undefined | Better HN

0 pointssaurik12y ago0 comments

It is possible to analyze the behavior of a program without access to the source code that makes it easy to recompile and distribute modified builds. I routinely open binary files in disassemblers to read through their behavior. Yes, it is possible to obfuscate the hell out of parts of binary code, and that would certainly throw up a red flag for me, but concentrating on the source code seems to miss the point that source code can also be obfuscated, if the source code looks "too weird" we probably aren't going to trust it either, and it is also possible to hide a bunch of behaviors across wide areas of "open" "clear" code (so nothing looks "too weird" at any given place in the code).

To be very explicit about this, as I think this is a very subtle problem that people tend to totally misunderstand: if I wanted to distribute a chat program and have it be "evil" I would not distribute a binary with hidden behavior (if nothing else, when you find this code in my binary I'm pretty damn well screwed ;P): I'd instead distribute an open source program that involved a threaded work queue for handling multiple socket connections to peers and which had a few very subtle use-after-free race conditions that would only come up under nearly impossible timing scenarios that I knew how to trigger and exploit, giving me complete control of your client whenever I wanted.

These are the kinds of bugs people use to attack open source "secure" web browsers like Chrome year after year at Pwn2Own because people are simply bad at concurrency. In this sense, I'd thereby trust a closed source web browser that had no threads or which was implemented in a type-safe garbage collected language (executed on a simply-engineered runtime from someone separate that I trusted, which could also be closed source for all I care) a lot more than I'd trust Chrome. I'd even probably have an easier time understanding what it is doing disassembling it than reading Chrome's code. (To be clear, such a browser doesn't exist: probably you should use Chrome.)

0 comments

hendzen12y ago

Actually, there has been some recent research [0] in cryptography that shows it is possible to produce binaries that are obfuscated in such a way such that they are computationally infeasible to deobfuscate (see the linked reference for a formal definition of indistinguishability obfuscation).

[0] - http://eprint.iacr.org/2013/451.pdf

saurikOP12y ago

Yes. Even more simply, it is an impossible problem in the general case to even determine in a given x86 binary what parts are code and what parts are data (there was someone at RV '04 that published a paper on that result while working on his CodeSurfer binary analysis tool).

This does not, however, contradict my argument: as we can take a binary and generate really horrible C code from it (by just emulating via C, unrolling the instructions) the same result is true of source code; however, we would find that block of code highly suspicious ;P.

Again: if I wanted to give myself a backdoor into a chat program, I wouldn't distribute a backdoor into a binary, I'd provide open source code with subtle bugs that would take people years to find and that when found would look like honest "concurrency is hard" mistakes.

I am not saying that whether something is open source or not is totally irrelevant, but the people I'm responding to seem to be having this gut reaction "if it isn't open source it can't be trusted", so I'm attempting to provide enough context to show that it isn't that simple.

bigiain12y ago

I think there's also a bit of "if the crypto can be trusted, opening the source code doesn't weaken it and helps build trust".

Personally, I'm running BTSync - and even though I've got it syncing EncFS encrypted data, the app has enough privileges to read the unencrypted versions of those EncFS filesystems if it were instructed to.

I'd feel happier if a few trusted security experts from a few different countries/jurisdictions had blogged about their analysis of the source code and the likelyhood of the binary produced from the source being either intentionally or unintentionally compromised.

Having said that, as you point out, we've got the Chrome source, lots of people look very hard at it, and it _still_ fails year after year… Hopefully, BTSync and BTChat (or my hypothetical Open Source reimplemetations) are significantly less complex than a full featured browser, and not would not require nearly so much focus on performance that "provably secure" or perhaps just "significantly less likely to have obscure bugs" coding techniques could be used in spite of speed penalties - browser vendors have significant motivation to optimise for speed above all else, hopefully the much smaller subject domains of sync or chat clients would allow security to sensibly be prioritised instead.

xenonite12y ago

Even more than that, if one wants to insert backdoors in OOS, one could easily do that getting barely noticed.

A program might be open source, still the binaries offered for download might be compromised. Who is able to notice that now?

You might compile the software yourself, but the majority of users wont.

You might have reverse engineered a closed source software, but I guess you won't do that for the OSS binaries.

1 more reply

StavrosK12y ago

Your argument is a bit disingenuous. You say you'd trust simple closed-source software more than complicated open-source counterparts. That's a false dichotomy. Open source X is always more easily auditable than closed source X.

