Table: Finding Backdoors in Freedom Software vs Non-Freedom Software

	Non-Freedom Software (precompiled binaries)	Freedom Software (source-available)
Original source code is reviewable	No	Yes
Compiled binary file can be decompiled into disassembly	Yes	Yes
Regular pre-compiled binaries	Depends ^[1]	Yes
Obfuscation (anti-disassembly, anti-debugging, anti-VM) ^[2] is usually not used	Depends ^[3]	Yes ^[4]
Price for security audit searching for backdoors	Very high ^[5]	Lower
Difference between precompiled version and self-compiled version	Unavailable ^[6]	Small or none ^[7]
Reverse-engineering is not required	No	Yes
Assembler language skills required	Much more	Less
Always legal to decompile / reverse-engineer	No ^[8] ^[9]	Yes ^[10]
Possibility of catching backdoors via observing incoming/outgoing Internet connections	Very difficult ^[11]	Very difficult ^[11]
Convenience of spotting backdoors	Lowest convenience ^[12]	Very high convenience ^[13]
Difficulty of spotting intentional, malicious backdoors ^[14] ^[15]	Much higher difficulty ^[16]	Much lower difficulty ^[17]
Difficulty of spotting a "bugdoor" ^[18]	Much higher difficulty ^[19]	Lower difficulty
Third parties can legally release a software fork, a patched version without the backdoor	No ^[20]	Yes ^[21]
Third parties can potentially make (possibly illegal) modifications like disabling serial key checks ^[22]	Yes	Yes
Software is always modifiable	No ^[23]	Yes
Third parties can use static code analysis tools	No	Yes
Third parties can judge source code quality	No	Yes
Third parties can find logic bugs in the source code	No	Yes
Third parties can find logic bugs in the disassembly	Yes	Yes
Benefits from population-scale scrutiny	No	Yes
Third parties can benefit from debug symbols during analysis	Depends ^[24]	Yes
Display source code intermixed with disassembly	No	Yes ^[25]
Effort to audit subsequent releases	Almost same ^[26]	Usually lower ^[27]
Forum discussion: Finding Backdoors in Freedom Software vs Non-Freedom Software

Spotting backdoors is already very difficult in Freedom Software where the full source code is available to the general public. Spotting backdoors in non-freedom software composed of obfuscated binaries is exponentially more difficult. ^[28] ^[29] ^[30] ^[31] ^[32] ^[33] ^[34] ^[35] ^[36]

To further improve the situation in the future, the Freedom Software community is working on the Reproducible Builds project. Quote:

Reproducible builds are a set of software development practices that create an independently-verifiable path from source to binary code.

Whilst anyone may inspect the source code of free and open source software for malicious flaws, most software is distributed pre-compiled with no method to confirm whether they correspond.
This incentivises attacks on developers who release software, not only via traditional exploitation, but also in the forms of political influence, blackmail or even threats of violence.
This is particularly a concern for developers collaborating on privacy or security software: attacking these typically result in compromising particularly politically-sensitive targets such as dissidents, journalists and whistleblowers, as well as anyone wishing to communicate securely under a repressive regime.
Whilst individual developers are a natural target, it additionally encourages attacks on build infrastructure as an successful attack would provide access to a large number of downstream computer systems. By modifying the generated binaries here instead of modifying the upstream source code, illicit changes are essentially invisible to its original authors and users alike.
The motivation behind the Reproducible Builds project is therefore to allow verification that no vulnerabilities or backdoors have been introduced during this compilation process. By promising identical results are always generated from a given source, this allows multiple third parties to come to a consensus on a “correct” result, highlighting any deviations as suspect and worthy of scrutiny.
This ability to notice if a developer has been compromised then deters such threats or attacks occurring in the first place as any compromise would be quickly detected. This offers comfort to front-liners that they not only can be threatened, but they would not be coerced into exploiting or exposing their colleagues or end-users.

