On Oct 29, 2015, at 3:20 PM, Richard Hipp <d...@sqlite.org> wrote:

> Each check-in manifest also has a hash over all content of all files
> in the R card. It's an MD5 hash, but that still means the attacker
> would have to find replacement source code that (a) matched both SHA1
> and MD5 hashes and (b) was valid C code. Good luck with that.

MD5 collisions can be found in about a second on modern hardware:

https://tools.ietf.org/html/rfc6151

With that work to build on, the only remaining tricky bit is working out a perturbation algorithm for C source code that doesn’t introduce so much noise that the code will be flagged as obviously bad. I mean, you could just put random UTF-8 text into a C comment to force the collision, but that will jump out to even one casually scanning the code.

> Any malicious code would also have to preserve all current functionality
> and also preserve 100% branch coverage to escape detection.

If the attack trigger can rely on a new feature, it won’t be caught by the existing tests. Say, a new SQL function.

The evildoer might instead be doing something like exfiltrating user data over a TCP socket on every VACUUM call. Again, not something the tests are likely to catch.

And realize that I’m not very motivated, nor am I trained to do this. I assume a motivated expert could come up with much better ideas than these.

> (3) We also do 100% inspection of all code changes between each
> release using "fossil diff --from release --to trunk --tk".

Glad to hear it.

> You don’t think we would see unauthorized code?

That depends on how well the C perturbation algorithm works, and how clever the attack is.

Have you studied the winners of the Underhanded C Contest? How many of those jump out at you as obviously evil?

http://www.underhanded-c.org/

I can’t quite talk myself into believing these contestants were less motivated than a true black hat. Pride and social standing may be stronger motivations than money and love of country. But still, I think I’m comparing top-10 motives here, not wildly incomparable ones.

> I think if the bad guys wanted to break into phones, they'd probably
> go after the Linux kernel first

Not first. That comes after convincing the local lawmakers that “I sees it so I wants it” and the $5 wrench attack.

:)

https://xkcd.com/538/

_______________________________________________
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
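Added example, not from the thread and not Fossil's own code: the message above notes that collision padding which must still compile has to sit where the compiler ignores bytes, a comment or a string literal, and that random bytes there "jump out" to a reviewer. This Python review aid makes that observation mechanical by reporting comment and string spans whose share of non-printable or non-ASCII bytes is implausible for prose; the threshold values and the sample C source are assumptions.

```python
# Review aid: flag comments/string literals in C source that carry opaque
# bytes a human would not type, so they are seen before a diff is skimmed.
import re

# Comments are tried before string literals, so a '//' inside a string
# (e.g. a URL) is not mistaken for a comment.
SPAN_RE = re.compile(rb'/\*.*?\*/|//[^\n]*|"(?:[^"\\\n]|\\.)*"', re.S)

# Printable ASCII plus tab, newline and carriage return count as "plain".
PLAIN = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}

def opaque_spans(src: bytes, max_ratio: float = 0.05, min_opaque: int = 8):
    """Return [(offset, kind, opaque_count, span_length)] for each comment or
    string literal whose share of non-plain bytes exceeds max_ratio.
    min_opaque keeps a few accented letters in a name from being reported.
    Threshold defaults are assumptions, not tuned values."""
    hits = []
    for m in SPAN_RE.finditer(src):
        span = m.group(0)
        opaque = sum(1 for b in span if b not in PLAIN)
        if opaque >= min_opaque and opaque / len(span) > max_ratio:
            kind = "string" if span.startswith(b'"') else "comment"
            hits.append((m.start(), kind, opaque, len(span)))
    return hits

# Constructed sample input: a benign file (one UTF-8 name in a comment, a URL
# in a string), and the same file with a comment carrying 64 opaque bytes.
CLEAN_SRC = b'''/* sqlite3VacuumRun: rebuild the database file. Author: J. M\xc3\xbcller */
int sqlite3VacuumRun(void){ const char *url = "http://example.invalid/"; return 0; }
'''
TAMPERED_SRC = CLEAN_SRC + b'/* padding ' + bytes(range(0x80, 0xC0)) + b' */\n'

if __name__ == "__main__":
    for name, src in (("clean", CLEAN_SRC), ("tampered", TAMPERED_SRC)):
        print(name, opaque_spans(src))
```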