Slashdot Mirror
Coding Styles Survive Binary Compilation, Could Lead Investigators Back To Programmers (princeton.edu)
An anonymous reader writes: Researchers have created an algorithm that can accurately detect code written by different programmers (PDF), even if the code has been compiled into an executable binary. Because of open source coding repositories like GitHub, state agencies can build a database of all developers and their coding styles, and then easily compare the coding style used in "anti-establishment" software to detect the culprit. Despite all the privacy implications this research may have, the algorithm can also be used by security researchers to track down malware authors.
We also discussed an earlier phase of this research.
Going to be lots of false positives on this one.
People have been analyzing writing styles for a long time to try to identify authors. Expecting your coding style to be obfuscated by compiling it has proven to be as wrong as thinking your identity is shielded if you publish under a pseudonym. If you make your code publicly available you really shouldn't have any expectation of privacy.
I'm a consultant - I convert gibberish into cash-flow.
gotta change my indentation style and public void( String s1 ) whitespace habit, now the guvnmunt automagically can also get these out of binaries built from my code. O gawd, I'm afraid now.
Religous speak to God. Insane are spoken to by God. When all shut up, one can finally hear Shostakovich in peace
Aren't we being tracked enough as it is?
Why for fucks sake why?
My new years resolution will to remove all my code from all public repositories.
Good luck when your programmer pool is a couple of thousand and your samples consist out of obfuscated and underhanded software which is often produced by malware creators.
Good luck tracking me!! I copy all of my code from Stackoverflow!
90% of everything is crap. Also, crap is relative.
If you RTFA it seems their sample size was 20 programmers. Occasionally they went up to 100 and they're getting something like 60-80% accuracy. BFD.
Guys - when you've sampled the compiled, optimised binary output (with all debug info stripped) of a million coders all using different compilers on different architectures and are getting at least a 99% accuracy rate, get back to us. In the meantime, I'm sure you'll get some nice marks from your supervisors but I won't be losing any sleep.
This is why I steal most of my functional code from GitHub in the first place...
--OR--
Easy to avoid detection by simply NOT UPLOADING code to GitHub in the first place. The assumption that every dev does this is stupid.
Which has more power: the hammer, or the anvil?
As a systems admin I have been called upon at times to automate a few things. Doing so in my situation seemed easiest with vb.net. (Yes I know the actual programmers here are recoiling with horror. Stuff it, the program works, and saves me vast amounts of time)
In that program somewhere around 5% are lines that I actually coded. Everything else is snippets of code from Microsoft's help files, question/answer sites, and similar opensource programs found online. Unless they are checking for things like the fact that I included no error handling (since I am the only one that uses said program) I fail to see how this would work at all.
The variable naming conventions are many and varied, there are almost no unique lines of code in the program, and it uses only standard libraries. On top of that I don't have any other programs accredited to me floating around the interwebs, at least in vb.net, so there is nothing to compare it to.
So how exactly are they going to tell you who wrote that monstrosity? In fact it sounds like their algorithm depends upon the author having other accredited works available out there. So if you don't put anything up on public code sharing sights, you have nothing to worry about.
In that program somewhere around 5% are lines that I actually coded. Everything else is snippets of code from Microsoft's help files, question/answer sites, and similar opensource programs found online. Unless they are checking for things like the fact that I included no error handling (since I am the only one that uses said program) I fail to see how this would work at all.
I strongly suspect this is precisely the kind of code that they will most easily be able to associate to individuals.
Through their deep analysis of public code, I would strongly suspect that they have cached those segments, like any good search engine or data analysis would do. As such, they can diff and cut out any code that has been duplicated from elsewhere (just as they could with raw source code). Anything modified by you would remain.
Because your coding style is, admittedly, quite different from that in the snippets, it will stand out as if it were glowing.
That said, if you were a more competent** programmer, then it'd be more difficult to distinguish your code from everything else as it'd all follow best practices.
** or some other appropriate word that means you code in similar style to well established design patterns
At 32c3 https://www.youtube.com/watch?... , Daniel Lange and Felix Domke presented their analysis of Volkswagen's "Dieselgate" software. It seems that that one doesn't look like ordinary code at all, but rather like code patterns generated from tables that relate sensory data to engine control parameters. Think of one of the earliest motivations for building computing machines in the first place: To create parameter tables for artillery aiming!
As such, they can diff and cut out any code that has been duplicated from elsewhere (just as they could with raw source code). Anything modified by you would remain. Because your coding style is, admittedly, quite different from that in the snippets, it will stand out as if it were glowing.
The funniest thing about this is how wrong that statement is. I can take myself as an example, I've worked in multiple shops, several with different code formatting practices, not to mention potentially different languages. I generally configure my IDE to whatever code formatting requirements there are, so everything I add gets put into the current format. Naming practices are whatever is in the current codebase. So, essentially, from a source and binary perspective, my code will look like whatever the current code base should. Snippets cut from anywhere will always be refactored to fit my needs, and thus may not look at all like what was snipped.
In short, this is a whole barrel of snake oil for any one actually working professionally and not that rare lone wolf that only codes their own specific way.
The cesspool just got a check and balance.
It seems to me like the easiest way to avoid being identified in this regard would be to write code that follows any published general style guidelines or otherwise very common conventions.
As a side effect, it will make your source code more readable to others, which is beneficial if you are on a programming team.
File under 'M' for 'Manic ranting'
while i don't think you'll be able to identify an exact person, i do think this technology could be used to identify code that is prone to error and exploitation or even code that is for exploitation.
Anons need not reply. Questions end with a question mark.
I suspect the successful detection rate may be a bit lower.
Did the same team that developed that code also run an accuracy assessment? Was there a "prize" (contract payment) associated with meeting certain accuracy? I remember reading about facial recognition systems which worked well in labs, but fail in the field.
As soon as developers become aware that they might be identified, I think that they might do things (spoof, run beautify and strip comments) to throw such a system off.