Posts by David Litchfield

1 publicly visible post • joined 6 Feb 2008

Veracode hunts for backdoors in outsourced code

David Litchfield

1st Anonymous Coward: Source vs Binary

Someone said, "A debugger or disassembler is no substitute for source code, and in many cases is now illegal to apply."

You have to remember that it is not the source which executes on the computer but rather a compiled binary and the two don't necessarily "match". This may be due to a number of reasons such as compiler optimizations. Flaws that don't appear in the source can manifest themselves in the binary and vice versa. A good example of this is the source calling memset() on some memory to scrub a cleartext password; yet this is optimized out by the compiler and so a security flaw is introduced in the binary. Thus reviewing the source would turn up nothing whereas reviewing the binary would.
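As an added illustration of the memset() point above (example code, not part of the original comment): a C password check whose scrub of a local buffer is a dead store the compiler may remove, beside a scrub that writes through a volatile pointer so the stores survive optimization. The function names and the test password are constructed for this example.

```c
#include <stddef.h>
#include <string.h>

/* Added example, not from the post; function names are illustrative.
 * The case described: pw is a local buffer never read after memset(), so
 * an optimizing compiler may treat the memset as a dead store and drop it,
 * leaving the cleartext password on the stack. The source looks fine;
 * only the compiled binary shows the flaw. */
static int check_password_insecure(const char *supplied, const char *expected)
{
    char pw[64];
    strncpy(pw, supplied, sizeof pw - 1);
    pw[sizeof pw - 1] = '\0';
    int ok = (strcmp(pw, expected) == 0);
    memset(pw, 0, sizeof pw);        /* dead store: may be optimized away */
    return ok;
}

/* Hardened scrub: each store goes through a volatile pointer, which the C
 * standard requires the compiler to perform, so it cannot be elided.
 * C11 memset_s() and explicit_bzero() (glibc, OpenBSD) serve the same
 * purpose where they are available. */
static void secure_memzero(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--)
        *vp++ = 0;
}

static int check_password_secure(const char *supplied, const char *expected)
{
    char pw[64];
    strncpy(pw, supplied, sizeof pw - 1);
    pw[sizeof pw - 1] = '\0';
    int ok = (strcmp(pw, expected) == 0);
    secure_memzero(pw, sizeof pw);   /* survives optimization */
    return ok;
}

/* Fills a buffer with a non-zero pattern, scrubs it with secure_memzero()
 * and returns 1 if every byte is now zero (0 otherwise). */
static int scrub_demo(void)
{
    unsigned char buf[32], acc = 0;
    memset(buf, 0xAA, sizeof buf);
    secure_memzero(buf, sizeof buf);
    for (size_t i = 0; i < sizeof buf; i++)
        acc |= buf[i];
    return acc == 0;
}
```

Compiling the insecure version with optimization enabled and inspecting the disassembly is the binary-level review the comment describes: the memset call is typically absent, while the volatile stores in secure_memzero() remain.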