[E-Lang] Announcing stl-E 0.8.9k: An interim non-distributed release
Bill Frantz
frantz@communities.com
Tue, 02 Jan 2001 15:15:42 -0800
At 11:05 PM 12/31/00 -0800, Mark S. Miller wrote:
>I propose that the reasoning chain by which we come to believe that *any*
>UTCB is immune to, for example, the Ken Thompson attack is a reasoning chain
>that uses this baby vs attacker distinction. For example, while Jonathan
>may be protecting himself in some ways from plausible accidental compiler
>bugs in compiling the EROS kernel, I see no way for him to protect himself
>(or us) from compilers that are out to get him. The compiler cannot be
>assumed to have been written with the care of the EROS kernel, so we must
>assume it may be a baby, but we trust it not to be an attacker. KeyKOS/360
>avoided depending on a compiler, but it did not avoid dependence on
>assemblers and hex dumpers and such.
KeyKOS used what is to me a rather powerful argument that it was immune to
the Ken Thompson attack. We used an assembler which was released before
the design of KeyKOS. I believe that it is currently unfeasible to install
a Ken Thompson attack against a system without knowing at least something
of its design. (With powerful enough AI in the compiler, perhaps you
could do it. But that is currently unfeasible.)
For EROS/KeyKOS, CDs with compilers written before the system design may be
quite useful. Get the SHA1 hashes of the compilers and save those widely. :-)
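Pinning a pre-design toolchain by hash, as an added example that is not code from the original post or from KeyKOS/EROS: it checks each tool's release date against the design date and its bytes on disk against the saved digests. The tool names, dates and file contents are constructed, and SHA-256 is recorded beside SHA-1 as an added assumption, because SHA-1 collisions are practical today.

```python
import hashlib
import tempfile
from datetime import date
from pathlib import Path

# Hypothetical design-fix date: tools released earlier could not target the design.
DESIGN_DATE = date(1985, 1, 1)

def digests(path: Path) -> dict:
    """Hex SHA-1 and SHA-256 of a file, read in chunks."""
    h1, h256 = hashlib.sha1(), hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h1.update(chunk)
            h256.update(chunk)
    return {"sha1": h1.hexdigest(), "sha256": h256.hexdigest()}

def check_toolchain(manifest: dict, root: Path, design_date: date) -> list:
    """Return problems found; an empty list means every tool passed both checks:
    (1) released before the design existed, (2) bytes on disk match the saved digests."""
    problems = []
    for name, entry in manifest.items():
        if entry["released"] >= design_date:
            problems.append(f"{name}: released {entry['released']} after design date {design_date}")
        path = root / name
        if not path.exists():
            problems.append(f"{name}: missing")
            continue
        actual = digests(path)
        for alg in ("sha1", "sha256"):
            if actual[alg] != entry[alg]:
                problems.append(f"{name}: {alg} mismatch")
    return problems

def demo() -> list:
    """Constructed scenario: one acceptable tool, one modified after the
    manifest was saved, one released after the design date."""
    root = Path(tempfile.mkdtemp())
    (root / "asm").write_bytes(b"assembler v1 (placeholder bytes)")
    (root / "cc").write_bytes(b"compiler v2 (placeholder bytes)")
    (root / "ld").write_bytes(b"linker v3 (placeholder bytes)")
    manifest = {  # the record that would be "saved widely"
        "asm": {"released": date(1980, 6, 1), **digests(root / "asm")},
        "cc": {"released": date(1981, 3, 1), **digests(root / "cc")},
        "ld": {"released": date(1990, 1, 1), **digests(root / "ld")},
    }
    # The compiler binary changes after the record was taken.
    (root / "cc").write_bytes(b"compiler v2 (placeholder bytes, modified)")
    return check_toolchain(manifest, root, DESIGN_DATE)

if __name__ == "__main__":
    print("\n".join(demo()) or "toolchain OK")
```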