
Some organizations have begun offering access to servers running open-source software (mail servers, chat servers), operated and maintained by those organizations, for a nominal recurring upkeep fee.

Normally, this software's source code is available on GitHub, or Bitbucket, or in some easily-accessible format for people who know how to set it up and don't mind the hassle of self-hosting.

But is there any way to verify that the code being run on these remote servers is what's being kept in the version control system, preferably in a trust-free way?

In my experience hardening servers against attacks, having a secure hosting setup against attackers is usually synonymous with having a black box host, with only an exposed web API.

Anders
Jules
  • no, there's no way to tell if what they show you is what is actually running... – dandavis Jul 08 '16 at 17:51
  • Does this theoretical hosting provider allow read access to the binaries? Seems like open source or closed source SaaS has the exact same problem, why draw a distinction? – Jeff Meden Jul 08 '16 at 17:51
  • @JeffMeden I'm assuming that the SaaS is implemented using an interpreted language, like Python or Ruby, rather than from a binary. If it's a compiled binary, then the distinction's meaningless. – Jules Jul 08 '16 at 18:05
  • I would argue that if you're purchasing a SaaS solution, you're already trusting the vendor to do what they say they do, and you have a contract in place to enforce that. – Jesse K Jul 08 '16 at 18:27
  • Possible duplicate of [How to be sure content was generated on a specific software?](http://security.stackexchange.com/questions/37700/how-to-be-sure-content-was-generated-on-a-specific-software) – WhiteWinterWolf Jul 09 '16 at 16:59

1 Answer


Short answer - almost no way at all to tell. The question is equivalent to black box probing. You can put certain inputs to the box and get certain results - what exactly is the box doing between input and output? Can't tell. What other processes or devices have access to the same storage devices? Can't tell.

The "almost" is because there may be sideband attacks that let you determine some aspects of the platform. For example, sideband attacks in JavaScript allow sandboxed browser code to determine activities outside the browser (recent attack), and perhaps carefully crafted code will reveal if the platform is responding at the speed and consistency and timing it should. But it's unlikely to work well, not least because the server may be virtualized and timings may vary too rapidly for such an approach for that reason, also because too many code modifications and hardware setups have potential to not create user-detectable/remote-detectable variations to any measurable indicator.

Stilez
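
The black-box argument in the answer above, as an added example that is not part of the original post: a client-side audit that compares a server's responses with those of the published code passes both for a faithful deployment and for one that silently keeps a copy of every message. All names are hypothetical, and the handler is a constructed stand-in for a hosted mail service.

```python
import hashlib


def published_handler(message: bytes) -> dict:
    """Stand-in for the code in the public repository: store mail, return a receipt."""
    return {"status": "stored", "receipt": hashlib.sha256(message).hexdigest()}


class Deployment:
    """What the operator actually runs. Clients only ever see handle()'s return value."""

    def __init__(self, keep_copy: bool):
        self.keep_copy = keep_copy
        self._operator_copy = []  # server-side state, never exposed through the API

    def handle(self, message: bytes) -> dict:
        if self.keep_copy:
            # Side effect with no observable output: the response is unchanged.
            self._operator_copy.append(message)
        return published_handler(message)


def black_box_audit(remote, reference, probes) -> bool:
    """Client-side check: does every response match what the published code returns?"""
    return all(remote(p) == reference(p) for p in probes)


def demo() -> dict:
    # Constructed probe inputs a remote auditor might send.
    probes = [b"hello", b"", b"\x00" * 1024, "pr\u00fcfung".encode()]
    faithful = Deployment(keep_copy=False)
    modified = Deployment(keep_copy=True)
    return {
        "faithful_passes": black_box_audit(faithful.handle, published_handler, probes),
        "modified_passes": black_box_audit(modified.handle, published_handler, probes),
        "copies_kept_by_modified": len(modified._operator_copy),
    }


if __name__ == "__main__":
    print(demo())
```

Both audits return the same verdict, so matching input/output behaviour says nothing about what else the host does with the data.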