How I Compiled TrueCrypt For Windows and Matched the Official Binaries

First time accepted submitter xavier2dc writes "TrueCrypt is a popular software enabling data protection by means of encryption for all categories of users. It is getting even more attention lately following the revelations of the NSA as the authors remain anonymous and no thorough security audit have yet been conducted to prove it is not backdoored in any way. This has led several concerns raised in different places, such as this blog post, this one, this security analysis [PDF], also related on that blog post from which IsTrueCryptAuditedYet? was born. One of the recurring questions is: What if the binaries provided on the website were different than the source code and they included hidden features? To address this issue, I built the software from the official sources in a careful way and was able to match the official binaries. According to my findings, all three recent major versions (v7.1a, v7.0a, v6.3a) exactly match the sources."

But can you trust xavier2dc?

[Anonymous Coward]

But can you trust xavier2dc? It's turtles all the way down.

Re:But can you trust xavier2dc?

[javajawa]

Then follow the same steps and compile it yourself. You should come to the same results.

Re:But can you trust xavier2dc?

[Impy the Impiuos Imp]

Yah, really.

Wait! But what if I, myself, am an NSA stooge and don't realize it?

Re:

[bondsbw]

What if the NSA injected a Ken Thompson hack into our human compilers? Our DNA may have an NSA backdoor!

Re:But can you trust xavier2dc?

[Grog6]

If there's DNA on your Backdoor, you've just been rooted!

(sorry; but this IS /.) :)

Re:

[jonfr]

Just run Windows ME and then you never have to worry about NSA.

Re:

[RawsonDR]

Yah, really.

Wait! But what if I, myself, am an NSA stooge and don't realize it?

You'll need to provide us with your source code. We'll review, then recompile. If the output matches then we know we can trust (both of) you.

Re:

[geekoid]

And who did the security audit of your compilers?

Re:

[Grog6]

The NSA, of course. :)

Or NIST; same thing.

Re:But can you trust xavier2dc?

[IndustrialComplex]

You'll need to provide us with your source code.

I'll provide you my source code, but just remember, you asked for it. So no complaining to the police when it is delivered.

Re:But can you trust xavier2dc?

[tippe]

Lets give him the Voight-Kampff test and find out...

Re:

[PopeRatzo]

Lets give him the Voight-Kampff test and find out...l

Is there gonna be math on that test?

Re:But can you trust xavier2dc?

[TangoMargarine]

Yes. They give you a couple complex calculus problems and if you get them right, you're a robot.

Re:

[David_Hart]

Yes. They give you a couple complex calculus problems and if you get them right, you're a robot.

Or you have 1000 monkeys working for you...

Re:

[TangoMargarine]

I think the point of the test would be kind of nullified if it allowed extended execution length or parallelization.

Re:

[maxwell demon]

OK, but how do I compile xavier2dc? Is the source even available?

Re:But can you trust xavier2dc?

[paiute]

OK, but how do I compile xavier2dc? Is the source even available?

Step 1: Find his mother

Sarah Conner?

[dutchwhizzman]

Is his mothers name Sarah Conner?

Re:

[omtinez]

On that line of thought, trying to replicate the binaries takes a whole new meaning

Re:

[mrchaotica]

Step 1: download hacked_compiler.exe from xavier2dc.com...

(I kid, but "Reflections on Trusting Trust" shows that it's possible...)

Re:

[nani popoki]

Ken Thompson once presented a hack where he modified the C compiler to insert a backdoor in the generated code for the UNIX login code (and only that one specific module!). So trusting the compiler to do what you say is NOT an "of course".

that's not even wrong...

[Thud457]

You're not quite 40 YEARS behind the times [schneier.com]....


I think this whole NSA brouhaha will make some people start taking auditability a little more seriously.
Which means documenting the whole tool chain used and all options used. Of course, that only helps if you have access to the source. SUX to be you, Microsoft.

Re:

[gigaherz]

Microsoft offers the sources of many products for research and education purposes. You DO have to sign an NDA to get them, though, so it's not like if just anyone can do the testing.

Re:

[Russ1642]

You also need the source for the chips themselves. Maybe that's the weak link.

