[aklug] Ken Thompson Bug (i.e., compiler trojan)

From: Christopher Howard <christopher.howard@frigidcode.com>
Date: Tue Jan 31 2012 - 18:04:05 AKST

Have any of you all ever read this old paper? I thought it was a
rather interesting subject:

http://cm.bell-labs.com/who/ken/trust.html

I heard it mentioned on the faif-oggcast:

http://ftp.osuosl.org/pub/faif-oggcast/FaiF_0x21_Inspirational-Conf.ogg

It deals with the chicken-and-the-egg software security problem that
compilers (like gcc) are written in their own programming language,
and therefore have to be compiled at least once by a different
compiler (bootstrapped, as they say). If you are the person that
provided that original compiler (and you also happen to be a genius)
you can include programming in your compiler that injects back door
programming into every compiler it compiles. The compiled compilers
will, in turn, compile back door programming into all the compilers
they compile, as well as all regular software that they compile, and
so on.

In other words, even if you've inspected every line of source code in
the current version of, say, gcc, and all the programs you compile
with it, you don't actually know for sure whether or not it is secure
if you don't trust the compiler that was used to compile gcc. Thompson
demonstrated that it was possible to write a compiler trojan that,
once it (eventually) infected the UNIX login program, would cause it
to accept a backdoor password as well as the one that the system provided.

What is especially interesting is that, evidently, nobody remembers
what gcc was originally compiled with (including Stallman himself).

Anyway, I guess the odds of this actually having happened are all
quite low, though I found an article about a modern compiler trojan
targeted against the Delphi development environment, whatever that is:

http://www.h-online.com/security/news/item/Virus-infects-development-environment-743003.html

Now that my curiosity is piqued, I'm downloading the gcc svn trunk to
see if there are any old changelog entries that mention the original
compiler.

--
frigidcode.com
theologia.indicium.us
Received on Tue Jan 31 18:01:32 2012

This archive was generated by hypermail 2.1.8 : Tue Jan 31 2012 - 18:01:32 AKST
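
Added illustration of the mechanism the message above describes (not part of the original post, and not Thompson's code): a toy Python model in which a trojaned compiler binary keeps reproducing itself from clean source, followed by a diverse double-compiling check, a defence the post does not mention, that exposes the mismatch using an independent trusted compiler. Every name here (`Binary`, `run_compiler`, the placeholder password) is hypothetical, and the "binaries" are constructed records rather than real executables.

```python
import hashlib
from dataclasses import dataclass

# Constructed stand-ins: in this toy model a string *is* the source file.
CC_SRC = "cc.c: clean, fully audited compiler source"
LOGIN_SRC = "login.c: clean, fully audited login source"
BACKDOOR = "BACKDOOR-PLACEHOLDER"   # hypothetical value, appears in no source above

@dataclass(frozen=True)
class Binary:
    semantics: str   # the source this binary was built from
    codegen: str     # source of the compiler whose code generator emitted it
    trojan: bool     # hidden behaviour that no source file contains

    def digest(self) -> str:
        """Stand-in for hashing the bytes of a deterministic build."""
        return hashlib.sha256(repr(self).encode()).hexdigest()

def run_compiler(cc: Binary, source: str) -> Binary:
    """Run compiler binary `cc` on `source`. A trojaned compiler re-inserts
    the trojan whenever it recognises the compiler or login source."""
    infect = cc.trojan and source in (CC_SRC, LOGIN_SRC)
    return Binary(source, cc.semantics, infect)

def login_accepts(login: Binary, password: str, real: str) -> bool:
    return password == real or (login.trojan and password == BACKDOOR)

def rebuild_generations(seed: Binary, n: int) -> Binary:
    """Recompile the clean compiler source n times, each with the previous output."""
    cc = seed
    for _ in range(n):
        cc = run_compiler(cc, CC_SRC)
    return cc

def ddc_matches(suspect: Binary, trusted: Binary) -> bool:
    """Diverse double-compiling: trusted -> stage1 -> stage2, then compare
    stage2 with the suspect compiler's own rebuild of the same source."""
    stage1 = run_compiler(trusted, CC_SRC)   # right semantics, foreign codegen
    stage2 = run_compiler(stage1, CC_SRC)    # right semantics, own codegen
    return stage2.digest() == run_compiler(suspect, CC_SRC).digest()

TRUSTED = Binary("other-cc.c: independent compiler", "hand-assembled", False)
EVIL_SEED = Binary(CC_SRC, "unknown", True)      # the original bootstrap binary
HONEST_SEED = Binary(CC_SRC, "unknown", False)

if __name__ == "__main__":
    cc = rebuild_generations(EVIL_SEED, 5)
    login = run_compiler(cc, LOGIN_SRC)
    print("backdoor after 5 clean rebuilds:", login_accepts(login, BACKDOOR, "s3cret"))
    print("DDC match (trojaned, honest):", ddc_matches(cc, TRUSTED),
          ddc_matches(rebuild_generations(HONEST_SEED, 5), TRUSTED))
```

The comparison is only meaningful when builds are deterministic, which the model assumes by hashing a fixed representation of each record.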