ZeroNights 2018, David Baptiste's 'Vulnerability In Compiler Leads To Stealth Backdoor In Software' →
From The Video Description: It is a fact, software has bugs and compilers (software which build other software) are not an exception. The CVE-2018-8232 discloses a vulnerability found in ML compiler from Microsoft which is used to compile assembly code since decades. This vulnerability is able to introduce a misinterpretation of conditions resulting in a gap between what is written in the source code to what is really compiled and executed by a machine. Of course, if this gap of behavior would only be for the sake of speaking, it will not be fun. In this presentation, we will talk about how it has been possible to exploit the vulnerability to silently introduce operational backdoors in any software compiled with ML, with no risk to be discovered. The result is to provide to a normally not authorized user an access to a higher credential such as runas software does. Attendees to the talk will learn how critical compilers are for security, the methodology to introduce a backdoor in a software at compiler level and how a company such as Microsoft dealt (or did not deal) to correct a bug in a compiler which potentially impacted other software for at least 30 years. - David Baptiste's Vulnerability In Compiler Leads To Stealth Backdoor In Software