Re:

[tepples]

You also need the source for the chips themselves.

Not if the diverse double compiling process includes other CPU architectures. For one thing, there exists a C compiler that runs on an Apple IIGS computer with a 65816 CPU, which doesn't have enough gates to hold a Ken Thompson backdoor.

Re:

[Score Whore]

What the hell are you talking about? The 65816 in the IIGS has more capacity/capability than the machines Ken Thompson did his work on. What it primarily lacks is an MMU.

Re:

[Tassach]

The whole point of the Thompson hack is that it would survive a source code audit. If you compiled the clean source for the compiler with a dirty compiler, it would insert the backdoor into the new executable, making it self-replicating in an virtually undetectable fashion. The code you compiled yourself would be byte-for-byte identical with the bootstrap compiler.

Re:But can you trust xavier2dc?

[Applekid]

Ken Thompson once presented a hack where he modified the C compiler to insert a backdoor in the generated code for the UNIX login code (and only that one specific module!). So trusting the compiler to do what you say is NOT an "of course".

And how can I trust the cpu to actually execute the code as compiled and not insert it's own microcode into the process? And how can I trust the memory chips that hold my data to not clandestinely copy it off someplace else?

No no, the only solution is to catch the butterflies whose wings flapped and waterboard them to learn the truth.

Diverse double compiling

[tepples]

And how can I trust the cpu to actually execute the code as compiled and not insert it's own microcode into the process?

By using free compilers and ensuring clean binaries using diverse double compiling. (Thud457 mentioned it [slashdot.org], and we discussed it a week ago [slashdot.org].) Essentially what you do is bootstrap the compiler (compile the compiler's source code with your existing compiler binary, then recompile it with itself) on several different brands of compiler. If the binaries resulting from all bootstraps match, then either none of them have a backdoor or they all have the same backdoor. The more compilation processes you use, the less likely it will be that they all have the same backdoor. To exclude CPU microcode bugs that target a particular compiler, you could try running some of the bootstraps in an emulator such as DOSBox or bootstrap them as cross-compilers on another CPU architecture.

Re:

[geekoid]

You don't see the flaw their? really?

Re:

[swillden]

You don't see the flaw their? really?

Did you miss the last sentence?

Re:Diverse double compiling

[Stuarticus]

I see the flaw their.

Re:But can you trust xavier2dc?

[Shoten]

Then follow the same steps and compile it yourself. You should come to the same results.

I think you're kind of missing his two points. One, he's joking. But two, he's also serious...yes, that is what someone can do. But will they? Probably not. I'm willing to bet that 80% minimum of those who read TFA will simply accept it as canon and move on with it a fact in their minds that the two do match. And beyond that, they will keep it as a fact in their minds even for future releases, which haven't been validated in this way. So that's really the challenge here.

And even worse, think about all the TrueCrypt users who don't have the technical ability to compile binaries, much less do it in a very specific way? Ultimately, someone has to be trusted, and trust is a web rather than something that flows from a single fountain when it comes to society.

Re:But can you trust xavier2dc?

[amicusNYCL]

One, he's joking. But two, he's also serious.

You just blew my mind.

Re:

[TangoMargarine]

http://www.catb.org/jargon/html/H/ha-ha-only-serious.html [catb.org]

Re:

[nitehawk214]

Then follow the same steps and compile it yourself. You should come to the same results.

How do you compile a person?

Re:

[cheater512]

Step 5. Insert NSA trojan in to binary.

Yep I got the exact same binary too!

Re:

[killkillkill]

Let me the compile tools used to compile it and then then I'll trust it. Oh, the source for Microsoft's build tools aren't available? Well, we'll just have to trust that Microsoft doesn't cooperate with the NSA.

Re:

[slashmydots]

You're right, I'm inventing my own encryption method from scratch. Then my anime/hollywood movie crossover fanfics will finally be safe.

Re:

[gigaherz]

The problem with custom encryption systems is that, unlike the real kind, they CAN be hacked "in seconds" by a professional. The only algorithms you could trust to be safe would be the ones the NSA themselves use to store their secrets. On the downside, the docs for those are probably encrypted using the algorithms themselves...

