[GTALUG] MP BIOS Toshiba - semi revival

Christopher Browne cbbrowne at gmail.com
Wed Mar 18 16:59:08 UTC 2015


On 18 March 2015 at 12:36, Lennart Sorensen
<lsorense at csclub.uwaterloo.ca> wrote:
> On Wed, Mar 18, 2015 at 12:07:10PM -0400, Christopher Browne wrote:
>> - Oh dear, that means we need to recompile the Perl, Python, and
>>   Ruby distributions every time.  Should we be running the test
>>   suites, too, to verify that they're working as predicted?
>
> Sure, but why trust the test suites haven't been tampered with?

Yep, that means we need to download the sources of *everything*,
from trusted sources, and check the checksums.  Recursively.
And it doesn't really validate that the test suites are any good,
which is distinct from tampered with...  The only way to be
totally confident the test suites are any good is if you wrote them
yourself.

>> But I guess that since *everything* is really computer
>> security, then the plans must be already well under way
>> for Debian to recompile everything, from the kernel to
>> Grub to all the scripting engines during the boot
>> process.
>
> But why trust your compiler?  All such a stupid idea is doing is moving
> the problem, while putting some stuff in front that sounds like they
> are doing something to improve security, while doing no such thing.
>
> There are ways to make sure you are booting trusted code.  Recompiling
> from source at boot is not one of them.  It does the opposite in fact.

Yep, it shuffles around the problem, pretending that the compiling
process is a grand protection.

This properly steps us back to Ken Thompson's paper on trust
http://cm.bell-labs.com/who/ken/trust.html
where he points out an exploit (discovered by MULTICS folk somewhat
earlier) where a suitably hacked compiler might put arbitrary
exploits anywhere into this process.

And there's actually a tale in the last week pointing to attempts to do
exactly what Thompson is pointing at; it seems as though some TLA
agencies have tried such stunts with some of the Apple compiler
toolchain called XCode.

http://www.macrumors.com/2015/03/10/leaked-cia-documents-hacked-xcode/

Gentoo, at one time, had proponents that would claim no end of
benefits from compiling everything from scratch.  I don't think that's
what it's about now, but at one time, there were plenty of "fanboys"
claiming that they were making their system better and understanding
it better just by virtue of watching the successive series of "make"
output, lines of logs indicating what file GCC most recently compiled,
and with what flags, scroll by.

Pointing back to those fun times, with maximum sarcasm...
http://funroll-loops.teurasporsaat.org/

Watching the compiler 'logging' scroll past doesn't represent
actual understanding.  (And if someone pulled Thompson's exploit
on your compiler toolchain, recompiling ensures INsecurity!)

Instead, I'll step back to Thompson's paper...

"The moral is obvious. You can't trust code that you did not totally
create yourself."

That's a deeper statement than it seems; deep trust requires that
you write your own compiler, your own libraries, your own linker, your own
bootloader, and so forth.

But the shallow interpretation also works decently.  Recompiling
someone else's code using someone else's compiler using
someone else's control scripts doesn't provide deep trust.
-- 
When confronted by a difficult problem, solve it by reducing it to the
question, "How would the Lone Ranger handle this?"
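The "download the sources, check the checksums, recursively" step above, as an added example that is not from this thread: a dependency-tree checksum walk with constructed sample sources and a constructed manifest (names, hashes and dependency edges are all made up for illustration). It only detects a download that differs from the manifest; as the thread points out, it says nothing about the compiler that will build those sources, and the manifest itself is only worth anything if it arrives over a channel independent of the downloads.

```python
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed pristine sources (stand-ins for tarballs) and a manifest derived
# from them, modelling a manifest obtained from a trusted, independent channel.
PRISTINE = {
    "app":    b"app source v1",
    "perl":   b"perl source 5.20",
    "python": b"python source 3.4",
    "zlib":   b"zlib source 1.2.8",
}
DEPS = {"app": ["perl", "python"], "perl": ["zlib"], "python": ["zlib"], "zlib": []}
MANIFEST = {name: {"sha256": sha256(src), "deps": DEPS[name]}
            for name, src in PRISTINE.items()}

# Constructed "what we actually downloaded": zlib has been altered in transit.
DOWNLOADS = dict(PRISTINE, zlib=b"zlib source 1.2.8 + extra bytes")

def verify_tree(root, manifest, downloads):
    """Walk the dependency tree from `root`, checking each package exactly once.
    Returns package -> 'ok', 'mismatch', 'missing-download' or 'missing-manifest'.
    Shared dependencies and cycles are handled by recording a result before recursing."""
    results = {}

    def visit(name):
        if name in results:
            return
        entry = manifest.get(name)
        if entry is None:                      # dependency nobody vouched for
            results[name] = "missing-manifest"
            return
        data = downloads.get(name)
        if data is None:
            results[name] = "missing-download"
        elif sha256(data) != entry["sha256"]:
            results[name] = "mismatch"
        else:
            results[name] = "ok"
        for dep in entry["deps"]:
            visit(dep)

    visit(root)
    return results

def all_ok(results):
    return bool(results) and all(v == "ok" for v in results.values())

if __name__ == "__main__":
    for pkg, status in verify_tree("app", MANIFEST, DOWNLOADS).items():
        print(f"{pkg:8} {status}")
```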