Security ressources article about compiler

Au cours de mes pérégrinations concernant NaCL,
je suis tombé sur un article qui va sans aucun doute faire son effet.

Article avec l’interview de Mr Kenneth Lane Thompson
qui est ce monsieur, joli CV :wink: => http://wiki.c2.com/?KenThompson
le sujet complet ici => http://wiki.c2.com/?TheKenThompsonHack

Document qui nous plonge vers 1984 dont je veux relater ici quelques passages croustillants tellement c’est magnifique =)


Extraits :

Ken describes how he injected a virus into a compiler.

The Hack easily propagates into the binaries of all the inspectors, debuggers, disassemblers, and dumpers a programmer would use to try to detect it . And defeats them.

Unless you’re coding in binary, or you’re using tools compiled before the KTH was installed, you simply have no access to an uncompromised tool.

Every piece of software on the planet can be KTH bugged without any possibility of detection by any mortal engineer anywhere.
Well, maybe with the diligent use of an electron microscope.

the really frightening thing is via linkers and below this hack can propagate transparently across languages and language generations

KTH demonstrates that we are not able to fully trust any binary even when we have compiled it ourselves from trustworthy sources on a system we have compiled ourselves

I correctly recall his fundamental point: UNIX, and every system like it, can NEVER be “secure”.
Systems like UNIX (including all versions of Linux, Macintosh OSX, and all versions of WinXP) will NEVER be secure.

The only way you’re going to get a clean compiler executable now is to build your computer yourself out of TTL logic

2 « J'aime »

Si ce sujet t’intéresse, je recommande la lecture de son discours lorsqu’il a eu le prix Turing https://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf

1 « J'aime »