Question

Let's assume I want to use a piece of open-source software; the developer says that the software is open source and provides the source code.

Now my question is, how can I be 100% sure that the given binary files are compiled from the given source code?

Of course I could always compile the source code of every open-source project I want to make use of, but that is quite time-consuming if I want to use more than just one program, or even impossible if, for example, I want to use an iPhone and do not have a MacBook.

So do I have to trust the developer that the binary files are truly from that source code or is there another way?

For example: Let's assume I want to use the messenger app Signal. How can I be sure that there is not a built-in backdoor in the binary files which is not in the provided source code?


Solution

how can I be 100% sure that the given binary files are compiled from the given source code?

The only way is to compile it yourself using the exact same environment that has been used to build the given binary, and compare. This is easier if the open-source project has set up a CI/CD chain. That said, if you manage to compile, you no longer need pre-built binaries.

So do I have to trust the developer that the binary files are truly from that source code or is there another way?

No, you have to trust the distribution channel, be it the download section of the source code repository or the official software distribution channel (RedHat repo, Apple's App Store or whatever).

How can I be sure that there is not a built-in backdoor in the binary files which is not in the provided source code?

You can't. And you can't be sure that there is not a built-in backdoor in the source code itself. I mean, you'll never have the time to check every piece of open source software that you want to use.

OTHER TIPS

The keyword you'd want to put in the search engine here is "reproducible build". What this means is that whenever you build the same version of the software under a well-known configuration, the build output is always bit-for-bit identical. Anyone can rebuild the software and then attest that the published builds are built from the same source.

Some security-sensitive software like Tor Browser and OpenSSL have made attempts at reproducible builds with varying degrees of success, and some Linux distros have made a large proportion of the packages in their repositories reproducible, but supporting this generally requires a significant investment into the software ecosystem.
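The two answers above both come down to the same check: rebuild from source and compare bit for bit. The following is an added example, not code from either answer or from any real build tool. It replaces the compiler and packager with a constructed toy `build_package` step so the whole thing runs offline; the names `SAMPLE_SOURCES`, `build_package`, `is_reproduced` and `diff_archives` are made up for this illustration. What it does show is real: a naive build leaks the wall-clock time and the build host into the artefact, so two honest rebuilds of identical sources already disagree and tell you nothing about whether the published binary matches. Pinning timestamps to `SOURCE_DATE_EPOCH` (the convention reproducible-build tooling actually uses), dropping host-specific data and ordering archive members deterministically makes the output a function of the sources alone, at which point a matching hash is a meaningful attestation. `diff_archives` is a minimal stand-in for a tool like diffoscope, reporting where two builds diverge.

```python
import gzip
import hashlib
import io
import tarfile

# Constructed sample "source tree" (path -> bytes); not a real project.
SAMPLE_SOURCES = {
    "src/main.c": b'#include <stdio.h>\nint main(void) { puts("hello"); return 0; }\n',
    "Makefile": b"all:\n\tcc -o hello src/main.c\n",
}


def build_package(files, build_time, host, source_date_epoch=None):
    """Toy packaging step standing in for compiler + packager (hypothetical).

    source_date_epoch=None mimics a naive build: wall-clock time goes into the
    tar member mtimes, the gzip header and a generated BUILD_INFO file, which
    also records the build host. Passing source_date_epoch (the convention used
    by real reproducible-build tooling) pins every timestamp to that value,
    omits host-specific data and writes members in sorted order, so the output
    depends on the sources alone. `host` is deliberately ignored in that mode.
    """
    reproducible = source_date_epoch is not None
    stamp = source_date_epoch if reproducible else build_time

    members = dict(files)
    info = f"built_at={stamp}\n"
    if not reproducible:
        info += f"host={host}\n"          # host-specific data: a classic nondeterminism source
    members["BUILD_INFO"] = info.encode()
    names = sorted(members) if reproducible else list(members)

    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name in names:
            data = members[name]
            ti = tarfile.TarInfo(name="pkg/" + name)
            ti.size = len(data)
            ti.mtime = stamp               # timestamps: the other classic source
            ti.mode = 0o644
            ti.uid = ti.gid = 0
            ti.uname = ti.gname = ""
            tar.addfile(ti, io.BytesIO(data))

    out = io.BytesIO()
    # gzip also stores an mtime in its header; pin it too, or the hash still drifts.
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=stamp) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_reproduced(published: bytes, rebuilt: bytes) -> bool:
    """The attestation check: an independent rebuild must be bit-for-bit identical."""
    return sha256(published) == sha256(rebuilt)


def diff_archives(a: bytes, b: bytes):
    """Minimal diffoscope-style report: which members or metadata differ, and how."""
    def load(blob):
        with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
            return {m.name: (m.mtime, tar.extractfile(m).read()) for m in tar.getmembers()}

    ma, mb = load(a), load(b)
    findings = []
    for name in sorted(set(ma) | set(mb)):
        if name not in ma or name not in mb:
            findings.append(f"{name}: present in only one archive")
            continue
        (ta, da), (tb, db) = ma[name], mb[name]
        if da != db:
            findings.append(f"{name}: content differs")
        if ta != tb:
            findings.append(f"{name}: mtime {ta} != {tb}")
    # gzip header bytes 4..7 hold the little-endian mtime.
    ga, gb = int.from_bytes(a[4:8], "little"), int.from_bytes(b[4:8], "little")
    if ga != gb:
        findings.append(f"gzip header mtime {ga} != {gb}")
    return findings


if __name__ == "__main__":
    # Two naive builds of identical sources on different machines at different times.
    naive_a = build_package(SAMPLE_SOURCES, build_time=1700000000, host="ci-runner")
    naive_b = build_package(SAMPLE_SOURCES, build_time=1700000077, host="dev-laptop")
    print("naive builds identical:", is_reproduced(naive_a, naive_b))
    for line in diff_archives(naive_a, naive_b):
        print("  ", line)

    # Same two environments, both honouring SOURCE_DATE_EPOCH.
    repro_a = build_package(SAMPLE_SOURCES, 1700000000, "ci-runner", source_date_epoch=1699000000)
    repro_b = build_package(SAMPLE_SOURCES, 1700000077, "dev-laptop", source_date_epoch=1699000000)
    print("reproducible builds identical:", is_reproduced(repro_a, repro_b))
```

The point for a verifier is the order of operations: first confirm that two independent rebuilds of the same source agree with each other (the project is actually reproducible), and only then compare your rebuild's hash against the published artefact. A mismatch in the second step is evidence worth investigating; a mismatch in the first step just means the build is nondeterministic and the comparison is not yet meaningful.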

Licensed under: CC-BY-SA with attribution