undefined | Better HN

0 pointsacqq12y ago0 comments

Exactly. Even more interesting, all of the source code can be OK and just some subtle configuration tweaks can be enough to compromise you. Or just some build flag that you don't even see in sources. Often you don't know the build flags of every binary as soon as you use binaries. You also don't know if the compiler is tweaked to do some preprocessing you don't know about (see Reflections on Trusting Trust by Ken Thompson):

http://cm.bell-labs.com/who/ken/trust.html

For security conscious the prefect state is the OS which changes very, very slowly, fixing only security bugs and having binaries used by as many people as possible and which change so seldom that more people can even check them by disassembling them. You don't want to only check sources, you want to disassemble the binaries and decide if they match the sources.

And only then you want to be sure that all configurations are what they should be. Not easy at all.

0 comments

dllthomas12y ago

You can (which is not, necessarily, to say do) know if the compiler is tweaked: http://www.dwheeler.com/trusting-trust

This only works if you are building things yourself or trust the group building things, of course, but it's way easier than audit by disassembling binaries.

flyinRyan12y ago

How does this deal with [1]? Also, how do you know that your disassembler isn't compromised?

[1] http://programmers.stackexchange.com/questions/184874/is-ken...

acqqOP12y ago

Disassemblers produce assembly code, not the HLL code, so they are many orders of magnitude easier to write from the scratch than modern compilers. They typically expect human involvement as soon as there's non-trivial assembly-level engineered self-modifying code. Hopefully there's no much of such code in the results of the compilers we use.

Also if you check the whole discussion you'll see I already discussed Ken's work.

1 more reply

j / k navigate · click thread line to collapse