Re: The fixed-point project
From: Mark H Weaver
Subject: Re: The fixed-point project
Date: Fri, 20 Sep 2013 17:29:00 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (gnu/linux)

Hi Ludovic,

address@hidden (Ludovic Courtès) writes:

> However, in theory, that doesn’t save us from trusting-trust
> attacks [1]: the bootstrap GCC could contain a trap, such that the trap
> is always preserved across recompilations of GCC, even if it’s absent
> from the GCC source being compiled.
>
> David A. Wheeler’s thesis [2] addresses this topic. Roughly, it shows
> that a compiler can be tested for traps by relying on a “trusted”
> compiler [3].

I don't think this is an adequate summary of David's technique for
defeating Thompson viruses. Under his method, one needn't trust any
single compiler. Instead, one uses several different compilers to
bootstrap a single compiler, and checks that the results of all of
those bootstraps yield the same result. One need only trust that the
first-stage compilers aren't _all_ compromised with the same Thompson
virus. This is much more reasonable than expecting everyone to trust
the Guix bootstrap tarballs. In order to defeat this method, a Thompson
virus would have to be sophisticated enough to hide itself in all of the
compilers, and be able to jump from one compiler to another.

Regards,
Mark
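
The comparison described in the message above, as an added toy model that is not part of the original message or of Wheeler's thesis: each first-stage compiler builds the compiler source, the result rebuilds the same source, and the stage-2 digests are compared. ToyCompiler, bootstrap and compare_bootstraps are hypothetical names, and the model assumes fully deterministic builds.

```python
import hashlib

# Constructed stand-in for the source code of the compiler being bootstrapped.
COMPILER_SOURCE = b"source of the compiler under test (constructed placeholder)"

def digest(*parts):
    """Length-prefixed SHA-256 over several byte strings."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()

class ToyCompiler:
    """Toy compiler binary (assumption: a model, not a real toolchain).

    codegen models how this binary emits code, trap models a payload that
    copies itself into every compiler it builds, bits models the file content.
    """
    def __init__(self, codegen, trap=b"", bits=b""):
        self.codegen, self.trap, self.bits = codegen, trap, bits

    def compile(self, source):
        # The output's bits depend on which binary produced it. Its behaviour
        # as a compiler comes from the source, plus any trap the parent carries.
        return ToyCompiler(codegen=digest(source), trap=self.trap,
                           bits=digest(source, self.codegen, self.trap))

def bootstrap(first_stage, source=COMPILER_SOURCE):
    stage1 = first_stage.compile(source)  # built by the untrusted compiler
    stage2 = stage1.compile(source)       # the compiler rebuilt by itself
    return stage2.bits.hex()

def compare_bootstraps(first_stages, source=COMPILER_SOURCE):
    """Return (all_agree, groups of first-stage names sharing a stage-2 digest)."""
    groups = {}
    for name, compiler in first_stages.items():
        groups.setdefault(bootstrap(compiler, source), []).append(name)
    return len(groups) == 1, sorted(groups.values(), key=len, reverse=True)

if __name__ == "__main__":
    # Constructed inputs: three unrelated compilers, one carrying a trap.
    stages = {"cc-a": ToyCompiler(b"a"), "cc-b": ToyCompiler(b"b"),
              "cc-c": ToyCompiler(b"c", trap=b"T")}
    print(compare_bootstraps(stages))  # disagreement isolates cc-c
    # Residual assumption: the same trap in every first stage goes unnoticed.
    same = {n: ToyCompiler(n.encode(), trap=b"T") for n in ("cc-a", "cc-b")}
    print(compare_bootstraps(same))
```

Stage-1 outputs differ between honest compilers because their code generation differs; only the stage-2 digests are expected to match.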