[tor-bugs] #5837 [Tor bundles/installation]: Recruit volunteers with access to IDA Pro and/or BinDiff to inspect releases
Tor Bug Tracker & Wiki
torproject-admin at torproject.org
Sat May 12 03:48:53 UTC 2012
#5837: Recruit volunteers with access to IDA Pro and/or BinDiff to inspect releases
--------------------------------------+-------------------------------------
Reporter: mikeperry | Owner: cypherpunks
Type: project | Status: new
Priority: major | Milestone:
Component: Tor bundles/installation | Version:
Keywords: | Parent:
Points: | Actualpoints:
--------------------------------------+-------------------------------------
We have some concerning issues with our build processes. It's hard to
really know for sure that the build machines are secure and not tampered
with. See for example #5689. The most likely situation there is that AV
signature engines fucking suck, and were false positives. However, the
real fix is not simply scanning the build machines with more shitty AV
software (although it was a fine, rational first step -- I'm not hating on
you, Erinn). The real fix is unfortunately much harder: We need to ensure
that the same source produces the same binaries everywhere: #3688.
Other than build reproduction, it's nearly fucking impossible to know that
the binaries you get actually come from the source you wrote and audited.
A handful of Open Source projects have figured it out (see comments in
#3688), but it's actually pretty darn hard on Windows, if not impossible.
As a stop-gap solution, it's occurred to me that we might be able to
crowdsource hobbyists and people looking to learn reversing (or if we're
really lucky, some people who already have these skills) to both help
verify previous builds, and give us the input we need to proceed on #3688.
If you have access to IDA Pro
([http://blog.zynamics.com/2011/12/05/bindiff-4-0-available-today/
BinDiff] will help, but is an extra $200 extension to IDA Pro and is not
required), you can participate as follows:
1. Download a signed TBB release from
https://www.torproject.org/dist/torbrowser/.
2. Compile your own TBB bundle. This is somewhat tricky and may require
its own instructions which Sebastian is working on writing for Windows and
Linux, and already exist in
https://gitweb.torproject.org/torbrowser.git/tree/master:/docs/buildmachine_setups
for Mac OS.
3. BinDiff the resulting packaging exe as well as the exes contained
therein.
If you lack BinDiff, you should consider focusing your efforts on MacOS
and Linux packages, which should be substantially more similar than
Windows, especially if you build on Debian/Lenny or MacOS 10.7 with
Xcode 4. Start with using the 'cmp' (or hexdump and diff) Unix commands to
find the differing sections of the binaries, and then use IDA Pro to
inspect those sections.
You should be able to use IDA Pro for any platform to analyze binaries for
any other platform. You do not need to buy the MacOS copy to analyze MacOS
binaries.
4. Text diff the non-exe components (for example, conf files, shell
scripts, contents of Firefox jars and addon sources).
5. Write up the significant differences.
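The following is an added example and not part of the ticket or of any Tor Project tooling: a small POSIX shell harness for the "cmp (or hexdump and diff)" part of step 3 and the text diff of step 4. It walks two unpacked bundle directories, reports files present in only one tree, and for files that differ prints either the byte-offset ranges that `cmp -l` finds (binaries, the regions you would then open in IDA Pro) or the number of changed lines from `diff -u` (config files, shell scripts). The two sample "bundles" it builds are constructed for the demonstration; the fake `tor.exe`, `torrc`, `start-tor.sh` and `build.log` files and the epoch values and build paths inside them are not real release contents.

```shell
#!/bin/sh
# Added example (not from the ticket): classify every file in two unpacked
# bundles as same / only-in-one-tree / text-diff / binary-diff, and for
# binaries map the differing byte ranges so they can be inspected in IDA.
set -u

# Print each run of consecutive differing byte offsets (1-based, as cmp -l
# reports them) as START-END, one range per line.
diff_ranges() {
    cmp -l "$1" "$2" 2>/dev/null | awk '
        NR == 1        { start = $1; prev = $1; next }
        $1 == prev + 1 { prev = $1; next }
                       { print start "-" prev; start = $1; prev = $1 }
        END            { if (NR > 0) print start "-" prev }'
}

# Crude binary detector: any byte outside printable ASCII plus common
# whitespace counts as binary. Good enough to route exe/so vs conf/sh.
is_binary() {
    [ "$(LC_ALL=C tr -d '[:print:]\n\r\t' < "$1" | wc -c | tr -d ' ')" -ne 0 ]
}

# Walk the union of both trees and classify every relative path.
# Output is one tab-separated record per file: STATUS, path, detail.
compare_trees() {
    a=$1; b=$2
    { (cd "$a" && find . -type f); (cd "$b" && find . -type f); } \
        | sed 's|^\./||' | sort -u \
        | while IFS= read -r rel; do
            fa="$a/$rel"; fb="$b/$rel"
            if   [ ! -f "$fa" ]; then printf 'only-in-B\t%s\n' "$rel"
            elif [ ! -f "$fb" ]; then printf 'only-in-A\t%s\n' "$rel"
            elif cmp -s "$fa" "$fb"; then printf 'same\t%s\n' "$rel"
            elif is_binary "$fa" || is_binary "$fb"; then
                printf 'binary-diff\t%s\t%s\n' "$rel" \
                    "$(diff_ranges "$fa" "$fb" | tr '\n' ' ' | sed 's/ $//')"
            else
                # count changed lines only, excluding the ---/+++ header lines
                printf 'text-diff\t%s\t%s\n' "$rel" \
                    "$(diff -u "$fa" "$fb" | grep -c '^[-+][^-+]')"
            fi
        done
}

# Constructed sample bundles (NOT real TBB files). They differ in the ways a
# non-reproducible build typically does: an embedded build timestamp and
# build path inside a "binary", plus one extra line in a config file.
make_samples() {
    mkdir -p "$1/a/Data" "$1/b/Data"
    # fake executables: 8-byte header, then TS=<epoch> and PATH=<build dir>
    printf 'MZ\220\000\003\000\000\000TS=1336782533\000PATH=/tmp/buildA\000' > "$1/a/tor.exe"
    printf 'MZ\220\000\003\000\000\000TS=1336794412\000PATH=/tmp/buildB\000' > "$1/b/tor.exe"
    printf 'SOCKSPort 9150\nControlPort 9151\n' > "$1/a/Data/torrc"
    printf 'SOCKSPort 9150\nControlPort 9151\nLog notice stdout\n' > "$1/b/Data/torrc"
    printf '#!/bin/sh\nexec ./tor "$@"\n' > "$1/a/start-tor.sh"
    cp "$1/a/start-tor.sh" "$1/b/start-tor.sh"
    printf 'leftover\n' > "$1/a/build.log"   # present in only one tree
}

SAMPLE=$(mktemp -d)
trap 'rm -rf "$SAMPLE"' EXIT
make_samples "$SAMPLE"
compare_trees "$SAMPLE/a" "$SAMPLE/b"
```

On the constructed sample the report shows `tor.exe` as a binary diff confined to offsets 17-21 (the timestamp digits) and 38 (the build path), `Data/torrc` as a one-line text diff, `start-tor.sh` as identical and `build.log` as present only in tree A. Against real bundles you would run `compare_trees` on the two extracted directories and feed the reported ranges to IDA Pro; a write-up in this shape (which files, which offsets, what the bytes are) is exactly the input #3688 needs.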
We need to make the above a semi-regular part of our development process
to periodically verify our build integrity.
Writing up the differences you find will also be useful for us to help us
work towards #3688, especially for Mac and Linux builds (which are likely
pretty darn close.. It's probably only some timestamps and symbol names
that differ if you use the same platform and compiler).
If you want to be extra-helpful, you can write up a detailed howto (and/or
just paste the ones you find that already exist) on the process itself to
make it even easier for others to learn and participate.
We'll need to do this often.. Perhaps not for every release, but at least
randomly on some builds every once in a while. Also, BinDiffing existing,
signed TBB copies from https://www.torproject.org/dist/torbrowser/ will be
useful, too, so no need to wait for future releases. You can start today.
Note that the above is a fantastic exercise in learning basic reverse
engineering skills. Diffing vendor patches and malware updates is a common
practice in the field. It's a useful skill to learn, if you have the time.
Good luck!
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/5837>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online