[E-Lang] Announcing stl-E 0.8.9k: An interim non-distributed release

Bill Frantz frantz@communities.com
Tue, 02 Jan 2001 15:15:42 -0800

At 11:05 PM 12/31/00 -0800, Mark S. Miller wrote:
>I propose that the reasoning chain by which we come to believe that *any* 
>UTCB is immune to, for example, the Ken Thompson attack is a reasoning chain 
>that uses this baby vs attacker distinction.  For example, while Jonathan 
>may be protecting himself in some ways from plausible accidental compiler 
>bugs in compiling the EROS kernel, I see no way for him to protect himself 
>(or us) from compilers that are out to get him.  The compiler cannot be 
>assumed to have been written with the care of the EROS kernel, so we must 
>assume it may be a baby, but we trust it not to be an attacker.  KeyKOS/360 
>avoided depending on a compiler, but it did not avoid dependence on 
>assemblers and hex dumpers and such.

KeyKOS used what is to me a rather powerful argument that it was immune to
the Ken Thompson attack.  We used an assembler which was released before
the design of KeyKOS.  I believe that it is currently unfeasible to install
a Ken Thompson attack against a system without knowing at least something
of its design.  (With powerful enough AI in the compiler, perhaps you
could do it.  But that is currently unfeasible.)

For EROS/KeyKOS, CDs with compilers written before the system design may be
quite useful.  Get the SHA1 hashes of the compilers and save those widely. :-)
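As an added example (not code from this thread, nor from KeyKOS or EROS), a small Python tool that does what the last paragraph suggests: record the hashes of a pinned, pre-dated toolchain and later verify the tree against them. The directory layout, the JSON manifest format and the constructed sample files are assumptions of the example; it detects changes to the pinned copy, not a backdoor already present in it.

```python
"""Pin and verify a toolchain by content hash.

Added example, not code from the e-lang thread: the post suggests saving the
SHA1 hashes of a compiler released before the system's design. This records a
manifest for every file under a toolchain directory and later reports files
that went missing, appeared, or changed. SHA-256 is recorded beside SHA-1
because SHA-1 collisions are now practical; the JSON layout is this example's own.
"""
import hashlib
import json
from pathlib import Path


def hash_file(path: Path) -> dict:
    """Return SHA-1 and SHA-256 hex digests plus byte size of one file."""
    sha1, sha256 = hashlib.sha1(), hashlib.sha256()
    size = 0
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            sha1.update(chunk)
            sha256.update(chunk)
            size += len(chunk)
    return {"sha1": sha1.hexdigest(), "sha256": sha256.hexdigest(), "size": size}


def build_manifest(root: Path) -> dict:
    """Hash every regular file below root, keyed by relative POSIX path."""
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Compare the tree under root with a saved manifest; all-empty lists
    mean the toolchain matches the pinned copy byte for byte."""
    current = build_manifest(root)
    both = manifest.keys() & current.keys()
    return {"missing": sorted(set(manifest) - set(current)),
            "unexpected": sorted(set(current) - set(manifest)),
            "changed": sorted(k for k in both if manifest[k] != current[k])}


def save_manifest(manifest: dict, dest: Path) -> None:
    """Write the manifest as JSON; copies of this file are what gets saved widely."""
    dest.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(src: Path) -> dict:
    return json.loads(src.read_text())
```

Run build_manifest once on the freshly installed CD copy, store the JSON in several independent places, and run verify_manifest before every build of the kernel.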