Can I rely on these GitHub repository files?Which file encryption algorithm is used by Synology's Cloud Sync feature?GitHub pages and same originAPI credentials visible when creating Github pages website?Why host third party libs instead of relying on CDN, Nuget, GitHub?Making an API repository private vs publicHow does Github preserve versioning integrity?Is it a good idea to upload your gnupg files to github?How could malicious code changes in a GitHub pull request be masked by an attacker?Github account hacked and repo wiped - Github Response

Count All Possible Unique Combinations of Letters in a Word

Do I have to explain the mechanical superiority of the player-character within the fiction of the game?

What's currently blocking the construction of the wall between Mexico and the US?

Hit the Bulls Eye with T in the Center

Has there been any indication at all that further negotiation between the UK and EU is possible?

Confusion over 220 and 230 volt outlets

When to remove insignificant variables?

Why isn't my calculation that we should be able to see the sun well beyond the observable universe valid?

Why is it easier to balance a non-moving bike standing up than sitting down?

How did Gollum enter Moria?

Methodology: Writing unit tests for another developer

How many people are necessary to maintain modern civilisation?

What does it mean to not be able to take the derivative of a function multiple times?

Term or phrase for simply moving a problem from one area to another

Did the CIA blow up a Siberian pipeline in 1982?

Hot coffee brewing solutions for deep woods camping

Can Ogre clerics use Purify Food and Drink on humanoid characters?

What happened to Steve's Shield in Iron Man 2?

Why does Linux list NVMe drives as /dev/nvme0 instead of /dev/sda?

Is "Busen" just the area between the breasts?

Android Material and appcompat Manifest merger failed in react-native or ExpoKit

Why does independence imply zero correlation?

Does a vocal melody have any rhythmic responsibility to the underlying arrangement in pop music?

How would modern naval warfare have to have developed differently for battleships to still be relevant in the 21st century?



Can I rely on these GitHub repository files?


Which file encryption algorithm is used by Synology's Cloud Sync feature?GitHub pages and same originAPI credentials visible when creating Github pages website?Why host third party libs instead of relying on CDN, Nuget, GitHub?Making an API repository private vs publicHow does Github preserve versioning integrity?Is it a good idea to upload your gnupg files to github?How could malicious code changes in a GitHub pull request be masked by an attacker?Github account hacked and repo wiped - Github Response






.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;








21















I recently found the GitHub repository https://github.com/userEn1gm4/HLuna, but after I cloned it I noted that the comparison between the file compiled (using g++) from source, HLuna.cxx, and the binary included in the repository (HLuna) is different: differ: byte 25, line 1. Is the provided binary file secure?



I've already analyzed that in VirusTotal without any issues, but I don't have the expertise to decompile and read the output, and I've previously executed the binary provided without thinking about the risks.






reverse-engineering c++ github







share|improve this question



















  • 3





    If you're able to compile from source, then just use your computer version.

    – Daisetsu
    Mar 25 at 5:05






  • 18





    It takes lots of effort for builds to be reproducible (deterministic) due to nature of legacy tools (because no one cared about that in past). Debian is trying to be deterministic since 2014, still not done :)

    – PTwr
    Mar 25 at 8:27






  • 1





    There is a relevant post (full disclosure: mine) on OpenSource.SE with several helpful links about deterministic and non-deterministic builds: Is there any way to assert that source code corresponds to compiled code?

    – apsillers
    Mar 25 at 13:09







  • 1





    How do you know you can trust the source code in the repo? Do you audit every single line of code? (the 175 line source code file you linked to is small enough that you can audit it, but if it were 10,000 or 100,000 lines of code, is the source code any safer than the published binaries?)

    – Johnny
    Mar 25 at 21:35

















21















I recently found the GitHub repository https://github.com/userEn1gm4/HLuna, but after I cloned it I noted that the comparison between the file compiled (using g++) from source, HLuna.cxx, and the binary included in the repository (HLuna) is different: differ: byte 25, line 1. Is the provided binary file secure?



I've already analyzed that in VirusTotal without any issues, but I don't have the expertise to decompile and read the output, and I've previously executed the binary provided without thinking about the risks.






reverse-engineering c++ github







share|improve this question



















  • 3





    If you're able to compile from source, then just use your computer version.

    – Daisetsu
    Mar 25 at 5:05






  • 18





    It takes lots of effort for builds to be reproducible (deterministic) due to nature of legacy tools (because no one cared about that in past). Debian is trying to be deterministic since 2014, still not done :)

    – PTwr
    Mar 25 at 8:27






  • 1





    There is a relevant post (full disclosure: mine) on OpenSource.SE with several helpful links about deterministic and non-deterministic builds: Is there any way to assert that source code corresponds to compiled code?

    – apsillers
    Mar 25 at 13:09







  • 1





    How do you know you can trust the source code in the repo? Do you audit every single line of code? (the 175 line source code file you linked to is small enough that you can audit it, but if it were 10,000 or 100,000 lines of code, is the source code any safer than the published binaries?)

    – Johnny
    Mar 25 at 21:35













21












21








21


2






I recently found the GitHub repository https://github.com/userEn1gm4/HLuna, but after I cloned it I noted that the comparison between the file compiled (using g++) from source, HLuna.cxx, and the binary included in the repository (HLuna) is different: differ: byte 25, line 1. Is the provided binary file secure?