Re: But can you trust xavier2dc?

[wo1verin3]

I would watch the hell out of that.

Re:

[NatasRevol]

Unfortunately, yes he does.

Re:

[wonkey_monkey]

I'm sorry, but your Sailor Moon vs. Iron Man stories have already been stolen

It wasn't "vs." You don't want to know what it was, but it wasn't that.

Re:

[djmurdoch]

Sure you can trust him. An AC said he found the same thing.

Re:

[superwiz]

Hey, first time submitter... just one question: From what IP?

Re:

[bobbied]

Until you personally have inspected the source code for everything down to the BIOS and microcode in your hardware there will always be a chance there is a backdoor.

BUT, it all depends on how far away you go with your trust. Don't trust the application? Build from source. Don't trust the build chain? Build it from source. Don't trust your OS? Build it from source using your built compiler... On and on, until you have literally built everything yourself. The good news is that the farther you get away f

Little Let Down

[Anrego]

I was kinda hoping he'd built some elaborate timing setup to somehow match the exact timestamps and compile speed as the official binaries were built with.

This is still a great analysis though, and the detail provided is a fun read and useful insight into the general mindset and method of how this kind of analysis is done.

Re:Little Let Down

[IamTheRealMike]

He did as much as was necessary to establish trust and no more.

I just want to say to Xavier - thanks. Great work.

Re:Little Let Down

[wonkey_monkey]

He did as much as was necessary to establish trust and no more.

Or so he has led you to believe...

Re:Little Let Down

[Anonymous Coward]

Everything in that link only applies to secondary volumes, it doesn't appear to apply if you've encrypted your system volume.
Also, everything being talked about has little to do with windows, and more to do with the pointers/shortcuts external applications make to the "hidden" encrypted filesystem.
Linux would likely have the same number of "Hey! Look! An encrypted filesystem over there!" red flags.

worst grammar mistake they could make

[slashmydots]

"It is getting even more attention lately following the revelations of the NSA as the authors remain anonymous and no thorough security audit have yet been conducted to prove it is not backdoored in any way."

What they mean is:
It is getting even more attention lately[,] following the revelations of the NSA[,] as the authors remain anonymous and no thorough security audit [has] yet been conducted to prove it is not backdoored in any way.

Oh, you know, so it doesn't say: "revelations of the NSA as the aut

Ugh, not "a software" again.

[jabberw0k]

"TrueCrypt is a popular software enabling data protection...

No, TrueCrypt is a popular piece of software. You don't have "a hardware" or "a clothing" or "an information" — and likewise you cannot have "a software."

Re:

[freeze128]

I'm just glad that they don't call it a "Progrum".

Re:

[Desler]

Even better that it's not a "pogrom".

Re:

[ZombieBraintrust]

I don't think you can have a "piece" of software. You don't have half of TrueCrypt or a 3rd of it. Should be "TrueCrypt is popular software enabling data protection"

Re:

[Chuckstar]

Now you're going to tell me there's no such thing as a single scissor, either. ;-)

Re:

[sconeu]

What is half a pair of scissors, but a single sciz [youtube.com]!!!

Re:

[Suiggy]

Thanks for this. It's one of my pet peeves as well. Same with how certain people refer to the plural of data as datas, etc. The plural of data is data.

Re:

[Pseudonym Authority]

Actually, `data' is uncountable, much like `soap' or `money'. To demonstrate, say the following: `It's too much data!' and `It's too many data!'. Were it countable, you would use `many' rather than `much'. Normally, uncountable nouns are not pluralized. But when they are, it refers to different kinds of the object. For example: `soaps' means that there are different types of soaps, `peoples' means that there are at least two distinct subgroups that merit distinction within a larger group of people. As such,

Re:Ugh, not "a software" again.

[geekoid]

The plural of datum is data.
The singular of data is datum.

Re:

[grqb]

Translate to french and then we'll let the OP nitpick your grammar.

Re:

[Valdrax]

I'm guessing you only wear pairs of pants and listen to MP3 files.

