Coding Styles Survive Binary Compilation, Could Lead Investigators Back To Programmers

An anonymous reader writes: Researchers have created an algorithm that can accurately detect code written by different programmers (PDF), even if the code has been compiled into an executable binary. Because of open source coding repositories like GitHub, state agencies can build a database of all developers and their coding styles, and then easily compare the coding style used in "anti-establishment" software to detect the culprit. Despite all the privacy implications this research may have, the algorithm can also be used by security researchers to track down malware authors. We also discussed an earlier phase of this research.

Privacy implications?

[Registered+Coward+v2]

People have been analyzing writing styles for a long time to try to identify authors. Expecting your coding style to be obfuscated by compiling it has proven to be as wrong as thinking your identity is shielded if you publish under a pseudonym. If you make your code publicly available you really shouldn't have any expectation of privacy.

Re:Privacy implications?

I doubt it. Your code once compiled will be very similar to most other similarly skilled programmers in that language, unless you go out of your way to be obfuscate things - i.e. a poor coder. Compilers, libraries, APIs, language versions and proprietary extensions are beyond your coding style. This entire premise assumes there will be no false-positives, which will be the vast majority of hits. So basically, they're casting nets, and claiming success when they get one, ignoring the other thousand. Once you're at the binary, coding style has all but gone (assuming you're not doing assembler, which even then, will come down to the same few solutions to a given functional requirement).

Heck

[vikingpower]

gotta change my indentation style and public void( String s1 ) whitespace habit, now the guvnmunt automagically can also get these out of binaries built from my code. O gawd, I'm afraid now.

Re:Heck

[JaredOfEuropa]

Ideally there is such an enforced coding standard, but I have worked in situations with merged teams or projects where coding styles were rather mixed. From what I could see, cosmetic stuff like braces and indentations caused some annoyance but it didn't really lead to much lost coding time, increased effort in fixing or changing things, or an increase in bugs.

Anyway, brace placement won't survive compilation so this method is useless for rooting out the K&R traitors.

Fuck that.

Aren't we being tracked enough as it is?
Why for fucks sake why?

My new years resolution will to remove all my code from all public repositories.

Accuracy 52% with 600 programmers and 8 samples

[El_Muerte_TDS]

Good luck when your programmer pool is a couple of thousand and your samples consist out of obfuscated and underhanded software which is often produced by malware creators.

Stackoverflow is the culprit!

[WarmBoota]

Good luck tracking me!! I copy all of my code from Stackoverflow!

Oh really?

[Viol8]

If you RTFA it seems their sample size was 20 programmers. Occasionally they went up to 100 and they're getting something like 60-80% accuracy. BFD.

Guys - when you've sampled the compiled, optimised binary output (with all debug info stripped) of a million coders all using different compilers on different architectures and are getting at least a 99% accuracy rate, get back to us. In the meantime, I'm sure you'll get some nice marks from your supervisors but I won't be losing any sleep.

Re:I doubt this

[Lab+Rat+Jason]

This is why I steal most of my functional code from GitHub in the first place...

--OR--

Easy to avoid detection by simply NOT UPLOADING code to GitHub in the first place. The assumption that every dev does this is stupid.

Re:I doubt this

As a systems admin I have been called upon at times to automate a few things. Doing so in my situation seemed easiest with vb.net. (Yes I know the actual programmers here are recoiling with horror. Stuff it, the program works, and saves me vast amounts of time)

In that program somewhere around 5% are lines that I actually coded. Everything else is snippets of code from Microsoft's help files, question/answer sites, and similar opensource programs found online. Unless they are checking for things like the fact that I included no error handling (since I am the only one that uses said program) I fail to see how this would work at all.

The variable naming conventions are many and varied, there are almost no unique lines of code in the program, and it uses only standard libraries. On top of that I don't have any other programs accredited to me floating around the interwebs, at least in vb.net, so there is nothing to compare it to.

So how exactly are they going to tell you who wrote that monstrosity? In fact it sounds like their algorithm depends upon the author having other accredited works available out there. So if you don't put anything up on public code sharing sights, you have nothing to worry about.

What if the style was "idiomatic"?

[mark-t]

It seems to me like the easiest way to avoid being identified in this regard would be to write code that follows any published general style guidelines or otherwise very common conventions.

As a side effect, it will make your source code more readable to others, which is beneficial if you are on a programming team.

possible upside

[Gravis+Zero]

while i don't think you'll be able to identify an exact person, i do think this technology could be used to identify code that is prone to error and exploitation or even code that is for exploitation.

Re:Frist!

[ShanghaiBill]

False positives are not a problem if you deal with them rationally. If a woman is murdered, and the DNA matches one in a million, then in a country of 300 million, there will be 300 matches, and 299 false positives. But if only one lives in the same city, and it happens to be her ex-boyfriend, then the DNA match is useful information.