I've already analyzed that in VirusTotal without any issues, but I don't have the expertise to decompile and read the output, and I've previously executed the binary provided without thinking about the risks.






reverse-engineering c++ github







share|improve this question
















I recently found the GitHub repository https://github.com/userEn1gm4/HLuna, but after I cloned it I noted that the comparison between the file compiled (using g++) from source, HLuna.cxx, and the binary included in the repository (HLuna) is different: differ: byte 25, line 1. Is the provided binary file secure?



I've already analyzed that in VirusTotal without any issues, but I don't have the expertise to decompile and read the output, and I've previously executed the binary provided without thinking about the risks.






reverse-engineering c++ github




reverse-engineering c++ github






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Mar 25 at 7:19









Peter Mortensen

73449




73449










asked Mar 24 at 23:14









mcruz2401mcruz2401

6616




6616







  • 3





    If you're able to compile from source, then just use your computer version.

    – Daisetsu
    Mar 25 at 5:05






  • 18





    It takes lots of effort for builds to be reproducible (deterministic) due to nature of legacy tools (because no one cared about that in past). Debian is trying to be deterministic since 2014, still not done :)

    – PTwr
    Mar 25 at 8:27






  • 1





    There is a relevant post (full disclosure: mine) on OpenSource.SE with several helpful links about deterministic and non-deterministic builds: Is there any way to assert that source code corresponds to compiled code?

    – apsillers
    Mar 25 at 13:09







  • 1





    How do you know you can trust the source code in the repo? Do you audit every single line of code? (the 175 line source code file you linked to is small enough that you can audit it, but if it were 10,000 or 100,000 lines of code, is the source code any safer than the published binaries?)

    – Johnny
    Mar 25 at 21:35












  • 3





    If you're able to compile from source, then just use your computer version.

    – Daisetsu
    Mar 25 at 5:05






  • 18





    It takes lots of effort for builds to be reproducible (deterministic) due to nature of legacy tools (because no one cared about that in past). Debian is trying to be deterministic since 2014, still not done :)

    – PTwr
    Mar 25 at 8:27






  • 1





    There is a relevant post (full disclosure: mine) on OpenSource.SE with several helpful links about deterministic and non-deterministic builds: Is there any way to assert that source code corresponds to compiled code?

    – apsillers
    Mar 25 at 13:09







  • 1





    How do you know you can trust the source code in the repo? Do you audit every single line of code? (the 175 line source code file you linked to is small enough that you can audit it, but if it were 10,000 or 100,000 lines of code, is the source code any safer than the published binaries?)

    – Johnny
    Mar 25 at 21:35







3




3





If you're able to compile from source, then just use your computer version.

– Daisetsu
Mar 25 at 5:05





If you're able to compile from source, then just use your computer version.

– Daisetsu
Mar 25 at 5:05




18




18





It takes lots of effort for builds to be reproducible (deterministic) due to nature of legacy tools (because no one cared about that in past). Debian is trying to be deterministic since 2014, still not done :)

– PTwr
Mar 25 at 8:27





It takes lots of effort for builds to be reproducible (deterministic) due to nature of legacy tools (because no one cared about that in past). Debian is trying to be deterministic since 2014, still not done :)

– PTwr
Mar 25 at 8:27




1




1





There is a relevant post (full disclosure: mine) on OpenSource.SE with several helpful links about deterministic and non-deterministic builds: Is there any way to assert that source code corresponds to compiled code?

– apsillers
Mar 25 at 13:09






There is a relevant post (full disclosure: mine) on OpenSource.SE with several helpful links about deterministic and non-deterministic builds: Is there any way to assert that source code corresponds to compiled code?

– apsillers
Mar 25 at 13:09





1




1





How do you know you can trust the source code in the repo? Do you audit every single line of code? (the 175 line source code file you linked to is small enough that you can audit it, but if it were 10,000 or 100,000 lines of code, is the source code any safer than the published binaries?)

– Johnny
Mar 25 at 21:35





How do you know you can trust the source code in the repo? Do you audit every single line of code? (the 175 line source code file you linked to is small enough that you can audit it, but if it were 10,000 or 100,000 lines of code, is the source code any safer than the published binaries?)

– Johnny
Mar 25 at 21:35










3 Answers
3






active

oldest

votes


















22














Polynomial tells you what may happen, and how to solve it. Here I will illustrate it:



I ran both binaries through strings and diffed them. That enough shows some completely harmless differences, in particular, the compiler used:



GCC: (Debian 6.3.0-18) 6.3.0 20170516 | GCC: (GNU) 8.2.1 20181105 (Red Hat 8.2.1-5)
 > GCC: (GNU) 8.3.1 20190223 (Red Hat 8.3.1-2)
 > gcc 8.2.1 20181105


Some of the private names used are also different:



_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEaSEOS4_@ | _ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEaSERKS4_


And some sections seem to be shuffled, so the diff cannot match them exactly.



