| |||||||||||||
Countering the trusting trust attackCountering the trusting trust attackPosted Feb 3, 2010 4:22 UTC (Wed) by dwheeler (guest, #1216)In reply to: Security in the 20-teens by nix Parent article: Security in the 20-teens
My web page on countering trusting trust through diverse double-compiling (DDC) has all the details on my DDC approach. DDC uses a second compiler to detect the trusting trust attack, and it's perfectly fine if the second compiler is also subverted; DDC merely presumes that the second compiler isn't subverted in exactly the same way. Nix's posting is a nice summary its implications. As nix says, DDC 'reduces to the problem to "you can't trust compilers produced by a cooperating malevolent group, nor code compiled with those compilers". But if you have several compilers, some of which are trustworthy *or are produced by malevolent groups that are not in communication*, then those compilers will not introduce the Thompson hack into the *other* compilers when compiling them, and the attack falls apart. This is a much harder bar for attackers to leap over: from subverting one compiler, they have to subvert every compiler you might possibly use targetting that architecture if they are to go undetected.' There are lots of details on that website, including the entire dissertation. The dissertation includes mathematical proofs and demonstrations with several open source software compilers (including GCC). By the way, the DDC approach can only be applied if you have the source code. So DDC gives an advantage to compilers whose source code is publicly available, including OSS compilers.
(Log in to post comments)
Countering the trusting trust attack Posted Feb 3, 2010 8:53 UTC (Wed) by paulj (subscriber, #341) [Link]
Hi,
I've replied to Nix. The work is nice, no doubt, but it still requires 1 absolutely
Do you think the "Fully" in the title of your thesis is perhaps unfortunate
Countering the trusting trust attack Posted Feb 3, 2010 23:24 UTC (Wed) by dwheeler (guest, #1216) [Link]
> The work is nice, no doubt, but it still requires 1 absolutely trusted compiler, which would have to be written (or verified/assumed)...
It does not have to be absolutely trusted, in the sense of being perfect on all possible inputs. It can be subverted, and/or have bugs, as long as it will compile the compiler-under-test without triggering a subversion or bug.
> Do you think the "Fully" in the title of your thesis is perhaps unfortunate though? Your work seems to re-enforce Thompson's result rather than fully counter it, surely?
No, it's not unfortunate. It's intentional.
Thompson's "trusting trust" attack is dead. Thompson correctly points out a problem with compilers and other lower-level components, but his attack presumes that you can't easily use some other system that acts as a *check* on the first. It's not just that you can recompile something with a different compiler; people noted that in the 1980s.
A key is that DDC lets you *accumulate* evidence. If you want, you can use DDC 10 times, with 10 different trusted compilers; an attacker would have to subvert ALL TEN trusted compilers *AND* the original compiler-under-test executable to avoid detection. Fat chance.
Countering the trusting trust attack Posted Feb 3, 2010 23:40 UTC (Wed) by paulj (subscriber, #341) [Link]
Thanks for your reply. Again, I stress that I appreciate the practical benefits
of your approach.
I saw the caveat in the thesis about the trusted compiler-compiler only
Your approach still rests in complete trust in one compiler, according to your
See my other comment about how viruses have advanced from Thompson's
Anyway, I'll leave it there.
Countering the trusting trust attack Posted Feb 4, 2010 23:11 UTC (Thu) by bronson (subscriber, #4806) [Link]
> Your approach still rests in complete trust in one compiler
No, it doesn't. David described this in an ancestor post. It just rests on the assumption that a single group of attackers can't subvert every single one of your compilers.
Countering the trusting trust attack Posted Feb 4, 2010 23:54 UTC (Thu) by nix (subscriber, #2304) [Link]
David also described in a recent post how you can ensure that your
compiler groups weren't maliciously cooperating: make sure your compilers are very different ages. This will only get *better* as the years roll past, especially once Moore's Law grinds to a halt: if one compiler is a hundred years older than the other, unless there's an immortal on the development team there's no *way* they share members. (These days of course this gap is impractical because computers are changing too fast.)
Countering the trusting trust attack Posted Feb 5, 2010 0:30 UTC (Fri) by Baylink (subscriber, #755) [Link]
In particular, this works very well if your check-compiler was shipped *when your target compiler/platform did not even exist yet*.
It would be hard to have hot-wired an early-90s IRIX compiler to break GCC4/Linux.
Countering the trusting trust attack Posted Feb 5, 2010 19:33 UTC (Fri) by paulj (subscriber, #341) [Link]
How does it get better exactly? Old software doesn't come sandwiched,
ossified between rock strata that can further attest to its obvious age.
You're still going to have to determine whether or not the bag of bits you have
The "they old author can't have thought of future compilers" argument seems
I know David's paper frames the problem so that the attack in fact does have
Countering the trusting trust attack Posted Feb 5, 2010 19:44 UTC (Fri) by Baylink (subscriber, #755) [Link]
> How does it get better exactly? Old software doesn't come sandwiched, ossified between rock strata that can further attest to its obvious age.
Sure it does. :-)
There are lots of things which make it difficult to run really old software on newer platforms, and the more obstacles you place in the way of a notional IRIX Trusting-attack implementor, the less likely you make an outcome positive to him.
