Green Hills Software on free software in the military
Green Hills Software has released a FUD missile about the grave threat posed by the use of free software by the military. "The open source process violates every principle of security. It welcomes everyone to contribute to Linux. Now that foreign intelligence agencies and terrorists know that Linux is going to control our most advanced defense systems, they can use fake identities to contribute subversive software that will soon be incorporated into our most advanced defense systems."
Green Hills Software on free software in the military
Posted Apr 8, 2004 22:11 UTC (Thu) by allesfresser (subscriber, #216)
Oh, good grief. Is that the best they can come up with? Do they think the DOD just plops software into defense systems without doing any checking? I'm sure they'd like to conjure up the image of a shadowy figure sneaking around planting bugs like in all the movies... but unfortunately code submissions are a lot more mundane and public. Get a life.
Green Hills Software on free software in the military
Posted Apr 8, 2004 22:20 UTC (Thu) by allesfresser (subscriber, #216)
By the way, the Ken Thompson episode they refer to is documented by Thompson himself here. It involved patching the compiler so it would recognize that it was recompiling itself and reinserting the trojan horse code that it was meant to carry. Of course, that was a different era where it was easier to get away with things like that (no MD5 sums for the tarballs, etc.) They are truly trying to pull a rabbit out of a hat on this one... the chances of being able to pull something like that these days, with the vast array of people using different versions of lots of different packages, would be rather small.
Green Hills Software on free software in the military
Posted Apr 8, 2004 23:30 UTC (Thu) by dmenest (guest, #4017)
Also, the problem of not being able to trust the compiler that compiled the compiler that compiled the compiler . . . is not restricted to Free/Open Source Software. Proprietary software is just as vulnerable. Even if Green Hills writes their own compiler, which compiler did they use to compile it?
Cross compiling compiler
Posted Apr 9, 2004 5:29 UTC (Fri) by libra (guest, #2515)
Although I never tried it, I think that by using different compilers on different platforms and cross-compiling for one, the second iteration shall give identical compiler code no matter the original compiling platform. If this can be shown it will prove that no secret code is in the compiler, because otherwise it would mean that all compilers on all platforms are corrupt, and that is unpossible. Maybe someone out here has a clue on that topic, or can explain why that idea could be wrong.
Cross compiling compiler
Posted Apr 9, 2004 6:29 UTC (Fri) by pynm0001 (subscriber, #18379)
I'm not sure exactly what you mean, so I'm going to give an example, and you can tell me whether it's right or wrong. You're saying that if you have (say) Solaris CC on Pentium compiling for Sparc, and gcc on PowerPC compiling for Sparc, that the resulting object code for Sparc should be identical on both machines? The answer would be no, unfortunately, unless a fluke occurred. If both compilers are good, they will produce equivalent code, but the code will almost certainly not be byte-for-byte equal. However, even if the compilers produce byte-for-byte identical code, that doesn't mean that secret code in a compiler is impossible, because I could go and write a compiler later that adds secret code. The problem with your logic is that producing identical output for two compilers doesn't imply that all compilers on all platforms are either all corrupt or all clean.
Cross compiling compiler
Posted Apr 9, 2004 7:28 UTC (Fri) by baldrick (subscriber, #4123)
Probably what he means is that you bootstrap gcc using a non-gcc compiler and also using gcc itself. If the final gcc you get is the same in both cases then you can be pretty sure there is no Thompson trojan lurking inside gcc. I understand that this is one of the reasons the gcc developers work hard to make gcc compilable by a wide range of other compilers.
Cross compiling compiler
Posted Apr 9, 2004 7:37 UTC (Fri) by pynm0001 (subscriber, #18379)
Ah, that's a good idea. Although I feel that my other argument about equivalent code remains. A non-gcc compiler shouldn't produce the same exact binary that gcc itself would, merely one which works the same.
Cross compiling compiler
Posted Apr 9, 2004 12:13 UTC (Fri) by libra (guest, #2515)
That's why I added the term iteration in my post. The idea is:
Compile GCC with compiler C_A on platform P_A for platform P.
Then on platform P you have GCC_A and GCC_B; they are certainly not binary equivalent, but functionally they shall be. As the code has been audited, and two platforms/compilers were involved, we may assume that one of the two is not tainted. So now we do:
Compile GCC with GCC_A on P.
If both GCC_A and GCC_B are really functionally equivalent then the results shall now be binary identical (at that iteration, or maybe at the next one due to some cross compilation problems that may occur). If you can never reach an iteration where both results are stable and identical, then you have a problem; otherwise you nearly have the proof you want (unless all compilers of the world are tainted the same way, highly unlikely). Note that for better results it shall be done with 3 or 4 different compilers. Also note that if you find a small binary difference at some point you may very well gain the key of the backdoor (in GCC or in C_x) by analyzing that difference, unless it is just a bug you would have to point out for the improvement of GCC. Sorry not to have been clear the first time. Hope it is OK now.
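The two-stage check libra describes (stage one with each independent compiler, stage two with each stage-one result, then compare) as a toy model in Python. This is an added example, not code from the thread, from Green Hills or from the GCC project; compilers, source labels and "binaries" are constructed stand-ins, and the model assumes deterministic builds (no timestamps or other nondeterminism in compiler output).

```python
from collections import Counter
from dataclasses import dataclass

# Constructed toy model of the iterated cross-compile check from the thread
# (a diverse double-compiling scheme), not the GCC build system. A "binary"
# records only what the argument needs: whose back-end emitted it (fixes the
# bytes), which source it implements (fixes its behaviour), and whether a
# hidden self-propagating payload rode along.

GCC_SRC = "gcc-source"  # the audited compiler source being bootstrapped

@dataclass(frozen=True)
class Binary:
    built_by: str         # back-end that emitted it; different back-ends, different bytes
    implements: str       # source it was compiled from; fixes its behaviour
    trojan: bool = False  # Thompson-style payload present

def run_compiler(compiler: Binary, source: str) -> Binary:
    """Run a compiler binary on a source text and return the output binary.

    Behaviour comes from the source the compiler implements, so any two clean
    compilers built from GCC_SRC emit byte-identical output for the same
    input, whoever built them. A trojaned compiler re-plants its payload
    whenever it recognises that it is compiling GCC_SRC (Thompson's trick).
    Assumes deterministic builds: no timestamps or other nondeterminism.
    """
    return Binary(built_by=compiler.implements,
                  implements=source,
                  trojan=compiler.trojan and source == GCC_SRC)

def bootstrap(trusted: dict, source: str = GCC_SRC):
    """Stage 1: build `source` with each independent compiler; stage 2:
    rebuild it with each stage-1 result. Stage-1 outputs legitimately differ
    (different back-ends); stage-2 outputs must all agree."""
    stage1 = {name: run_compiler(c, source) for name, c in trusted.items()}
    stage2 = {name: run_compiler(b, source) for name, b in stage1.items()}
    return stage1, stage2, len(set(stage2.values())) == 1

def suspects(stage2: dict) -> set:
    """Compilers whose stage-2 binary deviates from the majority result;
    only meaningful with three or more independent starting compilers."""
    majority, _ = Counter(stage2.values()).most_common(1)[0]
    return {name for name, b in stage2.items() if b != majority}

if __name__ == "__main__":
    clean = {"C_A": Binary("A", "cc-A-source"), "C_B": Binary("B", "cc-B-source")}
    s1, s2, ok = bootstrap(clean)
    print("stage 1 identical:", len(set(s1.values())) == 1, "| stage 2 converged:", ok)
```

With three starting compilers the odd one out at stage two names the tainted toolchain, which is the "analyze the difference" step libra mentions; with only two you learn that one is bad but not which.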
Cross compiling compiler
Posted Apr 9, 2004 19:54 UTC (Fri) by pynm0001 (subscriber, #18379)
I see what you're saying now (I was up too late last night :-( ). Indeed, it sounds like a very good idea, I can't see any flaws in the logic. Of course, we can't even apply that test to MSVC, so I guess Open Source wins another security battle due to the other side's forfeit. :-)
Cross compiling compiler
Posted Apr 11, 2004 21:27 UTC (Sun) by flewellyn (subscriber, #5047)
This could only happen if the code-generating back-ends for all of the different compilers were identical. Unless the different compilers were derived from a common base, this is unlikely. I think a better means of ensuring the security of a compiler is simply to examine its source code. Of course, with proprietary compilers (the type that Green Hills is pushing), you can't do that, so you just have to trust them. Which is what Green Hills is saying is the problem with free software... sounds like someone has their brain on backwards.
Pentagon-speak
Posted Apr 8, 2004 23:33 UTC (Thu) by ncm (subscriber, #165)
This is just a veiled way of warning that if Gcc gets too popular, the trojanned version of GH's compiler (trojan supplied by the spooks) will lose its foreign customers, and that there's no way to get that trojan into the Gcc that those (former) foreign customers will use in its place.
Green Hills Software on free software in the military
Posted Apr 9, 2004 0:55 UTC (Fri) by clugstj (subscriber, #4020)
Last time I used the Green Hills compiler (about 10 years ago), it was really lame. I wished I was using GCC. Since Wind River ships GCC with vxWorks, I'd say that quite a few defense systems already use GCC.
Green Hills Software needs to read Crypto-Gram
Posted Apr 9, 2004 0:55 UTC (Fri) by bajw (subscriber, #11712)
It sounds to me like the fine folks at Green Hills aren't too aware of the concepts and principles of security. Maybe they need to learn a few things from someone who does understand security principles, such as Bruce Schneier, who seems to think that Free Software is the preferred choice for security purposes. Of course, I am not Bruce and cannot speak for him, but that's my take on those of his writings that I've read.
Do they think nobody has read the Mitre report?
Posted Apr 9, 2004 1:12 UTC (Fri) by BrucePerens (subscriber, #2510)
They're just silly. Do they think that nobody has read the MITRE report on Open Source, sponsored by the Department of Defense?
Bruce
Green Hills Software on free software in the military
Posted Apr 9, 2004 3:40 UTC (Fri) by mikesalib (subscriber, #17162)
This is just sad... I'm now kind of glad that they just rejected me since I wouldn't want to be associated with a company that pulls stunts like this. The worst part is that having spent a few days interviewing with them, it seems like they have a pretty good understanding of open source; they certainly use it a lot internally. That suggests that this wasn't a mistake based on ignorance.
Green Hills Software on free software in the military
Posted Apr 9, 2004 6:29 UTC (Fri) by freethinker (guest, #4397)
Actually, in a way it was. They made the mistake of issuing easily-refuted FUD, based on ignorance of how good the open source community is at picking such things to pieces :)
Green Hills Software on free software in the military
Posted Apr 9, 2004 8:31 UTC (Fri) by beejaybee (subscriber, #1581)
Next thing you know they'll be blaming OSS for the shooting down of a British Tornado jet by a Patriot missile system during Gulf 2 (Today, BBC Radio 4, 09 Apr 2004 - apparently the software in the Patriot couldn't tell the difference between a friendly jet fighter and an incoming ballistic missile, which I find astonishing). Of course, if the Patriot turns out to be using proprietary software, we could stand the argument on its head.
Green Hills Software on free software in the military
Posted Apr 9, 2004 19:06 UTC (Fri) by grund (guest, #830)
This has nothing to do with security and everything to do with GH getting their butts kicked in the embedded marketplace by all things Linux. The last desperate gasps of ISVs trying to maintain a vice-grip lock on their customers. Just blowing a lot of doom around trying to scare folks. It reminds me of something else, what was it? Oh, yeah: "Do not arouse the wrath of The Great and Powerful Oz! I said come back tomorrow! The Great Oz has spoken! Pay no attention to that man behind the curtain!"
O'Dowd did not learn Thompson's lesson
Posted Apr 9, 2004 22:18 UTC (Fri) by brouhaha (subscriber, #1698)
Mr. O'Dowd of Green Hills Software obviously didn't really learn anything when reading Ken Thompson's paper, or he would realize that the trust problem Thompson described is just as severe with commercial closed-source software. Actually, the compiler trojan Thompson described was for commercial, closed source software. In fact, open-source software may have a slight advantage here, because it's less of a monoculture. Presumably Microsoft always uses their own Visual C++ compiler to build Windows, so if there were a trojan in the compiler that compromised the resulting Windows executables, it would be present in all copies of Windows that Microsoft distributed. But open source software is by its nature built on many different platforms using different compilers, so a compiler trojan would only affect a portion of the deployed copies of the open source software. And it is possible that a trojan introduced by one particular compiler would be found due to the executable it produces being different in some noticeable way from the executable produced by a different compiler. For instance, strace might show the trojaned executable making extra system calls. How does Mr. O'Dowd propose to assure us that his company's operating systems and compilers are more secure than Linux, xBSD, GCC, etc? Is he certain that none of his employees who have written code incorporated into his products have ever installed trojans? If so, how has he gained this certainty? Has he scrutinized every line of source code himself? Including those of the compilers that compiled the compilers, back all the way to the machine-code-only origin of the system? Somehow I doubt it. It is a matter of historical fact that far more trojan and back door exploits have been present in commercial, closed source software than in open source software.
Just two days ago Cisco had to issue a security advisory regarding a back door found in their WLSE and HSE products. Would Mr. O'Dowd conclude that foreign agents and terrorists are responsible for that? Would he really have us believe that these shadowy figures can compromise open source software developed in the public eye more easily than they could subvert a commercial closed-source software package for which the source code and development process get no public scrutiny? One is forced to conclude that Mr. O'Dowd feels his company's business model is threatened, and rather than change that model to reflect changes in the marketplace, he prefers to use "the sky is falling" proclamations in an attempt to scare customers into sticking with his products.
Green Hills Software on free software in the military
Posted Apr 10, 2004 3:25 UTC (Sat) by fjf33 (subscriber, #5768)
Another funny is that he keeps mentioning companies that are offshoring programming. Is he against the offshore movement? I think almost ALL of the big players have equipment/personnel offshore. Is that a security risk? Hell yeah, and when working on sensitive programs you are audited up the ying yang, but mainly to make sure you are not stealing from the government.
Green Hills Software on free software in the military
Posted Apr 10, 2004 23:47 UTC (Sat) by walters (subscriber, #7396)
The defense industry requires security clearances, and those are presumably harder to get for non-US citizens. So outsourcing is probably restricted to mostly unclassified low-level stuff (making bolts or whatever).
Green Hills Software on free software in the military
Posted Apr 10, 2004 8:36 UTC (Sat) by marble (subscriber, #2719)
What stood out from the quote to me was that "everyone is invited to contribute" yet the malicious people would use "fake identities" to get their code in. It is because everyone is invited to contribute that patches are applied based on the merit of the CODE, not the identity of the person submitting it. Fake identities are useless here.
Green Hills Software on free software in the military
Posted Apr 11, 2004 5:18 UTC (Sun) by skybrian (subscriber, #365)
There is FUD in the article, but I don't understand why it's so unreasonable to believe that Linux is not the most secure operating system out there. The question is what your standards are for code quality, and it's certainly possible to have higher standards than Linux, for those situations where security is more important than functionality. There are good reasons why folks run OpenBSD on firewalls, after all.
Green Hills Software on free software in the military
Posted Apr 11, 2004 10:56 UTC (Sun) by dvdeug (subscriber, #10998)
Actually, neither of the forms of security discussed in the article had anything to do with code quality. OpenBSD lets the same set of people work on it as Linux does, especially for shared stuff like the compiler. Furthermore, OpenBSD is a Unix, just like Linux is, and shares the same (fairly insecure) Unix security model.
Copyright © 2004, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds