Vulnerability in compiler leads to stealth backdoor in software

It is a fact: software has bugs, and compilers (software that builds other software) are no exception. CVE-2018-8232 discloses a vulnerability found in ML, the compiler from Microsoft that has been used to compile assembly code for decades. This vulnerability can cause conditions to be misinterpreted, resulting in a gap between what is written in the source code and what is actually compiled and executed by the machine. Of course, if this gap in behavior were only a talking point, it would not be much fun. In this presentation, we will talk about how it has been possible to exploit the vulnerability to silently introduce operational backdoors in any software compiled with ML, with no risk of being discovered. The result is to give a normally unauthorized user access to higher credentials, as the runas software does. Attendees will learn how critical compilers are for security, the methodology for introducing a backdoor into software at the compiler level, and how a company such as Microsoft dealt (or did not deal) with correcting a bug in a compiler that potentially impacted other software for at least 30 years.

David Baptiste

David Baptiste is a PhD student at the (C+V)^O laboratory at ESIEA. His research is mainly focused on malware analysis, security under the Windows operating system, networks, kernel development and vulnerabilities. Sometimes math, physics or anything cool of that kind is perfect for him to enhance everyday life. Although he likes good food and good wine (we never change), he is okay if you offer him beers. He has already spoken at several conferences, including iAwacs, Cocon, Ground Zero Summit, EICAR, ECCWS and Defcon.
