Subject: requesting proposals -- change detection
From: "Stephen J. Turnbull" <>
Date: Mon, 28 Jun 1999 22:06:23 +0900 (JST)

>>>>> "jss" == shapj  <> writes:

    jss> How might one go about "stamping" a distribution in such a
    jss> way that you can reliably *detect* when a customer has
    jss> altered it?  I have a recollection of some sort of signing
    jss> proposal, but I don't recall how it actually worked.

I don't see how you could do this, without installing signed binaries
into ROMs yourself.  You could theoretically demand that they provide
you with authenticated documentation to allow you to reproduce the
bits in the ROM, but that seems unreliable.

Signing the source is trivial---most big projects do that these
days---but I don't see how you can prevent the customer from altering
it and compiling a different copy.  It wouldn't even have to be
intentional.  For example, suppose the media they load the source onto
is defective, and the change is not detected by the build process.
They load the defective binary onto a machine, the worst happens, and
they sue you.

So the above "unreliable" method, requiring that they preserve the
build process, so that the binaries on the "gold master" can be
reproduced from signed source and compared to the binaries that caused
the failure, seems like the only way to go.  But this would be a real
headache in systems that put internal timestamps into objects, for
example: you'd need special checking software that stripped out the
timestamps.  So you probably in practice need to fall back to signed
binary distributions.

That would probably be acceptable to most customers, but I doubt all.
E.g., if they are statically linking with a proprietary library, you
would need to know addresses for any callbacks and which addresses
your code occupied, etc.  Again, the verification process is
theoretically possible, but practically hairy.

University of Tsukuba                Tennodai 1-1-1 Tsukuba 305-8573 JAPAN
Institute of Policy and Planning Sciences       Tel/fax: +81 (298) 53-5091
What are those two straight lines for?  "Free software rules."
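The verification path sketched in the message (a signed manifest of the source tree, then a rebuild from that source compared against the field binary with internal timestamps masked), as an added illustration that is not part of the original mail or any real project. The source files, the toy object format with its timestamp field, and the "compiler" are constructed for the example.

```python
import hashlib
import struct

# Constructed "distribution": a tiny source tree standing in for the shipped source.
SOURCE_TREE = {
    "kernel/main.c": b"int main(void) { return 0; }\n",
    "lib/cap.c": b"/* capability helpers */\n",
}

def manifest(tree):
    """SHA-256 per file: the 'stamp' the vendor signs and ships with the source."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in sorted(tree.items())}

def altered_files(signed_manifest, tree):
    """Paths whose contents differ from the signed manifest (changed, missing or added)."""
    current = manifest(tree)
    return sorted(p for p in set(signed_manifest) | set(current)
                  if signed_manifest.get(p) != current.get(p))

# Constructed object layout: 4-byte magic, 4-byte little-endian build timestamp, then code.
HEADER = struct.Struct("<4sI")

def build(tree, timestamp):
    """Toy 'compiler': deterministic except for the build timestamp it embeds."""
    body = b"".join(data for _, data in sorted(tree.items()))
    return HEADER.pack(b"OBJ\x00", timestamp) + body

def strip_timestamp(obj):
    """Zero the timestamp field so two builds of identical source compare equal."""
    magic, _ = HEADER.unpack_from(obj)
    return HEADER.pack(magic, 0) + obj[HEADER.size:]

def same_build(gold_master, field_binary):
    """Compare two binaries with the timestamp field masked out of both."""
    return (hashlib.sha256(strip_timestamp(gold_master)).digest()
            == hashlib.sha256(strip_timestamp(field_binary)).digest())
```

Masking only the known timestamp field keeps every other byte in the comparison, so a customer-side change to the source still shows up as a mismatch even when the rebuild happens at a different time.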