Not logged in
Log in now
Create an account
Subscribe to LWN
LWN.net Weekly Edition for May 23, 2013
An "enum" for Python 3
An unexpected perf feature
LWN.net Weekly Edition for May 16, 2013
A look at the PyPy 2.0 release
No, it doesn't. David described this in an ancestor post. It just rests on the assumption that a single group of attackers can't subvert every single one of your compilers.
Countering the trusting trust attack
Posted Feb 4, 2010 23:54 UTC (Thu) by nix (subscriber, #2304)
Posted Feb 5, 2010 0:30 UTC (Fri) by Baylink (subscriber, #755)
It would be hard to have hot-wired an early-90s IRIX compiler to break GCC4/Linux.
Posted Feb 5, 2010 19:33 UTC (Fri) by paulj (subscriber, #341)
You're still going to have to determine whether or not the bag of bits you have
before you really is the same as that old compiler you want to put your faith in.
You'll have to trust your md5sum binary (oops) and you'll have to trust MD5.
Oops. And you're still trusting the original compiler author.
The "they old author can't have thought of future compilers" argument seems
weak. Viruses are much more sophisticated these days - there's no need the
attack has to be limited to specific implementations of software.
I know David's paper frames the problem so that the attack in fact does have
that limitation, but that seems an unjustified restriction of Thompson's attack.
Posted Feb 5, 2010 19:44 UTC (Fri) by Baylink (subscriber, #755)
Sure it does. :-)
There are lots of things which make it difficult to run really old software on newer platforms, and the more obstacles you place in the way of a notional IRIX Trusting-attack implementor, the less likely you make an outcome positive to him.
> You're still going to have to determine whether or not the bag of bits you have before you really is the same as that old compiler you want to put your faith in. You'll have to trust your md5sum binary (oops) and you'll have to trust MD5. Oops. And you're still trusting the original compiler author.
Yes, but what you're trusting him to do *now* is to have written a compiler which could properly identify and mangle a compiler which did not even exist at that time. And compilers are sufficiently different from each other syntactically that I don't think that attack is possible even in theory, though clearly, "I don't think" isn't good enough for our purposes here. :-).
> The "the old author can't have thought of future compilers" argument seems weak. Viruses are much more sophisticated these days - there's no need the attack has to be limited to specific implementations of software.
Well, I think that depends on which attack we're actually talking about here, and "virus" doesn't really qualify. The Trusting attack was a compiler-propagated Trojan Horse, a much more limited category of attack than "viruses these days", and therefore even harder to implement.
I'm not sure why failing to expect clairvoyance from an earlier-decade's attack author is a weak approach, either. :-)
Posted Feb 5, 2010 21:42 UTC (Fri) by paulj (subscriber, #341)
To think that Thompson's attack is only about compilers is surely to miss the
point of a classic paper.
Also, I don't expect clairvoyance. Indeed, you miss my point about which
direction the attacker is going.
I think perhaps I should properly write up my criticism...
Posted Feb 5, 2010 21:52 UTC (Fri) by Baylink (subscriber, #755)
which I *promise* I'm going to read, tonight while I wait for a server upgrade to finish. :-)
And certainly any level of the stack can be attacked, and I understand that was his point. But one either has to say "there's no practical way for me to validate the microcode of the CPU, and thus there's a practical limite to what I can verify", or one has to -- in fact -- do that validation.
If one can.
As we note on RISKS regularly, there are two issues at hand here: "pick your own low-hanging fruit", ie: make sure you apply extra security balm equally to all layers of your problem (as adjusted by your threat estimates at each layer), and "know your CBA": the amount of security at all levels you apply has to be in keeping with not only your threat estimate, but with what the bad guys can *get*.
This is, in particular, the part of the issue that terrorists throw monkey wrenches into: trying to inspire asymmetrical responses to what are, objectively, low-level threats. Your opponent wears himself out on the cape and never sees the sword. Bruce Schneier likes to address this issue.
Posted Sep 20, 2010 14:53 UTC (Mon) by paulj (subscriber, #341)
Posted Feb 5, 2010 23:05 UTC (Fri) by nix (subscriber, #2304)
Posted Feb 5, 2010 23:03 UTC (Fri) by nix (subscriber, #2304)
(And the Thompson hack *was* specifically relating to quined attacks on
compilers and other code generators. Viruses are a much larger field, with
Thompson hacks as a small subset. It is possible they are converging, but
I see little sign of it: attacking compilers isn't profitable because
they're relatively uncommon on the man in the street's machine.)
Posted Feb 10, 2010 9:45 UTC (Wed) by hppnq (guest, #14462)
Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds