At 06:44 AM 10/22/02 -0700, Mike Rosing wrote:
On Wed, 31 Dec 1969, Bill Frantz wrote:
I have been asked to audit some source code to see if the programmer
inserted a backdoor.
Look for exception processing. Anywhere the code looks for a
particular
value, something like == 0x3456352e. That usually is a passcode into
a backdoor. It only takes one line :-)
Yep, but a TLA-class adversary will use much more subtle tricks.
I bet you can use a language's intrinsic exception processing as
hidden channel.
And use little tricks like setting an int used like a bool to a value
1.
And sign-extension crap that can catch you even when you're not trying
to be evil.
And of course the joys of tracing pointer chains is widely
appreciated. Particularly pointers with math done to them.
Intentional, *built-in* buffer games (incl. stack games) would also be
subtle.
Passive (passive aggressive?) tricks --failing to zero something
interesting, using a RNG before its ready,
having the PCI bus traces radiate your secrets away-- are useful and
even better, deniable. Hard to do
that with NSA_KEY in your debug variables...
