Talk Intermediate

XZ Utils Backdoor: What it is and What it means for the FOSS Community?

Approved
Session Description

This talk will be a deep-dive on CVE-2024-3094, a vulnerability (backdoor) discovered in the XZ compression program in late March 2024. This vulnerability was assigned the highest score of 10 on the Common Vulnerability Scoring System (CVSS). This was a sophisticated exploit relying on various compiler and linker features, obfuscated code, and most importantly social engineering to gain the trust of developers to get commit access to the repositories.


During this talk, I will discuss:

   1. the technical aspects of the exploit: how it was hidden, and the various techniques used;
   2. what the discovery of this exploit, and the means used to implant it, mean for the broader FOSS ecosystem and community;
   3. how we build continued trust in the software supply chain.


Finally, I will also reflect on the broader social aspects of the FOSS community, especially the trust mechanisms.


References

Session Categories

FOSS

Speakers

Sachin Garg
CTO NavankurIT

Dr. Sachin Garg is a hands-on technology leader with 25+ years of varied academic and industry experience. He holds a PhD in Public Policy from the Schar School of Policy & Government, George Mason University, USA, along with a Master's in Computer Science. He started his career at the Centre for Development of Advanced Computing and has held leadership positions at various multinationals, as well as a foray into academia as an Assistant Professor at the Indian School of Business. He is a keen technologist, deeply interested in the real-life, societal impacts of technology and innovation. As one of the earliest users of Linux in India, Sachin is an open-source evangelist who has studied multiple aspects of the open-source ecosystem, including its legal, public-policy, and social aspects, from up close. As CIO, he is involved in developing the technology strategy for TalentOla, a recruitment consulting startup. As CTO for NavankurIT, he helps MSMEs in developing their technology stacks. He also independently consults for organisations like the World Bank on aspects related to public policy and technology.
