xz-utils attack and potential mitigations

[kmk3]

Background

It has recently been reported that the upstream xz project contained malicious
code targeting sshd in its official source code tarballs (versions 5.6.0 and
5.6.1), affecting distribution packages created from them.

It was able to target the sshd service directly because on certain
systemd-based distributions openssh was patched to link libsystemd, which in
turn linked liblzma (provided by xz). This allowed it to directly override
certain functions in the sshd process through the use of GNU indirect functions
(ifuncs).

Most of the malicious code was hidden inside a corrupted xz archive that was
added to the tests in the git repository and a small portion was added to the
configure script (to uncorrupt the archive and run the code within), but only
in the distributed source code tarballs (not in the git repository).

On certain distributions the package has been reverted to an earlier version
and further analysis may still be ongoing.

There is also prior criticism about the safety of the xz file format itself and
of its suitability as a long-term archival format.

Sources:

• https://www.openwall.com/lists/oss-security/2024/03/29/4
• https://tukaani.org/xz-backdoor/review.html
• https://research.swtch.com/xz-timeline (this one links to many more)
• https://archlinux.org/news/the-xz-package-has-been-backdoored/
• https://lists.debian.org/debian-security-announce/2024/msg00057.html
• https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users
• https://www.nongnu.org/lzip/xz_inadequate.html

Issues

Each of the following items is linked to something that makes it less likely to
be reviewed (compared to common parts of the code in the repository):

1. A user-generated source code tarball does not contain the git history and
   may contain changes not present in the git repository (and despite that, the
   files present in both would usually be assumed to be equivalent)
2. autoconf-generated configure scripts are gigantic and hard to read
3. Tests in general are likely to contain a lot of repetitive code, non-code
   files and checks for obscure corner cases (which are harder to tell the
   legitimacy of and how relevant they still are)
4. Binary files are harder to analyze (and may require specialized tools)

Suggestions

Note: These are not necessarily new; some of them were already done or
suggested elsewhere.

Considering the above, if I had to come up with suggestions to mitigate the
issues they would be the following:

For distributions:

• Avoid unnecessarily adding dependencies (and linking) to third-party code in
  core system programs and libraries

For packagers/users:

• Use a .tar.gz snapshot of the git repository (generated by the repository
  host, such as GitHub) at a specific tag/commit as the primary package source
  instead of a user-uploaded tarball
• Always re-generate the configure script with auto(re)conf before running it
• Do not run tests by default and when running them do so in a separate
  checkout (such as in a separate job in CI)

For the project:

• Generate new binary files at build-time instead of committing them
• Try to do the same for the existing binary files
• Maybe replace xz with something else like gzip (or provide both .tar.gz and
  .tar.xz archives)

[kmk3]

Additional suggestion for the project:

• Maybe delete the configure script from the repository

Note that the configure script can be generated with:

autoreconf [-i] # execute at least once before autoconf
autoconf

Deleting the configure script would also make maintenance and reviews of
configure.ac easier, as currently the generated file may contain many misc
changes depending on the autoconf (and distribution) version used. That is, to
avoid committing unrelated/unnecessary changes to the configure script, it is
currently necessary to manually ignore/undo them while committing only the
intended changes after running autoconf.

Though note that if the configure script is removed from the repository, then
it will not be available in .tar.gz snapshots of the repository.

A configure script could still be provided in a tarball to keep it working
without needing extra dependencies.

Maybe the configure script and tarball could be generated in CI for the release
to help ensure reproducibility. The distribution itself could also generate
both from the .tar.gz repository snapshot.

[topimiettinen]

configure is 5583 lines autogenerated shell script, full of non-trivial sed scripts etc. It's just too easy to hide anything there. It's not reasonable to expect anyone really to validate it before using, except by regenerating it with autoreconf and then comparing the result. But why'd you need the script in the tarball in the first place? I'd leave it out.

[topimiettinen]

1. I think distro packages should be built using signed git commits/release tags instead of traditional tarballs, but that's up to distros.

