Debian Linux versus the CIA
Hidden backdoors into software have long been a concern for some users as government spying has increased around the world. Now the Debian project has taken aim at the CIA and other government spy agencies with reproducible builds that aim to stop hidden backdoors.
JM Porup reports for Vice:
In response to the Snowden revelation that the CIA compromised Apple developers' build process, thus enabling the government to insert backdoors at compile time without developers realizing, Debian, the world's largest free software project, has embarked on a campaign to prevent just such attacks. Debian's solution? Reproducible builds.
In a talk at Chaos Communication Camp in Zehdenick, Germany, earlier this month (full text here), Debian developer Jérémy Bobbio, better known as Lunar, told the audience how the Linux-based operating system is working to bring reproducible builds to all of its more than 22,000 software packages.
Reproducible builds, as the name suggests, make it possible for others to reproduce the build process. "The idea is to get reasonable confidence that a given binary was indeed produced by the source," Lunar said. "We want anyone to be able to produce identical binaries from a given source."
A software package reproducibly built should be byte for byte identical to the publicly-available package. Any difference would be evidence of tampering.
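To make the byte-for-byte check concrete, here is an added example (not Debian's tooling or code from the article): it packs a small constructed package once the naive way and once reproducibly, then compares two archives member by member so a verifier can see where they diverge. The package contents, the build-machine values and the SOURCE_DATE_EPOCH convention for pinning timestamps are assumptions for the demo.

```python
import hashlib
import io
import tarfile

# Constructed sample package contents (path -> bytes); not a real Debian package.
SOURCE = {
    "usr/share/doc/hello/README": b"hello: a demo package\n",
    "usr/bin/hello": b"#!/bin/sh\necho hello\n",
}

def build_package(source, env, reproducible):
    """Pack `source` into a tar archive and return its bytes.

    `env` stands in for the build machine (clock, user name) plus an assumed
    SOURCE_DATE_EPOCH taken from the package's changelog. A naive build leaks
    clock, user and dict order into the archive, so two honest builders disagree;
    a reproducible build pins mtime, sorts members and normalises ownership.
    """
    buf = io.BytesIO()
    names = sorted(source) if reproducible else list(source)
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name in names:
            info = tarfile.TarInfo(name)
            info.size = len(source[name])
            info.mode = 0o755 if name.startswith("usr/bin/") else 0o644
            if reproducible:
                info.mtime = env["SOURCE_DATE_EPOCH"]
                info.uid = info.gid = 0
                info.uname = info.gname = ""
            else:
                info.mtime = env["time"]        # build machine's clock
                info.uname = env["user"]        # build machine's account
            tar.addfile(info, io.BytesIO(source[name]))
    return buf.getvalue()

def compare_builds(published, rebuilt):
    """Byte-for-byte check; returns (identical, names of members that differ).

    The member list tells a verifier where the archives diverge (metadata or
    content); an archive-level hash alone only says that they do.
    """
    if hashlib.sha256(published).digest() == hashlib.sha256(rebuilt).digest():
        return True, []
    members = []
    for blob in (published, rebuilt):
        with tarfile.open(fileobj=io.BytesIO(blob)) as tar:
            members.append({m.name: (m.mtime, m.uname, tar.extractfile(m).read())
                            for m in tar if m.isfile()})
    names = sorted(members[0].keys() | members[1].keys())
    return False, [n for n in names if members[0].get(n) != members[1].get(n)]
```

With the naive build, two honest builders differ in every member because of timestamps and ownership; with the reproducible build they match exactly, so any remaining difference points at the member whose content was changed at build time.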
The news about Debian's efforts to stop hidden backdoors spawned a large thread on the Linux subreddit, and redditors weren't shy about sharing their opinions:
Altiris: “Each and every time I read something about Debian, I like them more and more.”
Wbsgrepit: “The problem is to do what they are suggesting "right" they need to go much, much deeper. https://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf is a very well-known and old article about a hard-to-solve vector (yes, that Ken Thompson). Basically, by making small and orchestrated changes over time to a compiler chain/bootstrap it is possible to create a very, very hard to find backdoor/vector inherent to an OS that can insert into any executable on the system (when they are compiled and without any telltale source).
If they don't backtrack to a known good/clean bootstrap on the compiler chain/kernel it does not matter if they create reproducible binaries -- given a clean source compiled to known bits, the bits may already have a backdoor introduced by the compiler. And mind-breaking the compiler itself being compiled by the compiler could propagate the issue on bootstrap of the compiler. Basically they need to verify a compiler chain from hand coded machine language to a current version in as few steps as possible. =(”
RenaKunisaki: “Hand coded machine language on a known good CPU. Modern CPUs are basically entire systems themselves, and could easily have code hidden away in that top secret System Management Mode that finds and tampers with certain code in memory. (Or finds and executes code marked with a particular magic signature, which might end up in memory as part of a random received packet...)”
Asnotfaw: “Reproducible builds allow others to verify the correctness of builds. This alone helps protect against all manner of attack, from mundane malicious compilation to Trusting Trust. It's not a perfect defense, since theoretically every verifier could be compromised, but it's much safer than having no verification at all.
Hopefully, in the future, we will also build trusted compilers from scratch, enhancing our security even further. This, combined with reproducible builds, will give us even stronger guarantees about our security.”
Bloodguard: “CPU, disk/network controller chips, BIOS, the microcode on the drives themselves. There are so many places they can hide stuff. Good effort, though.”
Khumbu: “That doesn't mean that Debian's efforts are in vain. We need both open hardware and software, not one or the other.”
Frownyface: “The awesome thing about having an easy-to-use, fully reproducible build system for your entire system would be the ability to not just modify everything, but to do so quickly and without a bunch of side effects from using a bunch of different tools, dependency versions, build configuration settings, etc., which is usually the case now with systems with black-box binaries.”
TheStackSmasher: “Backdoored compilers have always been one of the scariest things for me... You strategically infect one dev and, boom, it spreads to everyone, and with no practical way to detect it. Now this is a great solution! Congratulations to the Debian guys, that's why I love Debian and GNU/Linux in general. (Yes, this doesn't get rid of backdoors completely, but it is one less problem to care about.)”