Re: Reproducible Builds for Fedora

[Solar Designer <solar () openwall com>]

Dhiru, all -

I did not review the code, so my reply is based on Sebastian's message only:

On Wed, Sep 25, 2013 at 10:08:01AM +0200, Sebastian Krahmer wrote:
>                 base=`basename $f`
>                 objdump -d rpm1/$f | grep -v $base > dump1
>                 objdump -d rpm2/$f | grep -v $base > dump2
>                 diff -u dump1 dump2 > /dev/null
>                 if [ $? -ne 0 ] ; then
>                           echo "File disassembly differs $f"
>                           cnt=`expr $cnt + 1`
>                 fi
> [...]
>
> for ELF files and doing a sha256sum for other file types. My concern is
> that attackers could construct a package that contains function-names that
> match the basename of the binary that you are checking. The "grep -v"
> will remove that, leaving a clean compare for injected code like
> 'call $base' etc. That would leave a wrong feeling about equal binaries.

Ensuring that "objdump -d" has stayed the same between a known-good and
another build of a binary is not sufficient to tell that the new build
is not trojaned.  Changes to other sections (e.g., to embedded data that
the program uses or/and to relocations) or/and to the ELF header may be
sufficient to introduce meaningful backdoors.

Recent research:

https://www.usenix.org/conference/woot13/weird-machines-elf-spotlight-underappreciated-metadata

"Our proof-of-concept toolkit highlights how important it is that
defenders expand their focus beyond the code and data sections of
untrusted binaries"

[ Dhiru, weren't you there in person? ;-) ]

December 2006 paper saying that a related technique has "been used in
the virus world many years prior to this paper":

http://uninformed.org/?v=6&a=3&t=sumry

Besides ELF being Turing-complete on its own, the ELF header may contain
native executable code too:

http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html

Alexander