2. With WIP: Meson build #6311, I'm proposing to move away of the auto**** as the preferred method of compilation. The old method could be kept as an option, but at least distro packagers should switch to meson for package builds.

3. Our test setup also expects that the built version of Firejail is installed to the test system. I'm not sure that's a good idea. Perhaps a cleaner way would be to build an OS image containing Firejail and then use it to boot a container to run the tests. I think it's preferred to run more tests as part of packaging process rather than fewer. During the CI build, source tree should be read-only, also the build tree during tests (except test log files etc).

4. Hopefully there won't be any need for binary files here. But it's also possible to hide malicious data even in text files.

[glitsj16]

Very hot, interesting and complicated topic. Not that I have strong opinions yet on what build tooling to favor at this moment in time. It might take a while for the dust of the xz-utils backdoor debacle to settle. In this context I stumbled upon the de-autoconfiscation HOWTO from autodafe - not to be mistaken with a fuzzer framework bearing the same name. Might help informed decision-taking on such a vital subject.

[topimiettinen]

Interesting option. If the opposition for Meson is too strong, pure Makefile approach (throwing out just auto****) could be also good enough. For Firejail we don't need a lot of fancy options (like support for Windows, BSD, shared libraries, ancient compilers etc.).

[kmk3]

@glitsj16 on Apr 20:

Very hot, interesting and complicated topic. Not that I have strong
opinions yet on what build tooling to favor at this moment in time. It might
take a while for the dust of the xz-utils backdoor debacle to settle. In this
context I stumbled upon the de-autoconfiscation
HOWTO
from autodafe - not to be mistaken with a
fuzzer framework bearing the
same name. Might help informed
decision-taking on such a vital subject.

Thanks for the link, it was an interesting read.

I agree that going full autotools makes the build process much more complex
with makefile generation and whatnot and might be too much for many projects.

Though note that our usage is already quite minimal: There is only autoconf;
there is no automake or libtool. And there is no makefile or header file
generation. All autoconf does is automate the generation of the configure
script, which only generates config.mk from config.mk.in (and config.sh from
config.sh.in) based on user input and on what is detected on the system.
Everything else is done by make directly.

@topimiettinen on Apr 21:

Interesting option. If the opposition for Meson is too strong, pure Makefile
approach (throwing out just auto****) could be also good enough. For
Firejail we don't need a lot of fancy options (like support for Windows, BSD,
shared libraries, ancient compilers etc.).

Do you mean building without needing to run a configure script (by setting the
autoconf variables manually) or reimplementing the configure script using
makefiles?

[topimiettinen]

Building without configure would be nice. Though then the methods specifying any options would be uncommon.

[kmk3]

Building without configure would be nice. Though then the methods specifying
any options would be uncommon.

Well... If you don't mind specifying them in a file instead of the CLI and you
know exactly which tools, paths, headers, libraries, functions, features,
compilers and compiler flags you want to use (and that they are all available
and that the given combination works or if you don't mind finding out whether
it works or not at build-time instead of configure-time), then I suppose you
could copy config.mk.in into config.mk and manually set each input variable.

[topimiettinen]

That could be the default. Then if an optional component is missing, the builder would use something like HAVE_SELINUX= make, or in case of a distro, apply a local patch which changes config.mk.

[glitsj16]

Always re-generate the configure script with auto(re)conf before running it

@kmk3
Turning this specific suggestion (which I fully agree with) into a practical example, am I correctly interpreting it to mean it would be wise to do this in a PKGBUILD prepare() function? Currently both the Arch Linux firejail and the AUR's firejail-git packages run configure without such a prior autoreconf step. This is just an example, I haven't checked other OS'es firejail packaging.

prepare() {
  cd "${srcdir}/${pkgname}"
  NOCONFIGURE=1 autoreconf -vfi
}

Maybe we should try to contact package maintainers and invite them to share their input on this?

[topimiettinen]

@reinerh ?

