Скачать или смотреть Analysis of and Lessons from the Xz-Utils Vulnerability – What Mig... - Taku Shimosawa & Atsuya Kato

Analysis of and Lessons from the Xz-Utils Vulnerability – What Might Come Next? - Taku Shimosawa & Atsuya Kato, Hitachi, Ltd.

The xz-utils vulnerability has attracted attentions from every person who are involved in not only open-source software but also any form of software that is built with a collaboration of developers. The vulnerability, or rather the social engineering attack has combined multiple attack techniques: maintainer takeover, obfuscated trigger code, and binary files pretending sample archives, and targeted Linux distributions, which are fundamental in the current software supply chain. In this session, Taku aggregates multiple existing analyses about the vulnerability, and explains how the attack was performed with a progress of the incident as well as technology details of the malicious source code and binary. Taku also presents a potential risk of similar incidents in open-source repositories by using some utilities including OpenSSF’s Scorecard and Criticality Score. This session would suggest what kind of attacks would come next for the software industry and would be mitigated or coped with.