[TriLUG] Green Hills calls Linux 'insecure' for defense

Rick DeNatale rick at denhaven2.homeip.net
Mon Apr 12 18:54:20 EDT 2004


On Mon, 2004-04-12 at 17:31 -0400, Tanner Lovelace wrote:
> matusiak said the following on 4/12/04 5:12 PM:
> 
> > hey -- anyone in the embedded market want to comment on this?  Green  
> > Hills produces their own RTOS and is obviously tired of the competition  
> > from Linux.  they proclaim that rogue nations such as China, Russia and  
> > others are potentially putting dangerous back-door/malicious code into  
> > Linux.
> 
> They're on crack.
> 
> Inserting a back door into something that millions of people have
> source code access to is a lot more difficult than inserting a
> back door into a closed source OS.  Why do you think so many governments
> are either moving to linux or demanding MS give them their source
> code.

Regardless of the access to and vetting of source, those of us old
enough to remember Ken Thompson's Turing Award Lecture "Reflections on
Trusting Trust" from around 30 years ago will realize that backdoors and
malicious code can be hidden in an open source environment as well as in
a closed source one.

For those of you who are too young to remember, the argument went like
this.

First he showed how the C compiler could be bootstrapped so as to
compile itself including nice character constants like '\n' by first
writing the code in terms of octal codes, then changing the source and
recompiling once the compiler had been taught to recognize escaped
character literals.

Then he argued that the compiler could be hacked in a similar fashion to
compile arbitrary code when presented with the 'right' source code.
This would allow innocent-looking code to represent a back door, and
no one would know by just looking at the source code.

This is not at all an argument against open source, just a more
sophisticated view of the role of source in security auditing.
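The bootstrap step described above, as an added illustration that is not part of the original post or of Thompson's lecture: a small escape-sequence decoder stands in for the compiler's character-constant handler. `unescape_stage1` spells every escape as an octal byte value, the form the source must take before the translator knows what `'\n'` means; `unescape_stage2` is the rewrite that uses the escapes themselves once a translator built from stage 1 exists; `bootstrap_consistent` is the byte-for-byte check that the rewrite preserved behaviour over constructed inputs. All function names and sample strings are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Both decoders expand C-style escape sequences in `in` into `out`
 * (NUL-terminated). They return the number of bytes written, or -1 if
 * `out` is too small or the input ends in a dangling backslash. */

/* Stage 1: escapes are known only by their octal byte values. Nothing
 * here depends on the translator already understanding '\n'. */
static int unescape_stage1(const char *in, char *out, size_t outsz)
{
    size_t n = 0;
    for (; *in != '\0'; in++) {
        char c = *in;
        if (c == 0134) {                  /* backslash, written as octal */
            in++;
            if (*in == '\0')
                return -1;                /* dangling backslash */
            switch (*in) {
            case 'n': c = 012; break;     /* newline */
            case 't': c = 011; break;     /* tab */
            case 'r': c = 015; break;     /* carriage return */
            default:  c = *in; break;     /* \\, \", unknown: literal */
            }
        }
        if (n + 1 >= outsz)
            return -1;
        out[n++] = c;
    }
    out[n] = '\0';
    return (int)n;
}

/* Stage 2: the same logic rewritten to use the escapes a stage 1 build
 * just learned. No numeric value for newline appears anywhere in this
 * text; that knowledge now lives only in the binary translating it. */
static int unescape_stage2(const char *in, char *out, size_t outsz)
{
    size_t n = 0;
    for (; *in != '\0'; in++) {
        char c = *in;
        if (c == '\\') {
            in++;
            if (*in == '\0')
                return -1;
            switch (*in) {
            case 'n': c = '\n'; break;
            case 't': c = '\t'; break;
            case 'r': c = '\r'; break;
            default:  c = *in;  break;
            }
        }
        if (n + 1 >= outsz)
            return -1;
        out[n++] = c;
    }
    out[n] = '\0';
    return (int)n;
}

/* Reading the stage 2 source cannot tell you which byte it emits for \n;
 * only running both stages on the same input and comparing outputs can.
 * Returns 1 if every constructed sample decodes identically, else 0. */
static int bootstrap_consistent(void)
{
    static const char *samples[] = {          /* constructed inputs */
        "plain text",
        "line one\\nline two",
        "tab\\there",
        "back\\\\slash and quote \\\"",
        "cr\\r\\n",
        "",
    };
    char a[64], b[64];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int la = unescape_stage1(samples[i], a, sizeof a);
        int lb = unescape_stage2(samples[i], b, sizeof b);
        if (la < 0 || la != lb || memcmp(a, b, (size_t)la + 1) != 0)
            return 0;
    }
    return 1;
}

int main(void)
{
    char buf[64];
    int n = unescape_stage2("hello\\nworld\\t!", buf, sizeof buf);
    printf("decoded %d bytes: %s\n", n, buf);
    printf("stage 1 and stage 2 agree: %s\n",
           bootstrap_consistent() ? "yes" : "no");
    return bootstrap_consistent() ? 0 : 1;
}
```

The security-relevant observation is in `unescape_stage2`: after the rewrite, the source carries no trace of the value 012, yet the compiled decoder still produces it. A reviewer auditing only that source sees nothing wrong and also learns nothing about what the binary that compiled it contributes, which is exactly the gap the lecture is pointing at.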