[reinerh]

Debian is autoreconf'ing by default (an opt-out (or using older packaging helpers) is required to skip that). firejail is also autoreconf'ed before the build.

[topimiettinen]

What about switching to meson, would that be a problem?

[reinerh]

I don't think so, meson is supported. (maybe don't use bleeding-edge meson features, so that it can still be backported)

[kmk3]

@topimiettinen on Apr 20:

1. I think distro packages should be built using signed git commits/release
   tags instead of traditional tarballs, but that's up to distros.

For signing, the release tags could be improved by creating them as signed tags
(git tag -s) or at least annotated tags (git tag -a), which contain a
timestamp.

But even without any signing, if an archive is provided by GitHub directly
(instead of being user-uploaded), then the bar for tampering is substantially
increased, as GitHub itself would have to be attacked. Also, it already
provides the git repository, so if there are concerns about downloading an
archive generated by GitHub, the same should apply when cloning the git
repository.

Distributions could (and some probably do) also use the same file hashes for
the snapshot. And have an internal copy of the git repositories and check that
git archive generates an archive that matches the one from the hosting
provider.

If there are multiple hosting providers involved and they all use git archive
to generate the snapshots (and they are all reproducible) then ultimately the
trust would rest on git itself, which is already a dependency for any project
using GitHub.

2. With WIP: Meson build
   #6311, I'm proposing to
   move away of the auto**** as the preferred method of compilation. The
   old method could be kept as an option, but at least distro packagers
   should switch to meson for package builds.

I'll reply to this separately.

Offtopic: Could you write "autotools", "autoconf" or something else directly
without asterisks?

Adding non-formatting asterisks in the middle of the text messes with markdown
syntax highlighting in vim (the rest of the paragraph is shown as bold).

3. Our test setup also expects that the built version of Firejail is
   installed to the test system. I'm not sure that's a good idea.

Ideally running the tests would not depend on having a system-wide
installation.

Interesting, running the compiled binary directly now seems to work. The last
time I tried it, I remember that it would abort with an error (maybe it
required being executed from a specific place).

Perhaps a cleaner way would be to build an OS image containing Firejail and
then use it to boot a container to run the tests.

Indeed, maybe using qemu to run a minimal image and then install/run the tests.

But even without it, the tests could probably be split into ones that are safe
to run locally/on the host (such as basic profile tests) and ones that are not
(such as the ones that mess with network interfaces and firejail.config).

I think it's preferred to run more tests as part of packaging process rather
than fewer.

Yes, tests should still be executed when packaging for distribution, but
ideally isolated from the main build where the final programs will be sourced
from.

What I meant by "Do not run tests by default" is that instead of a normal build
(for example, by just running make) implying "build and test" it would just
imply "build".

If we assume that tests face less thorough review (at least outside of the
upstream project) compared to the code and that their benefit is dubious when
merely building (not distributing) a project, then it might be a good idea to
avoid them in most cases.

That is, for users just building from the AUR (for example), tests would not be
run.

And when packaging for distribution, run the normal build without the tests and
then run the tests isolated (in a separate checkout/job/vm/whatever).

This could both be done by the projects themselves (such as by make implying
just make build instead of make build test, for example) and by the
packagers (by exlicitly running make build in the recipe, for example).

During the CI build, source tree should be read-only, also the build tree
during tests (except test log files etc).

Even if the source code itself is read-only, malicious code in the tests could
still modify the compiled programs. I'd guess that the most straightforward
way to avoid that would probably be to run the build/tests separately
(especially now that containers are common). The main downside would be that
the build may have to be executed again for the test job (like it is done in CI
here), though caching may be possible.

Maybe there is a simple way to make the build tree read-only between the build
and the test though I'm not aware of any and there are projects where mostly
everything is created at the root of the project directory during the
build/tests (such as the log files you mention).

