Re: The fixed-point project
From: Ludovic Courtès
Subject: Re: The fixed-point project
Date: Fri, 20 Sep 2013 23:44:29 +0200
User-agent: Gnus/5.130007 (Ma Gnus v0.7) Emacs/24.3 (gnu/linux)
Mark H Weaver <address@hidden> skribis:
> Hi Ludovic,
>
> address@hidden (Ludovic Courtès) writes:
>
>> However, in theory, that doesn’t save us from trusting-trust
>> attacks [1]: the bootstrap GCC could contain a trap, such that the trap
>> is always preserved across recompilations of GCC, even if it’s absent
>> from the GCC source being compiled.
>>
>> David A. Wheeler’s thesis [2] addresses this topic. Roughly, it shows
>> that a compiler can be tested for traps by relying on a “trusted”
>> compiler [3].
>
> I don't think this is an adequate summary of David's technique for
> defeating Thompson viruses. Under his method, one needn't trust any
> single compiler. Instead, one uses several different compilers to
> bootstrap a single compiler, and checks that the results of all of
> those bootstraps yield the same result.
Right.
> One need only trust that the first-stage compilers aren't _all_
> compromised with the same Thompson virus. This is much more
> reasonable than expecting everyone to trust the Guix bootstrap
> tarballs. In order to defeat this method, a Thompson virus would have
> to be sophisticated enough to hide itself in all of the compilers, and
> be able to jump from one compiler to another.
Yes, you’re right (I may have been fooled by the wording in
<http://www.dwheeler.com/trusting-trust/dissertation/html/wheeler-trusting-trust-ddc.html#4.2.Informal%20description%20of%20DDC>.)
In Guix we can use different variants of the bootstrap compiler to build
the tarballs, but in practice I suspect these would have to remain
variants of the same thing (GCC), not completely different compilers.
Ludo’.
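The check Mark describes is Wheeler's Diverse Double-Compiling (DDC): build the suspect compiler's source with a second, independently obtained compiler, rebuild the source with that result, and compare the second stage bit-for-bit with the suspect binary. The following is an added toy model of that procedure, written for this page; it is not code from the thread, from Guix, or from Wheeler's dissertation. "Binaries" are tuples of opcodes, the toy language and the two "vendor" compilers are constructed, and the trap's behaviour (re-inserting itself when it compiles the compiler, planting a backdoor when it compiles login) is the classic Thompson scenario rather than any real GCC defect.

```python
"""Toy model of Diverse Double-Compiling (DDC).

A 'binary' is a tuple of opcode strings; a 'compiler' is such a binary
interpreted by run_compiler().  Two trusted compilers from different
vendors emit different stage-1 binaries, yet both stage-2 results must
equal the suspect compiler if its claimed source is honest.
"""
import re

# Constructed toy sources.  The PROGRAM line is how a Thompson trap would
# recognise the inputs it cares about.
COMPILER_SOURCE = """\
PROGRAM compiler
; constructed source of the compiler under test (no trap in here)
READ
LEX
PARSE
EMIT
"""

LOGIN_SOURCE = """\
PROGRAM login
READ
CHECK_PASSWORD
GRANT
"""

TRAP = "TRAP"              # present only in a trojaned compiler binary
BACKDOOR = "BACKDOOR"      # what the trap plants into a login binary
LOWER_EMIT = "LOWER_EMIT"  # marker of the hypothetical 'vendor B' compiler,
                           # whose own code generator emits lowercase opcodes


def program_name(source):
    m = re.search(r"^PROGRAM\s+(\w+)", source, re.M)
    return m.group(1) if m else None


def clean_compile(source):
    """Honest translation of the toy language: one opcode per statement."""
    ops = []
    for line in source.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line.startswith("PROGRAM"):
            continue
        ops.append(line)
    return tuple(ops)


def run_compiler(compiler_binary, source):
    """Run a compiler binary on a source text and return the output binary.

    The output is determined by the compiler's *source semantics*: a
    stage-1 binary built from COMPILER_SOURCE emits uppercase opcodes even
    if the vendor-B compiler that produced it emits lowercase ones.  A
    binary carrying TRAP behaves identically on all inputs except the two
    the trap recognises, which is what makes the trap self-propagating.
    """
    out = clean_compile(source)
    if LOWER_EMIT in compiler_binary:
        out = tuple(op.lower() for op in out)
    if any(op.upper() == TRAP for op in compiler_binary):
        name = program_name(source)
        if name == "compiler":
            out = out + (TRAP,)
        elif name == "login":
            out = out + (BACKDOOR,)
    return out


def ddc(suspect_compiler, suspect_source, trusted_compilers):
    """Diverse double-compiling.

    For each trusted compiler cT: stage1 = cT(sA); stage2 = stage1(sA).
    With deterministic compilation, stage2 == cA iff cA really came from
    sA.  Returns one boolean per trusted compiler so the caller can see
    which of them agree with the suspect binary.
    """
    verdicts = []
    for ct in trusted_compilers:
        stage1 = run_compiler(ct, suspect_source)
        stage2 = run_compiler(stage1, suspect_source)
        verdicts.append(stage2 == suspect_compiler)
    return verdicts


CLEAN = clean_compile(COMPILER_SOURCE)                        # honest build of sA
TRUSTED_A = CLEAN                                             # vendor A: same codegen style as sA
TRUSTED_B = tuple(op.lower() for op in CLEAN) + (LOWER_EMIT,)  # vendor B: different binary, same language
SUSPECT = CLEAN + (TRAP,)                                     # claims to be built from sA, but is trojaned
TRAPPED_A = TRUSTED_A + (TRAP,)                               # both 'trusted' compilers carrying the same trap
TRAPPED_B = TRUSTED_B + (TRAP,)

if __name__ == "__main__":
    print("honest binary, honest trusted compilers:", ddc(CLEAN, COMPILER_SOURCE, [TRUSTED_A, TRUSTED_B]))
    print("trojaned binary, honest trusted compilers:", ddc(SUSPECT, COMPILER_SOURCE, [TRUSTED_A, TRUSTED_B]))
    print("trojaned binary, all trusted compilers trapped:", ddc(SUSPECT, COMPILER_SOURCE, [TRAPPED_A, TRAPPED_B]))
    print("login built by suspect:", run_compiler(SUSPECT, LOGIN_SOURCE))
```

The last case is the limit Mark points out: if every first-stage compiler carries the same trap, both stage-2 binaries reproduce the suspect bit-for-bit and DDC reports agreement, so the assurance rests on at least one of the trusted compilers being free of that particular trap. Real DDC also depends on reproducible builds and on the trusted compilers implementing the same language semantics; the toy gets determinism for free by construction.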