Even on the same computer, without optimisation and -O3 shows different files:



_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE6appendE | _ZNSt7__cxx1115basic_stringbufIcSt11char_traitsIcESaIcEED2Ev


Even shuffling of internal data:



Diccionario creado! <
MENU <
1. Generador de Diccionarios <
0. Salir <
/*** <
* $$| |$$ |$$| <
* $$| |$$ |$$| * $$| |$$ |$$| 
* $$| |$$ |$$| $$| |$$ |$$$$$$| |$$$$$$| * $$| |$$ |$$| $$| |$$ |$$$$$$| |$$$$$$| 
* $$$$$$$$ |$$| $$| |$$ |$$ __ $$| ____$$| * $$$$$$$$ |$$| $$| |$$ |$$ __ $$| ____$$| 
* $$| |$$ |$$| $$| |$$ |$$| |$$| $$$$$$$| * $$| |$$ |$$| $$| |$$ |$$| |$$| $$$$$$$| 
* $$| |$$ |$$|___ $$|_|$$ |$$| |$$| $$___$$| * $$| |$$ |$$|___ $$|_|$$ |$$| |$$| $$___$$| 
* $$| |$$ |$$$$$$$| $$$$$ |$$| |$$| $$$$$$$| * $$| |$$ |$$$$$$$| $$$$$ |$$| |$$| $$$$$$$| 
* ---------------------------------------------- * ---------------------------------------------- 
 > -------------------
 > Diccionario creado!
 > MENU
 > 1. Generador de Diccionarios
 > 0. Salir
 > /*** 
 > * $$| |$$ |$$|



This proves that differing binary files raises many false positives, and doesn't tell you anything about is safety.



In this case, I'd use the version compiled by myself because you have no way to know what version is uploaded, as the author may have forgotten to recompile before the last tweaks.






share|improve this answer


















  • 7





    I don't think those are different names - what's actually happened is that when the immediately adjoining data are printable, strings grabs slightly more text. nm might be a better tool for extracting identifiers.

    – Toby Speight
    Mar 25 at 16:14











  • @TobySpeight good point, I shall investigate and correct.

    – Davidmh
    Mar 25 at 22:06











  • …and even a honest author might be unknowingly infected by some malware.

    – spectras
    Mar 26 at 3:05






  • 2





    Protip/warning: GNU Strings was at one point vulnerable to arbitrary code execution if used on a malicious file. So it may be wise to avoid running it on untrusted files, just in case.

    – Kevin
    Mar 26 at 7:20












  • @Kevin any piece of software may be vulnerable to arbitrary code execution if used on a malicious file. That doesn't mean you can't use those tools to examine them, it just mean that you need to airgap the system that runs them.

    – Braiam
    Mar 26 at 14:51


















58














Compilation is not a directly verifiable deterministic process across compiler versions, library versions, operating systems, or a number of other different variables. The only way to verify is to perform a diff at the assembly level. There are lots of tools that can do this but you still need to put the manual work in.






share|improve this answer


















  • 35





    Even that isn't going to be reliable across optimization levels.

    – chrylis
    Mar 25 at 5:48






  • 44





    Even if the compiled object code is 100% identical, there may still be timestamps in the executable file's metadata which cause the resulting binaries to differ even though the code is identical.

    – Jörg W Mittag
    Mar 25 at 7:00






  • 2





    Reproducible builds solve this problem.

    – forest
    Mar 25 at 8:34











  • This is the real answer. Build never supposed to produce the same binary on two different machines even with same OS, compiler version and configuration. It is just stated nowhere, and no one actually assumed this, at least in C++ world. I don't like the accepted answer because it is specific to the app and does not explain this.

    – Croll
    Mar 26 at 9:07



















2














If the software is exactly the same at source level, then the question boils down to whether you can trust your compiler, system libraries and various utilities which are used during compilation. If you installed your toolchain from a trusted source and you trust your computer wasn't compromised meanwhile, then there's no reason to suspect that the binary file that you generated will be malicious, even if it differs from the "reference" build.






share|improve this answer


















  • 6





    Of course, Ken Thompson may disagree.

    – Jörg W Mittag
    Mar 25 at 15:52






  • 1





    @JörgWMittag If you can't trust trust, who can you trust?

    – apsillers
    Mar 25 at 16:52






  • 1





    @apsillers trusting trust can be countered: schneier.com/blog/archives/2006/01/countering_trus.html

    – Alex Vong
    Mar 26 at 12:01











Your Answer








StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "162"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);













draft saved

draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f206000%2fcan-i-rely-on-these-github-repository-files%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown

























3 Answers
3






active

oldest

votes








3 Answers
3






active

oldest

votes









active

oldest

votes






active

oldest

votes









22














Polynomial tells you what may happen, and how to solve it. Here I will illustrate it:



I ran both binaries through strings and diffed them. That enough shows some completely harmless differences, in particular, the compiler used:



GCC: (Debian 6.3.0-18) 6.3.0 20170516 | GCC: (GNU) 8.2.1 20181105 (Red Hat 8.2.1-5)
 > GCC: (GNU) 8.3.1 20190223 (Red Hat 8.3.1-2)
 > gcc 8.2.1 20181105


Some of the private names used are also different:



_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEaSEOS4_@ | _ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEaSERKS4_


And some sections seem to be shuffled, so the diff cannot match them exactly.



Even on the same computer, without optimisation and -O3 shows different files:



_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE6appendE | _ZNSt7__cxx1115basic_stringbufIcSt11char_traitsIcESaIcEED2Ev


Even shuffling of internal data:



Diccionario creado! <
MENU <
1. Generador de Diccionarios <
0. Salir <
/*** <
* $$| |$$ |$$| <
* $$| |$$ |$$| * $$| |$$ |$$| 
* $$| |$$ |$$| $$| |$$ |$$$$$$| |$$$$$$| * $$| |$$ |$$| $$| |$$ |$$$$$$| |$$$$$$| 
* $$$$$$$$ |$$| $$| |$$ |$$ __ $$| ____$$| * $$$$$$$$ |$$| $$| |$$ |$$ __ $$| ____$$| 
* $$| |$$ |$$| $$| |$$ |$$| |$$| $$$$$$$| * $$| |$$ |$$| $$| |$$ |$$| |$$| $$$$$$$| 
* $$| |$$ |$$|___ $$|_|$$ |$$| |$$| $$___$$| * $$| |$$ |$$|___ $$|_|$$ |$$| |$$| $$___$$| 
* $$| |$$ |$$$$$$$| $$$$$ |$$| |$$| $$$$$$$| * $$| |$$ |$$$$$$$| $$$$$ |$$| |$$| $$$$$$$| 
* ---------------------------------------------- * ---------------------------------------------- 
 > -------------------
 > Diccionario creado!
 > MENU
 > 1. Generador de Diccionarios
 > 0. Salir
 > /*** 
 > * $$| |$$ |$$|



This proves that differing binary files raises many false positives, and doesn't tell you anything about is safety.



