
Re: Unofficial buildd network has been shut down



On Wed, Sep 01, 2004 at 03:29:25PM -0700, Thomas Bushnell BSG wrote:
> Andrew Suffield <asuffield@debian.org> writes:
> 
> > I would notice because there would be too much code in the binary;
> > it's reasonably easy to verify with some simple automation. It would
> > require hundreds of instructions to do something like this, which
> > would have no corresponding source code. Yes, on occasion I have dug
> > into gcc binaries while debugging modifications to gcc.
> 
> Ok, without looking, how many instructions should GCC have?  "Hundreds
> of instructions" is what percentage of the total?  If a new version
> uploads, how would you know?
> 
> What is the ratio of source-code-lines to source lines?

I have no idea. That's a script's job - pairing off basic blocks with
source sequences. If you have any left over, or any that don't match
the source, something funky is going on, and you go figure it out by
hand.

As to specific versions: no, I don't know that there has never existed
a gcc version with such a trojan. But I do know that in one randomly
selected by me, without advance warning or any way to predict my
actions, I didn't see anything. And I doubt I'm the only person ever
to have been in a position to spot it - it's really not that hard. So
the chances of a significant number of binaries being so altered is
slim.

> And, note that Ken Thompson's point is that even your test won't
> help.  I can easily add cheat-code to the debugger that refuses to
> display the relevant routines and misrepresents the appearance of the
> binary.

"Easily"? Have you *tried*? "Difficult to the point of implausibility"
is how I would describe it. You've now got to teach the compiler how
to recognise all variations on all the debuggers, and modify them such
that they can recognise all variations on their own code and hide
it.

And I'm pretty sure the debugger is honest too, since on occasion I've
gone around it and disassembled the code by hand or by script. I can,
do, and have written one-shot code with no toolchain dependencies,
because I was debugging the toolchain at the time and suspected it of
being broken. It's just not that hard. You would have to confuse
*every single one* of these programs.

> > It would not be difficult to vary the technique and ensure there are
> > no such things hiding in the file. I don't believe in conspiracies so
> > large that they could stop some random perl script from spotting the
> > hidden code; the sheer *quantity* of hidden trojans you'd need would
> > make them rather easy to spot.
> 
> Actually, that's the splendid thing.  I have to put them only in the
> compiler (if I'm clever enough), and once the system is recompiled,
> they will be in all the right tools, and the whole cheat becomes
> undetectable.

No. You would have to be clever enough to write some code that could
identify every possible program that could notice it and show the
user, and hide the trojan from that, while also identifying every
possible program that could execute the code, and show the trojan to
that. You would have to predict the existence of tcc and a range of
other compilers, java, .net, and a half dozen other VMs and identify
things written in those languages, and handle them ahead of time.

All else aside, that's Halting-equivalent in a number of places. It
can't be done. Even being able to confuse all that code once would be
difficult to the point of absurdity - and it would *still* break the
next time some of it was rewritten in a sufficiently different manner.

Anybody who can beat all that is so absurdly far advanced over us that
we might as well welcome our new galactic overlords, and wonder why
they haven't taken over before. Not a scenario worth worrying about.

Doing it by exhaustive patching of every binary would introduce size
discrepancies that would be noticeable in the time taken for, e.g., disk
and network access - somebody would notice that their 'hello world'
was over a megabyte in size, to carry all that trojan around.

I am not willing to entertain theories that network speeds are faster
than stated in order to hide this, and that every oscilloscope in the
world is trojaned so as to hide *that*.

-- 
  .''`.  ** Debian GNU/Linux ** | Andrew Suffield
 : :' :  http://www.debian.org/ |
 `. `'                          |
   `-             -><-          |
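The check Andrew describes above (pairing off basic blocks against the source and flagging whatever is left over), written out as an added example that is not part of this post or of any Debian tooling. It assumes the block address ranges and the line-table rows have already been pulled out of the binary, for instance from objdump's disassembly and its decoded DWARF line table; the sample addresses below are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

Block = Tuple[int, int]   # half-open [start, end) address range

@dataclass(frozen=True)
class LineRow:
    """One DWARF line-table row: code from `address` up to the next row's
    address belongs to `line`; line=None models an end_sequence row."""
    address: int
    line: Optional[int]

def covered_ranges(rows: List[LineRow]) -> List[Block]:
    """Address ranges the compiler attributes to some source line."""
    rows = sorted(rows, key=lambda r: r.address)
    return [(cur.address, nxt.address)
            for cur, nxt in zip(rows, rows[1:]) if cur.line is not None]

def uncovered_bytes(block: Block, covered: List[Block]) -> int:
    """Bytes in `block` that no source-attributed range covers."""
    start, end = block
    pos, gap = start, 0
    for cstart, cend in sorted(covered):
        if cend <= pos or cstart >= end:
            continue                       # range lies outside the block
        if cstart > pos:
            gap += cstart - pos            # hole before this range
        pos = max(pos, cend)
    return gap + max(0, end - pos)         # hole after the last range

def unaccounted_blocks(blocks: List[Block], rows: List[LineRow]):
    """Blocks holding code with no source behind it: the 'left over'
    blocks the post says to inspect by hand. Returns (start, end, bytes)."""
    covered = covered_ranges(rows)
    found = []
    for start, end in blocks:
        n = uncovered_bytes((start, end), covered)
        if n:
            found.append((start, end, n))
    return found

# Constructed sample: four basic blocks of one function, and a line table
# whose end_sequence is at 0x1038. Everything past that has no source.
SAMPLE_BLOCKS = [(0x1000, 0x1010), (0x1010, 0x1030),
                 (0x1030, 0x1040), (0x1040, 0x1080)]
SAMPLE_ROWS = [LineRow(0x1000, 3), LineRow(0x1010, 4),
               LineRow(0x1030, 5), LineRow(0x1038, None)]

if __name__ == "__main__":
    for start, end, n in unaccounted_blocks(SAMPLE_BLOCKS, SAMPLE_ROWS):
        print(f"block {start:#x}-{end:#x}: {n} bytes with no source line")
```

On a real binary, startup code, PLT stubs and other linker-generated code legitimately carry no line rows, so the leftovers are compared against an allow-list of expected symbols before anything is examined by hand. Since the line table is emitted by the compiler under suspicion, the block list should come from an independent disassembler, which is the "go around it" step the post describes.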
