing things.

Does anyone know where to find that information, or is it still under embargo?

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.