In this case, I'd use the version compiled by myself because you have no way to know what version is uploaded, as the author may have forgotten to recompile before the last tweaks.






share|improve this answer


















  • 7





    I don't think those are different names - what's actually happened is that when the immediately adjoining data are printable, strings grabs slightly more text. nm might be a better tool for extracting identifiers.

    – Toby Speight
    Mar 25 at 16:14











  • @TobySpeight good point, I shall investigate and correct.

    – Davidmh
    Mar 25 at 22:06











  • …and even a honest author might be unknowingly infected by some malware.

    – spectras
    Mar 26 at 3:05






  • 2





    Protip/warning: GNU Strings was at one point vulnerable to arbitrary code execution if used on a malicious file. So it may be wise to avoid running it on untrusted files, just in case.

    – Kevin
    Mar 26 at 7:20












  • @Kevin any piece of software may be vulnerable to arbitrary code execution if used on a malicious file. That doesn't mean you can't use those tools to examine them, it just mean that you need to airgap the system that runs them.

    – Braiam
    Mar 26 at 14:51















22














Polynomial tells you what may happen, and how to solve it. Here I will illustrate it:



I ran both binaries through strings and diffed them. That enough shows some completely harmless differences, in particular, the compiler used:



GCC: (Debian 6.3.0-18) 6.3.0 20170516 | GCC: (GNU) 8.2.1 20181105 (Red Hat 8.2.1-5)
 > GCC: (GNU) 8.3.1 20190223 (Red Hat 8.3.1-2)
 > gcc 8.2.1 20181105


Some of the private names used are also different:



_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEaSEOS4_@ | _ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEaSERKS4_


And some sections seem to be shuffled, so the diff cannot match them exactly.



Even on the same computer, without optimisation and -O3 shows different files:



_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE6appendE | _ZNSt7__cxx1115basic_stringbufIcSt11char_traitsIcESaIcEED2Ev


Even shuffling of internal data:



Diccionario creado! <
MENU <
1. Generador de Diccionarios <
0. Salir <
/*** <
* $$| |$$ |$$| <
* $$| |$$ |$$| * $$| |$$ |$$| 
* $$| |$$ |$$| $$| |$$ |$$$$$$| |$$$$$$| * $$| |$$ |$$| $$| |$$ |$$$$$$| |$$$$$$| 
* $$$$$$$$ |$$| $$| |$$ |$$ __ $$| ____$$| * $$$$$$$$ |$$| $$| |$$ |$$ __ $$| ____$$| 
* $$| |$$ |$$| $$| |$$ |$$| |$$| $$$$$$$| * $$| |$$ |$$| $$| |$$ |$$| |$$| $$$$$$$| 
* $$| |$$ |$$|___ $$|_|$$ |$$| |$$| $$___$$| * $$| |$$ |$$|___ $$|_|$$ |$$| |$$| $$___$$| 
* $$| |$$ |$$$$$$$| $$$$$ |$$| |$$| $$$$$$$| * $$| |$$ |$$$$$$$| $$$$$ |$$| |$$| $$$$$$$| 
* ---------------------------------------------- * ---------------------------------------------- 
 > -------------------
 > Diccionario creado!
 > MENU
 > 1. Generador de Diccionarios
 > 0. Salir
 > /*** 
 > * $$| |$$ |$$|



This proves that differing binary files raises many false positives, and doesn't tell you anything about is safety.



In this case, I'd use the version compiled by myself because you have no way to know what version is uploaded, as the author may have forgotten to recompile before the last tweaks.






share|improve this answer


















  • 7





    I don't think those are different names - what's actually happened is that when the immediately adjoining data are printable, strings grabs slightly more text. nm might be a better tool for extracting identifiers.

    – Toby Speight
    Mar 25 at 16:14











  • @TobySpeight good point, I shall investigate and correct.

    – Davidmh
    Mar 25 at 22:06











  • …and even a honest author might be unknowingly infected by some malware.

    – spectras
    Mar 26 at 3:05






  • 2





    Protip/warning: GNU Strings was at one point vulnerable to arbitrary code execution if used on a malicious file. So it may be wise to avoid running it on untrusted files, just in case.

    – Kevin
    Mar 26 at 7:20












  • @Kevin any piece of software may be vulnerable to arbitrary code execution if used on a malicious file. That doesn't mean you can't use those tools to examine them, it just mean that you need to airgap the system that runs them.

    – Braiam
    Mar 26 at 14:51













22












22








22







Polynomial tells you what may happen, and how to solve it. Here I will illustrate it:



I ran both binaries through strings and diffed them. That enough shows some completely harmless differences, in particular, the compiler used:



GCC: (Debian 6.3.0-18) 6.3.0 20170516 | GCC: (GNU) 8.2.1 20181105 (Red Hat 8.2.1-5)
 > GCC: (GNU) 8.3.1 20190223 (Red Hat 8.3.1-2)
 > gcc 8.2.1 20181105


Some of the private names used are also different:



_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEaSEOS4_@ | _ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEaSERKS4_


And some sections seem to be shuffled, so the diff cannot match them exactly.



