Brussels / 1 & 2 February 2025


Finding Anomalies in the Debian Packaging System to Detect Supply Chain Attacks


In this talk, the XZ Upstream Supply Chain Attack (CVE-2024-3094) is used as a case study to demonstrate how supply chain attacks can be detected by tracing the build system with a graph-based approach. The increasing prevalence of supply chain attacks on Free/Libre Open Source Software (FLOSS) projects has been highlighted recently by the supply chain attack on the xz project to backdoor SSH servers. The detection of this particular attack was coincidental, raising concerns about potentially undetected threats.

C/C++ build systems, such as GNU autotools, Make, and CMake, have grown highly complex and diverse, exposing a large attack surface. In essence, however, these build systems all compile source code to object files and link them together into executables or libraries. For FLOSS projects, we can be even more stringent by postulating that every binary must originate from source code within the upstream project. Technically, this relationship can be modeled with a graph data structure. Traversing this graph makes it possible to verify that all distributed binaries originate from upstream source code, and the talk showcases the successful detection of the supply chain attack with this method.
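The graph check described above, as an added sketch that is not the speakers' tool: a recorded build is turned into a file-dependency graph, and each shipped binary is walked back to its leaf inputs, which must all be source files in the upstream tree. The trace format, file names, and suffix list are constructed assumptions.

```python
from collections import defaultdict

# Constructed build trace: (tool, input files, output files) per build step.
# How the trace is recorded is left open here; all file names are made up.
TRACE = [
    ("cc", ["src/codec.c", "src/codec.h"], ["codec.o"]),
    ("cc", ["src/crc.c"], ["crc.o"]),
    ("sh", ["tests/files/sample.bin"], ["extra.o"]),  # object not compiled from source
    ("ld", ["codec.o", "crc.o", "extra.o"], ["libdemo.so"]),
]
# Files present in the upstream repository (constructed).
UPSTREAM = {"src/codec.c", "src/codec.h", "src/crc.c", "tests/files/sample.bin"}
SOURCE_SUFFIXES = (".c", ".h", ".cc", ".cpp", ".S")  # assumed definition of "source"

def build_graph(trace):
    """Map every produced file to the set of files it was derived from."""
    producers = defaultdict(set)
    for _tool, inputs, outputs in trace:
        for out in outputs:
            producers[out].update(inputs)
    return producers

def find_anomalies(producers, artifact, upstream, suffixes=SOURCE_SUFFIXES):
    """Walk back from a shipped binary to its leaf inputs and return
    (path, reason) for every leaf that is not upstream source code."""
    anomalies, seen = [], set()
    stack = [(artifact, [artifact])]
    while stack:
        node, path = stack.pop()
        if node in seen:          # also guards against cycles in the trace
            continue
        seen.add(node)
        parents = producers.get(node)
        if parents:               # intermediate file: keep walking towards leaves
            stack.extend((p, path + [p]) for p in sorted(parents))
        elif node not in upstream:
            anomalies.append((path, "not in upstream tree"))
        elif not node.endswith(suffixes):
            anomalies.append((path, "not source code"))
    return anomalies

if __name__ == "__main__":
    for path, reason in find_anomalies(build_graph(TRACE), "libdemo.so", UPSTREAM):
        print(" <- ".join(path), "::", reason)
```

Each reported path names the intermediate object that carried the non-source input into the binary, which is the file a reviewer would inspect first.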

Further studies could scale this approach to analyze all Debian packages regularly to detect anomalies early. To prevent attacks (or at least make them harder to conceal), the authors further propose transitioning to a descriptive build system, which reduces complexity and increases transparency, making separate tracing unnecessary.

Speakers

Stefan Tatschner
Tobias Specht