4. Hopefully there won't be any need for binary files here.

There are a few committed binary files:

$ git ls-files --eol | grep '^i/-text'
i/-text w/-text attr/-text              etc-fixes/seccomp-join-bug/eecf35c-backports.zip
i/-text w/-text attr/-text              test/appimage/hello-x86_64.AppImage
i/-text w/-text attr/text=auto eol=lf   test/filters/memwrexe-32
i/-text w/-text attr/text=auto eol=lf   test/filters/namespaces
i/-text w/-text attr/text=auto eol=lf   test/filters/namespaces-32
i/-text w/-text attr/text=auto eol=lf   test/seccomp-extra/memwrexe

I'm not sure if the zip and etc-fixes are still used; maybe they can be
removed.

The filters could probably be generated at build-time.

Creating AppImages requires specialized tooling which is generally not packaged
(and whose author actively discourages packaging). Given enough releases, this
could arguably be a bigger attack vector than a static AppImage.

Though maybe they could be generated in CI to at least increase
reproducibility.

But it's also possible to hide malicious data even in text files.

Yes, but other than generated files, it would likely require more effort to to
so.

[topimiettinen]

Maybe there is a simple way to make the build tree read-only between the build
and the test though I'm not aware of any and there are projects where mostly
everything is created at the root of the project directory during the
build/tests (such as the log files you mention).

What a coincidence, we have a tool which can make parts of the file system read-only: Firejail! Some features may be missing somewhere...

[topimiettinen]

Creating AppImages requires specialized tooling which is generally not packaged
(and whose author actively discourages packaging). Given enough releases, this
could arguably be a bigger attack vector than a static AppImage.

Does not seem too hard according to this using AppImage/appimagetool. I'd remove the image with the other binary files.

[kmk3]

Maybe there is a simple way to make the build tree read-only between the
build and the test though I'm not aware of any and there are projects where
mostly everything is created at the root of the project directory during
the build/tests (such as the log files you mention).

What a coincidence, we have a tool which can make parts of the file system
read-only: Firejail! Some features may be missing somewhere...

Haha that's indeed one way to do it, though distributions might not be too keen
on using SUID programs during the build.

[kmk3]

Creating AppImages requires specialized tooling which is generally not
packaged (and whose author actively discourages packaging). Given enough
releases, this could arguably be a bigger attack vector than a static
AppImage.

Does not seem too hard according to
this
using AppImage/appimagetool. I'd
remove the image with the other binary files.

It seems that not even the AUR has packages that build it from source (the ones
I've seen just download the binary), let alone having it packaged on Arch
directly (for example).

See also a previous comment about this issue:

• AppImage: automatically detect profile #4355 (comment)

We could however keep the AppImage and add a target to remake it. It could
then be used locally if desired and in CI to check for reproducibility issues.

[topimiettinen]

Haha that's indeed one way to do it, though distributions might not be too keen
on using SUID programs during the build.

We could use bwrap (assuming unprivileged namespaces are available) but then we wouldn't eat our own dog food. With Firejail, we could ship the build profiles (for example firejail-build, firejail-install, firejail-test).

[kmk3]

@topimiettinen

Could you clarify what exactly are your concerns security-wise with the build
system (as currently implemented in this project) that would not be addressed
by the suggestions in the following comments?

• xz-utils attack and potential mitigations #6316 (comment)
• xz-utils attack and potential mitigations #6316 (comment)
• xz-utils attack and potential mitigations #6316 (comment)

[topimiettinen]

If we decide to keep the Make system, I'd like to get rid of at least generated configure and m4 directory in the repository as well as the binary files.

Preferably all auto**** (happier now?) should be eliminated from the build process. For example, even if we didn't have configure or m4 in the repository, if a malicious tarball contained these files, they still could be used by someone, because they are part of auto**** architecture. There is no way to state that our release tarballs won't ever contain them.

[kmk3]

If we decide to keep the Make system, I'd like to get rid of at least
generated configure and m4 directory in the repository as well as the
binary files.

For reference, removing configure and binary files are being discussed in the
following threads:

• xz-utils attack and potential mitigations #6316 (comment)
• xz-utils attack and potential mitigations #6316 (comment)

As for the m4 directory, there is a single file in it. It has 15 lines of
code, is vendored from from autoconf-archive and was updated once. Any new
file added to m4 would likely be similar in these regards.

