[amelius]

But what if the malicious code is time activated? (just an example)

[swegg]

This is actually addressed in the paper. Basically you can use testing to detect the timebomb, up to a negligible probability.

This paper is approachable, it's understandable without too much background if you're interested in the topic.