Even on the same computer, without optimisation and -O3 shows different files:



_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE6appendE | _ZNSt7__cxx1115basic_stringbufIcSt11char_traitsIcESaIcEED2Ev


Even shuffling of internal data:



Diccionario creado! <
MENU <
1. Generador de Diccionarios <
0. Salir <
/*** <
* $$| |$$ |$$| <
* $$| |$$ |$$| * $$| |$$ |$$| 
* $$| |$$ |$$| $$| |$$ |$$$$$$| |$$$$$$| * $$| |$$ |$$| $$| |$$ |$$$$$$| |$$$$$$| 
* $$$$$$$$ |$$| $$| |$$ |$$ __ $$| ____$$| * $$$$$$$$ |$$| $$| |$$ |$$ __ $$| ____$$| 
* $$| |$$ |$$| $$| |$$ |$$| |$$| $$$$$$$| * $$| |$$ |$$| $$| |$$ |$$| |$$| $$$$$$$| 
* $$| |$$ |$$|___ $$|_|$$ |$$| |$$| $$___$$| * $$| |$$ |$$|___ $$|_|$$ |$$| |$$| $$___$$| 
* $$| |$$ |$$$$$$$| $$$$$ |$$| |$$| $$$$$$$| * $$| |$$ |$$$$$$$| $$$$$ |$$| |$$| $$$$$$$| 
* ---------------------------------------------- * ---------------------------------------------- 
 > -------------------
 > Diccionario creado!
 > MENU
 > 1. Generador de Diccionarios
 > 0. Salir
 > /*** 
 > * $$| |$$ |$$|



This proves that differing binary files raises many false positives, and doesn't tell you anything about is safety.



In this case, I'd use the version compiled by myself because you have no way to know what version is uploaded, as the author may have forgotten to recompile before the last tweaks.






share|improve this answer













Polynomial tells you what may happen, and how to solve it. Here I will illustrate it:



I ran both binaries through strings and diffed them. That enough shows some completely harmless differences, in particular, the compiler used:



GCC: (Debian 6.3.0-18) 6.3.0 20170516 | GCC: (GNU) 8.2.1 20181105 (Red Hat 8.2.1-5)
 > GCC: (GNU) 8.3.1 20190223 (Red Hat 8.3.1-2)
 > gcc 8.2.1 20181105


Some of the private names used are also different:



_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEaSEOS4_@ | _ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEaSERKS4_


And some sections seem to be shuffled, so the diff cannot match them exactly.



Even on the same computer, without optimisation and -O3 shows different files:



_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE6appendE | _ZNSt7__cxx1115basic_stringbufIcSt11char_traitsIcESaIcEED2Ev


Even shuffling of internal data:



Diccionario creado! <
MENU <
1. Generador de Diccionarios <
0. Salir <
/*** <
* $$| |$$ |$$| <
* $$| |$$ |$$| * $$| |$$ |$$| 
* $$| |$$ |$$| $$| |$$ |$$$$$$| |$$$$$$| * $$| |$$ |$$| $$| |$$ |$$$$$$| |$$$$$$| 
* $$$$$$$$ |$$| $$| |$$ |$$ __ $$| ____$$| * $$$$$$$$ |$$| $$| |$$ |$$ __ $$| ____$$| 
* $$| |$$ |$$| $$| |$$ |$$| |$$| $$$$$$$| * $$| |$$ |$$| $$| |$$ |$$| |$$| $$$$$$$| 
* $$| |$$ |$$|___ $$|_|$$ |$$| |$$| $$___$$| * $$| |$$ |$$|___ $$|_|$$ |$$| |$$| $$___$$| 
* $$| |$$ |$$$$$$$| $$$$$ |$$| |$$| $$$$$$$| * $$| |$$ |$$$$$$$| $$$$$ |$$| |$$| $$$$$$$| 
* ---------------------------------------------- * ---------------------------------------------- 
 > -------------------
 > Diccionario creado!
 > MENU
 > 1. Generador de Diccionarios
 > 0. Salir
 > /*** 
 > * $$| |$$ |$$|



This proves that differing binary files raises many false positives, and doesn't tell you anything about is safety.



In this case, I'd use the version compiled by myself because you have no way to know what version is uploaded, as the author may have forgotten to recompile before the last tweaks.







share|improve this answer












share|improve this answer



share|improve this answer










answered Mar 25 at 8:46









DavidmhDavidmh

33615




33615







  • 7





    I don't think those are different names - what's actually happened is that when the immediately adjoining data are printable, strings grabs slightly more text. nm might be a better tool for extracting identifiers.

    – Toby Speight
    Mar 25 at 16:14











  • @TobySpeight good point, I shall investigate and correct.

    – Davidmh
    Mar 25 at 22:06











  • …and even a honest author might be unknowingly infected by some malware.

    – spectras
    Mar 26 at 3:05






  • 2





    Protip/warning: GNU Strings was at one point vulnerable to arbitrary code execution if used on a malicious file. So it may be wise to avoid running it on untrusted files, just in case.

    – Kevin
    Mar 26 at 7:20












  • @Kevin any piece of software may be vulnerable to arbitrary code execution if used on a malicious file. That doesn't mean you can't use those tools to examine them, it just mean that you need to airgap the system that runs them.