I don't think many people are worried that BT will be evil. I think many more people are worried that they'll be incompetent, and it's very hard to be competent at cryptography. That's why we want the source.

bigiain12y ago

From a "non US person" perspective, I go to BitTorrent's website and read:

  Company Overview
  
  BitTorrent Inc. is an Internet technology company based in San Francisco.

And immediately I've got _two_ things to worry about - 1) "will BT be evil/incompetent?", and 2) "will BT be leaned on by the NSA and be coerced into being evil?"

If you're a US company (or individual, or a company with US based management, developers, investors, or infrastructure) who are promoting security-related products in the post-Snowden era – many of us outside the US now have very good reasons to apply extra scrutiny to those products. Opening your source will make a _big_ difference in how readily suspicions of evilness can be allayed. As saurik points out upthread, having the source available doesn't guarantee the rest of the open source community will find and fix any carefully-enough-crafted backdoors, but keeping the source closed sends a strong message…

Avshalom12y ago

From a US perspective: The NSA doesn't lean on non-US companies because it is fully authorized to just hack them directly. Your data kept in foreign countries don't even have the nominal legal protection that US data does.

Unless you've got unbreakable security the NSA is well funded enough that it's irrelevant where you do business.

1 more reply

saurikOP12y ago

Ok, then I will say your argument is a bit disingenuous, as I did not compare "open source X" to "closed source X": I am trying to show that "is it open source" is just one of many variables that you might consider while evaluating the security of a program, and I am further attempting to claim that it is not even the most important of these variables. In the real world, we are choosing between software that differ in many ways, not just one: all individual dichotomies are "false".

I mean, I could also say the argument "you can't trust closed source software for this stuff" is also "a bit disingenuous" via the analogous argument that that open vs. closed is a "false dichotomy": a single-threaded/type-safe/un-obfuscated X-source program "is always more easily auditable" than a multi-threaded/type-unsafe/obfuscated X-source program. Now, the question becomes "what variables are more important to you, and will your reactions be 'knee jerk' or rational"?

StavrosK12y ago

Sure, it's only one variable. I disagree that it's not the most important one.

You can audit a multithreaded open source program much more easily than you can audit a single-threaded closed source program. Merely compiling it adds more obfuscation than making it needlessly, complicated will, and making it needlessly complicated will immediately raise red flags.

You don't need to analyze an open-source program to see that it's been obfuscated, and, if it claims to do anything that requires security, that would probably be enough to make you suspicious.

My ultimate point is that compiling is a form of obfuscation that has extreme plausible deniability. There's no form of obfuscation that will complicate the code of an open source program as much as compiling it will, while still looking as innocuous as compiling does.

1 more reply

sillysaurus212y ago

It is possible to analyze the behavior of a program without access to the source code

It may be possible, but it's not easy.

j / k navigate · click thread line to collapse

0 pointssaurik12y ago0 comments

0 comments

hendzen12y ago

[0] - http://eprint.iacr.org/2013/451.pdf

saurikOP12y ago

bigiain12y ago

I think there's also a bit of "if the crypto can be trusted, opening the source code doesn't weaken it and helps build trust".

xenonite12y ago

Even more than that, if one wants to insert backdoors in OOS, one could easily do that getting barely noticed.

A program might be open source, still the binaries offered for download might be compromised. Who is able to notice that now?

You might compile the software yourself, but the majority of users wont.

You might have reverse engineered a closed source software, but I guess you won't do that for the OSS binaries.

1 more reply

StavrosK12y ago

bigiain12y ago

From a "non US person" perspective, I go to BitTorrent's website and read:

  Company Overview
  
  BitTorrent Inc. is an Internet technology company based in San Francisco.

And immediately I've got _two_ things to worry about - 1) "will BT be evil/incompetent?", and 2) "will BT be leaned on by the NSA and be coerced into being evil?"

Avshalom12y ago

Unless you've got unbreakable security the NSA is well funded enough that it's irrelevant where you do business.

1 more reply

saurikOP12y ago

StavrosK12y ago

Sure, it's only one variable. I disagree that it's not the most important one.

You don't need to analyze an open-source program to see that it's been obfuscated, and, if it claims to do anything that requires security, that would probably be enough to make you suspicious.

1 more reply

sillysaurus212y ago

It is possible to analyze the behavior of a program without access to the source code

It may be possible, but it's not easy.

j / k navigate · click thread line to collapse