4

Can a running interpreted program, for example in languages like python, javascript, ruby, java or php, cryptographically prove that it is the same as a published source code version in a way that could not be tampered with?

Said another way, is there a way to ensure that the commands/code executed by such a program are all and only the commands and code specified in a publicly disclosed repository?

The motivation for this question is the following: In an age of highly sophisticated hackers as well as pressures from government agencies for "backdoors" that allow them to snoop on private transactions and exchanges, can we ensure that an application has been neither been hacked nor had a backdoor added?

For example, consider a server running python code like PyBitMessage (Bitmessage/PyBitmessage on github) for secure messaging.

Or consider an open source-based nodejs application like lesspass (lesspass/lesspass on github) which is used to manage passwords and available for use here (https://lesspass.com/#/).

Or an alternative program for a similar purpose encryptr (SpiderOak/Encryptr on github) with its downloadable version (https://spideroak.com/solutions/encryptr).

Is there a way to ensure that the versions available on their sites to download/use/install are running exactly the same code as is presented in the open source code?

Even if we have 100% faith in the integrity of the the teams behind applications like these, how can we be sure they have not been coerced by anyone to alter the running/downloadable version of their program to create a backdoor for example?

Thank you for your help with this important issue.

Note: Since this question concerns interpreted programs, the conversation on deterministic or reproducible builds did not seem to apply and seemed worth a new question.

bmiller59
  • 79
  • 6
  • Even if your program is interpreted, if it is verified you can have some level of assurance of the running code. – Limit Nov 26 '16 at 04:59
  • 1
    See https://en.m.wikipedia.org/wiki/Verifiable_computing – mikeazo Nov 27 '16 at 11:27
  • @mikeazo Your wikipedia link states that verifiable computing is not yet practical. Does that imply that it is not possible to achieve the desired tamper detection described in my question? Thanks. – bmiller59 Nov 29 '16 at 20:02
  • @bmiller59, I haven't followed this area of research close enough to really be able to answer your question. – mikeazo Nov 29 '16 at 20:10

1 Answers1

2

While it is not possible to do so at run time, applications can be verified at load time (FIPS compliant OpenSSL does so).

Said another way, is there a way to ensure that the commands/code executed by such a program are all and only the commands and code specified in a publicly disclosed repository?

Possible but not the way that you imagine. One of the requirements of a trusted software is that it needs to be verifiable. It can be verified either manually or using static analysis. If a code is not verifiable, then you can't really ensure that the code that you are running is actually the code that you see in a repository.

When a library is loaded into the memory, you can run it's signature against a known good signature of the library and ensure that the library that is loaded is indeed the one that you got from a repository.

How do we verify?
Well, there was a time when the verification was done manually by code review and generating all possible test cases but as systems grow larger, this becomes more and more difficult. There are several static analysis tools available that ensure that a source code doesn't have any possible program flow that will cause a failure or an unexpected scenario. (Coverity has a free static analysis service for Open Source projects).
Once we have ensured that the code cannot be misused at run time, our job will be to ensure that it is not tampered with in our machine.

How do we ensure that it is not tampered?
There is a concept of secure boot. What it does is that every time a module is loaded, it verifies the signature of the module against a known good value and if it is fine, then it lets the boot to continue otherwise the boot fails. Similar concept is used over here. When a program is loaded, we compare the hash of the loaded module against a known good value and ensure that it is indeed the program that we received.

This way, ensuring that the program cannot be misused at run time and then ensuring that a known good program is loaded, we get an assurance that the program is indeed what we want.

Limit
  • 3,236
  • 1
  • 16
  • 35
  • I have read up on verifiable computing and secure boot through the links and references provided and I am still left with the question how to achieve the desired result in practice. On the verifiable computing wikipedia page it says that it is not yet practical. And Windows secure boot is not obviously transferrable to the types of examples I provided in which a user is seeking to verify that a web service hosted remotely by an untrusted third party has not been tampered with. Can you provide an example, reference or process showing how to do that? Thank you. – bmiller59 Nov 29 '16 at 19:59
  • @bmiller59 whether a code on someone else's machine is working fine or not can be done via software attestation. Unfortunately I don't have an example on the top of my head. But if you want to test if the code is running fine on your machine, you can do a boot time test like https://www.openssl.org/docs/fips/UserGuide-2.0.pdf. The section 2.2 in this tells about the integrity test. – Limit Nov 29 '16 at 20:06
  • In order to ensure that your code cannot be tampered with at run time, you do a static analysis. One of the tools is coverity. Coverity gives free static analysis for open source code. So like I said in the answer, you do a two step process. Ensure that the code cannot be played with at run time and the verified code is what is launched at startup. Mind you static analysis is not fool proof. There can be some inputs that are missed. – Limit Nov 29 '16 at 20:09
  • Thank you for your response. It is clear and answers my question well. For for future readers who might be hoping to implement or use a tamper-proof web-hosted (interpreted) application, it is seems that it is not yet practical. Even if you can verify a program at load time, at run time any code can be inspected, data intercepted/modified, etc. by an operating system root user with the right tools. What seems to be required is a complete chain of hardware and software attestation with reproducible builds for the operating server and its application code that is not yet widely available. – bmiller59 Dec 04 '16 at 06:53