>> You might want to read Thompson's classic "reflections on trusting
>> trust".  www.acm.org/classics/sep95
> While that is always a good read, I'm not so sure it's that relevant
> anymore.  There is a LOT of binary analysis going on these days.

Yes - but you're trusting your binary analysis tools to be intact.
You're trusting the OS to give you honest copies of what's on disk.
You're trusting lots of things which could be subverted - you could be
talking to a complete funkspiel, in theory.

At some point you have to say "the chance of the system being subverted
here is low enough I'm going to ignore it".  For example, when I buy
transistors from the electronics shop, I don't worry about the
possibility that they have enough smarts inside them to act in weird
ways when used in certain applications.  As a theoretical example of
the kind of thing I mean, consider a transistor that, when used as a
switch in a serial-line level-shifter, replaces the incoming data with
other data.  I choose to trust that the stuff inside the package is
sufficiently close to what I think it is to not introduce any
insecurities relevant to my threat model.

But if my threat model included an adversary sufficiently resourceful
and subtle to subvert the electronic-part distribution chain upstream
of me, and the price of getting subverted were high enough, I might
want to set up a small smelter/forge/whatever to make my own

/~\ The ASCII                           der Mouse
\ / Ribbon Campaign
 X  Against HTML               [EMAIL PROTECTED]
/ \ Email!           7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
Secure Coding mailing list (SC-L)
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php

Reply via email to