flat assembler
Message board for the users of flat assembler.

On trusting open source softwares
TmX



Joined: 02 Mar 2006
Posts: 821
Location: Jakarta, Indonesia
I used to think that open source software is generally trustworthy, because... it is open source, you can examine the source code.

But after reading this article, I became slightly confused.

It's possible to insert a backdoor into an open source app and at the same time the code still looks clean.
Wow, isn't that amazing?

So, are open source apps still trustworthy?
I'm not being paranoid here, though. Just being curious... Smile
Post 26 Jan 2010, 14:43
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 17278
Location: In your JS exploiting you and your system
TmX wrote:
It's possible to insert a backdoor into an open source app ...
Yes of course. Why would anyone think anything different? It is basic psychology.

Here is how it works: Because it is open source that means that it won't be possible to put in "bad" code, so no one will be silly enough to try putting "bad" code in there, so why should you bother to check it when "bad" code won't be there?

Almost everyone does not check the code they download in open source software. Checking is time consuming and expensive and since we expect that nothing bad is there then there is very little reason to check it anyway. Hence why some people can put in bad code and get away with it.

Open source is not a magic bullet to cure all evil. But far too many people believe it is, unfortunately.
Post 26 Jan 2010, 14:51
TmX



Joined: 02 Mar 2006
Posts: 821
Location: Jakarta, Indonesia
revolution wrote:

Almost everyone does not check the code they download in open source software. Checking is time consuming and expensive and since we expect that nothing bad is there then there is very little reason to check it anyway. Hence why some people can put in bad code and get away with it.


Yeah, that pretty much makes sense to me.
I used to think that open source software is more trustworthy because "thousands of eyes" will take a look into the code, and if someone finds something that's not right/malicious, then he can give a warning/make a patch/etc. immediately.

Not so many people are interested in dissecting the code, right?
Post 26 Jan 2010, 15:08
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 17278
Location: In your JS exploiting you and your system
It works both ways. "Thousands" of eyes looking; and "thousands" of bad people wanting to put their evil code into it.
Post 26 Jan 2010, 15:56
bitRAKE



Joined: 21 Jul 2003
Posts: 2915
Location: [RSP+8*5]
BadCode™ could be very slight - a single character wrong would be sufficient. Eyes alone are not sufficient - a good source code management system is needed. Why does # always commit changes with buffer problems? Why isn't # using the safe APIs decided upon? # shouldn't have commit access.
Post 26 Jan 2010, 18:03
Borsuc



Joined: 29 Dec 2005
Posts: 2466
Location: Bucharest, Romania
The article is more subtle than that. It modifies the compiler to put the backdoor into any apps compiled. And the compiler source code with the bad code gets reset back to normal -- when you compile a new compiler version with a clean source but with the infected binary (seriously, you can't compile any source without a binary compiler!), the new compiler binary will also have the backdoor.

Even if you looked at the source, you wouldn't see it. Both the compiler source AND any other app source.
Post 26 Jan 2010, 19:40
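
The mechanism described in the post above, as an added model that is not part of the original post: a compiler binary carries behaviour that exists in no source, so a rebuild from clean source reproduces it. The example goes beyond the post by adding a rebuild-and-compare check against an independently obtained compiler (diverse double-compiling); all names and placeholder strings are constructed, and it assumes deterministic builds and a second compiler that does not carry the same trojan.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Binary:
    source: str                      # source text the binary was built from
    codegen: str                     # source of the compiler that generated the code
    hidden: frozenset = frozenset()  # behaviour in the binary that is in no source

# Constructed placeholders standing in for real source trees.
CC_SRC = "compiler source (clean)"
LOGIN_SRC = "login source (clean)"
OTHER_CC_SRC = "independent compiler source"

def run_compiler(compiler, src):
    """Model of running the compiler binary `compiler` on source `src`."""
    hidden = frozenset()
    if "trojan" in compiler.hidden:
        if src == CC_SRC:        # recognises compiler source: copy itself forward
            hidden = compiler.hidden
        elif src == LOGIN_SRC:   # recognises the target app: add the backdoor
            hidden = frozenset({"backdoor"})
    return Binary(src, compiler.source, hidden)

def source_audit(binary):
    """What reading the source can tell you: only whether the source is clean."""
    return binary.source in (CC_SRC, LOGIN_SRC)

def rebuild_and_compare(suspect, trusted):
    """Build the compiler source with an independent compiler, rebuild it with
    the result, and compare that second stage with the suspect binary."""
    stage1 = run_compiler(trusted, CC_SRC)
    stage2 = run_compiler(stage1, CC_SRC)
    return stage2 == suspect

CLEAN_CC = Binary(CC_SRC, CC_SRC)
INFECTED_CC = Binary(CC_SRC, CC_SRC, frozenset({"trojan"}))
TRUSTED_CC = Binary(OTHER_CC_SRC, OTHER_CC_SRC)

if __name__ == "__main__":
    rebuilt = run_compiler(INFECTED_CC, CC_SRC)
    print("rebuilt from clean source, still infected:", rebuilt == INFECTED_CC)
    print("login backdoored:", "backdoor" in run_compiler(INFECTED_CC, LOGIN_SRC).hidden)
    print("source audit passes:", source_audit(rebuilt))
    print("rebuild-and-compare passes:", rebuild_and_compare(rebuilt, TRUSTED_CC))
```
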
ManOfSteel



Joined: 02 Feb 2005
Posts: 1154
TmX wrote:
It's possible to insert a backdoor into an open source app and at the same time the code still looks clean.
Wow, isn't that amazing?

So, are open source apps still trustworthy?

If something exists, then it's not trustworthy, until proven otherwise and as long as it remains unchanged. That's not limited to software or technology.
Only when you discover the objective truth of something can you judge whether or not you can trust it.

At least with OSS you *may* check the source of the application, and of the system on which it is built, and of the build tool-chain that is used, while with CSS you have to disassemble all these, and as you may have once discovered, the deadlisting can be a pain to read, especially if you're checking every line. Besides, whether you care or not, you're probably also breaking the law by doing so.
So what I can say is that OSS is not better than CSS in that regard. CSS is just *in a way* worse than OSS.

I don't agree with the "not many people bother to check the source" theory.
It all depends on the size and importance of the project. For instance when it comes to operating systems, compilers, etc. *there are* many people checking the source and security vulnerabilities have been found in the past by both users and security experts. If you check the way these projects work internally, you can see malicious code could hardly last a significantly long time undetected.

We've already discussed similar things in the past.
Post 26 Jan 2010, 20:04
bitRAKE



Joined: 21 Jul 2003
Posts: 2915
Location: [RSP+8*5]
How can the compiler identify itself on all architectures? I'm imagining a hash of an abstract representation, or some source code specific key. An external tool could randomize the source code - not just the variable names, but algorithm transformations. It would become very difficult for the compiler to recognize itself.
Post 26 Jan 2010, 20:34
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 17278
Location: In your JS exploiting you and your system
bitRAKE wrote:
How can the compiler identify itself on all architectures?
It recognises the input source code; which is supposed to be platform independent.
bitRAKE wrote:
An external tool could randomize the source code - not just the variable names, but algorithm transformations. It would become very difficult for the compiler to recognize itself.
Yes, of course. Once you have identified the problem the solution is easy to apply. But it is the initial identification that is always the key to these things.
Post 26 Jan 2010, 20:39
bitRAKE



Joined: 21 Jul 2003
Posts: 2915
Location: [RSP+8*5]
That obfuscated code can easily hide a back door - problem just moved.
Post 26 Jan 2010, 20:45
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 17278
Location: In your JS exploiting you and your system
The only way to be 100% sure you have a completely non-evil system setup is to throw away all computers and never use them again. But, more practically, since we can't (or don't want to) do that, then we have to put our trust in foreign code, foreign chips and/or foreign boards that we did not ourselves make. That is just life, you can't escape all risks completely.

How do we know that Intel/AMD have not put backdoor circuitry in the CPU? The network chip? USB chip? Northbridge? etc.
Post 26 Jan 2010, 20:52
TmX



Joined: 02 Mar 2006
Posts: 821
Location: Jakarta, Indonesia
ManOfSteel wrote:

I don't agree with the "not many people bother to check the source" theory.
It all depends on the size and importance of the project. For instance when it comes to operating systems, compilers, etc. *there are* many people checking the source and security vulnerabilities have been found in the past by both users and security experts. If you check the way these projects work internally, you can see malicious code could hardly last a significantly long time undetected.


OK, I understand. When it comes to big projects like the Linux kernel or GCC, then I guess I better trust the developers/community.

I once gave the Linux kernel source code a look, then I stepped back.
The kernel is too big. Maybe I should start with a smaller project, like FASM. He he...


Last edited by TmX on 27 Jan 2010, 04:02; edited 1 time in total
Post 27 Jan 2010, 03:50
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 17278
Location: In your JS exploiting you and your system
TmX wrote:
OK, I understand. When it comes to big projects like the Linux kernel or GCC, then I guess I better trust the developers/community.

I once gave the Linux kernel source code a look, then I stepped back.
The kernel is too big.
Yes, this is precisely why people don't check the sources. They simply trust that others are doing it.

But what happens when everyone is trusting everyone else to check things? The extreme of this is that no one is checking because they think someone else will check for them.
Post 27 Jan 2010, 03:56
ManOfSteel



Joined: 02 Feb 2005
Posts: 1154
The first thing I do after extracting the base system and the kernel is to fill /usr/src.
I often read parts of it and I am confident others do likewise with other parts.
On forums we often check the source to understand how something works and be able to help others when they have problems or when they want to modify something.

There simply is no chance malicious code can live long enough to cause serious damage or be even possible in most cases, when security officers and other people responsible for releases, as well as many users and security experts check the source, and when there is file integrity checking software, or the source (and most of the system anyway) is simply read-only.
The entire system, on every level, cannot be compromised, at the same time, worldwide. A discrepancy will appear one way or another, sooner or later, probably sooner, very soon.
Post 27 Jan 2010, 15:09
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 17278
Location: In your JS exploiting you and your system
ManOfSteel: For very large projects what you mention may well be true. But there are many many thousands (perhaps millions) of smaller open source projects that do not enjoy such a situation. One has to stay wary if one wants to be sure to satisfy oneself that no evil code is being downloaded.
Post 27 Jan 2010, 15:45
Borsuc



Joined: 29 Dec 2005
Posts: 2466
Location: Bucharest, Romania
I'd like to see what will happen if it "really happens", what the excuse will be Razz
Post 27 Jan 2010, 17:09
LocoDelAssembly
Your code has a bug


Joined: 06 May 2005
Posts: 4633
Location: Argentina
ManOfSteel, probably mentioned in the link you posted but I think it is worth mentioning it again. Debian's big OpenSSL PRNG bug was code that no one detected for at least one year and it was even discussed in a public forum, i.e., it was nothing that the maintainer did without telling anybody. What is worse is that since it was in Debian, many distros (Ubuntu for instance), inherited the bug and even with those extra eyes it was still uncaught for a long time.

Not something that happens daily, but sometimes shit happens.
Post 27 Jan 2010, 17:13
ManOfSteel



Joined: 02 Feb 2005
Posts: 1154
revolution wrote:
there are many many thousands (perhaps millions) of smaller open source projects that do not enjoy such a situation. One has to stay wary if one wants to be sure to satisfy oneself that no evil code is being downloaded.

Of course. If users want to grab the source of small projects and build them on their machines, they should check any script that is executed during the configuration, building and installation processes. That should be enough as it's the only time something is running with heightened privileges.

Keeping the system up to date will nullify chances of having malicious code taking advantage of a known local privilege escalation vulnerability.
A system that has security as one of its priorities, should have very few such vulnerabilities in a while anyway, and patches should be available quickly. Users can refrain from compiling anything during that short period or double their vigilance.

They can also check if the setup is installing any setuid binary and check the justification for that.

Better be paranoid than sorry. Twisted Evil
Post 27 Jan 2010, 21:28
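
The setuid check mentioned in the post above, as an added example that is not part of the original post: it walks a staged install tree and reports every setuid/setgid file that is not on a reviewed allowlist, without running anything from the package. It assumes the package was installed into a staging directory first (for example through `DESTDIR`); the function names, the allowlist format and the sample tree are constructed for illustration.

```python
import os
import stat
import tempfile

def audit_setid(stage, allowlist=()):
    """Return (unreviewed, allowed): lists of (path, mode string) for every
    setuid/setgid regular file under the staged install tree `stage`.
    Paths are relative to the staging root, e.g. /usr/bin/tool."""
    reviewed = set(allowlist)
    unreviewed, allowed = [], []
    for root, _dirs, files in os.walk(stage):
        for name in files:
            full = os.path.join(root, name)
            st = os.lstat(full)   # lstat: never follow symlinks out of the tree
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                rel = "/" + os.path.relpath(full, stage).replace(os.sep, "/")
                entry = (rel, stat.filemode(st.st_mode))
                (allowed if rel in reviewed else unreviewed).append(entry)
    return sorted(unreviewed), sorted(allowed)

def make_demo_stage():
    """Constructed sample: a staging tree with one ordinary file and one
    setuid file, standing in for a small project's install output."""
    stage = tempfile.mkdtemp(prefix="stage-")
    bindir = os.path.join(stage, "usr", "bin")
    os.makedirs(bindir)
    for name, mode in (("tool", 0o755), ("tool-helper", 0o4755)):
        path = os.path.join(bindir, name)
        open(path, "w").close()
        os.chmod(path, mode)
    return stage

if __name__ == "__main__":
    demo = make_demo_stage()
    unreviewed, allowed = audit_setid(demo)
    for rel, mode in unreviewed:
        print("UNREVIEWED", mode, rel)
    for rel, mode in allowed:
        print("allowed", mode, rel)
    raise SystemExit(1 if unreviewed else 0)
```
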
DustWolf



Joined: 26 Jan 2006
Posts: 373
Location: Ljubljana, Slovenia
revolution wrote:
How do we know that Intel/AMD have not put backdoor circuitry in the CPU? The network chip? USB chip? Northbridge? etc.


Intel has. It's called AMT. Bypasses software firewall and functions when the computer is turned off. Allows remote boot, shut down and general access to system memory to authenticated user, credentials stored in firmware. Uses HTTP tunneling. Cannot be turned off, can only be reset to defaults which means giving hardware vendor access as per firmware.

As for the rest of the argument, I prefer my back-doors open-source. That way if I want to be paranoid I can check them out, rather than trusting Microsoft to be honest and non-abusive towards their customers. Think of the odds.
Post 02 Feb 2010, 01:19
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 17278
Location: In your JS exploiting you and your system
How come no one mentions Apple? Apple is worse than MS with regard to secrecy. Wink
Post 02 Feb 2010, 02:58
Copyright © 1999-2020, Tomasz Grysztar.