On Tue, 28 Mar 2006 12:07:19 EST, "Krpata, Tyler" said: > If only someone would invent some sort of software that would generate a > binary from source code...
It's called a compiler. And that's not foolproof - first off, different versions of the compiler often generate different code. I've personally seen gcc 3.2 and gcc 4.1 generate code that's 10% or more different - and that's *plenty* of difference to sneak a one-line backdoor in. Second off, even if you compile with the same compiler, it doesn't mean you're off the hook. Go read Ken Thompson's Turing Award Lecture "On Trusting Trust" (http://www.acm.org/classics/sep95/). Although Ken actually implemented it, the concept wasn't original with him - the "unnamed Air Force document" he references is Karger&Schell's 1974 paper on Multics security: http://csrc.nist.gov/publications/history/karg74.pdf Thirty years later, they did a retrospective on what we've learned: http://www.acsac.org/2002/papers/classic-multics.pdf (Summary - we're going backwards....)
pgp88O73LDAEZ.pgp
Description: PGP signature
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