This seems to be a common practice for projects using autoconf, as usually the
files are self-contained, not that large and only a few are used, to the point
that unlike autoconf/make, autoconf-archive is not part of base-devel on Arch,
for example.

A CI check could be added to verify that all vendored files match upstream
files exactly.

Preferably all auto**** (happier now?) should be eliminated from the build
process. For example, even if we didn't have configure or m4 in the
repository, if a malicious tarball contained these files, they still could be
used by someone, because they are part of auto**** architecture.

What exactly is the threat model?

Is it just a maintainer adding malicious code to a new/existing file in a
release tarball?

There is no way to state that our release tarballs won't ever contain them.

Is there a way to state that our release tarballs won't ever contain malicious
code elsewhere?

Even without considering generated/vendored files, were the other files in the
existing tarballs actually verified by someone/something?

If they are not being verified, then the problem exists regardless of the
contents of the tarball and doing that seems like a pre-requisite to solve the
underlying issue.

If they are being verified, then the configure script could be re-generated and
checked to see if the result matches exactly what is in the tarball.

[topimiettinen]

Is it just a maintainer adding malicious code to a new/existing file in a
release tarball?

That was the method used for xz-utils. A very advanced MITM attack could also replace the tarball and it's signature during download (or redirect the download page) for a distro packager. Possibly doable when the country is behind a great firewall.

If they are not being verified, then the problem exists regardless of the
contents of the tarball and doing that seems like a pre-requisite to solve the
underlying issue.

I don't think the distros are verifying if the tarballs match the git repository. But for that they need a copy of the repository and then the tarball is pretty much useless. We can't solve this problem, except perhaps by never releasing any tarballs and directing distros to use the signed release commits directly.

[glitsj16]

Sources:

• Deep Dive into XZ Utils backdoor (Columbia Engineering Advanced Systems Programming Guest Lecture) [video]

[topimiettinen]

Interesting coverage on how the malicious payload could defeat RELRO etc. protections with ld.so audit hook and GNU IFUNC. Plugging those holes (for example, disable audit feature of ld.so and replace IFUNC with something less dangerous) should be the responsibility of glibc and other users of IFUNC feature. If someone (or something like a state actor) wanted to use Firejail to backdoor systems, the methods probably wouldn't be same at all. Running as root, a backdoored Firejail could listen to sockets, insert kernel modules, attach to other running processes, tweak the firejailed executable, configuration or the libraries when copying etc. There are probably much stealthier options.

The non-technical side of the xz attack was that the actions of a malicious developer were trusted and the review (when possible) didn't catch the changes to backdoor the system. "Given enough eyeballs, all bugs are shallow" didn't happen this time. I think this part is a harder to solve.

[glitsj16]

Running as root, a backdoored Firejail could listen to sockets, insert kernel modules, attach to other running processes, tweak the firejailed executable, configuration or the libraries when copying etc. There are probably much stealthier options.

Sounds very reasonable. Still, running as root remains a pain-point topic. Both as potential attack vector from a purely technical point of view, and as a social problem regarding the (ill-)conceived pre-conceptions against SUID binaries. I wonder how/if systemd's run0 concept might prove useful for Firejail in this context (cfr. #3315).

[glitsj16]

Adding one more interesting resource. To be clear, I'm not against going for meson whatsoever. I'm also not experienced in GNU Make. I'll hold-off adding anything else, I think this will get sorted eventually, whatever decision is taken on the road ahead.

Thanks to both @kmk3 and @topimiettinen for taking the time and efforts to look into this important topic. Quite promising for Firejail's future to see such level of dedication, expertise and consideration.

Here's the reference and its accompanying discussion on HN:

• Using Landlock to sandbox GNU Make
• HackerNews discussion

[topimiettinen]

LWN coverage of EOSS and OSSNA: one of the topics is xz-utils attack, autotools and M4. Comments are also interesting.