[Tfug] Let's play "ID this code"! (serious issue actually)

Mon Aug 24 09:43:28 MST 2009

> > *All* code is "interpreted" by something.  Even "machine level"
> > code is interpreted by the hardware "machine".  There is nothing
> > that inherently makes "interpreted code" (in the sense you
> > intend it here) more vulnerable to tampering than "compiled code"
> > (again, playing fast and loose with terminology here)
> 
> I think what Jim is getting at is having a logical split between the
> data and how the data is modified, kind of like how in the MVC
> programming methodology the data is encapsulated by the Model, whereas
> all the logic is stored in the Controller.

Yes.  But the code cited doesn't appear to *modify* any data
but, rather, just (possibly) alters the way it is scanned, presented,
etc.

I.e., I see no "decision logic" that pertains to the values
of the "vote-related data" (e.g., nothing that changes a
vote, the "contest" it was cast in, etc.).

> That said, because this is a database dump, the vendor may consider
> the "hash checked" system to be the original state of the program with
> an "empty" database, which in reality contains the schema
> and a bit of program logic.

But, I think Jim's point is:  that "check" must be verifiable
AT ANY POINT IN TIME.  I.e., the scheme you hypothesized would
require the "auditor" to empty the database (vacuuming all
tables -- including system tables, etc.) to be able to
"vouch" for the integrity of the "system".

E.g., I once hacked a system diagnostic (which was used as
part of the official "sell-off" of the product) to say
"Go for coffee" at the start of a certain lengthy subtest.
The test itself wasn't altered -- just the prompt displayed
to the operator (testing a 600 bit-wide memory array
exhaustively takes a fair bit of time  :>  ).

Needless to say, the vendor gave me a stern frown when the
message appeared on the screen and insisted on rerunning
*all* of the tests with a "fresh (from vendor) copy" of the
diagnostics.  (not that he distrusted me, but *he* had to
attest to the validity of the test procedure which *clearly*
had been put at risk by my indiscretion  :-(  )

OTOH, I'm not sure this sort of static "checksum" could
ever apply in this situation (RDBMS) except on the "TEXT image".
(and then, how do you verify that the contents of your DATA
segment aren't going to alter the resulting operation of the
program?  It wouldn't be the first/last time uninitialized
data was used/referenced by a piece of production code...)

The whole voting system appears to be a horrible abortion
designed by folks clueless to the real issues involved.

Like the DTV mess:  Gee, what sort of simulations did you
"experts" run BEFORE settling on this scheme?  why are so
many average joes having problems now that it has been
deployed?  (perhaps all of the experts work for the CATV
companies!  ;-)