[TriLUG] Green Hills calls Linux 'insecure' for defense

Tanner Lovelace lovelace at wayfarer.org
Mon Apr 12 23:51:00 EDT 2004


Rick DeNatale said the following on 4/12/04 6:54 PM:

> Regardless of the access to and vetting of source, those of us old
> enough to remember Ken Thompson's Turing Award Lecture "Reflections on
> Trusting Trust" from around 30 years ago will realize that backdoors and
> malicious code can be hidden in an open source environment as well as in
> a closed source one.

Rick,

You are quite correct.  However, this can be mitigated somewhat, if
you're *extremely* paranoid (and if you're not you should be! ;-)
by doing things like cross compiling the compiler on a different
platform using a different compiler!  In other words, Ken's chain
is a tenuous one and it only takes one broken link to break it.
Still, it only takes one thing to break security too, so you do
what you can.  You could also, btw, compile it to assembly and
then compare the assembly with the outputted code.  Since assembly
translates almost directly into opcodes you will either see the
back door or see the huge disconnect between the assembly and the
opcodes.

But, yeah, KT's hack was quite an elegant one. :-)  I still maintain
that Open Source is generally more secure than closed source and
it's much *harder* (although not impossible) to insert a back door
in it.

Cheers,
Tanner
-- 
Tanner Lovelace       | Don't move! Or I'll fill ya full of... little
lovelace at wayfarer.org | yellow bolts of light! - Commander John Crichton
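The mitigation Tanner describes (build the compiler's source with an independent compiler, then compare what comes out) was later formalised by David A. Wheeler as "diverse double-compiling". The simulation below is an added example, not code from the post or from any real toolchain: compilers and the login program are stand-in strings, "machine code" is a deterministic hash so builds can be compared byte for byte, and the trojan is modelled explicitly so the reader can see why a compiler that simply rebuilds itself cannot detect the attack while a second, independent compiler can. The names (`SRC_A`, `SRC_T`, `SRC_LOGIN`, `Bin`, `ddc_check`) and the payload strings are all constructed for the example; platform differences from real cross-compiling are ignored.

```python
"""Toy model of 'compile the compiler with a different compiler'
(diverse double-compiling).  Added example; no real compiler code here.
An executable is a Bin whose bytes come from a deterministic hash, so two
builds of the same source can be compared byte for byte."""
from dataclasses import dataclass
from typing import Optional
import hashlib

# Constructed sample sources: a compiler A (the one under suspicion), an
# independent compiler T, and the program the attacker really wants to own.
SRC_A = "def compile_program(src): ...  # compiler A, e.g. the system cc"
SRC_T = "def compile_program(src): ...  # compiler T, written independently"
SRC_LOGIN = "def check_password(pw): return pw == secret"


@dataclass(frozen=True)
class Bin:
    image: bytes                    # emitted machine code, what we compare
    origin: str                     # compiler source it was built from (fixes behaviour)
    trojan: Optional[bytes] = None  # self-propagating payload, if compromised


def codegen(origin: str, source: str) -> bytes:
    """Honest code generation: output depends only on the generating
    compiler's source and the program source (a deterministic build)."""
    return hashlib.sha256(f"{origin}\x00{source}".encode()).digest()[:8]


def compile_with(cc: Bin, source: str) -> Bin:
    """Run compiler binary `cc` on `source`.  A trojaned cc recognises two
    inputs: it backdoors the login program and re-inserts its own payload
    into any compiler it builds (Thompson's 'Trusting Trust' attack)."""
    image = codegen(cc.origin, source)
    trojan = None
    if cc.trojan is not None:
        if "def check_password" in source:
            image += b"BACKDOOR"        # constructed marker for the implant
        if "def compile_program" in source:
            trojan = cc.trojan          # propagate into the new compiler
            image += cc.trojan
    return Bin(image=image, origin=source, trojan=trojan)


def self_hosted(cc_src: str, trojan: Optional[bytes] = None) -> Bin:
    """A compiler binary already rebuilt by itself (the steady state of a
    self-hosting toolchain), optionally with an implanted trojan."""
    image = codegen(cc_src, cc_src) + (trojan or b"")
    return Bin(image=image, origin=cc_src, trojan=trojan)


def self_rebuild_check(cc: Bin, cc_src: str) -> bool:
    """Naive check: rebuild cc from its own source with itself and compare.
    Returns True even for a trojaned cc, because the payload re-inserts
    itself into the rebuilt binary; this check cannot see the attack."""
    return compile_with(cc, cc_src).image == cc.image


def ddc_check(cc: Bin, cc_src: str, trusted: Bin) -> bool:
    """Diverse double-compiling: build cc's source with an independent
    compiler (stage 1), rebuild the source with that result (stage 2), and
    compare stage 2 against cc's own self-rebuild.  Stage 2 depends only on
    the source, so any extra bytes in cc's output expose a hidden payload."""
    stage1 = compile_with(trusted, cc_src)
    stage2 = compile_with(stage1, cc_src)
    reference = compile_with(cc, cc_src)
    return stage2.image == reference.image


def demo() -> dict:
    """Run both checks against an honest and a trojaned compiler A."""
    trusted_t = self_hosted(SRC_T)
    honest_a = self_hosted(SRC_A)
    trojaned_a = self_hosted(SRC_A, trojan=b"TROJAN")
    return {
        "naive_passes_trojaned": self_rebuild_check(trojaned_a, SRC_A),
        "ddc_passes_honest": ddc_check(honest_a, SRC_A, trusted_t),
        "ddc_passes_trojaned": ddc_check(trojaned_a, SRC_A, trusted_t),
        "login_backdoored": compile_with(trojaned_a, SRC_LOGIN).image.endswith(b"BACKDOOR"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The comparison only works because the stage-2 output is a function of the compiler source alone; with a real toolchain that means a reproducible build (same flags, no embedded timestamps or paths) before the diff is meaningful, and the independent compiler T must really be independent, not another binary descended from A.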