    – Braiam
    Mar 26 at 14:51












  • 7





    I don't think those are different names - what's actually happened is that when the immediately adjoining data are printable, strings grabs slightly more text. nm might be a better tool for extracting identifiers.

    – Toby Speight
    Mar 25 at 16:14











  • @TobySpeight good point, I shall investigate and correct.

    – Davidmh
    Mar 25 at 22:06











  • …and even a honest author might be unknowingly infected by some malware.

    – spectras
    Mar 26 at 3:05






  • 2





    Protip/warning: GNU Strings was at one point vulnerable to arbitrary code execution if used on a malicious file. So it may be wise to avoid running it on untrusted files, just in case.

    – Kevin
    Mar 26 at 7:20












  • @Kevin any piece of software may be vulnerable to arbitrary code execution if used on a malicious file. That doesn't mean you can't use those tools to examine them, it just mean that you need to airgap the system that runs them.

    – Braiam
    Mar 26 at 14:51







7




7





I don't think those are different names - what's actually happened is that when the immediately adjoining data are printable, strings grabs slightly more text. nm might be a better tool for extracting identifiers.

– Toby Speight
Mar 25 at 16:14





I don't think those are different names - what's actually happened is that when the immediately adjoining data are printable, strings grabs slightly more text. nm might be a better tool for extracting identifiers.

– Toby Speight
Mar 25 at 16:14













@TobySpeight good point, I shall investigate and correct.

– Davidmh
Mar 25 at 22:06





@TobySpeight good point, I shall investigate and correct.

– Davidmh
Mar 25 at 22:06













…and even a honest author might be unknowingly infected by some malware.

– spectras
Mar 26 at 3:05





…and even a honest author might be unknowingly infected by some malware.

– spectras
Mar 26 at 3:05




2




2





Protip/warning: GNU Strings was at one point vulnerable to arbitrary code execution if used on a malicious file. So it may be wise to avoid running it on untrusted files, just in case.

– Kevin
Mar 26 at 7:20






Protip/warning: GNU Strings was at one point vulnerable to arbitrary code execution if used on a malicious file. So it may be wise to avoid running it on untrusted files, just in case.

– Kevin
Mar 26 at 7:20














@Kevin any piece of software may be vulnerable to arbitrary code execution if used on a malicious file. That doesn't mean you can't use those tools to examine them, it just mean that you need to airgap the system that runs them.

– Braiam
Mar 26 at 14:51





@Kevin any piece of software may be vulnerable to arbitrary code execution if used on a malicious file. That doesn't mean you can't use those tools to examine them, it just mean that you need to airgap the system that runs them.

– Braiam
Mar 26 at 14:51













58














Compilation is not a directly verifiable deterministic process across compiler versions, library versions, operating systems, or a number of other different variables. The only way to verify is to perform a diff at the assembly level. There are lots of tools that can do this but you still need to put the manual work in.






share|improve this answer


















  • 35





    Even that isn't going to be reliable across optimization levels.

    – chrylis
    Mar 25 at 5:48






  • 44





    Even if the compiled object code is 100% identical, there may still be timestamps in the executable file's metadata which cause the resulting binaries to differ even though the code is identical.

    – Jörg W Mittag
    Mar 25 at 7:00






  • 2





    Reproducible builds solve this problem.

    – forest
    Mar 25 at 8:34











  • This is the real answer. Build never supposed to produce the same binary on two different machines even with same OS, compiler version and configuration. It is just stated nowhere, and no one actually assumed this, at least in C++ world. I don't like the accepted answer because it is specific to the app and does not explain this.

    – Croll
    Mar 26 at 9:07
















58














Compilation is not a directly verifiable deterministic process across compiler versions, library versions, operating systems, or a number of other different variables. The only way to verify is to perform a diff at the assembly level. There are lots of tools that can do this but you still need to put the manual work in.






share|improve this answer


















  • 35





    Even that isn't going to be reliable across optimization levels.

    – chrylis
    Mar 25 at 5:48






  • 44





    Even if the compiled object code is 100% identical, there may still be timestamps in the executable file's metadata which cause the resulting binaries to differ even though the code is identical.

    – Jörg W Mittag
    Mar 25 at 7:00






  • 2





    Reproducible builds solve this problem.

    – forest
    Mar 25 at 8:34











  • This is the real answer. Build never supposed to produce the same binary on two different machines even with same OS, compiler version and configuration. It is just stated nowhere, and no one actually assumed this, at least in C++ world. I don't like the accepted answer because it is specific to the app and does not explain this.

    – Croll
    Mar 26 at 9:07














58












58








58







Compilation is not a directly verifiable deterministic process across compiler versions, library versions, operating systems, or a number of other different variables. The only way to verify is to perform a diff at the assembly level. There are lots of tools that can do this but you still need to put the manual work in.






share|improve this answer













Compilation is not a directly verifiable deterministic process across compiler versions, library versions, operating systems, or a number of other different variables. The only way to verify is to perform a diff at the assembly level. There are lots of tools that can do this but you still need to put the manual work in.







share|improve this answer












share|improve this answer



share|improve this answer










answered Mar 24 at 23:20









PolynomialPolynomial

103k36252344




103k36252344







  • 35





    Even that isn't going to be reliable across optimization levels.

    – chrylis
    Mar 25 at 5:48






  • 44





    Even if the compiled object code is 100% identical, there may still be timestamps in the executable file's metadata which cause the resulting binaries to differ even though the code is identical.

