
Please explain how source code can be used to confirm the legitimacy of firmware?

  • Thread starter Deleted member 27741

Very interesting thread, I have wondered this for quite a while myself. Also, let's say you were running a third party firmware and it was discovered that it did have a back door or malware attached: would doing a complete reset and installing another firmware completely get rid of all the bad stuff, or could it be somehow hard coded in the memory itself and continue to run even though you have reset and gone with a known safe code?
 
You can't use the source code to verify a released binary with such a complex project, unless you were to disassemble and study the code itself. The compiled binary will never directly match between two different build environments.

The best you can do is compile it yourself - only then can you be almost sure that the generated binary does not contain any additions. And with this project it makes it trickier because, as pointed out, some closed source bits are involved.

I always get anything closed source either from Asus's own website, or from a link provided by an Asus employee in a private Email. I've never taken anything from a public source or a forum link. So as far as I'm concerned, it goes down to the chain of trust between myself and Asus (and the chain of trust between Asus and Trend Micro, Tuxera and Broadcom, providers of closed source bits of their own).

Personally, I'm quite confident in the generated code, as I trust everyone involved upstream from myself.

Much of it does come down to trust and reputation - RMerlin is a known contributor and member here - I'll vouch for him if that helps.

1) RMerlin posts his code and changes, along with toolchains, in a publicly accessible location - his Github repository
2) For his compiled builds - he posts the SHA256 signatures, which can be used to verify his compiled images

He's done as much as he can do, and more than others - above and beyond what many OEMs do.
 
And yes, there are ways to pick apart a firmware image and get some information - security experts do this from time to time to reverse engineer and understand bugs (like the D-Link HNAP bug - nice walk-thru here)
 
Given the level of concern the OP shows, surely he wouldn't run anything like Windows or OSX :)

If you're looking for a good way to justify your concern - Richard Stallman wouldn't touch asuswrt with a 10 foot pole. But then you have to ask yourself... could you really commit to the Stallman lifestyle? (answer: I highly doubt it.)
 
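As an added example (not code from this thread or from RMerlin's project), here is the SHA256 check from point 2 in Python: it parses a sha256sum-style list, streams the image through SHA-256, and rejects a copy that differs in a single byte. The image bytes and the file name are constructed placeholders.

```python
import hashlib
import hmac
import os
import tempfile

SAMPLE_IMAGE = b"HDR0" + bytes(range(256)) * 32  # constructed bytes, not a real firmware file

def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so a large image never has to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_sums(text):
    """Parse sha256sum-style lines ('<hex>  <name>' or '<hex> *<name>') into {name: hex}."""
    sums = {}
    for line in text.splitlines():
        digest, _, name = line.strip().partition(" ")
        if not digest or digest.startswith("#"):
            continue                          # blank or comment line
        if len(digest) != 64 or any(c not in "0123456789abcdefABCDEF" for c in digest):
            raise ValueError(f"malformed line: {line!r}")
        sums[name.lstrip(" *")] = digest.lower()   # '*' marks binary mode in sha256sum
    return sums

def verify_image(path, sums_text):
    """Return (ok, reason); ok only when the file's digest equals the published one."""
    sums = parse_sums(sums_text)
    name = os.path.basename(path)
    if name not in sums:
        return False, f"no published digest for {name}"
    actual = sha256_of_file(path)
    if hmac.compare_digest(actual, sums[name]):
        return True, "digest matches the published value"
    return False, f"mismatch: published {sums[name]}, computed {actual}"

def demo():
    """Verify a good image and a copy with one byte flipped; returns their two ok flags."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "example-firmware.bin")          # placeholder file name
        with open(good, "wb") as f:
            f.write(SAMPLE_IMAGE)
        # The real list would come from the author's post; built here from the sample.
        sums_text = f"{sha256_of_file(good)}  example-firmware.bin\n"
        tampered = os.path.join(d, "tampered-copy", "example-firmware.bin")
        os.makedirs(os.path.dirname(tampered))
        with open(tampered, "wb") as f:
            f.write(SAMPLE_IMAGE[:100] + b"\xff" + SAMPLE_IMAGE[101:])
        return verify_image(good, sums_text)[0], verify_image(tampered, sums_text)[0]
```

A matching digest only proves the file is the one the author published; it says nothing about what went into the build, which is the point made earlier in the thread.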
I want to reiterate that I do trust rmerlin's firmware. I do run open source programs. I am actually not very paranoid about it. I will not be uninstalling john's firmware, notepad++, 7-zip, filezilla, etc.

What amazes me is the false sense of security we have about open source. To a very large degree it means pretty much nothing or could even be worse than nothing. In fact, and again I AM NOT being accusatory of anyone here or elsewhere, if I wanted to infect hardware I would absolutely release clean source code. Why not? Only the very few (if any) people that compile it themselves and install remain uninfected. No big deal, because I have a backdoor into all other installations. Even better, the people that vet the code and compile it themselves lend credibility to my HUGE BOTNET since they likely unwittingly confirm the download is clean.** :cool::cool:

**Please note the humor and hyperbole of this post. I guess I need more freakin' emojis?
 
What amazes me is the false sense of security we have about open source.

No, only the internet has this false sense of security.

I work in a defense electronics company, policy is no open-source software from the internet.

Want to use Eclipse? use the EDK version from Xilinx. Want to use open source IP core? no, you can't do that, use slower/bigger Altera or Xilinx versions.
 
The RMS post is not complete without a link. Somewhere in the middle. To some who accidentally land on this thread, hope that gives you a piece of more fun.
 
