[deckarep]

Is it just me…or does article seem a bit contrived? I was expecting to read this to learn about a really powerful hijacking technique when in reality it’s just a program that manipulates your input program.

This is something that could easily occur with scripting languages, backend systems, open source, closed source, etc.

Basically any black-box system that takes in some input could pre-manipulate the input yielding an unknown/unexpected output.

[awelm]

> This is something that could easily occur with scripting languages, backend systems, open source, closed source, etc. Basically any black-box system that takes in some input could pre-manipulate the input yielding an unknown/unexpected output.

IMO thats why it's a scary attack. It's a really simple idea and there are so many ways to apply it

[josephcsible]

The key point is that if your system has an evil compiler, building your own compiler from known-good source code will just give you another evil compiler, no matter how many times you do it. It creates a bootstrapping problem for the victim that doesn't have easy solutions.

[deckarep]

Perhaps another way to say it-using an evil compiler could bootstrap any kind of malicious code in the compiled artifact whether it’s a compiler or not.

[josephcsible]

No, because if that's all it did, just rebuilding your compiler twice would free you from it.