Orcmid's Lair status 


Trusting Trust: Connections

On the Mostly Security Stories blog there is an article, "The Myth of Provable Correctness as a Security Solution" [1].  Although the article goes overboard on what you'd have to prove correct, it makes an important observation: trust is always required.  That is different from proving that trust is unnecessary because there is nothing that could be breached in the first place, an arrangement that is too easily confused with trust.

As an example of the possibility of undetectable tampering, the article mentions Ken Thompson's 1984 Turing Award Lecture, "Reflections on Trusting Trust."  Thompson described how a compiler or other tool could be built to carry a Trojan that is not apparent in its own source code, but that re-injects itself into any recompilation of the tool from sufficiently similar source code.  The purpose of the Trojan would be to inject still other Trojans into other kinds of programs compiled with that compiler, or it could be used to drop a payload onto any machine on which the compiler is operated.

David A. Wheeler has since proposed a technique by which, given two independently developed compilers for the same language, one can determine whether there is some peculiar behavior in one or both of them that reflects undetected defects or even hidden malicious code at the binary level in one or the other.  It might not be possible to determine which is the culprit (and both could have problems), but it would be clear that something was amiss.
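The two paragraphs above describe a propagation mechanism and a check against it; the following is an added illustration of both, written for this page and not taken from Thompson's lecture, from Wheeler's paper, or from the blog being discussed.  It is a toy model: the "machine code" is a Python code object, a compiler "binary" is run by exec'ing it and calling its compile_program entry point, and every name below (CLEAN_COMPILER_SRC, TRUSTED_COMPILER_SRC, diverse_double_compile, the TAMPERED tag) is made up for the model.  The check assumes what Wheeler's technique assumes: that compiling the same source with the same target format gives an identical binary, so the comparison is meaningful.

```python
"""Toy model of a self-reproducing compiler Trojan and of the two-compiler
check that exposes it.  Added illustration; all names are constructed."""

# Source of the honest compiler, as a maintainer would read it: nothing odd.
CLEAN_COMPILER_SRC = '''
def compile_program(src):
    return compile(src, "<prog>", "exec")
'''

# An independently written compiler for the same "language", used as the
# trusted second compiler.  Different text, same intended behaviour.
TRUSTED_COMPILER_SRC = '''
def compile_program(text):
    """Independent implementation used as the cross-check."""
    code = compile(text, "<prog>", "exec")
    return code
'''

# The tampered compiler.  Its source was compiled once and then discarded;
# the resulting image re-inserts itself whenever it is asked to compile
# something that looks like the compiler, and tags any program that defines
# login().  The %r / %% trick makes the template contain its own text.
_TROJAN_TEMPLATE = '''
def compile_program(src):
    SELF = %r
    if "def compile_program" in src:
        src = SELF %% SELF                # re-inject: build this, not the clean source
    elif "def login(" in src:
        src = src + "\\nTAMPERED = True"  # inert stand-in for a payload
    return compile(src, "<prog>", "exec")
'''
TROJANED_COMPILER_SRC = _TROJAN_TEMPLATE % _TROJAN_TEMPLATE


def build(binary):
    """'Run' a compiler image: exec it and return its compile_program entry."""
    namespace = {}
    exec(binary, namespace)
    return namespace["compile_program"]


def naive_self_check(suspect_binary, suspect_source):
    """Rebuild the compiler with itself and compare.  This passes even for
    the tampered image, because the image re-injects itself."""
    rebuilt = build(suspect_binary)(suspect_source)
    return rebuilt == suspect_binary


def diverse_double_compile(trusted_binary, suspect_binary, suspect_source):
    """Compile the suspect's source with an independent trusted compiler,
    use that result to compile the same source again, and compare with the
    suspect image.  Requires deterministic builds."""
    stage1 = build(trusted_binary)(suspect_source)
    stage2 = build(stage1)(suspect_source)
    return stage2 == suspect_binary


def program_is_tagged(compiler_binary, program_source):
    """Compile and run a program with the given compiler image and report
    whether the tampered compiler's tag shows up in the result."""
    code = build(compiler_binary)(program_source)
    namespace = {}
    exec(code, namespace)
    return namespace.get("TAMPERED", False)


# Constructed images: the honest one, the independent trusted one, and the
# tampered one that an attacker slipped into the build chain.
CLEAN_BINARY = compile(CLEAN_COMPILER_SRC, "<prog>", "exec")
TRUSTED_BINARY = compile(TRUSTED_COMPILER_SRC, "<prog>", "exec")
TROJANED_BINARY = compile(TROJANED_COMPILER_SRC, "<prog>", "exec")

# Constructed sample program: its source is identical in both cases; only
# the compiler that built it differs.
LOGIN_SRC = "def login(user, pw):\n    return False\n"

if __name__ == "__main__":
    for name, image in (("clean", CLEAN_BINARY), ("tampered", TROJANED_BINARY)):
        print(name,
              "self-check:", naive_self_check(image, CLEAN_COMPILER_SRC),
              "two-compiler check:",
              diverse_double_compile(TRUSTED_BINARY, image, CLEAN_COMPILER_SRC),
              "login tagged:", program_is_tagged(image, LOGIN_SRC))
```

The self-check passes for both images, which is exactly Thompson's point: the tampered compiler rebuilds itself from clean-looking source.  The two-compiler check fails only for the tampered image, and, as the paragraph above says, it reports that the two disagree without saying which one is honest; if the trusted compiler were the tampered one, the same mismatch would appear.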

Wheeler's proposal is not going to bring us to a point where we can avoid trust, but it is an interesting demonstration that the businesses of finding exploitable situations and of detecting suspicious code are in an arms race.  This leaves us with the not-so-satisfying but realistic conclusion that there are always exploitable conditions, and that new safeguards are also always being discovered.  For numerous practical reasons, the culprits will always have the edge.

[1] These articles don't appear to have permalinks; I have failed to find archive pages with the individual entries.  "The Myth" was posted on Saturday, 2007-06-09 and you may have to scroll down for it.  The RSS feed only provides digests.  I have made a personal cache of the article for preservation purposes and you might want to do that too.

The connections noted in the title have to do with the following sequence of events that demonstrate the coincidental web as a conversation.  On 2007-06-23, Algosome posted a comment on my blog post about Peter Naur's Turing Award paper.  I went to Algosome's blog and was delighted to see that we have a shared interest in security topics.  When I saw the post on "The Myth" I wanted to comment, but that does not seem possible.  I also don't see any way to contact Algosome directly.  Instead, I am blogging here about Wheeler's paper as a way of commenting on Algosome's article.  In this case, the conversation is hampered and asymmetrical.  I don't normally invest this much effort in what could have been accomplished by a simple comment on someone else's blog. 


template created 2002-10-28-07:25 -0800 (pst) by orcmid
$$Author: Orcmid $
$$Date: 07-02-17 11:08 $
$$Revision: 26 $