    – Jörg W Mittag
    Mar 25 at 7:00






  • 2





    Reproducible builds solve this problem.

    – forest
    Mar 25 at 8:34











  • This is the real answer. Build never supposed to produce the same binary on two different machines even with same OS, compiler version and configuration. It is just stated nowhere, and no one actually assumed this, at least in C++ world. I don't like the accepted answer because it is specific to the app and does not explain this.

    – Croll
    Mar 26 at 9:07













  • 35





    Even that isn't going to be reliable across optimization levels.

    – chrylis
    Mar 25 at 5:48






  • 44





    Even if the compiled object code is 100% identical, there may still be timestamps in the executable file's metadata which cause the resulting binaries to differ even though the code is identical.

    – Jörg W Mittag
    Mar 25 at 7:00






  • 2





    Reproducible builds solve this problem.

    – forest
    Mar 25 at 8:34











  • This is the real answer. Build never supposed to produce the same binary on two different machines even with same OS, compiler version and configuration. It is just stated nowhere, and no one actually assumed this, at least in C++ world. I don't like the accepted answer because it is specific to the app and does not explain this.

    – Croll
    Mar 26 at 9:07








35




35





Even that isn't going to be reliable across optimization levels.

– chrylis
Mar 25 at 5:48





Even that isn't going to be reliable across optimization levels.

– chrylis
Mar 25 at 5:48




44




44





Even if the compiled object code is 100% identical, there may still be timestamps in the executable file's metadata which cause the resulting binaries to differ even though the code is identical.

– Jörg W Mittag
Mar 25 at 7:00





Even if the compiled object code is 100% identical, there may still be timestamps in the executable file's metadata which cause the resulting binaries to differ even though the code is identical.

– Jörg W Mittag
Mar 25 at 7:00




2




2





Reproducible builds solve this problem.

– forest
Mar 25 at 8:34





Reproducible builds solve this problem.

– forest
Mar 25 at 8:34













This is the real answer. Build never supposed to produce the same binary on two different machines even with same OS, compiler version and configuration. It is just stated nowhere, and no one actually assumed this, at least in C++ world. I don't like the accepted answer because it is specific to the app and does not explain this.

– Croll
Mar 26 at 9:07






This is the real answer. Build never supposed to produce the same binary on two different machines even with same OS, compiler version and configuration. It is just stated nowhere, and no one actually assumed this, at least in C++ world. I don't like the accepted answer because it is specific to the app and does not explain this.

– Croll
Mar 26 at 9:07












2














If the software is exactly the same at source level, then the question boils down to whether you can trust your compiler, system libraries and various utilities which are used during compilation. If you installed your toolchain from a trusted source and you trust your computer wasn't compromised meanwhile, then there's no reason to suspect that the binary file that you generated will be malicious, even if it differs from the "reference" build.






share|improve this answer


















  • 6





    Of course, Ken Thompson may disagree.

    – Jörg W Mittag
    Mar 25 at 15:52






  • 1





    @JörgWMittag If you can't trust trust, who can you trust?

    – apsillers
    Mar 25 at 16:52






  • 1





    @apsillers trusting trust can be countered: schneier.com/blog/archives/2006/01/countering_trus.html

    – Alex Vong
    Mar 26 at 12:01















2














If the software is exactly the same at source level, then the question boils down to whether you can trust your compiler, system libraries and various utilities which are used during compilation. If you installed your toolchain from a trusted source and you trust your computer wasn't compromised meanwhile, then there's no reason to suspect that the binary file that you generated will be malicious, even if it differs from the "reference" build.






share|improve this answer


















  • 6





    Of course, Ken Thompson may disagree.

    – Jörg W Mittag
    Mar 25 at 15:52






  • 1





    @JörgWMittag If you can't trust trust, who can you trust?

    – apsillers
    Mar 25 at 16:52






  • 1





    @apsillers trusting trust can be countered: schneier.com/blog/archives/2006/01/countering_trus.html

    – Alex Vong
    Mar 26 at 12:01













2












2








2







If the software is exactly the same at source level, then the question boils down to whether you can trust your compiler, system libraries and various utilities which are used during compilation. If you installed your toolchain from a trusted source and you trust your computer wasn't compromised meanwhile, then there's no reason to suspect that the binary file that you generated will be malicious, even if it differs from the "reference" build.






share|improve this answer













If the software is exactly the same at source level, then the question boils down to whether you can trust your compiler, system libraries and various utilities which are used during compilation. If you installed your toolchain from a trusted source and you trust your computer wasn't compromised meanwhile, then there's no reason to suspect that the binary file that you generated will be malicious, even if it differs from the "reference" build.







share|improve this answer












share|improve this answer



share|improve this answer










answered Mar 25 at 13:27









Dmitry GrigoryevDmitry Grigoryev

7,9322246




7,9322246







  • 6





    Of course, Ken Thompson may disagree.

    – Jörg W Mittag
    Mar 25 at 15:52






  • 1





    @JörgWMittag If you can't trust trust, who can you trust?

    – apsillers
    Mar 25 at 16:52






  • 1





    @apsillers trusting trust can be countered: schneier.com/blog/archives/2006/01/countering_trus.html

    – Alex Vong
    Mar 26 at 12:01












  • 6





    Of course, Ken Thompson may disagree.

    – Jörg W Mittag
    Mar 25 at 15:52






  • 1





    @JörgWMittag If you can't trust trust, who can you trust?

