Full Disclosure mailing list archives
Backdoors and source code (was Re: Multiple Backdoors found...)
From: Kevin <kkadow () gmail com>
Date: Fri, 7 Jan 2005 19:54:44 -0600
On Sun, 02 Jan 2005 20:27:09 -0800, Blue Boar <BlueBoar () thievco com> wrote:
> Dave Aitel wrote:
> > Of course, this sort of thing is basically impossible to disprove - especially without source.
>
> If I were looking for a well-hidden backdoor, I wouldn't bother with source. There's no guarantee that a particular binary was produced by a particular group of source unless you can compile it yourself to the same set of bytes.
And even when you have two binary files built by the same compiler version on two different machines running the same OS version, it's not uncommon for the two files to not produce the same set of bytes. See the recent thread on 'httpd cleanup' from the OpenBSD 'tech' list.
Even then, you've got no guarantee the backdoor isn't introduced as part of the build process or a compiler quirk, rather than being in the source.
On the subject of "visible source" as a protection against backdoors, I notice that PGP.com offers source code to their products for download for exactly this purpose, but does *not* provide any instructions on how to validate that the binaries produced from the "visible source" PGP Desktop for Windows match up with the binary executables and libraries distributed when you install a licensed PGP Desktop build.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
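The check Kevin says PGP.com does not document is a reproducible-build comparison: rebuild from the published source and require the result to match the shipped artifact byte for byte. The script below is an added example, not code from the original post or from any of the projects mentioned in the thread. It uses a gzipped tar archive as the "build output" so that it runs without a compiler, but the environment leakage it has to remove (file timestamps, owner ids, entry order, the gzip header timestamp) is the same kind of thing that makes two compiles of identical source differ on two machines. The source tree, its contents and the SOURCE_DATE_EPOCH value are constructed for the demonstration.

```python
"""Reproducible-build check: build one source tree on two "machines" and
compare the bytes, then verify a distributed artifact against a rebuild.

Added example, not code from the original post.  Uses a .tar.gz as the
build product so it runs anywhere; the file contents below are constructed.
"""
import gzip
import hashlib
import io
import os
import tarfile
import tempfile

# Fixed timestamp for every archive entry; plays the role of the
# SOURCE_DATE_EPOCH convention used by reproducible-build tooling (assumed value).
SOURCE_DATE_EPOCH = 1104537600  # 2005-01-01T00:00:00Z


def make_source_tree(root, mtime):
    """Create a small constructed source tree under root, stamped with mtime.
    Different mtimes simulate a checkout done at different times on another box."""
    os.makedirs(os.path.join(root, "lib"), exist_ok=True)
    files = {
        "main.c": "int main(void) { return 0; }\n",
        "lib/util.c": "int util(int x) { return x + 1; }\n",
        "Makefile": "all: main.c lib/util.c\n",
    }
    for rel, text in files.items():
        path = os.path.join(root, rel)
        with open(path, "w") as f:
            f.write(text)
        os.utime(path, (mtime, mtime))
    for d in (root, os.path.join(root, "lib")):  # after file creation, which bumps dir mtime
        os.utime(d, (mtime, mtime))
    return root


def naive_build(src_root):
    """The usual 'tar czf': records mtimes, uid/gid/user names and a gzip
    header timestamp, all of which depend on the machine doing the build."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        tar.add(src_root, arcname="src")
    return buf.getvalue()


def _normalize(info):
    """Strip every header field that depends on where the build ran."""
    info.mtime = SOURCE_DATE_EPOCH
    info.uid = info.gid = 0
    info.uname = info.gname = ""
    info.mode = 0o755 if info.isdir() or (info.mode & 0o111) else 0o644
    return info


def reproducible_build(src_root):
    """Same inputs, deterministic bytes: sorted entries, fixed metadata,
    gzip header with mtime=0 and no embedded filename."""
    raw = io.BytesIO()
    with gzip.GzipFile(fileobj=raw, mode="wb", mtime=0) as gz:
        with tarfile.open(fileobj=gz, mode="w", format=tarfile.USTAR_FORMAT) as tar:
            for dirpath, dirnames, filenames in os.walk(src_root):
                dirnames.sort()  # walk order must not depend on the filesystem
                rel_dir = os.path.relpath(dirpath, src_root)
                arc_dir = "src" if rel_dir == "." else os.path.join("src", rel_dir)
                tar.add(dirpath, arcname=arc_dir, recursive=False, filter=_normalize)
                for name in sorted(filenames):
                    tar.add(os.path.join(dirpath, name),
                            arcname=os.path.join(arc_dir, name), filter=_normalize)
    return raw.getvalue()


def sha256(blob):
    return hashlib.sha256(blob).hexdigest()


def first_difference(a, b):
    """Offset of the first differing byte, or -1 if the blobs are identical."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return -1 if len(a) == len(b) else min(len(a), len(b))


def verify_distribution(distributed_blob, src_root):
    """The check 'visible source' needs: rebuild and require an exact match.
    A match only shows the artifact came from this source with this build
    recipe; it says nothing about backdoors in the source or the toolchain."""
    return sha256(reproducible_build(src_root)) == sha256(distributed_blob)


def demo():
    """Two machines build the same tree checked out at different times."""
    with tempfile.TemporaryDirectory() as tmp:
        a = make_source_tree(os.path.join(tmp, "machine_a"), 1104537600)
        b = make_source_tree(os.path.join(tmp, "machine_b"), 1105142400)
        naive_a, naive_b = naive_build(a), naive_build(b)
        repro_a, repro_b = reproducible_build(a), reproducible_build(b)
        tampered = bytearray(repro_b)
        tampered[-1] ^= 0x01  # one flipped bit in the "vendor" artifact
        return {
            "naive_differ_at": first_difference(naive_a, naive_b),  # != -1
            "repro_identical": repro_a == repro_b,                  # True
            "repro_sha256": sha256(repro_a),
            "vendor_ok": verify_distribution(repro_b, a),           # True
            "tampered_ok": verify_distribution(bytes(tampered), a), # False
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

For compiled code the leaks are analogous rather than identical: absolute build paths recorded in debug info and `__FILE__`, and `__DATE__`/`__TIME__` macros. GCC's `-fdebug-prefix-map`/`-ffile-prefix-map` and the `SOURCE_DATE_EPOCH` environment variable (honoured by GCC for `__DATE__`/`__TIME__`) address those; whatever the build system, the procedure is the one above: pin every environment-dependent input, build twice on independent hosts, and treat anything but a byte-identical result as unverified.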