Several free software projects already, or will soon, provide reproducible builds.

url]
Copy as phpBB Click below ↴ = Open social URL with share data We don't use embedded scripts This share button is completely self-hosted by this webserver. No scripts from any of the social networks are embedded on this webserver. See also Social Share Button.

↑ Some use binary obfuscators.
↑ https://resources.infosecinstitute.com/topic/anti-disassembly-anti-debugging-and-anti-vm/
↑ Some use obfuscation.
↑ An Open Source application binary could be obfuscated in theory. However, depending on the application and the context -- like not being an Open Source obfuscator -- that would be highly suspicious. An Open Source application using obfuscators would probably be criticized in public, get scrutinized, and lose user trust.
↑
This is because non-freedom software is usually only available as a pre-compiled, possibly obfuscated binary. Using an anti-decompiler:
- Auditors can only look at the disassembly and cannot compare a pre-compiled version from the software vendor with a self-compiled version from source code.
- There is no source code that is well-written, well-commented, and easily readable by design.
↑ Since there is no source code, one cannot self-build one's own binary.
↑
- small: for non-reproducible builds (or reproducible builds with bugs)
- none: for reproducible builds
↑ Decompilation is often expressly forbidden by license agreements of proprietary software.
↑ Skype used DMCA (Digital Millenium Copyright Act) to shut down reverse engineering of Skype
↑ Decompilation is always legal and permitted in the license agreements of Freedom Software.
↑ ^{Jump up to: 11.0} ^11.1 This is very difficult because most outgoing connections are encrypted by default. At some point the content must be available to the computer in an unencrypted (plain text) format, but accessing that is not trivial. When running a suspected malicious application, local traffic analyzers like Wireshark cannot be trusted. The reason is the malicious application might have compromised the host operating system and be hiding that information from the traffic analyzer or through a backdoor. One possible option might be running the application inside a virtual machine, but many malicious applications actively attempt to detect this configuration. If a virtual machine is identified, they avoid performing malicious activities to avoid being detected. Ultimately this might be possible, but it is still very difficult.
↑ It is necessary to decompile the binary and read "gibberish", or try to catch malicious traffic originating from the software under review. As an example, consider how few people would have decompiled Microsoft Office and kept doing that for every upgrade.
↑
It is possible to:
1. Audit the source code and confirm it is free of backdoors.
2. Compare the precompiled binary with a self-built binary and audit the difference. Ideally, and in future, there will be no difference (thanks to the Reproducible Builds project) or only a small difference (due to non-determinism introduced during compilation, such as timestamps).
↑ An example of a malicious backdoor is a hardcoded username and password or login key only known by the software vendor. In this circumstance there is no plausible deniability for the software vendor.
↑ List of malicious backdoors in wikipedia.
↑ Requires strong disassembly auditing skills.
↑ If for example hardcoded login credentials were in the published source code, that would be easy to spot. If the published source code is different from the actual source code used by the developer to compile the binary, that difference would stand out when comparing pre-compiled binaries from the software vendor with self-compiled binaries by an auditor.
↑ A "bugdoor" is a vulnerability that can be abused to gain unauthorized access. It also provides plausible deniability for the software vendor. See also: Obfuscated C Code Contest.
↑ Such issues are hard to spot in the source code, but even harder to spot in the disassembly.
