[E-Lang] Announcing stl-E 0.8.9k: An interim
non-distributed release
Bill Frantz
frantz@communities.com
Wed, 03 Jan 2001 12:12:56 -0800
At 10:15 AM 1/3/01 -0500, Jonathan S. Shapiro wrote:
>> KeyKOS used what is to me a rather powerful argument that it was immune to
>> the Ken Thompson attack. We used an assembler which was released before
>> the design of KeyKOS. I believe that it is currently unfeasible to install
>> a Ken Thompson attack against a system without knowing at least something
>> of it's design....
>
>There is a more persuasive argument. First, observe that assemblers are
>very simple programs.
Note that there was a C version of KeyKOS. We used the same argument there.
>Until very recently, their output is entirely
>deterministic modulo a very small number of transformations on the
>input:
>
> 1. selection of branch span sizes
> 2. Introduction of delay slots (MIPS)
>
>Further, it is possible to write a *disassembler* that generates
>something very close to the original input. It is then possible to
>automate the comparison of the decompiled assembler with the original
>assembly input.
>
>That is, the assembler result can be checked.
Compiler output can be checked as well. For a high assurance project, with
a small security kernel, it might be worth while to hand examine the
compiler output to see if it is a "reasonable" implementation of the source
code.
I fully agree that assembler is easier to examine by hand, and the
examination can possibly be automated. (The KeyKOS assembler -- IBM
Assembler H -- was a very powerful macro assembler, and the KeyKOS source
made use of some of the advanced macro features. Decompiling it would
certainly require the symbol table.
>
>> (With powerful enough AI in the compiler, perhaps you
>> could do it. But that is currently unfeasible.)
>
>I don't know, Bill. You strike me as a pretty powerful AI... :-)
Wait a minute! I'm all natural. (Except for my fillings. And the DDT in
my fat. And...) :-)
I think the point here is that a Ken Thompson compiler written before the
system it was attacking would have to recognize common patterns (e.g. trap
handlers), and install a universal back door.
>Quite frankly, I'm not worried about security holes in the compiler
>nearly as much as I worry about *bugs* in the compiler.
After my recent experience with the JVM, I can't argue a bit.
I think that coding style can help a lot in avoiding the bugs. You need to
know what the compiler test suites check, and try to limit yourself to the
checked subset of the language. I suspect the less optimization you use,
the safer you are. Only optimizing your performance kernel, and hand
checking it might be attractive, and a lot less work than hand checking the
whole thing.