On Wed, Sep 01, 2004 at 06:38:17PM +0200, Kurt Roeckx wrote:
> On Wed, Sep 01, 2004 at 05:02:49PM +0100, Andrew Suffield wrote:
> >
> > Don't be absurd. We build gcc from published sources that the whole
> > world can look at, and which a large number of people *do* look at on
> > a regular basis. It is not plausible for an exploit to be concealed in
> > there; too many people would have to know about it.
>
> You really should read "Reflections on Trusting Trust" by Ken
> Thompson, written in 1984.

It's a cute idea that gets a lot of attention from uninformed people,
but it can't work in practice. I for one should have noticed if gcc
were miscompiling itself in such a fashion - there would be a big chunk
of inexplicable code. And I'm not the only one. It's the many eyes
principle again, but on a smaller scale - here we only have to validate
*one* binary.

Also, while it is easy to construct an attack like this against a
single version of a compiler, it is extremely hard to construct the
attack against a compiler that is undergoing heavy development, like
gcc. On fairly short order, your induced miscompilation would either
stop being applied entirely, because the code being matched has
changed, or cause the compiler to stop working, because the code being
inserted no longer matches the API.

In short: I am quite aware of this attack and of effective defences
against it, and I do not consider it to be a viable threat.

-- 
  .''`.  ** Debian GNU/Linux ** | Andrew Suffield
 : :' :  http://www.debian.org/ |
 `. `'                          |
   `-             -><-          |
Attachment:
signature.asc
Description: Digital signature
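Added illustration, not code from this thread, from gcc or from Thompson's paper: a toy model in Python of the self-propagating compiler backdoor the thread is arguing about, and of the two points made in the post above. The "binary" is Python text that gets exec()'d, the "compiler" merely strips comment lines, and the trojan is a quine that re-inserts itself whenever it recognises the compiler's source. It shows (1) the backdoor surviving repeated rebuilds from clean source, (2) the backdoor silently dropping out once the compiler source no longer contains the text it pattern-matches on, which is the first of the two failure modes the post describes, and (3) the "validate one binary" check: compile the same compiler source with the suspect binary and with an independently obtained compiler and diff the results (the idea David A. Wheeler later formalised as diverse double-compiling, 2005). Every name, source string and the magic password 'open sesame' are assumptions made up for the example.

```python
# Toy model of the Thompson "Reflections on Trusting Trust" backdoor.
# Added illustration, not code from this thread or from gcc.  A "binary"
# here is Python text that we exec(); a "compiler" turns source text into
# such a binary by dropping comment lines.  All names and the magic
# password 'open sesame' are assumptions made up for this demonstration.

# Stage-0 source of the honest compiler.
CLEAN_COMPILER_SRC = '''
def compile(source):
    # Toy compiler: drop comment lines, emit everything else verbatim.
    return "\\n".join(l for l in source.splitlines()
                      if not l.strip().startswith("#"))
'''

# The same compiler after "heavy development": equivalent behaviour, but
# the text the backdoor recognises is gone (the post's first failure mode).
DEVELOPED_COMPILER_SRC = '''
def compile(source):
    # Rewritten comment stripper.
    kept = [l for l in source.splitlines() if l.lstrip()[:1] != "#"]
    return "\\n".join(kept)
'''

LOGIN_SRC = '''
def check_password(candidate, stored):
    # Toy login: accepts exactly the stored password.
    return candidate == stored
'''

# The trojan, as the text an attacker appends once to a compiler binary.
# It is a quine: _T holds its own template, so every compiler it builds
# from recognised compiler source carries a fresh copy of the trojan.
TROJAN_TEMPLATE = '''
_clean_compile = compile
_T = %r
_TROJAN = _T %% _T
def compile(source, _clean_compile=_clean_compile, _TROJAN=_TROJAN):
    out = _clean_compile(source)
    if "def check_password(" in source:
        out = out.replace("return candidate == stored",
                          "return candidate == stored or candidate == 'open sesame'")
    if "def compile(" in source and 'startswith("#")' in source:
        out += _TROJAN
    return out
'''
TROJAN = TROJAN_TEMPLATE % TROJAN_TEMPLATE


def load(binary, name):
    """Run a binary (Python text) and return the named function from it."""
    ns = {}
    exec(binary, ns)
    return ns[name]


def bootstrap():
    """Return (clean, trojaned) compilers; the attacker patched the binary once."""
    clean = load(CLEAN_COMPILER_SRC, "compile")
    trojaned = load(clean(CLEAN_COMPILER_SRC) + TROJAN, "compile")
    return clean, trojaned


def rebuild(compiler, compiler_src):
    """Compile compiler_src with `compiler` and return the resulting compiler."""
    return load(compiler(compiler_src), "compile")


def login_accepts_backdoor(compiler):
    """Compile the clean login program with `compiler`; does the magic password work?"""
    check = load(compiler(LOGIN_SRC), "check_password")
    return check("open sesame", "hunter2")


def looks_trojaned(suspect, independent, compiler_src):
    """The 'validate one binary' check: a suspect compiler that emits something
    different from an independently obtained compiler, for the same source,
    is inserting code that is not in the source.  Assumes deterministic
    output, i.e. reproducible builds in real life."""
    return suspect(compiler_src) != independent(compiler_src)


if __name__ == "__main__":
    clean, trojaned = bootstrap()
    print("clean compiler, backdoor works:   ", login_accepts_backdoor(clean))
    print("trojaned compiler, backdoor works:", login_accepts_backdoor(trojaned))
    gen3 = rebuild(rebuild(trojaned, CLEAN_COMPILER_SRC), CLEAN_COMPILER_SRC)
    print("rebuilt twice from clean source:  ", login_accepts_backdoor(gen3))
    developed = rebuild(trojaned, DEVELOPED_COMPILER_SRC)
    print("after heavy development:          ", login_accepts_backdoor(developed))
    print("gen3 flagged by diff check:       ",
          looks_trojaned(gen3, clean, CLEAN_COMPILER_SRC))
```

The diff check is only as good as the independence of the second compiler and the determinism of the build: if both compilers descend from the same trojaned binary they agree on the same wrong output, and if the build embeds timestamps or paths the diff is noisy. The second failure mode from the post, where the injected code no longer fits the compiler's internal API and the build breaks loudly, is not modelled here; in this toy the appended code only depends on a function named `compile` existing.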