↑ This is forbidden in the license agreement. Due to lack of source code, no serious development is possible.
↑ Since source code is already available under a license that permits software forks and redistribution.
↑ This entry is to differentiate from the concept immediately above. Pre-compiled proprietary software is often modified by third parties for the purposes of privacy, game modifications, and exploitation.
↑ For example, Intel ME could not be disabled in Intel CPUs yet. At the time of writing, a Freedom Software re-implementation of Intel microcode is unavailable.
↑ Some may publish debug symbols.
↑
- objdump with parameter -S / --source
- How does objdump manage to display source code with the -S option?
↑ It is possible to review the disassembly, but that effort is duplicated for subsequent releases. The disassembly is not optimized to change as little as possible or to be easily understood by humans. If the compiled version added new optimizations or compilation flags changed, that creates a much bigger diff of the disassembly.
↑ After the initial audit of a source-available binary, it is possible to follow changes in the source code. To audit any newer releases, an auditor can compare the source code of the initially audited version with the new version. Unless there was a huge code refactoring or complete rewrite, the audit effort for subsequent versions is lower.
↑ The consensus is the assembler low level programming language is more difficult than other higher level abstraction programming languages. Example web search terms: assembler easy, assembler easier, assembler difficult.
↑
Source code written in higher level abstraction programming languages such as C and C++ are compiled to object code using a compiler. See this article for an introduction and this image. Source code written in lower level abstraction programming language assembler is converted to object code using an assembler. See the same article above and this image. Reverse engineering is very difficult for a reasonably complex program that is written in C or C++, where the source code is unavailable; that can be deduced from the high price for it. It is possible to decompile (meaning re-convert) the object code back to C with a decompiler like Boomerang. To put a price tag on it, consider this quote -- Boomerang: Help! I've lost my source code:
How much will it cost? You should expect to pay a significant amount of money for source recovery. The process is a long and intensive one. Depending on individual circumstances, the quality, quantity and size of artifacts, you can expect to pay upwards of US$15,000 per man-month.
- convert executable back to C source code
↑
The following resources try to solve the question of how to disassemble a binary (byte code) into assembly source code and re-assemble (convert) to binary.
1. Take a hello world assembler source code.
2. Assemble.
Click = Copy Copied to clipboard! nasm -felf64 hello.asm
3. Link.
Click = Copy Copied to clipboard! ld hello.o -o hello
4. objdump (optional).
Click = Copy Copied to clipboard! objdump -d hello
5. Exercise for the reader: disassemble hello and re-assemble.
↑
The GNU Hello program source file hello.c at the time of writing contains 170 lines. The objdump -d /usr/bin/hello on Debian buster has 2757 lines.
Install package(s) hello following these instructions
Platform specific notice.
- Kicksecure: No special notice.
- Kicksecure-Qubes: In Template.
Update the package lists and upgrade the system.
Click = Copy Copied to clipboard! sudo apt update && sudo apt full-upgrade
Install the hello package(s).
Using apt command line --no-install-recommends option is in most cases optional.
Click = Copy Copied to clipboard! sudo apt install --no-install-recommends hello
Platform specific notice.
- Kicksecure: No special notice.
- Kicksecure-Qubes: Shut down Template and restart App Qubes based on it as per Qubes Template Modification.
Done.
The procedure of installing package(s) hello is complete.
Click = Copy Copied to clipboard! objdump -d /usr/bin/hello
```
2757
```

