Decompiling Software

lxskllr

An argument in another thread regarding Chinese software got me thinking about open source software. What would stop somebody from releasing clean source code, but a contaminated binary for mass consumption? I'm assuming it isn't possible to turn a binary into source, so how can it be checked without recompiling, and comparing md5s, or something like that? Is that a legitimate security concern, or is there a reasonable way of quickly checking?

This is probably more applicable to the Linux forum, but Windows software can be had from source too, though it's less common.
 

Gooberlx2

Lots of companies and groups do post the md5 of their installers and ISOs, for example, because people will download files from other sites, torrents, etc... and risk grabbing a malware tainted file.

Decompiling tools exist, but are unlikely to reconstruct the exact source, require a fair amount of expertise and certainly wouldn't be a "quick" method of checking binary legitimacy.

If some group released clean source but corrupt binaries, I'd expect the community would catch it pretty quick by checking hashes against their own compiles; assuming the software wasn't something totally obscure that hardly anyone uses or cares about.
 

lxskllr

I was thinking about smaller projects. Kind of one off things, that aren't commonly used. I used to have a really simple program for Windows that would split the sound off a video file. It had available source code, but that isn't to say the binary was proven good. I doubt many people knew about it, and the ones that did may have never checked the compile.

Does software compile exactly the same every time assuming it went through error free, or can the hashes vary on otherwise good compiles?
 

Gooberlx2

lxskllr said:
Does software compile exactly the same every time assuming it went through error free, or can the hashes vary on otherwise good compiles?

I'm not sure. I suppose that might depend on the compiler, flags set at compile time, maybe even resulting file attributes like creation date, etc. Definitely a question for the programming forum.
 

OVerLoRDI

I would assume that if you are using the same libraries, compiler, and flags the source should compile into an identical binary.

You do bring up an interesting point. Just because someone releases the source code of their project, and the source code looks legit, that doesn't necessarily ensure that the binary is what it claims to be. Obviously this isn't a huge issue in Linux land since a lot of software is compiled from source anyways. But in MS land this is an issue.

Maybe someone who is more informed in this area can chime in or this thread will likely just be moved to the programming forum.
 

Nothinman

lxskllr said:
An argument in another thread regarding Chinese software got me thinking about open source software. What would stop somebody from releasing clean source code, but a contaminated binary for mass consumption? I'm assuming it isn't possible to turn a binary into source, so how can it be checked without recompiling, and comparing md5s, or something like that? Is that a legitimate security concern, or is there a reasonable way of quickly checking?

This is probably more applicable to the Linux forum, but Windows software can be had from source too, though it's less common.

It's possible, but you would only get those who use your specific binary. If your application gets included in any distros then it'll be compiled from the source so your backdoor won't make it into them.

lxskllr said:
Does software compile exactly the same every time assuming it went through error free, or can the hashes vary on otherwise good compiles?

Only if the environment and compiler flags are exactly the same. A difference in compiler version, link library versions, etc. will all have minor effects on the resulting binary.
 

VirtualLarry

lxskllr said:
Does software compile exactly the same every time assuming it went through error free, or can the hashes vary on otherwise good compiles?

Some compilers insert a timestamp, I think, which would screw up hashes. You would also have to have the build options exactly the same.
 

CU

At least in MSVS C++, without changing anything, the exe will not have the same hash. The exe has a time stamp in it. Also some flags will create a different exe every time. I don't remember the flag, but I needed it to produce a stack trace when the program crashed. The flag would reorder things in the exe every time you compiled. It was very hard to get the software certified because the group doing the certification wanted us to send them an exe and the source to compile and then they would compare the hash of the exes to make sure we didn't sneak in anything like a backdoor.

So, yes, even if a project is open source and you just use the exe from the site, it could contain a backdoor. The backdoor could be in place for years without anyone ever noticing. I would only run an exe from a person or company you trust.
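
Added example, not part of the original thread: a sketch of the comparison the posts above describe, hashing two Windows builds with the COFF header `TimeDateStamp` zeroed so that a timestamp-only difference can be told apart from a real one. The function names and the toy PE-like sample bytes are constructed for illustration.

```python
import hashlib
import struct

PE_SIG = b"PE\0\0"

def pe_header_offset(data):
    """Return the offset of the PE signature, read from e_lfanew at 0x3C."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != PE_SIG:
        raise ValueError("PE signature not found")
    return e_lfanew

def normalized_digest(data):
    """SHA-256 of the file with the COFF TimeDateStamp field zeroed.

    Layout after the signature: Machine (2), NumberOfSections (2),
    TimeDateStamp (4), so the field sits at PE offset + 8.
    Only this one field is normalized; other build-varying data
    (for example debug directory entries) still shows up as a difference.
    """
    buf = bytearray(data)
    off = pe_header_offset(data)
    buf[off + 8:off + 12] = b"\0\0\0\0"
    return hashlib.sha256(buf).hexdigest()

def compare_builds(a, b):
    """Classify two builds: identical, timestamp-only, or different."""
    if hashlib.sha256(a).digest() == hashlib.sha256(b).digest():
        return "identical"
    if normalized_digest(a) == normalized_digest(b):
        return "timestamp-only"
    return "different"

def toy_pe(timestamp, body):
    """Constructed sample: DOS stub + COFF header + body (not a loadable exe)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0, 0x102)
    return bytes(dos) + PE_SIG + coff + body

# Constructed inputs: same code built twice, then a build with altered code.
BUILD_A = toy_pe(0x4E7D0000, b"code")
BUILD_B = toy_pe(0x4E7D1234, b"code")
BUILD_C = toy_pe(0x4E7D1234, b"code+extra")

if __name__ == "__main__":
    print(compare_builds(BUILD_A, BUILD_B))  # timestamp-only
    print(compare_builds(BUILD_B, BUILD_C))  # different
```

A "different" result only says the builds diverge somewhere other than the header timestamp; it takes a matching compiler, library versions and flags, as noted in the thread, before that result means anything.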
 

lxskllr

Interesting. I guess if you wanted absolute security, you'd have to compile all your software yourself. It's always worth keeping in mind. I find myself sometimes complacent with security due to running Linux, but that isn't a magic anti-malware bullet. Diligence is still required in day to day operations.
 

Nothinman

lxskllr said:
Interesting. I guess if you wanted absolute security, you'd have to compile all your software yourself. It's always worth keeping in mind. I find myself sometimes complacent with security due to running Linux, but that isn't a magic anti-malware bullet. Diligence is still required in day to day operations.

And even that's not that useful because there's no way you can successfully audit the source of every application you use. Eventually you have to give some level of trust to the developers, packagers, etc building the software for you.
 

Modelworks

Besides MD5 you can also use something like IDA Pro. Then it is easy to see if the program is doing anything it shouldn't. If these old kernel models could get replaced with something new and we could stop this building and patching of kernels designed 20 years ago then a lot of these malware issues could be solved.
 

Nothinman

Modelworks said:
Besides MD5 you can also use something like IDA Pro. Then it is easy to see if the program is doing anything it shouldn't. If these old kernel models could get replaced with something new and we could stop this building and patching of kernels designed 20 years ago then a lot of these malware issues could be solved.

Malware doesn't really need to do anything at the kernel level. They just do that because it makes it easier to hide. Stealing your email contacts, intercepting your keyboard input to get your CC#, etc. doesn't require anything special. And the flexibility that's being exploited by malware isn't optional for a lot of us.
 

CastIronStove

lxskllr said:
Interesting. I guess if you wanted absolute security, you'd have to compile all your software yourself. It's always worth keeping in mind. I find myself sometimes complacent with security due to running Linux, but that isn't a magic anti-malware bullet. Diligence is still required in day to day operations.

Even that's not enough. To be completely secure you would first need to write your own compiler.
 

beginner99

If the software is Java or .NET it is easy to "decompile" since the binaries are not actually compiled but in bytecode which can be "decompiled" to source code (without comments). Hence any .NET or Java product is in some way "Open-Source".

But for anything just a little complex it would probably take you weeks to check the source code for malware.

But yeah, I've had the same thoughts...
 

Modelworks

Something many do, myself included, is to obfuscate your source code before you compile it for the final time if it is something that you want to keep private. There are tools that effectively replace things like variable names from easy to understand words like menu to kesjh, making it even harder to understand if you do decompile it.
 

Lifted

Modelworks said:
Something many do, myself included, is to obfuscate your source code before you compile it for the final time if it is something that you want to keep private. There are tools that effectively replace things like variable names from easy to understand words like menu to kesjh, making it even harder to understand if you do decompile it.

I knew somebody who did this at a job. No oversight obviously.

After somebody above gave him a firm push out the door for personal reasons, the other developers on staff who had to inherit his code were like :eek: o_O :confused:.

So they begged him to make changes to the code that needed to be done, and he agreed to do the work for something like $1,500/hr. So they would send him the code and specs of the redesign, he would run it through his variable converter, kesjh -> menu, make the changes, back through the converter, menu -> kesjh, and he'd send it back. He got to milk that for years, working just a few hours a week, from anywhere in the world, making loads more than when he was a full time slave.

Ethical it was not, but after being treated like shit and forced out he really didn't care.
 

Nothinman

Lifted said:
I knew somebody who did this at a job. No oversight obviously.

After somebody above gave him a firm push out the door for personal reasons, the other developers on staff who had to inherit his code were like :eek: o_O :confused:.

So they begged him to make changes to the code that needed to be done, and he agreed to do the work for something like $1,500/hr. So they would send him the code and specs of the redesign, he would run it through his variable converter, kesjh -> menu, make the changes, back through the converter, menu -> kesjh, and he'd send it back. He got to milk that for years, working just a few hours a week, from anywhere in the world, making loads more than when he was a full time slave.

Ethical it was not, but after being treated like shit and forced out he really didn't care.

They should have taken legal action against him. If he was a full-time employee the code was likely owned by the company he was writing it for and obfuscating it like that can't be legal.