Hacker News new | ask | show | jobs
by jorgeortiz85 4663 days ago
Is it harder to sneak in junk in open source projects? I'm reminded of Ken Thompson's Turing Award lecture, "Reflections on Trusting Trust". http://cm.bell-labs.com/who/ken/trust.html

Could someone add a backdoor to git that hides backdoors from showing up in git? Could gcc be backdoored to add backdoors to arbitrary software? How likely is it that NSA has a few zero-days lying around they could use to hack into the servers that host git or gcc or any other tool you rely on? What if they had agents among the committers and maintainers of these projects?

Security against a well-armed, well-funded, well-organized, secretive adversary is hard.
2 comments
hyperpape 4663 days ago
There are countermeasures concerning the Trusting Trust attack: http://www.schneier.com/blog/archives/2006/01/countering_tru..., though I'm not sure if anyone has ever seriously attempted to deploy them.
link
betterunix 4663 days ago
I have given some thought to this kind of thing, and one thing I realized is that the limits of the trusting trust attack can be exploited as well. Let's support you only have one compiler. Now, it is going to try to insert the worm into any compiler it compiles, right? The problem is that it must be able to detect that it is actually compiling a compiler.

This, however, is not a decidable problem. It is possible to construct a program that will fool the worm and thus you can create a compiler that you know you can trust for this test. It will probably be a hard compiler to use, but you will need it at most twice -- once to check for an attack, and if there is an attack once more to bootstrap a clean compiler.

link
Yen 4663 days ago
But in order to create a disguised compiler, you need to know what method a compromised system uses to decide whether something is a compiler.

i.e., you actually have to have an example of a compromised compiler, which pretty much solves the problem in the first place.

If you decidedly don't-trust the only compiler on your system, and don't trust outside sources, the only solution is to hand-assemble a new compiler on the system, and hope that at least the hardware is trustworthy. which it isn't, necessarily.

link
regularfry 4663 days ago
Could you spot a "trusting-trust"-style backdoor in an FPGA you were offloading crypto to? How would you even start?
link