On Wed, 11 Dec 2002, Buck Calabro wrote:

> We still haven't found a machine-enforced guaranteed chain of evidence that
> THIS source is in THAT object, although manual signatures in binder source
> help with service programs. Although that can be forged easily enough.
> Matching the source change date/times AND the *SRVPGM signatures AND the
> file signatures provides a degree of security that the executable is pretty
> much what you think it is, always presuming that you have a reference object
> to compare against.

I think about the best you can do is keep an MD5 checksum of all your objects. Many folks in the open source world use this to guarantee that a given binary did indeed come from the right source. This is how things like tripwire detect intruders/trojans.

Of course you also have to trust that your compiler doesn't produce trojan code. Without the source to the compiler you will never know for sure. Unless you are actually flipping the bits yourself on the machine you have to trust somebody somewhere.

I think there really was a case where some compiler produced trojaned code. It even could detect if it was compiling itself and insert the trojan into the new version of the compiler.

James Rich
This mailing list archive is Copyright 1997-2025 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page.