On Wed, Apr 14, 2004 at 10:26:55AM +0300, Shachar Shemesh wrote:
> Yedidyah Bar-David wrote:
> 2. Compile GCC on a Sun Solaris using the Forte compiler. Take the
> resulting binary, and use it to cross compile GCC for Linux. To be
> insecure you now require that Forte have the backdoor to GCC 3.3.2.
> 3. 'diff' the two binaries, and analyze all places they are different.
> To be insecure, you now require that BOTH gcc 1.5 AND Forte have THE
> SAME backdoor for gcc 3.3.2, OR that diff be backdoored against it.
> 4. Write your own diff. Use any obfuscated programming technique you can
> think of. Make the program barely readable to humans. Test it to make
> sure it behaves as expected. Compile with gcc and compare the two
> versions. To be secure, you require that BOTH compilers be backdoored,
> OR that gcc be backdoored to alter your own custom, barely readable,
> written-after-the-compiler-was-released version of diff.
>
> You get the picture - the idea is that you can make the cost of
> attacking you arbitrarily high, until you reach the point where you can
> assume it doesn't make sense to try and attack you through this attack
> vector.
>
> Attack vector 2 - hardware manipulation. What if Intel altered their CPU
> to make it detect the fact you are running "login", and change the CPU
> instruction handling to allow X to log into your system?
>
> The answer is that this attack's cost is so astoundingly high, that a
> simple benchmark to check that the CPU is not running at below 50%
> performance should suffice to block it. Reason:
> Due to market forces, Intel is trying to make its CPUs as fast as
> possible, while taking as little electricity as possible. Every line
> done in silicon is calculated. Now let's see how much performance hit
> adding the backdoor will be:
> 1. The CPU sees your program between one and ten instructions at a time.
> Unlike a compiler, it has no "big picture" analysis of your code. In
> practice each component in the CPU sees less than one instruction at a time.
> 2. Adding "big picture" means lots and lots and lots of "data paths"
> added (for all the combinations of memory layouts). These drastically
> increase the power the CPU consumes. As such, if Intel were to agree to
> backdoor all Linux machines through the CPUs, it would be at a
> considerable comparative disadvantage to AMD. Attack costs TOO MUCH.
> 3. Trojaning your specific CPU is even less of an option. It means
> redesigning the CPU specifically for you. It also means that this CPU is
> likely to be of worse performance than the standard.
There are other parts of hardware. For instance: assume that the disk
controller has some idle time. Make it search for a pattern of the login
binary of a certain distro and change it a bit. Filesystem reading code is
not very large: try grub. Some disk controllers can be updated by
firmware. Another possible place is a remote storage device.

-- 
Tzafrir Cohen                       +---------------------------+
http://www.technion.ac.il/~tzafrir/ |vim is a mutt's best friend|
mailto:[EMAIL PROTECTED]            +---------------------------+
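Step 3 of the procedure Shachar quotes (compare two independently produced builds of the same program and examine every place they differ) is the part a practitioner actually has to automate. The following is an added example, not code from either mail in this thread: a small byte-level comparison tool that lists the differing regions of two images so each can be mapped back to a section or symbol with objdump/readelf. The two "builds" are constructed byte strings, and the build-ID field that is whitelisted as a legitimate difference is an assumption about where honest builds may vary (timestamps, build IDs); real binaries need that list derived from the file format. As the quoted text notes, a diff like this cannot detect a backdoor that both compilers share; it only makes that the attacker's required position.

```python
"""Byte-level comparison of two independently built images of one program.

Added example for the "diff the two binaries" step; not code from the
thread. The sample inputs below are constructed stand-ins for two
compiler outputs, and the build-ID field location is an assumption.
"""
from typing import Iterable, List, Tuple

Range = Tuple[int, int]  # half-open [start, end) byte offsets


def diff_ranges(a: bytes, b: bytes, ignore: Iterable[Range] = ()) -> List[Range]:
    """Return the half-open ranges at which `a` and `b` differ.

    Offsets inside any `ignore` range (for example a build-ID or timestamp
    field that legitimately differs between two honest builds) are treated
    as equal. Bytes beyond the shorter input count as differing, so a
    length mismatch shows up as a final range ending at max(len(a), len(b)).
    """
    ignored = set()
    for lo, hi in ignore:
        ignored.update(range(lo, hi))

    ranges: List[Range] = []
    start = None                      # start of the current run of differences
    longest = max(len(a), len(b))
    for i in range(longest):
        same = i < len(a) and i < len(b) and a[i] == b[i]
        if i in ignored:
            same = True
        if not same:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:             # run of differences reaches the tail
        ranges.append((start, longest))
    return ranges


def differing_bytes(ranges: Iterable[Range]) -> int:
    """Total number of bytes covered by the reported ranges."""
    return sum(hi - lo for lo, hi in ranges)


def show_region(a: bytes, b: bytes, lo: int, hi: int, context: int = 4) -> str:
    """Render one differing region with a few bytes of context on each side,
    for manual analysis of what the two compilers emitted there."""
    s = max(0, lo - context)
    e = min(max(len(a), len(b)), hi + context)
    return (f"@0x{lo:x}..0x{hi:x}\n"
            f"  A: {a[s:e].hex(' ')}\n"
            f"  B: {b[s:e].hex(' ')}")


# Constructed stand-ins for two builds: a fixed header, an 8-byte build-ID
# field (assumed to differ between honest builds), then "code". Build B
# differs in the build ID (expected) and in a single code byte, the kind
# of change an altered conditional jump in "login" would produce.
HEADER = b"\x7fELF" + b"\x00" * 12
BUILD_ID_RANGE: Range = (len(HEADER), len(HEADER) + 8)
CODE = bytes(range(0x40, 0x80))

BUILD_A = HEADER + b"A" * 8 + CODE
_code_b = bytearray(CODE)
_code_b[0x10] ^= 0x01                 # one-bit change inside the code
BUILD_B = HEADER + b"B" * 8 + bytes(_code_b)


def compare_builds(a: bytes = BUILD_A, b: bytes = BUILD_B) -> List[Range]:
    """Differences that remain once the known-volatile build-ID field is
    ignored; anything returned here needs a human explanation."""
    return diff_ranges(a, b, ignore=[BUILD_ID_RANGE])


if __name__ == "__main__":
    for lo, hi in compare_builds():
        print(show_region(BUILD_A, BUILD_B, lo, hi))
```

Run against real files, read both images with `open(path, "rb").read()`, and derive the ignore list from the format (for ELF, the `.note.gnu.build-id` section and any embedded date strings) rather than hard-coding offsets; an unexplained range after that is the signal the procedure is designed to surface.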