[E-Lang] Announcing stl-E 0.8.9k: An interim non-distributed release

Jonathan S. Shapiro shap@cs.jhu.edu
Wed, 03 Jan 2001 10:15:49 -0500

Bill Frantz wrote:
> At 11:05 PM 12/31/00 -0800, Mark S. Miller wrote:
> >I see no way for him to protect himself
> >(or us) from compilers that are out to get him.  The compiler cannot be
> >assumed to have been written with the care of the EROS kernel, so we must
> >assume it may be a baby, but we trust it not to be an attacker.  KeyKOS/360
> >avoided depending on a compiler, but it did not avoid dependence on
> >assemblers and hex dumpers and such.

Similarly, EROS depends on the hardware, on the bootstrap, and on the
particular cards installed on the machine. Also on the keyboard not
including a keystroke recorder (these are now very cheap, and can be
hidden within the keyboard shell easily). Also on the non-inversion of

> KeyKOS used what is to me a rather powerful argument that it was immune to
> the Ken Thompson attack.  We used an assembler which was released before
> the design of KeyKOS.  I believe that it is currently unfeasible to install
> a Ken Thompson attack against a system without knowing at least something
> of it's design....

There is a more persuasive argument. First, observe that assemblers are
very simple programs. Until very recently, their output is entirely
deterministic modulo a very small number of transformations on the

	1. selection of branch span sizes
	2. Introduction of delay slots (MIPS)

Further, it is possible to write a *disassembler* that generates
something very close to the original input. It is then possible to
automate the comparison of the decompiled assembler with the original
assembly input.

That is, the assembler result can be checked.

> (With powerful enough AI in the compiler, perhaps you
> could do it.  But that is currently unfeasible.)

I don't know, Bill. You strike me as a pretty powerful AI... :-)

> For EROS/KeyKOS, CDs with compilers written before the system design may be
> quite useful.  Get the SHA1 hashes of the compilers and save those widely. :-)

Quite frankly, I'm not worried about security holes in the compiler
nearly as much as I worry about *bugs* in the compiler.

But I guess you make a good case for preserving a legacy copy of GCC...