Debian Project Aims to Keep the CIA Off Our Computers
One of the big advantages of open source software is that third parties can inspect the code to ensure it does what it's supposed to. If any malicious code is present, it can be detected and eliminated. But when software is distributed in the form of a binary executable, there is a risk that malicious code (not present in the original source code) has been added.
This doesn't necessarily mean that the developer intended to distribute corrupted code. If the developer is using a compromised compiler, it could introduce the malware as the source code is turned into an executable.
This may sound a little far-fetched, but in actual fact it is a real security concern. The Snowden leak has revealed that the CIA is working on ways to exploit these weaknesses to install snooping software onto consumer devices all over the world.
At a recent conference organized by the CIA, a team of developers presented a proof of concept. They had managed to bypass Apple's digital certificates to produce a corrupted version of XCode, Apple's proprietary compiler. This compiler is used to by independent developers to make OS X and IOS apps. The corrupted version embeds spyware into any application compiled by the developer without their knowledge.
These apps could find their way into the app stores, and potentially onto millions of consumer devices. This would allow security agencies to snoop on the conversations and private messages of millions of innocent users all over the world.
If Apple is a hot target, then Linux is an even more tempting one. Security conscious users who understand the risk of commercial platforms often use Linux for its tighter security features. This includes people who the security agencies are VERY interested in spying on.
Anti-virus software can detect fragments of known malware, but this is only possible after instances of the malware have been discovered and analyzed. It doesn't protect against new or previously undetected malware infections. In short, anti-virus software is not enough to protect against this type of attack.
The only way to be sure that a binary executable does not include any unexpected code is to compile the source code and compare the two files. If the freshly compiled file does not match the binary executable under test, it could have added code, possibly malware.
While this is a basically sound idea, there is a major fly in the ointment. The source code for the majority of Linux packages is written in such a way that it doesn't always compile to produce an identical binary file.
There are several reasons why a compiled file may be different. This includes:
- Timestamps embedded in the code.
- Incremental build numbers.
- Differences between different file systems, so a binary compiled on my computer is different from one compiled on yours.
- File paths from the build machine are embedded into the binary - different computers could store resources and code in different locations.
- Random data from memory or the CPU embedded into the compiled file. And so on.
The problem of producing reproducible builds requires a number of changes to be made:
1: The source code must be changed so that variables are always initialized to static values (not dynamic values from memory, which can be random).
2: Eliminate the use of timestamps, source code file paths, and build numbers.
3: Specify the exact build environment, so that it can be reproduced on different computers.
As you can imagine, this could be painstaking work on a single project. But the Debian project has over 20,000 packages, and the majority of them need to be overhauled. This is a major undertaking, to say the least.
But it has to be done. A single corrupted package could result in thousands of infected computers.
You can read more about the project at:
Fast/Flexible Linux OS Recovery
On Demand Now
In this live one-hour webinar, learn how to enhance your existing backup strategies for complete disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible full-system recovery solution for UNIX and Linux systems.
Join Linux Journal's Shawn Powers and David Huffman, President/CEO, Storix, Inc.
Free to Linux Journal readers.Register Now!
|Secure Desktops with Qubes: Introduction||May 27, 2016|
|Chris Birchall's Re-Engineering Legacy Software (Manning Publications)||May 26, 2016|
|ServersCheck's Thermal Imaging Camera Sensor||May 25, 2016|
|Petros Koutoupis' RapidDisk||May 24, 2016|
|The Italian Army Switches to LibreOffice||May 23, 2016|
|PeaZip||May 20, 2016|
- Download "Linux Management with Red Hat Satellite: Measuring Business Impact and ROI"
- Secure Desktops with Qubes: Introduction
- Chris Birchall's Re-Engineering Legacy Software (Manning Publications)
- The Italian Army Switches to LibreOffice
- Linux Mint 18
- Petros Koutoupis' RapidDisk
- ServersCheck's Thermal Imaging Camera Sensor
- Oracle vs. Google: Round 2
- The FBI and the Mozilla Foundation Lock Horns over Known Security Hole