Languages shorten common phrases. Get used to it.

Valid English:Fuck the Fucking Fuckers!

[Grog6]

I diagrammed this Sentence in Sophomore English in HS, following up, "Jesus wept." :)

Mr. Countiss really liked that, IIRC.

Did same, found same

[Anonymous Coward]

I did the exact same thing as in TFA a few days earlier and ended up finding the exact same variations and causes for those variations.
My conclusion was also identical, binaries are indeed coming from the provided sources and can be trusted if no further backdoor is found in the sources themselves.

A cryptographic and coding oriented audit is still much required.

Generic problem to solve?

[Okian Warrior]

This thing about TrueCrypt has turned into a test-case for software security practices.

Loosely, the security audit has three sections: 1) Look at the sources, 2) Look at the license agreement, 3) Verify that the binaries match the sources.

Item #3 above seems to be a generic problem: assuming that the source is correct, how can people verify that binaries were compiled from the source? Any minor change to the compiler can generate different instructions for the same code, and many compilers insert time-stamp

Re:

[ledow]

Include source with the binary, in a non-executable section.

On first run, the machine builds the source (running as a very limited user) and compares the result against the rest of the binary. If it doesn't match, it simply ignores the binary supplied, replaces it with the new compiled version and signs it with a key unique to your own computer/compiler.

Of course, there are myriad problems here (not least that commercial software will never be released in that format), but that's the only way "to be sure".

Re:

[bill_mcgonigle]

The real question is, when will Debian/Ubuntu/Redhat/Suse be verified?

Redhat has been verified by the CentOS team. If you read the -devel mailing list from back when it was done, it was a real pain in the ass. "Compile this SRPM on this version of Fedora with this version of this library installed", etc.

But they did it, after a long effort, and got binary matches.

Obligatory Ken Thompson Lecture

[SplawnDarts]

http://cm.bell-labs.com/who/ken/trust.html [bell-labs.com]

Won't stop the NSA produced FUD

[Anonymous Coward]

The NSA wages a massive psychological warfare campaign in yearly psy-ops that are budgeted at multiple billions of dollars. Telling people that good, cheap, easy solutions are 'bad' is very very effective. Most people are very easily manipulated, when messages are regularly inserted into their media of choice.

Take one real-life NSA project:
- years ago, the US government passed laws insisting that ALL mobile phones in the USA could be location tracked using ANY viable technology solution. In reality, this m

Backdoor in the source?

[kbg]

But did this guy check why the Windows version writes mysterious random bytes in the header but not in the Linux version?

Compiler can not be trusted

[kbg]

There is one problem with his findings. In order to compile TrueCrypt you have to use Microsoft Visual C++ compiler, which is made by Microsoft from a closed source. If I was the NSA I would but the backdoor in the compiler and it would get injected into the binary whenever TrueCrypt was compiled.

Re:

[grub]

Not just that, you need a very old Microsoft Visual C++: V 1.52

Why so old? Weaknesses or backdoored? TINFOIL HAT!

Re:

[xavier2dc]

Visual C++ 1.52c is the last version that could generate 16-bit code, which is needed to compile part of the boot loader for full disk/system encryption. The other solution would have been to write all the thing in assembly (or replaced the portion with the pre-compiled code instead), but that wouldn't have made more people happy to reverse-engineer more assembly, would it?

Re:And why should we trust you?

[asmkm22]

He provides pretty clear instructions on how to duplicate the process he used. He's not just saying "I did it and it's safe, trust me."

Re:

[Anonymous Coward]

I'm a little suspect of this ./configure --enable-backdoor option.

Re:

[icebike]

Then he puts it on Windows?

Today's captcha is horsefly

If Truecrypt calls ANY windows APIs, especially the crypto APIs, putting it on is exactly the wrong thing to do.

If on the other hand it has its own built in crypto functions in the source code you might feel a little better about it.

(I haven't looked, so I actually don't know if it uses MS APIs or not.)