↑ For example, consider how difficult it was to reverse engineer Skype: Skype Reverse Engineering : The (long) journey ;)..

↑

Consider all the Debian package maintainer scripts. Clearly these are easier to review as is, since most of them are written in sh or bash. Review would be difficult if these were converted to a program written in C, and were closed source and precompiled.
Similarly, it is far preferable for OnionShare to stay Open Source and written in python, rather than the project being turned into a precompiled binary.

↑ Salary comparison ($K):

low - median - high
Python: 77 - 92 - 108
Python: 51 - 79 - 107
C: 56 - 80 - 100
C: 49 - 80 - 112
Malware reverse engineering: 101 - 124 - 149
Assembler: 81 - 104 - 131
Malware Analyst: 75 - 115 - 141

↑ It is obvious the cost of a security audit involving reverse engineering will be far greater than for source-available code.

↑

Quote research paper Android Mobile OS Snooping By Samsung, Xiaomi, Huawei and Realme Handsets:
Reverse Engineering A fairly substantial amount of non-trivial reverse engineering is generally required in order to decrypt messages and to at least partially decode the binary plaintext. 1) Handset Rooting: The first step is to gain a shell on the handset with elevated privileges, i.e. in the case of Android to root the handset. This allows us then to (i) obtain copies of the system apps and their data, (ii) use a debugger to instrument and modify running apps (e.g. to extract encryption keys from memory and bypass security checks), and (iii) install a trusted SSL root certificate to allow HTTPS decryption, as we explain below. Rooting typically requires unlocking the bootloader to facilitate access to the so-called fastboot mode, disabling boot image verification and patching the system image. Unlocking the bootloader is often the hardest of these steps, since many handset manufacturers discourage bootloader unlocking. Some, such as Oppo, go so far as to entirely remove fastboot mode (the relevant code is not compiled into the bootloader). The importance of this is that it effectively places a constraint on the handset manufacturers/ mobile OSes that we can analyse. Xiaomi and Realme provide special tools to unlock the bootloader, with Xiaomi requiring registering user details and waiting a week before unlocking. Huawei require a handset-specific unlock code, but no longer supply such codes. To unlock the bootloader on the Huawei handset studied here, we needed to open the case and short the test point pads on the circuit board, in order to boot the device into the Huawei equivalent of Qualcomm’s Emergency Download (EDL) mode. In EDL mode, the bootloader itself can be patched to reset the unlock code to a known value (we used a commercial service for this), and thereby enable unlocking of the bootloader.

Decompiling and Instrumentation On a rooted handset, the Android application packages (APKs) of the apps on the /system disk partition can be extracted, unzipped and decompiled. While the bytecode of Android Java apps can be readily decompiled, the code is almost always deliberately obfuscated in order to deter reverse engineering. As a result, reverse engineering the encryption and binary encoding in an app can feel a little like exploring a darkened maze. Perhaps unsurprisingly, this is frequently a time-consuming process, even for experienced researchers/practitioners. It is often very helpful to connect to a running system app using a debugger, so as to view variable values, extract encryption keys from memory, etc.

The research paper describes in far more detail the highly complicated technical challenges of reverse engineering.

Kicksecure

A secure by default operating system with the latest security research in place.

Dark mode

Supported by Power Up Privacy

Kicksecure is proudly supported until 2025 by Power Up Privacy, a privacy advocacy group that seeks to supercharge privacy projects with resources so they can complete their mission of making our world a better place. (Strictly subject to our sponsorship policy.)

At Kicksecure we value freedom and trust, supporting Open Source and Freedom Software

By using this website, you acknowledge you have read, understood, and agree to be bound by these agreements: Terms of Service, Privacy Policy, Cookie Policy, E-Sign Consent, DMCA, Imprint

2012- 2025 ENCRYPTED SUPPORT LLC

Your support makes
all the difference!

We believe security software like Kicksecure needs to remain Open Source and independent. Would you help sustain and grow the project? Learn more about our 13 year success story and maybe DONATE!

[1] Some use binary obfuscators.

[2] ttps://resources.infosecinstitute.com/topic/anti-disassembly-anti-debugging-and-anti-vm/

[3] Some use obfuscation.

[4] An Open Source application binary could be obfuscated in theory. However, depending on the application and the context -- like not being an Open Source obfuscator -- that would be highly suspicious. An Open Source application using obfuscators would probably be criticized in public, get scrutinized, and lose user trust.

[5] This is because non-freedom software is usually only available as a pre-compiled, possibly obfuscated binary. Using an anti-decompiler:
Auditors can only look at the disassembly and cannot compare a pre-compiled version from the software vendor with a self-compiled version from source code.

There is no source code that is well-written, well-commented, and easily readable by design.

[6] Auditors can only look at the disassembly and cannot compare a pre-compiled version from the software vendor with a self-compiled version from source code.

[7] There is no source code that is well-written, well-commented, and easily readable by design.

[6] Since there is no source code, one cannot self-build one's own binary.

