From: "Ian Farquhar" <ianf@sydney.sgi.com>
> > Recompile the binary from newly uploaded source each time.

MD5 source isn't more than about 10K long. That's all of a few seconds of upload time.

> Irritating [...]

??? An upload can be automated, just like any other solution.

> [...] and also insecure (system admin intercepts the upload and replaces it with source of his or her own).

_Every_ solution to this problem is insecure, when it comes down to it. What you asked for is something that makes things more difficult. Interception can be made quite difficult. Make the "upload" consist of simulating a keyboard typing the source code into emacs. Change the file name each time. Obfuscate the source by redefining variables each time. Pipe the output directly into the compiler; hell, compile straight from stdin!

You can't go about protecting against the modification of binaries by relying upon one of your binaries being better protected than the rest. There's an infinite regress involved here. The solution is to go outside the regress. Recreating the binary from scratch is one way. I'm sure there are others.
> I am pretty much certain that to make such a system perfectly secure under these conditions is impossible.

Is there a standard proof for this, though? I suspect that there is, but have not discovered it. Get the essay that Perry mentioned and start there. Keep in mind that object code can be interpreted in many different ways, only one of them typically expected.

Eric
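The message above argues that the MD5 source is small enough to carry with you and rebuild from scratch every time, so that you never have to trust a binary left on the machine. The following is an added example, not code from the thread or from any of its participants: a compact MD5 implementation (roughly the size the message has in mind) together with a known-answer check against the test vectors published in RFC 1321, the check a defender would run on a freshly rebuilt tool before trusting it. The function names `md5` and `known_answer_check` and the `RFC1321_VECTORS` table are this example's own; the vectors themselves are the ones from the RFC.

```python
"""Small MD5 reference (RFC 1321) plus a known-answer self-check.

Added example for the thread above; not the participants' code.
The point it illustrates: the whole algorithm fits in a few dozen
lines, so it can be re-created from carried source and checked
against published test vectors rather than trusting a resident binary.
"""
import math
import struct

# Per-round left-rotation amounts, as given in RFC 1321.
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4

# K[i] = floor(abs(sin(i + 1)) * 2^32), also from RFC 1321.
K = [int(abs(math.sin(i + 1)) * 2 ** 32) & 0xFFFFFFFF for i in range(64)]

MASK32 = 0xFFFFFFFF


def _rotl(x, c):
    """Rotate a 32-bit value left by c bits."""
    return ((x << c) | (x >> (32 - c))) & MASK32


def md5(data: bytes) -> str:
    """Return the MD5 digest of `data` as a lowercase hex string."""
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476

    # Padding: a single 0x80 byte, zeros to 56 mod 64, then the
    # original bit length as a little-endian 64-bit integer.
    msg = bytearray(data)
    bit_len = (8 * len(data)) & 0xFFFFFFFFFFFFFFFF
    msg.append(0x80)
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", bit_len)

    for off in range(0, len(msg), 64):
        M = struct.unpack("<16I", msg[off:off + 64])
        A, B, C, D = a0, b0, c0, d0
        for i in range(64):
            if i < 16:
                F = (B & C) | (~B & D)
                g = i
            elif i < 32:
                F = (D & B) | (~D & C)
                g = (5 * i + 1) % 16
            elif i < 48:
                F = B ^ C ^ D
                g = (3 * i + 5) % 16
            else:
                F = C ^ (B | ~D)
                g = (7 * i) % 16
            # Masking after the addition also discards the sign bits
            # that Python's ~ operator leaves above bit 31.
            F = (F + A + K[i] + M[g]) & MASK32
            A, D, C = D, C, B
            B = (B + _rotl(F, S[i])) & MASK32
        a0 = (a0 + A) & MASK32
        b0 = (b0 + B) & MASK32
        c0 = (c0 + C) & MASK32
        d0 = (d0 + D) & MASK32

    return struct.pack("<4I", a0, b0, c0, d0).hex()


# Known-answer vectors from RFC 1321, appendix A.5 (test suite).
RFC1321_VECTORS = {
    b"": "d41d8cd98f00b204e9800998ecf8427e",
    b"a": "0cc175b9c0f1b6a831c399e269772661",
    b"abc": "900150983cd24fb0d6963f7d28e17f72",
    b"message digest": "f96b697d7cb7938d525a2f31aaf161d0",
    b"abcdefghijklmnopqrstuvwxyz": "c3fcd3d76192e4007dfb496cca67e13b",
}


def known_answer_check(digest_fn) -> bool:
    """True if `digest_fn` reproduces every RFC 1321 test vector.

    `digest_fn` takes bytes and returns a hex digest; pass the freshly
    rebuilt implementation here before relying on it for anything else.
    """
    return all(digest_fn(m) == h for m, h in RFC1321_VECTORS.items())


if __name__ == "__main__":
    print("self-check:", "ok" if known_answer_check(md5) else "FAILED")
    print(md5(b"abc"))
```

The known-answer check catches a crudely broken or substituted implementation, but it does not settle the question the thread ends on: a replacement that behaves correctly on the published vectors and misbehaves only on chosen inputs passes it, which is exactly why the message insists that no resident binary can be trusted more than the source you bring with you.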