Re:

[bobbied]

Try reading the source perhaps? Some code is amazingly readable, even when you don't understand the language.

submitter told you how to check it yourself

[raymorris]

TFA painstakingly explained how you can check it yourself. I'm sure several people will, including enough people that I trust enough. Especially given that there is zero evidence of a backdoor. Nobody is claiming there is a backdoor, so it's a question if yyou trust the testers more than you trust - nobody.

Re:submitter told you how to check it yourself

[mlts]

I would say that TC is above almost all security software in that the source is available at all. There are a lot of utilities out there that there is no source available for unless one is a large government.

TC at least has a level playing field. China might have the source code, but at least you do too.

Re:

[Defenestrar]

Cant remember who or when, but it was observed that it's the pizza delivery guy.

Re:"According to my findings"

[Zerth]

You don't have to trust this person, they've given you the exact steps to do it yourself.

Re:

[djdanlib]

And how do you propose to know if any particular compiler or library is or isn't compromised?

Re:Now for extra credit

[Thud457]

Define the universe.
Give two examples. ;-)

Re:

[Qzukk]

At this point it means that if you go through the source code and understand it, you know what the truecrypt binaries are doing, because you can be pretty sure (modulo built-in compiler exploits affecting both your and their compiler the same way) their binaries match the source code.

Re:But can you trust Microsoft Visual C++

[shawn(at)fsu]

If you're that worried about a ken thompson attack (which this topic always devolves in to) then why even use a computer at all?

Re:But can you trust Microsoft Visual C++

[Dishevel]

I don't. I build all of code in hardware. That is rendered in MineCraft.

Re:

[Suiggy]

Why even live if you have file taxes?

Re:

[gman003]

He actually brings this up in TFA. He makes a note of two things that are "beyond the scope of this article": verifying that the compiler is not inserting any backdoors, and verifying that the source code has no security holes.

Re:

[MaskedSlacker]

That reminds me of a very old hack described in http://cm.bell-labs.com/who/ken/trust.html [bell-labs.com]

I would hope so since that's what he was referring to. What worries me is that it took this long in the comments for someone to reference "Trusting Trust." That should have been the obvious problem from the end of the first sentence of the summary.

Re:

[asmkm22]

He made very clear that he didn't audit the source code. Only that the binaries match the source code.

Re:

[YesIAmAScript]

Agreed there, but if he didn't audit the source code why did he make the statement it is not backdoored? He can't know if he didn't even look.

Re:

[YesIAmAScript]

Trust me, I'll audit it before I state that I know it isn't backdoored.

I wouldn't hold your breath for either to happen.

Re:

[ledow]

Er. No. It doesn't.

Re:

[ledow]

How is breaking a 2048-bit key encrypted by your password any less difficult than breaking a less-than-2048-bit password? (Hint: It's not. Quite the opposite).

The key is there to make it so that just the password, on its own, does not allow you to decrypt part of the data without also having the partition header (so getting a random sector off a storage device - say by doing magnetic history recovery if such a thing has ever existed - and having the password leaves you with NOTHING, you'd need the key se

Re:

[TangoMargarine]

TrueCrypt doesn't actually use public key encryption for the main de/encryption process (as it would apparently be hellaciously slow or something). It just uses PKE to encrypt the symmetric key, which I would guess is what must then be stored in the partition.

And you can't sign anything with either the public or private key and still be able to decrypt it unless you have the other half of the key pair.

Re:Can you trust the compiler?

[surmak]

The compiler (and support stack) is a MS compiler, and MS is already owned by "the man", so as Kernighan demonstrated you still can't trust it.

The disassembler he used is not. So it is (at least theoretically) possible to see if there is a back door. The compiler has a very low-level view of what it is doing. In order to add a back door, it would need to recognize when it is compiling TC. This could be a much more difficult technical problem than what Kernighan did to login, and, if discovered, would be devastating to MS from a PR standpoint.

Re:

[godrik]

Well, you can't trust any software you do not have the source code of. So of course you can not trust the MS compiler.

Re:

[Desler]

Do you have the attention span of a gnat? What you ask about is covered In the second sentence of the summary.

Re:

[nurb432]

It was a joke. Apparently not a successful one.

Re:

[geekoid]

It might have been if it already hadn't been said 127 times.