[7] 
small: for non-reproducible builds (or reproducible builds with bugs)

none: for reproducible builds

[10] small: for non-reproducible builds (or reproducible builds with bugs)

[11] : for reproducible builds

[8] Decompilation is often expressly forbidden by license agreements of proprietary software.

[skype-dmca-9] Skype used DMCA (Digital Millenium Copyright Act) to shut down reverse engineering of Skype

[10] Decompilation is always legal and permitted in the license agreements of Freedom Software.

[internet-connections-11] {Jump up to: 11.0} ^11.1 This is very difficult because most outgoing connections are encrypted by default. At some point the content must be available to the computer in an unencrypted (plain text) format, but accessing that is not trivial. When running a suspected malicious application, local traffic analyzers like Wireshark cannot be trusted. The reason is the malicious application might have compromised the host operating system and be hiding that information from the traffic analyzer or through a backdoor. One possible option might be running the application inside a virtual machine, but many malicious applications actively attempt to detect this configuration. If a virtual machine is identified, they avoid performing malicious activities to avoid being detected. Ultimately this might be possible, but it is still very difficult.

[12] It is necessary to decompile the binary and read "gibberish", or try to catch malicious traffic originating from the software under review. As an example, consider how few people would have decompiled Microsoft Office and kept doing that for every upgrade.

[13] It is possible to:
Audit the source code and confirm it is free of backdoors.

Compare the precompiled binary with a self-built binary and audit the difference. Ideally, and in future, there will be no difference (thanks to the Reproducible Builds project) or only a small difference (due to non-determinism introduced during compilation, such as timestamps).

[18] Audit the source code and confirm it is free of backdoors.

[19] Compare the precompiled binary with a self-built binary and audit the difference. Ideally, and in future, there will be no difference (thanks to the Reproducible Builds project) or only a small difference (due to non-determinism introduced during compilation, such as timestamps).

[14] An example of a malicious backdoor is a hardcoded username and password or login key only known by the software vendor. In this circumstance there is no plausible deniability for the software vendor.

[15] List of malicious backdoors in wikipedia.

[16] Requires strong disassembly auditing skills.

[17] If for example hardcoded login credentials were in the published source code, that would be easy to spot. If the published source code is different from the actual source code used by the developer to compile the binary, that difference would stand out when comparing pre-compiled binaries from the software vendor with self-compiled binaries by an auditor.

[18] A "bugdoor" is a vulnerability that can be abused to gain unauthorized access. It also provides plausible deniability for the software vendor. See also: Obfuscated C Code Contest.

[19] Such issues are hard to spot in the source code, but even harder to spot in the disassembly.

[20] This is forbidden in the license agreement. Due to lack of source code, no serious development is possible.

[21] Since source code is already available under a license that permits software forks and redistribution.

[22] This entry is to differentiate from the concept immediately above. Pre-compiled proprietary software is often modified by third parties for the purposes of privacy, game modifications, and exploitation.

[23] For example, Intel ME could not be disabled in Intel CPUs yet. At the time of writing, a Freedom Software re-implementation of Intel microcode is unavailable.

[24] Some may publish debug symbols.

[25] 
objdump with parameter -S / --source

How does objdump manage to display source code with the -S option?

[32] objdump with parameter -S / --source

[33] How does objdump manage to display source code with the -S option?

[26] It is possible to review the disassembly, but that effort is duplicated for subsequent releases. The disassembly is not optimized to change as little as possible or to be easily understood by humans. If the compiled version added new optimizations or compilation flags changed, that creates a much bigger diff of the disassembly.

[27] After the initial audit of a source-available binary, it is possible to follow changes in the source code. To audit any newer releases, an auditor can compare the source code of the initially audited version with the new version. Unless there was a huge code refactoring or complete rewrite, the audit effort for subsequent versions is lower.

[28] The consensus is the assembler low level programming language is more difficult than other higher level abstraction programming languages. Example web search terms: assembler easy, assembler easier, assembler difficult.

