
I wrote a program. I want to publish a compiled executable for downloading by the public.

How can I compile and distribute it without contact with my (presumably insecure and infected) operating system? How do software vendors ensure that their software packages are malware-free?

The absence of relevant information on the web is pretty disturbing. It’s as if nobody in the world except me cared about safe and responsible distribution of software. Why are there no clean compilation services on the web? I’m not going to buy a separate computer only to compile and upload one little application.

Anders
7vujy0f0hy
    How would a virus on your machine infect the compilation process? How would you be able to trust a 3rd party to compile for you? – schroeder Oct 21 '17 at 18:40
  • The simplest form is to compile on 2 different computers and check the hashes - if they match, then one machine has not tampered with it – schroeder Oct 21 '17 at 18:41
  • **1.** Computer viruses replicate themselves by infecting executables, such as my newly compiled executable. **2.** A third party would have expertise, reputation and infrastructure. I would trust them in the same way the society trusts auditors, solicitors and banks. **3.** It’s not even about trusting them, it’s about outsourcing liability. So, if anything happens, I’m not the one to blame. **4.** Your solution is quite elegant but I fear that achieving identical binaries can be hard on two different PCs unless their configs are also identical. I can’t afford 2 same PCs just for this. – 7vujy0f0hy Oct 21 '17 at 18:52
  • You missed my point: how would the virus infect *the compilation process*? You can easily see if the binary has been tampered with after compilation. – schroeder Oct 21 '17 at 18:55
  • @schroeder: I’ve never implied that a virus would alter the compilation process. I expect that it would infect the newly compiled executable instantly after compilation. How can I detect such tampering? – 7vujy0f0hy Oct 21 '17 at 19:00
  • Well, the first thing that comes to mind is that the compiler will tell you how big the output file is. If it suddenly becomes bigger on the file system, then a highly unlikely virus has altered it. – schroeder Oct 21 '17 at 19:02
  • @schroeder: That’s a very nice test. Even though it’s not bullet-proof, I agree that it’s good enough for my purpose. I think your comment solves my problem. Thank you. – 7vujy0f0hy Oct 21 '17 at 19:05
  • Then you are afraid of a virus 'bullet' that constantly scans your filesystem looking for binaries that it has not infected yet and infects them instantly. That just doesn't happen quietly and is not the common case. If you do have to deal with this level of threat, you have other bigger risks to deal with. – schroeder Oct 21 '17 at 19:08
  • *I’m not going to buy a separate computer only to compile and upload one little application.* - even if you did: since you don't trust yourself in keeping your main system clean how will you make sure that you get the compile system clean? If you don't consider this a problem then why not use a virtual machine instead of buying additional hardware? – Steffen Ullrich Oct 21 '17 at 19:23
  • *"Why are there no clean compilation services on the web?"* - how will you make sure that the source code you've uploaded for compilation is not already modified by some malware on your machine? – Steffen Ullrich Oct 21 '17 at 19:27
  • @SteffenUllrich: **1.** I believe there’s a huge difference in terms of security between an all-purpose PC and a single-purpose machine. Proof of concept: offline Bitcoin wallets. **2.** A VM guest running on an infected VM host isn’t safe. **3.** It would take a very special virus to infect custom source code. I’m concerned with old-school malware. **4.** My source code is pretty compact and transparent. **5.** Although you’re right, some malware could infect libraries and common include files. Do you know a remedy? – 7vujy0f0hy Oct 21 '17 at 19:47
  • @7vujy0f0hy: Since you consider external services more secure than your own system you can rent a system in the cloud and install your build chain there. If there were demand somebody might offer such a service. But at the moment companies probably have their own infrastructure for this and would not send their source code somewhere else anyway. And small developers might consider such a service too expensive. – Steffen Ullrich Oct 21 '17 at 19:54
  • @SteffenUllrich: True. It’s much more economic than buying a separate PC. However, unless you’re already a user of cloud computing, it’s still cumbersome for microscopic projects because you have to pay rent and then install the whole environment. An online compiling service that’s preconfigured for the purpose and free for tiny applications would be ideal. – 7vujy0f0hy Oct 21 '17 at 20:04
  • @SteffenUllrich: In fact, I have always wondered why Sourceforge or GitHub don’t offer such a service. They would be ideal vendors, and it’s in their own business interest that software they host is clean. – 7vujy0f0hy Oct 21 '17 at 20:16
  • *and free for tiny applications* - probably because of this there is no sustainable business model. Most developers will refrain from uploading their valuable complex private source code to such a service because this code has a big monetary value. And the ones with simpler and less-valuable code have no interest in paying for this service. – Steffen Ullrich Oct 21 '17 at 20:21

1 Answer


It's important to think about what kind of threat you are trying to protect against. Your questions could be taken to imply two different threat levels:

  1. A general virus that just injects itself into any executables it happens to stumble over.
  2. Malware designed specifically to infect your build process and embed itself in freshly compiled executables.

To protect yourself against the first category, schroeder has a good suggestion - just check the filesize. Your compiler probably already outputs that. Or have your compiler output a hash and use that, or sign the file in the build flow.

If you are up against a threat of the second type, the above is no good. If the attacker is sophisticated enough, nothing can help you at that point. As soon as your system is compromised, you are owned.

In the end, it comes down to how advanced the threats are that you want to protect yourself against. Using a separate machine could help, and so could a VM (or a "trusted third party", even though I am not sure I would trust one). But a sufficiently advanced attacker could overcome those obstacles as well.

Anders
  • Yeah, I’m concerned about old-school malware (therefore type 1). Therefore @schroeder’s solution is good enough for my little app. However, I believe that a properly managed separate machine would be effective even against type 2 threat. Proof of concept: offline Bitcoin wallets. – 7vujy0f0hy Oct 21 '17 at 19:58
  • Maybe I was making it too simple by setting a binary scale. A well maintained separate machine would perhaps be safe against 1.5 threats. If it is worth the trouble depends on how likely you think such a threat is. – Anders Oct 21 '17 at 20:01
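The size-and-hash check that schroeder and Anders describe for the type 1 threat, worked through as an added example (this is not code from the original question or answer). It records the file size and SHA-256 of a build output the moment the compiler writes it, then re-checks the file later. The executable bytes, the file name `myapp` and the two tampering scenarios are constructed for the demonstration; the point it adds is that the size check alone misses a same-length in-place modification, which the hash still catches.

```python
import hashlib
import os
import tempfile


def fingerprint(path):
    """Return (size_in_bytes, sha256_hex) of the file at `path`."""
    h = hashlib.sha256()
    size = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
            size += len(chunk)
    return size, h.hexdigest()


def record_manifest(path):
    """Take the fingerprint immediately after the build step writes the file.

    The returned dict is what you store somewhere the build machine cannot
    quietly rewrite (printed to the console, copied to removable media, put
    in the release notes). A manifest left next to the binary on an
    infected machine can be updated by the same malware that patched the
    binary."""
    size, digest = fingerprint(path)
    return {"name": os.path.basename(path), "size": size, "sha256": digest}


def verify(path, manifest):
    """Compare the file against the recorded manifest.

    Returns a list of human-readable discrepancies; an empty list means the
    file still matches what the compiler produced."""
    size, digest = fingerprint(path)
    problems = []
    if size != manifest["size"]:
        problems.append("size changed: %d -> %d" % (manifest["size"], size))
    if digest != manifest["sha256"]:
        problems.append("sha256 changed")
    return problems


def demo():
    """Write a stand-in for compiler output, record it, then simulate two
    infections: an appending file-infector (grows the file, so the size
    check fires) and a same-length in-place patch (size check is blind,
    only the hash notices). Returns the three verify() results."""
    with tempfile.TemporaryDirectory() as d:
        exe = os.path.join(d, "myapp")
        # Constructed fake binary; only the bytes matter for the check.
        with open(exe, "wb") as f:
            f.write(b"\x7fELF" + b"\x00" * 60 + b"original code section")
        manifest = record_manifest(exe)
        clean = verify(exe, manifest)

        # Tampering 1: payload appended to the executable.
        with open(exe, "ab") as f:
            f.write(b"<appended payload>")
        appended = verify(exe, manifest)

        # Tampering 2: same-length overwrite of the code bytes.
        with open(exe, "wb") as f:
            f.write(b"\x7fELF" + b"\x00" * 60 + b"replaced code section")
        patched = verify(exe, manifest)
        return clean, appended, patched


if __name__ == "__main__":
    for label, result in zip(("clean", "appended", "patched"), demo()):
        print(label, "->", result or "OK")
```

In a real build flow `record_manifest` runs right after the compiler exits and its output leaves the machine immediately (or is read off the screen). Note what this does and does not cover: it detects a change to the file after the hash was taken, which is exactly the type 1 scenario in the answer; malware that alters the compiler's output before it is written (type 2) produces a file whose recorded hash is already that of the infected binary, and no check on that machine will reveal it.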