Slashdot Mirror

← Back to Stories (view on slashdot.org)

Coding Styles Survive Binary Compilation, Could Lead Investigators Back To Programmers (princeton.edu)

Posted by Soulskill on from the making-a-list-and-checking-it-twice dept.

An anonymous reader writes: Researchers have created an algorithm that can accurately detect code written by different programmers (PDF), even if the code has been compiled into an executable binary. Because of open source coding repositories like GitHub, state agencies can build a database of all developers and their coding styles, and then easily compare the coding style used in "anti-establishment" software to detect the culprit. Despite all the privacy implications this research may have, the algorithm can also be used by security researchers to track down malware authors. We also discussed an earlier phase of this research.

6 of 164 comments (clear)

  1. Frist! by Anonymous Coward · · Score: 2, Insightful

    Going to be lots of false positives on this one.

  2. Privacy implications? by Registered+Coward+v2 · · Score: 3, Insightful

    People have been analyzing writing styles for a long time to try to identify authors. Expecting your coding style to be obfuscated by compiling it has proven to be as wrong as thinking your identity is shielded if you publish under a pseudonym. If you make your code publicly available you really shouldn't have any expectation of privacy.

    --
    I'm a consultant - I convert gibberish into cash-flow.
    1. Re:Privacy implications? by Anonymous Coward · · Score: 4, Insightful

      I doubt it. Your code once compiled will be very similar to most other similarly skilled programmers in that language, unless you go out of your way to be obfuscate things - i.e. a poor coder. Compilers, libraries, APIs, language versions and proprietary extensions are beyond your coding style. This entire premise assumes there will be no false-positives, which will be the vast majority of hits. So basically, they're casting nets, and claiming success when they get one, ignoring the other thousand. Once you're at the binary, coding style has all but gone (assuming you're not doing assembler, which even then, will come down to the same few solutions to a given functional requirement).

  3. Fuck that. by Anonymous Coward · · Score: 3, Insightful

    Aren't we being tracked enough as it is?
    Why for fucks sake why?

    My new years resolution will to remove all my code from all public repositories.

  4. Accuracy 52% with 600 programmers and 8 samples by El_Muerte_TDS · · Score: 4, Insightful

    Good luck when your programmer pool is a couple of thousand and your samples consist out of obfuscated and underhanded software which is often produced by malware creators.

  5. Oh really? by Viol8 · · Score: 4, Insightful

    If you RTFA it seems their sample size was 20 programmers. Occasionally they went up to 100 and they're getting something like 60-80% accuracy. BFD.

    Guys - when you've sampled the compiled, optimised binary output (with all debug info stripped) of a million coders all using different compilers on different architectures and are getting at least a 99% accuracy rate, get back to us. In the meantime, I'm sure you'll get some nice marks from your supervisors but I won't be losing any sleep.