On 4/18/07, Earl Lapus <[EMAIL PROTECTED]> wrote:
I came across this blog post, http://scienceblogs.com/goodmath/2007/04/strange_loops_dennis_ritchie_a.php from what I understand, the post explains a way to inject instructions in to a software without actually altering the source code. it does this by modifying the compiler and make it do funky things.
Actually Earl, it requires modifying the _compiler source code_ and not the binary per se. The modified "parent" compiler code will produce the _rogue compiler_ with the backdoor insertion code and will then be used to compile itself producing a compiler that will no longer need to be modified since it will insert backdoor code into any code it will compile. Even if the original source code will be modified again and the backdoor verification and insertion code will be removed, the compiler by this time already contains the backdoor verification and insertion code in binary form, thereby performing its task during compiler self recompilation. Illustrating: where cc = clean compiler cmb = compiler source modified with backdoor verification and code insertion cbb = compiler with backdoor verification and insertion code built in sbc = backdoor verification and insertion code routine cs = clean source cc + cmb = cbb cmb - sbc = cs cbb + cs = cbb(1) cbb(1) + cs = cbb(2) and so on... By this time, the seed is already sown on the original compiler source code. Even if the source is clean, the backdoor code will still propagate on succeeding compilations. This will also apply to applications which will then be compiled using cbb, cbb(1), or cbb(2). so my question is, if I apply this to a software that has an open
source license, would I be violating the license? Does open source licenses apply to both the source and the binary output of the source being compiled?
On applying this to opensource systems, you can only do so if you modify the GCC's source code and insert manually the backdoor verification and insertion routine generating the rogue GCC. Clean up GCC source code and recompile again and the cycle is complete. If this method will be applied to an SRC-dependent distro like Gentoo, all hell will break loose on your system. When a compromised GCC will be used on the distro, every succeeding compilation will generate app binaries with the backdoor verification and insertion routine! On GPL and opensource licenses, I dont think you will violate the license to the application. And yes, GPL and other opensource licenses apply to the source code itself and to the binary output of the source. Most opensource licenses do require you to distribute the source code along with the binary app or provide a location to obtain the source. I dunno if I am making sense throughout this post. -- "A dog that has no bite, barks loudest." Registered Linux User #400165 http://baudizm.blogsome.com http://phossil.ifastnet.com Subscribed to: LARTC, Open-ITLUG, PRUG, KLUG, sybase.public.ase.linux SHA256: 857dd62339c9fe27460b725747dfe25d5612933f7d879c35fb0cba2dadaf972f
_________________________________________________ Kagay-Anon Linux Users' Group (KLUG) Mailing List [email protected] (http://cdo.linux.org.ph) Searchable Archives: http://archives.free.net.ph
