On 18 March 2015 at 12:36, Lennart Sorensen <[email protected]> wrote:
> On Wed, Mar 18, 2015 at 12:07:10PM -0400, Christopher Browne wrote:
>> - Oh dear, that means we need to recompile the Perl, Python, and
>> Ruby distributions every time. Should we be running the test
>> suites, too, to verify that they're working as predicted?
>
> Sure, but why trust the test suites haven't been tampered with?

Yep, that means we need to download the sources of *everything*, from
trusted sources, and check the checksums. Recursively.

And it doesn't really validate that the test suites are any good, which
is distinct from tampered with... The only way to be totally confident
the test suites are any good is if you wrote them yourself.

>> But I guess that since *everything* is really computer
>> security, then the plans must be already well under way
>> for Debian to recompile everything, from the kernel to
>> Grub to all the scripting engines during the boot
>> process.
>
> But why trust your compiler? All such a stupid idea is doing is moving
> the problem, while putting some stuff in front that sounds like they
> are doing something to improve security, while doing no such thing.
>
> There are ways to make sure you are booting trusted code. Recompiling
> from source at boot is not one of them. It does the opposite in fact.

Yep, it shuffles around the problem, pretending that the compiling
process is a grand protection.

This properly steps us back to Ken Thompson's paper on trust
http://cm.bell-labs.com/who/ken/trust.html
where he points out an exploit (discovered by MULTICS folk somewhat
earlier) where a suitably hacked compiler might put arbitrary exploits
anywhere into this process.

And there's actually a tale in the last week pointing to attempts to do
exactly what Thompson is pointing at; it seems as though some TLA
agencies have tried such stunts with some of the Apple compiler
toolchain called XCode.
http://www.macrumors.com/2015/03/10/leaked-cia-documents-hacked-xcode/

Gentoo, at one time, had proponents that would claim no end of benefits
from compiling everything from scratch. I don't think that's what it's
about now, but at one time, there were plenty of "fanboys" claiming
that they were making their system better and understanding it better
just by virtue of watching the successive series of "make" output,
lines of logs indicating what file GCC most recently compiled, and with
what flags, scroll by.

Pointing back to those fun times, with maximum sarcasm...
http://funroll-loops.teurasporsaat.org/

Watching the compiler 'logging' scroll past doesn't represent actual
understanding. (And if someone pulled Thompson's exploit on your
compiler toolchain, recompiling ensures INsecurity!)

Instead, I'll step back to Thompson's paper...

"The moral is obvious. You can't trust code that you did not totally
create yourself."

That's a deeper statement than it seems; deep trust requires that you
write your own compiler, your own libraries, your own linker, your own
bootloader, and so forth. But the shallow interpretation also works
decently. Recompiling someone else's code using someone else's
compiler using someone else's control scripts doesn't provide deep
trust.

--
When confronted by a difficult problem, solve it by reducing it to the
question, "How would the Lone Ranger handle this?"
---
Talk Mailing List
[email protected]
http://gtalug.org/mailman/listinfo/talk
