Re: Reproducible Builds for Fedora

[Dhiru Kholia <dhiru.kholia () gmail com>]

On 09/25/13 at 06:55pm, Solar Designer wrote:
> Dhiru, all -
>
> Ensuring that "objdump -d" has stayed the same between a known-good and
> another build of a binary is not sufficient to tell that the new build
> is not trojaned.  Changes to other sections (e.g., to embedded data that
> the program uses or/and to relocations) or/and to the ELF header may be
> sufficient to introduce meaningful backdoors.
>
> Recent research:
>
> https://www.usenix.org/conference/woot13/weird-machines-elf-spotlight-underappreciated-metadata
>
> "Our proof-of-concept toolkit highlights how important it is that
> defenders expand their focus beyond the code and data sections of
> untrusted binaries"
>
> [ Dhiru, weren't you there in person? ;-) ]

I was there but the talk was too technical ;)

> December 2006 paper saying that a related technique has "been used in
> the virus world many years prior to this paper":
>
> http://uninformed.org/?v=6&a=3&t=sumry
>
> Besides ELF being Turing-complete on its own, the ELF header may contain
> native executable code too:
>
> http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html

After some thinking (and after reading Alexander's emails) I think that
producing byte-for-byte identical builds is the only sane choice we are
left with.

I had this "byte-for-byte" clause in my initial version of the proposal
but I dropped it, thinking that it was too "ambitious" for an initial
proof-of-concept. It was probably a bad decision on my part. 

That being said, we have started working towards getting byte-for-byte
identical builds.

-- 
Dhiru