Full Disclosure mailing list archives

Backdoors and source code (was Re: Multiple Backdoors found...)


From: Kevin <kkadow () gmail com>
Date: Fri, 7 Jan 2005 19:54:44 -0600

On Sun, 02 Jan 2005 20:27:09 -0800, Blue Boar <BlueBoar () thievco com> wrote:
> Dave Aitel wrote:
>> Of course, this sort of thing is basically impossible to disprove -
>> especially without source.
>
> If I were looking for a well-hidden backdoor, I wouldn't bother with
> source.  There's no guarantee that a particular binary was produced by a
> particular group of source unless you can compile it yourself to the
> same set of bytes.

And even when you have two binary files built by the same compiler
version on two different machines running the same OS version, it's
not uncommon for the two files to not produce the same set of bytes.
See the recent thread on 'httpd cleanup' from the OpenBSD 'tech' list.


> Even then, you've got no guarantee the backdoor
> isn't introduced as part of the build process or a compiler quirk,
> rather than being in the source.

On the subject of "visible source" as a protection against backdoors,
I notice that PGP.Com offers source code to their products for
download for exactly this purpose, but does *not* provide any
instructions on how to validate that the binaries produced from the
"visible source" PGP desktop for Windows match up with the binary
executables and libraries distributed when you install a licensed PGP
desktop build.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
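The check Kevin says PGP does not document (does the shipped binary match what the "visible source" compiles to?) comes down to building the source yourself and comparing bytes, then deciding whether any differences are explained by known build non-determinism (timestamps, paths) or are unexplained and therefore suspicious. The following is an added example, not code from this thread, from PGP, or from OpenBSD: a small Python comparison that hashes two builds, locates every differing byte range, and separates ranges inside a declared "expected to differ" field from everything else. The sample blobs, the ELF-like header, the timestamp offset and the tampered byte are all constructed for illustration and are not real build output.

```python
"""Compare two builds of the 'same' source byte for byte.

Added example (not from the original post). The sample inputs below are
constructed stand-ins for two compiler outputs; the assumption is that the
only legitimate difference between them is a 4-byte build timestamp field
at a known offset.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a build, the value a vendor could publish per release."""
    return hashlib.sha256(data).hexdigest()


def diff_ranges(a: bytes, b: bytes):
    """Return half-open [start, end) byte ranges where a and b differ.

    A length mismatch is reported as one trailing range covering the surplus
    bytes of the longer input.
    """
    ranges = []
    n = min(len(a), len(b))
    i = 0
    while i < n:
        if a[i] != b[i]:
            start = i
            while i < n and a[i] != b[i]:
                i += 1
            ranges.append((start, i))
        else:
            i += 1
    if len(a) != len(b):
        ranges.append((n, max(len(a), len(b))))
    return ranges


def compare_builds(a: bytes, b: bytes, ignore=()):
    """Summarise two builds.

    `ignore` lists [lo, hi) ranges that are allowed to differ (e.g. an
    embedded timestamp). Any differing range not fully inside an ignored
    range is 'unexplained' and is exactly what a reviewer must look at.
    """
    ranges = diff_ranges(a, b)
    unexplained = [
        r for r in ranges
        if not any(lo <= r[0] and r[1] <= hi for lo, hi in ignore)
    ]
    return {
        "sha256_a": sha256_hex(a),
        "sha256_b": sha256_hex(b),
        "identical": not ranges,
        "diff_ranges": ranges,
        "unexplained": unexplained,
        "reproducible_modulo_ignored": not unexplained,
    }


# Constructed sample data (hypothetical; not real compiler output).
# Layout: 16-byte ELF-like header, 4-byte little-endian timestamp, 64 bytes
# of "code". BUILD_A and BUILD_B differ only in the timestamp; BUILD_C is
# BUILD_B with one code byte changed, standing in for a build-time tamper.
TS_OFFSET = 16
TS_FIELD = (TS_OFFSET, TS_OFFSET + 4)
HEADER = b"\x7fELF" + b"\x00" * 12
CODE = bytes(range(64))
BUILD_A = HEADER + (0x41D4B680).to_bytes(4, "little") + CODE
BUILD_B = HEADER + (0x41DE1C00).to_bytes(4, "little") + CODE
TAMPER_OFFSET = len(BUILD_B) - 8
BUILD_C = BUILD_B[:TAMPER_OFFSET] + b"\xcc" + BUILD_B[TAMPER_OFFSET + 1:]


if __name__ == "__main__":
    for name, other in (("B", BUILD_B), ("C", BUILD_C)):
        r = compare_builds(BUILD_A, other, ignore=[TS_FIELD])
        print(f"A vs {name}: diff={r['diff_ranges']} "
              f"unexplained={r['unexplained']} "
              f"ok={r['reproducible_modulo_ignored']}")
```

Note that the diff between A and B is reported as [16, 19) rather than the whole 4-byte field: the top timestamp byte happens to be equal in both builds, so a byte-level diff narrows the range. That is why the comparison checks containment within an ignored field rather than equality with it. Against a real toolchain the same logic applies, but the ignored ranges have to be derived from the binary format (section headers, debug info, embedded paths) rather than hard-coded.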