[29] Source code written in higher level abstraction programming languages such as C and C++ are compiled to object code using a compiler. See this article for an introduction and this image. Source code written in lower level abstraction programming language assembler is converted to object code using an assembler. See the same article above and this image. Reverse engineering is very difficult for a reasonably complex program that is written in C or C++, where the source code is unavailable; that can be deduced from the high price for it. It is possible to decompile (meaning re-convert) the object code back to C with a decompiler like Boomerang. To put a price tag on it, consider this quote -- Boomerang: Help! I've lost my source code:
How much will it cost? You should expect to pay a significant amount of money for source recovery. The process is a long and intensive one. Depending on individual circumstances, the quality, quantity and size of artifacts, you can expect to pay upwards of US$15,000 per man-month.

convert executable back to C source code

[38] vert executable back to C source code

[30] The following resources try to solve the question of how to disassemble a binary (byte code) into assembly source code and re-assemble (convert) to binary.
Tricks to Reassemble Disassembly

IDA pro asm instructions change

Why there are not any disassemblers that can generate re-assemblable asm code?

Recompile the asm file IDA pro created

Superset Disassembly: Statically Rewriting x86 Binaries Without Heuristics

GitHub: Guide to disassemble - disassemble.md

How to disassemble a binary executable in Linux to get the assembly code?

Use GCC and objdump to disassemble any hex to assembly code

1. Take a hello world assembler source code.
2. Assemble.
Click = Copy Copied to clipboard! nasm -felf64 hello.asm
3. Link.
Click = Copy Copied to clipboard! ld hello.o -o hello
4. objdump (optional).
Click = Copy Copied to clipboard! objdump -d hello
5. Exercise for the reader: disassemble hello and re-assemble.

[40] Tricks to Reassemble Disassembly

[41] IDA pro asm instructions change

[42] Why there are not any disassemblers that can generate re-assemblable asm code?

[43] Recompile the asm file IDA pro created

[44] Superset Disassembly: Statically Rewriting x86 Binaries Without Heuristics

[45] GitHub: Guide to disassemble - disassemble.md

[46] How to disassemble a binary executable in Linux to get the assembly code?

[47] Use GCC and objdump to disassemble any hex to assembly code

[31] The GNU Hello program source file hello.c at the time of writing contains 170 lines. The objdump -d /usr/bin/hello on Debian buster has 2757 lines.

Install package(s) hello following these instructions
Platform specific notice.

Kicksecure: No special notice.

Kicksecure-Qubes: In Template.

Update the package lists and upgrade the system.
Click = Copy Copied to clipboard! sudo apt update && sudo apt full-upgrade
Install the hello package(s).
Using apt command line --no-install-recommends option is in most cases optional.
Click = Copy Copied to clipboard! sudo apt install --no-install-recommends hello
Platform specific notice.

Kicksecure: No special notice.

Kicksecure-Qubes: Shut down Template and restart App Qubes based on it as per Qubes Template Modification.

Done.
The procedure of installing package(s) hello is complete.

Click = Copy Copied to clipboard! objdump -d /usr/bin/hello

2757

[49] Kicksecure: No special notice.

[50] Kicksecure-Qubes: In Template.

[51] Kicksecure: No special notice.

[52] Kicksecure-Qubes: Shut down Template and restart App Qubes based on it as per Qubes Template Modification.

[53] Audit the source code and confirm it is free of backdoors.

[54] Compare the precompiled binary with a self-built binary and audit the difference. Ideally, and in future, there will be no difference (thanks to the Reproducible Builds project) or only a small difference (due to non-determinism introduced during compilation, such as timestamps).

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]

[14]

[15]

[16]

[17]

[18]

[19]

[20]

[21]

[22]

[23]

[24]

[25]

[26]

[27]

[28]

[29]

[30]

[31]

[32]

[33]

[34]

[35]

[36]

Template:Backdoors

Navigation menu

Search

Disable server cache for this browser

Debug vis URL