Bringing automatic detection of backdoors to the CI pipeline

<p><strong>Software backdoors aren’t a myth—they’re a recurring nightmare</strong>. Time and again, we’ve watched malicious code slip into open-source ecosystems. The notorious xz compromise grabbed headlines, but it wasn’t the first act in this drama. Earlier breaches included the PHP incident in 2021, as well as vulnerabilities in vsFTPd (CVE-2011-2523) and ProFTPD (CVE-2010-20103). And here’s the unsettling truth: these examples likely just scratch the surface. <strong>Why does it matter?</strong> Because a single backdoor in a widely used project turns into a hacker’s dream buffet—millions of machines served up for exploitation.</p> <p><strong>Tracking down and eliminating backdoors isn’t a quick win</strong>—it’s like diving headfirst into sprawling code jungles. Sounds epic? In reality, even for a veteran armed with reverse-engineering gear, it’s a grueling slog. So grueling that most people simply don’t bother. The good news? <strong>New tools such as ROSA (<a href="https://github.com/binsec/rosa">https://github.com/binsec/rosa</a>) prove that large-scale backdoor detection can be automated</strong>—at least to a significant extent. Here’s the twist: traditional fuzzers like AFL++ (<a href="https://github.com/AFLplusplus/AFLplusplus">https://github.com/AFLplusplus/AFLplusplus</a>) test programs with endless input variations to trigger crashes. It’s brute force, but brilliant for uncovering memory-safety flaws. Backdoors, however, play by different rules—they don’t crash; they lurk behind hidden triggers and perfectly valid behaviors. ROSA changes the game by training fuzzers to tell “normal” execution apart from “backdoored” behavior.</p> <p>But there’s a catch: <strong>ROSA’s current use case is after-the-fact analysis, helping security experts vet full software releases</strong> (including binaries). Following the <a href="https://en.wikipedia.org/wiki/Shift-left_testing">shift-left paradigm</a>, <strong>our goal is to bring this detection magic into the CI pipeline</strong>—so we can stop backdoors before they ever land. Sounds great, but reality bites: ROSA produces false alarms and can require a significant test budget to find backdoors, which are a nightmare in CI. <strong>In this talk</strong>, we would like explore the methodological and technical upgrades needed to build a ROSA-based backdoor detection prototype that thrives in CI environments. Think reduced resources, and minimal noise—all within the tight resource windows CI jobs demand.</p>