[148639] in cryptography@c2.net mail archive
Re: [Cryptography] how reliably do audits spot backdoors? (was: Re:
daemon@ATHENA.MIT.EDU (Bill Frantz)
Mon Dec 23 18:13:36 2013
X-Original-To: cryptography@metzdowd.com
Date: Mon, 23 Dec 2013 09:36:11 -0800
From: Bill Frantz <frantz@pwpconsult.com>
To: cryptography@metzdowd.com
In-Reply-To: <CAOLP8p6MZ_SnDOeNeEji2C04FrCneOmjGCeic5fmeqE+uYKu_A@mail.gmail.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com
On 12/23/13 at 10:06 PM, waywardgeek@gmail.com (Bill Cox) wrote:
>Well, first, It's David Wagner. Had we set up this test with me inserting
>the bugs and David Wagner finding them, I think the results would have been
>different.
A minor correction: This is Ka Ping Yee's work. David Wagner was
one of his thesis advisors.
I know some of the people who doing the code review. They are
very good at finding obscure bugs in pieces of code, including
timing bugs and overflow bugs. The small number of bugs actually
found is quite scary.
BTW, Ping has done some excellent work in the area of UIs and
secure systems.
>However, IMO, David Wagner's bugs would not have survived a year of open
>source review, given that it was confined to 100 lines of code. That code
>might be a serious mess, but people can usually grok that kind of
>complexity.
Note that the bugs were limited to 100 lines of code because of
the limited amount of time available for the code review. A real
system would probably consist of many times 100 lines of code,
especially if the compiler and runtime environments are
included. Since backdoors can be designed that depend on
"innocent" insertions in several separate parts of the code, the
complexity of the search goes up faster than linearly with code size.
>... If I do say so myself, I am awesome at reading and
>groking code, and gksu is one of the only Linux projects I've had to read
>that I could not understand. Code like that in the crypto system makes me
>want to set my hair on fire.
Obscure code has no place in any security system.
Cheers - Bill
-------------------------------------------------------------------------
Bill Frantz | Airline peanut bag: "Produced | Periwinkle
(408)356-8506 | in a facility that processes | 16345
Englewood Ave
www.pwpconsult.com | peanuts and other nuts." - Duh | Los Gatos,
CA 95032
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
