At 06:44 AM 10/22/02 -0700, Mike Rosing wrote:

>On Wed, 31 Dec 1969, Bill Frantz wrote:
>> I have been asked to audit some source code to see if the programmer
>> inserted a backdoor.
>
>Look for "exception processing". Anywhere the code looks for a particular
>value, something like "== 0x3456352e". That usually is a passcode into
>a backdoor. It only takes one line :-)

Yep, but a TLA-class adversary will use much more subtle tricks. I bet you can use a language's intrinsic "exception processing" as a hidden channel. And use little tricks like setting an int used like a bool to a value >1. And sign-extension crap that can catch you even when you're not trying to be evil. And of course the joys of tracing pointer chains are widely appreciated. Particularly pointers with math done to them. Intentional, *built-in* buffer games (incl. stack games) would also be subtle. Passive (passive aggressive?) tricks -- failing to zero something interesting, using a RNG before it's ready, having the PCI bus traces radiate your secrets away -- are useful and even better, deniable. Hard to do that with NSA_KEY in your debug variables...
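A small audit helper that mechanizes Rosing's "== 0x3456352e" heuristic, added here as an example that is not part of the thread. The regexes, the 0x1000 threshold and the sample C source are constructed for illustration; it catches only the crude one-line passcode, not the subtler tricks listed in the reply.

```python
import re
from typing import List, Tuple

# Heuristic from the thread: a comparison against one specific, large literal
# ("== 0x3456352e") is a classic hard-coded passcode. These patterns catch
# ==/!= tests and switch-case labels against hex or decimal literals.
# They are a constructed illustration, not a real C parser.
_CMP_LITERAL = re.compile(r"(?:==|!=)\s*(0[xX][0-9a-fA-F]+|\d+)\b")
_CASE_LITERAL = re.compile(r"\bcase\s+(0[xX][0-9a-fA-F]+|\d+)\s*:")

# Small values (0, 1, -1, errno-style codes, loop bounds) are everyday C;
# only larger literals look like a secret. Threshold is an assumed default.
MIN_SUSPICIOUS = 0x1000


def _to_int(literal: str) -> int:
    return int(literal, 16) if literal.lower().startswith("0x") else int(literal)


def find_magic_comparisons(source: str, threshold: int = MIN_SUSPICIOUS) -> List[Tuple[int, int, str]]:
    """Return (line_no, literal_value, stripped_line) for each suspicious test."""
    hits = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        code = line.split("//", 1)[0]          # drop trailing line comments
        for pat in (_CMP_LITERAL, _CASE_LITERAL):
            for m in pat.finditer(code):
                value = _to_int(m.group(1))
                if value >= threshold:
                    hits.append((line_no, value, line.strip()))
    return hits


# Constructed sample: an ordinary-looking module with two planted checks.
SAMPLE_C = """\
int verify(const char *user, unsigned key, int retries) {
    if (key == 0x3456352e) return 1;      /* constructed: looks like a passcode */
    if (strcmp(user, "") == 0) return 0;
    if (retries != 3) return 0;
    switch (key) {
        case 0xdeadbeef: return 1;        /* constructed: second planted entry */
        case 2: return 0;
    }
    return 0;
}
"""

if __name__ == "__main__":
    for line_no, value, text in find_magic_comparisons(SAMPLE_C):
        print(f"line {line_no}: literal {value:#x} in: {text}")
```

Run over the sample it reports lines 2 and 6 and stays silent on the routine `== 0` and `!= 3` tests; treat every hit as a lead for the auditor, not a verdict.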
