Richard Stallman wrote:
[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

[...]

When considering any such change, we still should consider the question:
will this actually prevent cracks, or will it rather give crackers
an additional way to check that their activities can't be detected?

While it does not /prevent/ cracks, there is something we can ensure that we *keep* doing: GCC, when reading from a pipe, records the input file as "<stdin>" in debug info *even* if a "#" directive to set the filename has been included. This was noticed by Adrien Nader (who posted it to oss-security; <URL:https://www.openwall.com/lists/oss-security/2024/04/03/2> and <URL:https://marc.info/?l=oss-security&m=171214932201156&w=2>; those are the same post at different public archives) and should provide a "smoking gun" test to detect this type of backdoor dropping technique in the future. This GCC behavior should be documented as a security feature, because most program sources are not read from pipes.

The xz backdoor dropper took great pains to minimize its use of the filesystem; only the binary blob ever touches the disk, and that presumably because there is no other way to feed it into the linker. If debug info is regularly checked for symbols obtained from "<stdin>" and the presence of such symbols reliably indicates funny business, then we force crackers to risk leaving more direct traces in the filesystem, instead of being able to patch the code "in memory" and feed an ephemeral stream to the compiler. The "Jia Tan" crackers seem to have put a lot of work into minimizing the "footprint" of their dropper, so we can assume that this must have been important to them.

To avoid false positives if this test is used, we might want to add a rule to the GNU Coding Standards (probably in the "Makefile Conventions" section) that code generated with other utilities MUST always be materialized in the filesystem and MUST NOT be piped into the compiler.


-- Jacob
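The check proposed in the message above, written out as an added example (not code from this thread or from GCC): scan an ELF object's debug and symbol string tables for a source-file name of "<stdin>", the trace GCC leaves when it was fed from a pipe. The little-endian ELF64 layout, the list of watched sections and the reproduction command in the docstring are assumptions not stated in the message.

```python
#!/usr/bin/env python3
r"""Flag ELF objects whose debug info records "<stdin>" as the source file.
Reproduce the signal the message describes (gcc and a Unix shell assumed):
    printf '# 1 "innocent.c"\nint f(void){return 1;}\n' | gcc -g -x c -c -o t.o -
    python3 stdin_check.py t.o
Assumption: little-endian ELF64 objects with uncompressed debug sections.
"""
import struct
import sys
MARKER = b"<stdin>"
# Sections in which a GCC-produced object can carry the source-file name:
# DWARF 4 string table, DWARF 5 line-table strings, inline DW_FORM_string
# names, and the symbol string table (the STT_FILE symbol from ".file").
WATCH = (".debug_str", ".debug_line_str", ".debug_info", ".strtab")


def names_stdin(section: str, body: bytes) -> bool:
    """True if the section body names "<stdin>" as a complete string entry."""
    if section == ".debug_info":
        # inline DW_FORM_string: preceded by attribute bytes, not by a NUL
        return MARKER + b"\x00" in body
    return MARKER in body.split(b"\x00")


def elf64_sections(data: bytes):
    """Yield (name, raw body) for every section of a little-endian ELF64 file."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    shoff = struct.unpack_from("<Q", data, 40)[0]
    shentsize, shnum, shstrndx = struct.unpack_from("<HHH", data, 58)
    # sh_name (u32 at 0), sh_offset (u64 at 24), sh_size (u64 at 32)
    hdrs = [struct.unpack_from("<I20xQQ", data, shoff + i * shentsize) for i in range(shnum)]
    _, stroff, strsize = hdrs[shstrndx]
    shstrtab = data[stroff:stroff + strsize]
    for name_off, off, size in hdrs:
        end = shstrtab.index(b"\x00", name_off)
        yield shstrtab[name_off:end].decode(), data[off:off + size]


def stdin_sections(data: bytes) -> list:
    """Watched section names in which "<stdin>" appears as a file name."""
    return [n for n, body in elf64_sections(data)
            if n in WATCH and names_stdin(n, body)]


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            hits = stdin_sections(fh.read())
        verdict = "piped source in " + ", ".join(hits) if hits else "ok"
        print(f"{path}: {verdict}")
```

Compressed debug sections (.zdebug or SHF_COMPRESSED) must be expanded first, for example with objcopy --decompress-debug-sections, before the string scan is meaningful.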
