Friday, September 22 • 10:30am - 11:15am
Supply Chain Anarchy – Trojaned Binaries in the Java Ecosystem



In 1984, Ken Thompson wrote, “You can't trust code that you did not totally create yourself. (Especially code from companies that employ people like me.)” [1] Yet modern software applications are 80% open source components.[2] The supply chain is total anarchy.


All this third-party code runs with the full privileges of the application, essentially granting full access to host, backend, datacenter, and possibly intranet. Obviously, if a popular component, like Log4j or Apache Commons, were trojaned, it would give an attacker a hall pass to most of the datacenters in the world. Much of our trust in open source components comes from the fact that the source is public and “given enough eyeballs, all bugs are shallow.” [3] Unfortunately, in the Java ecosystem (and most other environments), there is literally no assurance that a given binary matches the source.


This talk reports on the results of a large-scale experiment to search the universe of Java libraries for malicious discrepancies between source code and binaries. We built an automated security pipeline that matches binaries to their source repositories, builds the code, performs a “security diff” of the bytecode instructions, and generates human-readable reports for analysis. Our “security diff” tool ignores inconsequential differences between compilers, flags, and versions, so that only truly different code gets flagged. The experiment is currently underway and hundreds of libraries have been analyzed.
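As an added illustration (not the authors' tool), the following Python sketch shows the normalization step such a “security diff” depends on: it parses javap-style listings of a published and a rebuilt class, discards instruction offsets, constant-pool numbering and debug tables that legitimately vary between compilers and flags, and reports only methods whose instructions actually differ. The listings, the `Greeter` class and the `Beacon.send` call are constructed for the example.

```python
import re
from difflib import unified_diff

# Constructed javap listings (not from any real library). "Published" was compiled
# with debug info and a differently numbered constant pool; "rebuilt" is our own build.
PUBLISHED = """\
  public Greeter();
    Code:
       0: aload_0
       1: invokespecial #1                  // Method java/lang/Object."<init>":()V
       4: return
    LineNumberTable:
      line 3: 0
  static {};
    Code:
       0: invokestatic  #7                  // Method Beacon.send:()V
       3: return
"""
REBUILT = """\
  public Greeter();
    Code:
       0: aload_0
       1: invokespecial #3                  // Method java/lang/Object."<init>":()V
       4: return
"""
METHOD_RE, INSTR_RE = re.compile(r"^  (\S.*);$"), re.compile(r"^\s*\d+:\s+(.*\S)")

def parse_methods(listing):
    """Method signature -> instruction stream with offsets, constant-pool indices and debug tables removed."""
    methods, current, in_code = {}, None, False
    for line in listing.splitlines():
        if METHOD_RE.match(line):               # new method: javap indents headers by two spaces
            current, in_code = METHOD_RE.match(line).group(1), False
            methods[current] = []
        elif line.strip() == "Code:":
            in_code = True
        elif line.strip().endswith("Table:"):   # LineNumberTable etc. are debug info, not code
            in_code = False
        elif in_code and INSTR_RE.match(line):  # keep the symbolic "// Method ..." comment, drop #N
            body = re.sub(r"#\d+", "#", INSTR_RE.match(line).group(1))
            methods[current].append(" ".join(body.split()))
    return methods

def security_diff(published, rebuilt):
    """Only methods whose instructions really differ, as +/- lines (published relative to rebuilt)."""
    pub, reb = parse_methods(published), parse_methods(rebuilt)
    return {sig: [l for l in unified_diff(reb.get(sig, []), pub.get(sig, []), n=0, lineterm="")
                  if l.startswith(("+", "-")) and not l.startswith(("+++", "---"))]
            for sig in sorted(set(pub) | set(reb)) if pub.get(sig) != reb.get(sig)}
```

Here the constructor is not flagged despite the different constant-pool index and the extra LineNumberTable, while the static initializer that exists only in the published binary is reported with its injected call.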


Of course, source-to-binary traceability is not everything: a malicious developer could hide attacks in the source code [4]. A crafty malicious developer would intentionally introduce vulnerabilities that look like accidents to establish some plausible deniability. So, given the trust that these libraries have been granted, and their potential attractiveness to an attacker (particularly nation-sponsored or financially motivated hackers), we absolutely have to know whether public source code matches the binaries we blindly trust.



Jeff Williams

CTO, Contrast Security
Jeff Williams is a co-founder and CTO of Contrast Security, the world's first unified application vulnerability assessment *and* attack protection platform. Jeff has over 20 years of experience in security leadership roles, including as the first Global Chairman of the OWASP Foundatio...

Friday September 22, 2017 10:30am - 11:15am
Coronado J
