Problems: Fewer alternative C++ compilers, so harder to test against 'Trusting Trust' attack

Posted Jun 18, 2008 18:55 UTC (Wed) by dwheeler (guest, #1216)
In reply to: Converting GCC to C++ by pynm0001
Parent article: Converting GCC to C++

There is a downside: Countering the "Trusting Trust" attack (as made well-known by Ken Thompson). There _IS_ a counter to this attack, but it requires having a second C++ compiler that isn't subverted the same way.

It's relatively easy to develop a C compiler that generates running code (may not be efficient, but it runs). It's harder to create a C++ compiler. Thus, there are more C compilers, which can act as a check on the gcc C compiler.


Problems: Fewer alternative C++ compilers, so harder to test against 'Trusting Trust' attack

Posted Jun 18, 2008 19:12 UTC (Wed) by pynm0001 (guest, #18379)

Um, fair enough, but this is like using autoconf so that your program can build on 10 year old AIX machines... it's optimizing for a problem that only precious few people care about, and the other 99% of people who could benefit would instead have to suffer. Which is why we have the explosion in new build systems... :-/

Those who are really worried that Ubuntu has corrupted their g++ binaries can use pcc to compile an older version of gcc I suppose.

But you leave out one thing. Can an ANSI C compiler build gcc? I'm pretty sure that gcc requires gcc-extensions to C to build at this point anyways so you already need to trust gcc if you use it as your compiler. In addition if you look at Ian's slides on how things could look I would claim that a C++ implementation would at least be easier to perform code review on, and even static analysis.

Actually you could simply build a current g++ and place it on read-only media and use it to build the new C++-based gcc. If it's different from the installed version then perhaps malware code has been slipped into the compiler as described in Thompson's article. But I don't see how simply having the compiler in C helps in this case. You still need a "safe" version of gcc, and that already compiles C++.

Problems: Fewer alternative C++ compilers, so harder to test against 'Trusting Trust' attack

Posted Jun 18, 2008 19:19 UTC (Wed) by willy (subscriber, #9762)

> Can an ANSI C compiler build gcc?

Yes. Indeed, until a few years ago, GCC could be compiled with pre-ANSI compilers. Thankfully, functions now have prototypes.

On the trusting trust issue, there's nothing to stop you starting with your own trusted C compiler, compiling gcc/g++ 4.3, then using those to compile gcc/g++ 5.0.
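The rebuild-and-compare check the thread describes (build the compiler's source with a second, independently trusted compiler, rebuild the same source with the result, then compare against the binary you were handed) as an added example; it is not part of any comment above. Because a real gcc bootstrap cannot run inside a self-contained snippet, it models compiler binaries as tiny Python programs in a constructed toy language, and every name in it is an assumption of mine, not a real tool.

```python
"""Diverse double-compiling (DDC) check in miniature.

A "compiler binary" is a Python source string that defines compile_fn(src) -> str.
Running a binary means exec'ing it; compiling means calling its compile_fn.
All compilers and sources below are constructed for this example.
"""
import hashlib


def run_compiler(binary: str, source: str) -> str:
    ns: dict = {}
    exec(binary, ns)                      # "execute" the binary
    return ns["compile_fn"](source)       # and compile the given source with it


def sha256(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


# Toy self-hosting compiler: "compilation" normalises whitespace, so the
# compiler's own source compiles to a binary that behaves exactly like it.
COMPILER_SOURCE = r'''
def compile_fn(src):
    return "\n".join(line.rstrip() for line in src.strip().splitlines()) + "\n"
'''

# Independent trusted compiler (the "pcc" of the thread): a different
# implementation of the same language, built by someone else.
TRUSTED_COMPILER = r'''
import re
def compile_fn(src):
    return re.sub(r"[ \t]+\n", "\n", src.strip()) + "\n"
'''

# A binary whose behaviour is not in any source file: it recognises a
# compiler build and emits extra output. Source review alone cannot see this.
TAMPERED_BINARY = r'''
def compile_fn(src):
    out = "\n".join(line.rstrip() for line in src.strip().splitlines()) + "\n"
    if "def compile_fn" in src:
        out += "# behaviour present in the binary but in no source file\n"
    return out
'''


def ddc_check(source: str, binary_under_test: str, trusted_compiler: str) -> dict:
    """Stage 1: trusted compiler builds `source`. Stage 2: stage 1 rebuilds it.
    If `binary_under_test` is faithful to `source`, stage 2 must equal it."""
    stage1 = run_compiler(trusted_compiler, source)
    stage2 = run_compiler(stage1, source)
    return {"stage2": sha256(stage2), "binary": sha256(binary_under_test),
            "match": stage2 == binary_under_test}


if __name__ == "__main__":
    honest = run_compiler(TRUSTED_COMPILER, COMPILER_SOURCE)
    print("honest  :", ddc_check(COMPILER_SOURCE, honest, TRUSTED_COMPILER)["match"])
    print("tampered:", ddc_check(COMPILER_SOURCE, TAMPERED_BINARY, TRUSTED_COMPILER)["match"])
```

The check only means something when the trusted compiler is genuinely independent and the build is deterministic; a mismatch says the binary and its source disagree, not where the difference came from.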

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds