Wuzzy,
@Wuzzy@cyberplace.social avatar

After the attack, I have a suggestion for all forges (, , , , etc.):
Have some way to visualize binary files better, including diffs to such files. Cuz now, we have basically nothing except byte counters.
Since they're binary files, it must be as generic as possible. But even some rendering or analysis is better than nothing.

The idea is to expose weird patterns in binary files that could be a sign of an attack.

Wuzzy,
@Wuzzy@cyberplace.social avatar

The XZ attack could have been caught BEFORE merging if the binary files had been rendered in some way. They had large sections of equal bytes, which was very sus. Rendering every byte as a grayscale pixel has exposed very sus uniform gray sections alongside noise sections.

That's just one idea. A skilled attacker could still work around that. Ideally, multiple modes of rendering binary files (and diffs) would exist so it's harder to hide.
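One way to do the rendering the post describes, as an added example that is not part of the original thread: every byte becomes one grayscale pixel in a PGM image, and each 64-byte row is labelled by its Shannon entropy so a long run of identical bytes stands out next to compressed or encrypted noise. The sample input is constructed (random bytes around an embedded 512-byte run of 0x00); thresholds and block size are assumptions.

```python
from __future__ import annotations
import math
import random

BLOCK = 64  # bytes per rendered row / analysed block (assumed)

def shannon_entropy(block: bytes) -> float:
    """Bits per byte: 0.0 for a uniform block, up to min(8, log2(len)) for noise."""
    if not block:
        return 0.0
    counts = [0] * 256
    for b in block:
        counts[b] += 1
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def longest_run(data: bytes) -> tuple[int, int]:
    """Return (length, offset) of the longest run of a single repeated byte value."""
    best_len = best_off = 0
    i = 0
    while i < len(data):
        j = i
        while j < len(data) and data[j] == data[i]:
            j += 1
        if j - i > best_len:
            best_len, best_off = j - i, i
        i = j
    return best_len, best_off

def classify_blocks(data: bytes, block: int = BLOCK) -> list[str]:
    """Label each block 'uniform', 'low' or 'noise' relative to the max entropy a block can reach."""
    max_h = min(8.0, math.log2(block))
    labels = []
    for off in range(0, len(data), block):
        h = shannon_entropy(data[off:off + block])
        labels.append("uniform" if h < 1.0 else "noise" if h > 0.8 * max_h else "low")
    return labels

def to_pgm(data: bytes, width: int = BLOCK) -> bytes:
    """Render every byte as one grayscale pixel (binary PGM 'P5'), `width` pixels per row."""
    rows = -(-len(data) // width)                      # ceiling division
    padded = data + b"\x00" * (rows * width - len(data))
    return b"P5\n%d %d\n255\n" % (width, rows) + padded

# Constructed sample: 1 KiB of noise, a 512-byte run of zeros, 1 KiB of noise.
random.seed(1)
SAMPLE = (bytes(random.getrandbits(8) for _ in range(1024)) + b"\x00" * 512
          + bytes(random.getrandbits(8) for _ in range(1024)))

if __name__ == "__main__":
    print("longest run: %d bytes at offset %d" % longest_run(SAMPLE))
    print(" ".join(classify_blocks(SAMPLE)))   # the uniform rows are the ones to look at
    with open("sample.pgm", "wb") as f:
        f.write(to_pgm(SAMPLE))                 # open in any image viewer
```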

Wuzzy,
@Wuzzy@cyberplace.social avatar

But to be clear: I am under no illusion this will be a magic bullet solution to these types of attacks, nor will it "solve" security. Frankly, I'm not a security expert, I'm just thinking aloud here. 😅

But if there is one thing we should all have learned from the XZ attack, it is that binary files are sus. They are best avoided, but if that's not possible, I believe making them less of a black box could help.
