[TriLUG] Green Hills calls Linux 'insecure' for defense

Rick DeNatale rick at denhaven2.homeip.net
Tue Apr 13 07:28:41 EDT 2004


On Mon, 2004-04-12 at 21:47 -0400, Mike M wrote:
> On Mon, Apr 12, 2004 at 09:10:48PM -0400, Chris Knowles wrote:
> > On Mon, 2004-04-12 at 20:49, Mike M wrote:
> > > On Mon, Apr 12, 2004 at 06:54:20PM -0400, Rick DeNatale wrote:
> > > > This is not at all an argument against open source, just a more
> > > > sophisticated view of the role of source in security auditing.
> > > 
> > > Requesting more clarity here please.  I can't tell what is open or
> > > closed in your description: the compiler source, the source the compiler
> > > is compiling, or both, or neither.
> > 
> > <SNIP>
> > 
> > Both are open.
> > 
> > And he shouldn't have presented it as if this were theoretical wanking.
> > Ken Thompson actually did this.
> > 
> > http://www.catb.org/~esr/jargon/html/B/back-door.html

Well, I wouldn't have had I known of the follow-on. Thompson's original
article only hints that he actually did it.
> 
> Thanks for the link.  That cleared up a lot.  In the description the
> possibility of using yet another compiler was not raised.  The
> dilemma arose from the lack of an alternative compiler that was
> untainted. Maybe back in kt's early days, yet another untainted
> compiler was not an easy option.  Today, it is trivial.

But how do you know you are using an untainted compiler? Let's say you
are using GCC?  Have you followed it from its inception? Did you
compile it from the initial bootstrap code or did you install a binary
originally? If you always installed updates from source, how do you know
that the apparently untainted source code has been itself compiled with
a compiler which was tainted by a downstream binary? You never took a
shortcut and updated the compiler with a binary did you?

> 
> Perusing the source would detect the evil and this is
> recognized in the linked article.

Which source code? Thompson's point was that you can't really trust the
compiler, or even the compiler's source code. And as he pointed out the
compiler is just one point in the OS and tool chain which could be
subject to such an attack.

> Again, back when this evil scheme was
> devised, the concept of world-wide code review was not in effect.  If
> this sort of thing were detected today, the www and lists would be lively
> with its presentation, analysis, and discussion.
> 

Only if the effects of the hack were obvious. It's conceivable that a
long time could transpire before anyone noticed that something was
wrong, if ever.

> The commercial concerns have a built in motivation to plant and/or find
> evil in F/OSS.  They have not been terribly successful at it from what I
> can tell.
> > 
> > And yup, it's fiendish and really scary.  But I'm not convinced that OSS
> > is more vulnerable to this than say certain proprietary network hardware
> > OS's.  (*cough* CISCO *cough*)
> 
> Hmmm.  That's _closed_ source, right?  Nobody reviews it without
> getting paid, right?  You can't profit by reviewing code, right? The
> profit picture is not robust right now, right?  So there's probably
> not a lot of code reviewing for the heck of it, right? OTH, people
> review F/OSS for the glory of finding holes - weird as it may sound.
> I sleep better knowing such geeks exist though.

So do I, but not as well as you. Source code analysis is good, but it's
imperfect. Binary analysis is much harder, and it therefore tends not to
be done as much.

As I said, if someone wanted to use such an attack, open source isn't
nearly as much of a defense as some would believe. If the source doesn't
accurately represent what's going to be executed, then it really doesn't
matter whether it's available or not.

Finally, others have pointed out the concern about security and
electronic voting. This is something which really has me worried,
regardless of whether the source is open or closed. We know that the
Diebold voting code is closed, and has no audit trail. I applaud the guy
who wants to vote absentee so as to have a paper trail of his vote, but
unfortunately that's a drop in the bucket. In fact at least in Wake
County, if they do things the way they have in the past, voting on
election day with the paper mark sense machines is better than the early
voting which used the cartridges and touchscreens.
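The question above ("how do you know you are using an untainted compiler?") has a standard defensive answer, Wheeler's diverse double-compiling: rebuild the compiler's source with an independent compiler and compare bit-for-bit with the suspect compiler's own rebuild. The toy Python model below is an added illustration, not code from the thread; the "compilers", the marker string and the payload are constructed for the demonstration.

```python
import hashlib

# Toy model of the thread's scenario (constructed; these are not real compilers).
# A "binary" is a pair (digest of the source it was built from, hidden payload or None).
# Compiling is modelled as hashing the source; a trojaned compiler quietly re-inserts
# its payload whenever it notices it is compiling a compiler, as Thompson described,
# so the reviewed source never shows anything and the payload survives every rebuild.

COMPILER_SOURCE = "def compile(source): return translate(source)"      # the reviewed source
OTHER_COMPILER_SOURCE = "def compile(s): return other_translate(s)"   # independent implementation
MARKER = "def compile("          # how the trojan recognises that it is building a compiler
BOOTSTRAP = ("bootstrap", None)  # a clean starting compiler, assumed honest in this model


def compile_with(compiler, source):
    """Build `source` with `compiler`, returning a new (digest, payload) binary."""
    digest = hashlib.sha256(source.encode()).hexdigest()
    _, payload = compiler
    carried = payload if (payload is not None and MARKER in source) else None
    return (digest, carried)


def diverse_double_compile(suspect, trusted, source):
    """Wheeler's DDC check: build `source` with an independent trusted compiler, let that
    result rebuild itself, and compare bit-for-bit with the suspect compiler's own rebuild.
    Assumes deterministic compilation and that `trusted` does not share the trojan."""
    stage1 = compile_with(trusted, source)   # source built by a compiler the attacker never touched
    stage2 = compile_with(stage1, source)    # stage1 rebuilds the same source
    self_build = compile_with(suspect, source)
    return stage2 == self_build, self_build, stage2


def run_check():
    """Return the DDC verdict for a clean and a trojaned build of the same reviewed source."""
    clean = compile_with(BOOTSTRAP, COMPILER_SOURCE)
    trojaned = (clean[0], "hidden-payload")   # identical provenance, extra hidden code
    independent = compile_with(BOOTSTRAP, OTHER_COMPILER_SOURCE)
    return {
        # Reviewing COMPILER_SOURCE cannot distinguish these two builds:
        "same_source_digest": compile_with(clean, COMPILER_SOURCE)[0]
                              == compile_with(trojaned, COMPILER_SOURCE)[0],
        "clean_passes": diverse_double_compile(clean, independent, COMPILER_SOURCE)[0],
        "trojaned_passes": diverse_double_compile(trojaned, independent, COMPILER_SOURCE)[0],
    }


if __name__ == "__main__":
    print(run_check())   # {'same_source_digest': True, 'clean_passes': True, 'trojaned_passes': False}
```

The check only helps if the second compiler really is independent of the suspect one and both compile deterministically; with a shared ancestor binary, both rebuilds would carry the same payload and agree.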
