<html>
<body>
At 05:04 PM 9/6/2009, you wrote:<br>
<blockquote type=cite class=cite cite="">Seems like with all this talk of
security and compilers, it's time to <br>
bring up Ken Thompson's paper:<br><br>
<a href="http://cm.bell-labs.com/who/ken/trust.html" eudora="autourl">
http://cm.bell-labs.com/who/ken/trust.html</a></blockquote><br>
Nice paper. Elegant and to the point. Interesting guy that
Roger Schell. I don't recognize the name P.A. Karger. The
paper that is referred to is:<br><br>
Paul A. Karger, Roger R. Schell,
<a href="http://csrc.nist.gov/publications/history/karg74.pdf"><i>Multics
Security Evaluation: Vulnerability Analysis</i></a> (Air Force Electronic
Systems Division, 1974) describes the classic attacks on Multics security
by a "<a href="http://en.wikipedia.org/wiki/Tiger_team">tiger
team</a>". <br><br>
I know I read the above paper, but I'm sorry to say I don't remember the
main concept from your Thompson reference previously from either
source.<br><br>
Perhaps now would be a good time to read:<br><br>
Paul A. Karger, Roger R. Schell,
<a href="http://www.acsac.org/2002/papers/classic-multics.pdf"><i>Thirty
Years Later: Lessons from the Multics Security Evaluation</i></a> (IBM,
2002) is an interesting retrospective which compares actual deployed
security in today's hostile environment with what was demonstrated to be
possible decades ago. It concludes that Multics offered considerably
stronger security than most systems commercially available in
2002.<br><br>
Thanks for sharing that reference. I didn't know (or didn't recall)
that such Trojan Horses can be so strongly invisible.<br><br>
I don't see how that concept provides much of a distinction for this
discussion, however, as I expect such a Trojan Horse could be placed in
either a traditional memory protected system or in a system with language
based security - if one could once get access to the compiler used to
compile the system. Perhaps this argument could suggest that,
because of this vulnerability to such Trojan Horses, traditional systems
based on memory protection are just as vulnerable as those relying on
language based protection (? - contrary to my earlier assertions?).
Namely, as Thompson says, you really can't trust any code that you didn't
build yourself up from the binary. In that case I think we're all
in trouble.<br>
<br><br>
--Jed
<a href="http://www.webstart.com/jed-signature.html" eudora="autourl">
http://www.webstart.com/jed-signature.html</a> </body>
</html>