    – apsillers
    Mar 25 at 16:52






  • 1





    @apsillers trusting trust can be countered: schneier.com/blog/archives/2006/01/countering_trus.html

    – Alex Vong
    Mar 26 at 12:01







6




6





Of course, Ken Thompson may disagree.

– Jörg W Mittag
Mar 25 at 15:52





Of course, Ken Thompson may disagree.

– Jörg W Mittag
Mar 25 at 15:52




1




1





@JörgWMittag If you can't trust trust, who can you trust?

– apsillers
Mar 25 at 16:52





@JörgWMittag If you can't trust trust, who can you trust?

– apsillers
Mar 25 at 16:52




1




1





@apsillers trusting trust can be countered: schneier.com/blog/archives/2006/01/countering_trus.html

– Alex Vong
Mar 26 at 12:01





@apsillers trusting trust can be countered: schneier.com/blog/archives/2006/01/countering_trus.html

– Alex Vong
Mar 26 at 12:01

















draft saved

draft discarded
















































Thanks for contributing an answer to Information Security Stack Exchange!


  • Please be sure to answer the question. Provide details and share your research!

But avoid


  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f206000%2fcan-i-rely-on-these-github-repository-files%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







-

Popular posts from this blog

Kamusi Yaliyomo Aina za kamusi | Muundo wa kamusi | Faida za kamusi | Dhima ya picha katika kamusi | Marejeo | Tazama pia | Viungo vya nje | UrambazajiKuhusu kamusiGo-SwahiliWiki-KamusiKamusi ya Kiswahili na Kiingerezakuihariri na kuongeza habari

Image
Pages using ISBN magic linksMbegu za lughaKamusiIsimu nenoKiarabukitabulughaKiswahilialfabetimaanaufafanuzimanenomuhtasarisarufividahizoalfabeti Kamusi Kutoka Wikipedia, kamusi elezo huru Jump to navigation Jump to search Kamusi za Kiswahili Kamusi ya Kiswahili-Kiswahili (kamusi wahidiya) Kamusi ya Kiswahili - Kiingereza (kamusi thania) Kamusi (kutoka neno la Kiarabu قاموس qamus ) ni kitabu ambacho kinaorodhesha maneno ya lugha yaliyokusanywa kutoka kwa watumiaji wa lugha fulani, kwa mfano lugha ya Kiswahili. Maneno hupangwa kwa mtindo wa alfabeti, hutoa maana, asili na ufafanuzi wa utumizi wa maneno na jinsi yanavyotumika au yanavyotamkwa. [1] Yaliyomo 1 Aina za kamusi 2 Muundo wa kamusi 2.1 1. Utangulizi wa kamusi 2.2 2. Matini ya kamusi 2.3 3. Sherehe ya kamusi 3 Faida za kamusi 4 Dhima ya picha katika kamusi 5 Marejeo 6 Tazama pia 7 Viungo vya nje Aina za kamusi | Kuna aina mbalimbali za kamusi ambazo ni: Kamusi wahidiya yaani ya l
Read more

Swift 4 - func physicsWorld not invoked on collision? The Next CEO of Stack OverflowHow to call Objective-C code from Swift#ifdef replacement in the Swift language@selector() in Swift?#pragma mark in Swift?Swift for loop: for index, element in array?dispatch_after - GCD in Swift?Swift Beta performance: sorting arraysSplit a String into an array in Swift?The use of Swift 3 @objc inference in Swift 4 mode is deprecated?How to optimize UITableViewCell, because my UITableView lags

Image
Strange use of "whether ... than ..." in official text Could a dragon use its wings to swim? Car headlights in a world without electricity How to avoid supervisors with prejudiced views? Is the offspring between a demon and a celestial possible? If so what is it called and is it in a book somewhere? Can I board the first leg of the flight without having final country's PR card? subequations: How to continue numbering within subequation? How do you define an element with an ID attribute using LWC? Relevant Part for a Badminton Serve What CSS properties can the br tag have? What are the unusually-enlarged wing sections on this P-38 Lightning? Why did early computer designers eschew integers? Is it a bad idea to plug the other end of ESD strap to wall ground? Magento 1.9 observer on only new product added ( no updated product ) Airplane gently rocking its wings during whole flight It is correct to match light sources with the same color temperat
Read more

Access current req object everywhere in Node.js ExpressWhy are global variables considered bad practice? (node.js)Using req & res across functionsHow do I get the path to the current script with Node.js?What is Node.js' Connect, Express and “middleware”?Node.js w/ express error handling in callbackHow to access the GET parameters after “?” in Express?Modify Node.js req object parametersAccess “app” variable inside of ExpressJS/ConnectJS middleware?Node.js Express app - request objectAngular Http Module considered middleware?Session variables in ExpressJSAdd properties to the req object in expressjs with Typescript

Image
What steps should I take to lawfully visit the United States as a tourist immediately after visiting on a B-1 visa? Would dual wielding daggers be a viable choice for a covert bodyguard? For a hashing function like MD5, how similar can two plaintext strings be and still generate the same hash? Using Newton's shell theorem to accelerate a spaceship Why doesn't sea level show seasonality? What prevents someone from claiming to be the murderer in order to get the real murderer off? Has anyone in space seen or photographed a simple laser pointer from Earth? What does (void *)1 mean Why does the U.S. tolerate foreign influence from Saudi Arabia and Israel on its domestic policies while not tolerating that from China or Russia? Modulus Operandi What's the point of having a RAID 1 configuration over incremental backups to a secondary drive? How to ask for a LinkedIn endorsement? Good resources for solving techniques (Metaheuristics, MILP, CP etc) How woul
Read more