JasonADrury 13 hours ago

Binary analysis is vastly better than source code analysis; reliably detecting bugdoors via source code analysis tends to require an unrealistically deep knowledge of compiler behavior.

anonymars 12 hours ago

Empirically it doesn't look like there's a meaningful difference, does it?

Not having the source code hasn't stopped people from finding exploits in Windows (or even hardware attacks like Spectre or Meltdown). Having source code didn't protect against Heartbleed or log4j.

I'd conclude it comes down to security culture (look how things changed after the Trustworthy Computing initiative, or OpenSSL vs LibreSSL) and "how many people are looking" -- in that sense, maybe "many eyes [do] make bugs shallow", but it doesn't seem like "source code availability" is the deciding factor. Rather, "what are the incentives" -- both on the internal development side and the external attacker side.

tptacek 13 hours ago

I don't agree with "vastly better", but it's arguable both in direction and magnitude. I don't think you could plausibly argue that binary analysis is "vastly harder".

TZubiri 13 hours ago

Nono, analyzing binaries is harder.

But it's still possible. And analyzing source code is still hard.