Is That Really the Source Code?

The main security advantage of open-source software is, well, that the source code is open for all to see. An attacker cannot hide a traditional, explicit backdoor in it for long. Instead, they have to resort to much subtler and usually more limited "bug-doors" (deliberately introduced errors that compromise security) and hope nobody notices. If or when someone does, that backdoor is gone.

Unfortunately, that argument has a gap. In theory it should be possible to verify that a published binary is exactly what the published source code compiles to: rebuild it yourself and compare the two byte for byte. In practice the comparison fails even when nothing is wrong, because the build tools embed details of the build itself (timestamps, and other facts about the build environment) in their output, so two honest builds of the same source produce different files.

In other words, if you compromise whoever does the compiling, or the machine they compile on, you can add a backdoor to the binary, and nobody will notice: the backdoored binary differs from a clean rebuild, but so does every other binary, so a mismatch raises no alarm.

The classic defense here is to compile everything from published source code instead of just installing pre-compiled binary packages. But even that only pushes the trust back one step: the compiler you build with is itself a binary that someone compiled, which is the chicken-and-egg problem Ken Thompson described in "Reflections on Trusting Trust" (http://cm.bell-labs.com/who/ken/trust.html).

https://blogs.kde.org/2013/06/19/really-source-code-software

“A cherished characteristic of computers is their deterministic behaviour: software gives the same result for the same input. This makes it possible, in theory, to build binary packages from source packages that are bit for bit identical to the published binary packages. In practice however, building a binary package results in a different file each time. This is mostly due to timestamps stored in the builds. In packages built on OpenSUSE and Fedora differences are seen that are harder to explain. They may be due to any number of differences in the build environment. If these can be eliminated, the builds will be more predictable. Binary packages would need to contain a description of the environment in which they were built.

Compiling software is resource intensive and it is valuable to have someone compile software for you. Unless it is possible to verify that compiled software corresponds to the source code it claims to correspond to, one has to trust the service that compiles the software. Based on a test with a simple package, tar, there is hope that with relatively minor changes to the build tools it is possible to make bit perfect builds.”
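The timestamp problem the quoted post describes, and the metadata pinning that removes it, as an added example; this is not code from the original post nor from the KDE, openSUSE or Fedora build tooling it discusses. It uses a constructed two-file source tree in place of the tar package, an arbitrary fixed timestamp (FIXED_EPOCH, standing in for a build date taken from the source's last change) and Python's tarfile and gzip modules in place of the distribution build tools. The packers, the compromised-builder stand-in and the rebuild check are hypothetical names introduced here. Two "builders" check the same source out a day apart: the naive packer yields two different archives, the normalized packer yields identical ones, and only then does a rebuild-and-compare check detect a builder that tampers with the source before packaging.

```python
import gzip
import hashlib
import io
import os
import tarfile
import tempfile

# Constructed stand-in for a small source package (not the real GNU tar tree).
SAMPLE_TREE = {
    "README": b"Sample package used to illustrate reproducible packaging.\n",
    "src/main.c": b"int main(void) { return 0; }\n",
}

# Timestamp every archived entry is stamped with. The value is an arbitrary
# assumption for this example; a real project derives it from the source
# (for instance the last commit time) rather than from the build machine.
FIXED_EPOCH = 1371600000


def write_checkout(root, mtime):
    """Materialise SAMPLE_TREE under root, stamping every file and directory
    with mtime. Two checkouts of identical source differ only in these times."""
    for rel, data in SAMPLE_TREE.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
        os.utime(path, (mtime, mtime))
    for dirpath, _dirs, _files in os.walk(root):
        os.utime(dirpath, (mtime, mtime))


def naive_pack(root):
    """Roughly what a plain 'tar czf' does: file mtimes, ownership, permission
    bits and the gzip header timestamp are copied into the archive as found."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        tar.add(root, arcname=os.path.basename(root))
    return buf.getvalue()


def reproducible_pack(root, epoch=FIXED_EPOCH):
    """The same archive with every environment-dependent field pinned."""
    def normalize(info):
        info.mtime = epoch                              # checkout time must not leak in
        info.uid = info.gid = 0                         # nor the builder's account
        info.uname = info.gname = ""
        info.mode = 0o755 if info.isdir() else 0o644    # nor the builder's umask
        return info

    raw = io.BytesIO()
    # mtime=0 and an empty filename keep the gzip wrapper constant as well.
    with gzip.GzipFile(filename="", mode="wb", fileobj=raw, mtime=0) as gz:
        with tarfile.open(fileobj=gz, mode="w", format=tarfile.PAX_FORMAT) as tar:
            # tarfile.add walks directories in sorted order (Python 3.7+), so
            # the filesystem's listing order does not leak in either.
            tar.add(root, arcname=os.path.basename(root), filter=normalize)
    return raw.getvalue()


def compromised_pack(root):
    """A compromised build service: same deterministic packer, but the builder
    silently edits the source before packaging it (constructed edit)."""
    with open(os.path.join(root, "src", "main.c"), "ab") as f:
        f.write(b"/* planted by the build service, not in the published source */\n")
    return reproducible_pack(root)


def digest(archive):
    return hashlib.sha256(archive).hexdigest()


def build_from_checkout(packer, checkout_time):
    """One builder: check the source out (stamped with checkout_time) and package it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "pkg-1.0")
        write_checkout(root, checkout_time)
        return packer(root)


def rebuild_matches(published_archive, packer, checkout_time=FIXED_EPOCH + 86400):
    """The downstream check: check the source out yourself, rebuild it with the
    same packer and compare digests with what the build service published.
    Only meaningful when the packer is deterministic; with naive_pack even an
    honest builder's archive fails it."""
    rebuilt = build_from_checkout(packer, checkout_time)
    return digest(published_archive) == digest(rebuilt)


if __name__ == "__main__":
    for packer in (naive_pack, reproducible_pack):
        published = build_from_checkout(packer, FIXED_EPOCH)
        print(f"{packer.__name__:18s} rebuild matches: {rebuild_matches(published, packer)}")
    tampered = build_from_checkout(compromised_pack, FIXED_EPOCH)
    print(f"tampered archive   rebuild matches: {rebuild_matches(tampered, reproducible_pack)}")
```

The archive-level fixes here (entry mtimes, ownership, mode bits, entry order and the gzip header) are what the quoted post's "timestamps stored in the builds" amounts to for a tarball. A compiled package has further sources of variation that this example does not touch, for instance compilers expanding __DATE__ and __TIME__ into the binary, which is why the post also asks for the build environment itself to be described and pinned.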