> You're still going to have to determine whether or not the bag of bits you have before you really is the same as that old compiler you want to put your faith in. You'll have to trust your md5sum binary (oops) and you'll have to trust MD5. Oops. And you're still trusting the original compiler author.
Yes, but what you're trusting him to do *now* is to have written a compiler which could properly identify and mangle a compiler which did not even exist at that time. And compilers are sufficiently different from each other syntactically that I don't think that attack is possible even in theory, though clearly, "I don't think" isn't good enough for our purposes here. :-).
> The "the old author can't have thought of future compilers" argument seems weak. Viruses are much more sophisticated these days - there's no need the attack has to be limited to specific implementations of software.
Well, I think that depends on which attack we're actually talking about here, and "virus" doesn't really qualify. The Trusting attack was a compiler-propagated Trojan Horse, a much more limited category of attack than "viruses these days", and therefore even harder to implement.
I'm not sure why failing to expect clairvoyance from an earlier-decade's attack author is a weak approach, either. :-)
Countering the trusting trust attack Posted Feb 5, 2010 21:42 UTC (Fri) by paulj (subscriber, #341) [Link]
Thompson implementing his attack as a compiler attack is a detail, primarily
because source code was the normal form of software interchange but the basic compiler toolchain obviously still required passing around binaries. In short it was the *only* place he could have implemented an attack by subverting binaries. His paper is explicit that the compiler attack is merely a demonstration of a more fundamental problem of having to place trust in computer systems. Particularly, he mentions microcode as a possible level of attack - clearly a completely different thing from compiler level and indication that Thompson was making a very general point.
To think that Thompson's attack is only about compilers is surely to miss the
Also, I don't expect clairvoyance. Indeed, you miss my point about which
I think perhaps I should properly write up my criticism...
Countering the trusting trust attack Posted Feb 5, 2010 21:52 UTC (Fri) by Baylink (subscriber, #755) [Link]
Because I am a believer in the traditions of science, yes, I think it would be an excellent idea if you wrote up formally your problems with his paper...
which I *promise* I'm going to read, tonight while I wait for a server upgrade to finish. :-)
And certainly any level of the stack can be attacked, and I understand that was his point. But one either has to say "there's no practical way for me to validate the microcode of the CPU, and thus there's a practical limite to what I can verify", or one has to -- in fact -- do that validation.
If one can.
As we note on RISKS regularly, there are two issues at hand here: "pick your own low-hanging fruit", ie: make sure you apply extra security balm equally to all layers of your problem (as adjusted by your threat estimates at each layer), and "know your CBA": the amount of security at all levels you apply has to be in keeping with not only your threat estimate, but with what the bad guys can *get*.
This is, in particular, the part of the issue that terrorists throw monkey wrenches into: trying to inspire asymmetrical responses to what are, objectively, low-level threats. Your opponent wears himself out on the cape and never sees the sword. Bruce Schneier likes to address this issue.
Countering the trusting trust attack Posted Feb 5, 2010 23:05 UTC (Fri) by nix (subscriber, #2304) [Link]
Of course paulj's attack is possible in theory. We just need strong AI
first.
Countering the trusting trust attack Posted Feb 5, 2010 23:03 UTC (Fri) by nix (subscriber, #2304) [Link]
You misunderstand. I'm not saying 'if you prove that this compiler is old
then you will invariably detect the Thompson hack' I'm saying 'if it is likely that this compiler is old then your chances of detecting the Thompson hack go way up'.
(And the Thompson hack *was* specifically relating to quined attacks on
Countering the trusting trust attack Posted Feb 10, 2010 9:45 UTC (Wed) by hppnq (guest, #14462) [Link] So, how about "yum update"? ;-)
Countering the trusting trust attack Posted Feb 3, 2010 17:50 UTC (Wed) by Baylink (subscriber, #755) [Link]
I will admit up front to not having yet checked out your site, I'm at work just now. But if your test is "both compilers produce the same object code", then even both compilers *not* being subverted will not guarantee that.
If I use compilers A and B to build G(cc), the A-G and B-G objects will not necessarily be byte-identical, and it doesn't *matter* what object they each in turn produce, because that would have to be am exhaustive search, which is impossible.
Or are you suggesting that A-G and B-G then be used to again compile Gcc, and *those* binaries be compared? That would tell you that either A and B were not subverted, or were subverted in exactly the same way...
but how are you authenticating your GCC sources?
(If the answer is "read the damn paper, idiot", BTW, just say that. :-)
Countering the trusting trust attack Posted Feb 3, 2010 23:29 UTC (Wed) by dwheeler (guest, #1216) [Link]
Ummm... let me just say "read the paper, please" :-). I'm fully aware that compiling the same source with different compilers will (normally) produce different executables.
> Or are you suggesting that A-G and B-G then be used to again compile Gcc, and *those* binaries be compared? That would tell you that either A and B were not subverted, or were subverted in exactly the same way...
That's the basic idea, sort of. Given certain preconditions, you can even recreate the original executable with a different starting compiler.
|
|||||||||||||