Compiling Source

Live presentation @ http://averageradical.github.io/compile/#/

Source of this presentation @ https://github.com/averageradical/compile

Agenda

• Why?
• Limitations
• How?
• Examples

Why compile?

• Learn/Play.
• Make modifications.
• Improve and contribute.
• Verify what you're running.

Limitations

Open source doesn't necessarily mean it's more secure.

The Heartbleed Bug was in the wild for more than 2 years.

At the time, OpenSSL was a popular package and the vulnerability affected more than 15% of all secure websites.

Limitations

Difficult to verify anything you download.

If attacker has server's TLS private key.

If attacker manipulates certificate authority.

Corollary: How do you know the Tor browser or Tails LiveCD you downloaded is legitimate?

Limitations

“You can't trust code that you did not totally create yourself... No amount of source-level verification or scrutiny will protect you from using untrusted code. In demonstrating the possibility of this kind of attack, I picked on the C compiler. I could have picked on any program-handling program such as an assembler, a loader, or even hardware microcode. As the level of program gets lower, these bugs will be harder and harder to detect. A well installed microcode bug will be almost impossible to detect.” - Ken Thompson (Bell Labs, Unix, Go, UTF-8)

How?

Compile in Linux. In general, easier, problems less likely.

If you're on Mac or Windows, run Linux in a Virtual Machine:

• VirtualBox (Linux/Mac/Windows)
• QEMU/KVM (Linux/Mac)
• Windows Virtual PC (Windows)

Linux

Many flavors of Linux. Compilation instructions vary.

I prefer Fedora+KDE. Examples:

• Fedora
• Ubuntu
• Mint
• Tails
• Gentoo

What

• Bitcoin Core: bitcoind and bitcoin-qt
• Bitcoin Armory: Desktop Bitcoin Wallet
• bitcoin-wallet: Android Bitcoin Wallet

Compile Steps

1. Review License
2. Download Source(s)
3. Read Instructions
4. Compile
5. Install

Licenses

Projects have license in README, COPYING or LICENSE file.

If no license, view website's terms (e.g. Github is impermissive).

• MIT and BSD: Permissive. Attribute.
• GPL: Share modifications if distributed.
• AGPL: Share modifications if distributed or served.
• Apache: Permissive. Grants patent rights.
• Public Domain (e.g. CC0): Permissive.
• Others: LGPL, Mozilla, Eclipse, Berne, etc.

Download Source(s)

Sources either ZIPs/Tarballs or in a repository (e.g. Github.com).

Project websites/READMEs often have instructions.

e.g., BitcoinArmory.com > Download > Building From Source

Optionally, verify signature (remember caveats from first slides).

Instructions

Instructions usually on the website or in the source package.

In package, text file often called README, NOTES, or INSTALL.

Instructions often list dependencies you need to install (compiler, libraries, etc.).

Compile

Compilers depend on the type of code. GUI:

• Android: Java/AndroidSDK
• iOS: Objective-C/Xcode
• Windows: C++/.NET/Visual Studio
• Linux-Gnome: C++/GTK+
• Linux-KDE: C++/QT
• Linux-Python: Python/QT
• Java/Swing/SWT, Maven

Install

Compilers produce executables or binaries:

• Android: APK. Download, enable "Unknown Sources," open.
• iOS: IPA. Installation complicated.
• Windows: EXE or MSI.
• Linux: ELF EXE, Shell script, Python script, etc.
• Mac: DMG.

DEMO

Demo Environment

1. Install VirtualBox
2. Download Fedora KDE 64-bit ISO
3. Start VirtualBox > New > Type=Linux/Fedora (64-bit)
4. Create Virtual Hard Drive (VirtualBox Disk Image), 40GB
5. Click Start and select the ISO file
6. Once Fedora starts, click Install to Hard Drive
7. Install with defaults, create root password and normal user (check 'Make Administrator')
8. Click Start > Leave > Shut down
9. Right Click on VM > Settings > Storage > Select the ISO under Controller:IDE > On the right, click the CD button > Remove disk > OK > Start
10. Login with normal user/password
11. Click Start and type Konsole

Fedora Dependencies

Dependencies needed for this presentation:

$ sudo yum update -y
$ reboot # If kernel was updated
$ sudo yum groupinstall -y "Development Tools" "Development Libraries"
$ sudo yum install -y gcc-c++ libtool swig pyqt4-devel python-psutil python-twisted wget protobuf-devel maven glibc.i686 glibc-devel.i686 libstdc++.i686 zlib-devel.i686 ncurses-devel.i686 libX11-devel.i686 libXrender.i686 libXrandr.i686

Example: bitcoind/bitcoin-qt

$ wget -qO- 'http://download.oracle.com/berkeley-db/db-4.8.30.NC.tar.gz' | tar -xzv && cd db*/build_unix
$ ../dist/configure --enable-cxx --disable-shared --with-pic --prefix=/usr/local/
$ make
$ sudo make install
$ cd; wget -qO- https://www.openssl.org/source/openssl-1.0.1i.tar.gz | tar -xzv && cd o*
$ export CFLAGS="-fPIC"; ./config --prefix=/usr/local shared enable-ec enable-ecdh enable-ecdsa
$ make depend && make all
$ sudo make install
$ cd; git clone git://github.com/bitcoin/bitcoin.git; cd bitcoin
$ ./autogen.sh && ./configure LDFLAGS="-Wl,-rpath=/usr/local/lib64 -L/usr/local/lib/ -L/usr/local/lib64/" CPPFLAGS="-I/usr/local/include/"
$ make
$ sudo make install
$ mkdir ~/.bitcoin; wget -O ~/.bitcoin/bitcoin.conf https://raw.githubusercontent.com/averageradical/compile/gh-pages/example/bitcoin.conf
$ bitcoin-qt # or nohup bitcoind &
$ bitcoin-cli help

Example: BitcoinArmory

• Download Sources:

  $ cd; git clone git://github.com/etotheipi/BitcoinArmory.git
  $ cd BitcoinArmory

• Compile:

  $ make

• Run:

  $ python ArmoryQt.py

Modify

Learning all the code takes time. Reverse engineer at first.

Recursive grep is a good place to start. Let's change the title:

$ grep -R "Bitcoin Wallet Management" *

Edit ArmoyQt.py, go to line 97, change it, and re-run.

Example: bitcoin-wallet

• Download Android SDK:

  $ cd; wget -qO- https://dl.google.com/android/android-sdk_r23.0.2-linux.tgz | tar xzv
  $ android-sdk-linux/tools/android update sdk --no-ui --filter platform,platform-tool,tool,build-tools-20.0.0

• Download Sources:

  $ git clone https://github.com/schildbach/bitcoin-wallet.git
  $ cd bitcoin-wallet

• Patch (why):

  $ sed -i 's/3.7.0/3.8.2/g' pom.xml

• Compile:

  $ mvn clean install -Dandroid.sdk.path=/home/`whoami`/android-sdk-linux/

• APKs under wallet/target

Tips

• Building is a game of whac-a-mole with errors. When searching online, some answers are bad, so a VM is good.
• When using ./configure, it often bails with an error. Install the required dependency and re-run.
• After making a change, run the build again (e.g. make) and it should only recompile what's necessary.
• It's not easy to interpret compiler output. In general, "warning" is okay, "error" is bad.

THE END

Questions: averageradical@gmail.com

Donations @ 1QDEf7xr33aHGPZUHg9WHQkyGLcYKXcv4i