Re: Trusting GNAT for security software

Pierre Mai <dent@cs.tu-berlin.de>
7 Mar 1998 22:34:41 -0500

          From comp.compilers

Related articles
Re: Trusting GNAT for security software Nick.Roberts@dial.pipex.com (Nick Roberts) (1998-03-06)
Re: Trusting GNAT for security software dent@cs.tu-berlin.de (Pierre Mai) (1998-03-07)
Re: Trusting GNAT for security software albaugh@agames.com (1998-03-07)
| List of all articles for this month |

From: Pierre Mai <dent@cs.tu-berlin.de>
Newsgroups: comp.lang.ada,comp.compilers
Followup-To: comp.compilers
Date: 7 Mar 1998 22:34:41 -0500
Organization: Technical University of Berlin, Germany
References: <34F421F6.3A5FFF59@towson.edu> <34F5A906.1704@gsfc.nasa.gov> <34F68913.2FF865DA@cl.cam.ac.uk> <6d67j5$474$1@news.nyu.edu> <34F9444D.D2F588@cl.cam.ac.uk> <dewar.888758710@merv> 98-03-031
Keywords: design, practice, history
X-PGP-Fingerprint: 17 2D 00 93 8B C8 57 57 A7 D7 CD E9 3A EA 6E 4C

Nick Roberts <Nick.Roberts@dial.pipex.com> writes:


        NR> [ Ken Thompson put a self-replicating back door into a version
        NR> of cc and login in Unix ]


        NR> [big snip] [Ken described this in his Turing award lecture. I
        NR> never saw any evidence that it leaked into any distributed
        NR> version of Unix, and even if it did, that was a very old
        NR> PDP-11 C compiler, not one that anyone uses any more. But it
        NR> was a great hack. -John]


AFAIK the C compiler also (primarily) detected when one was
recompiling the login source (login.c), and inserted into _that_ a
backdoor. The backdoor in the C compiler was only intended to protect
the mechanism which mangled login.c, so that it was "impossible" to
get out of this mechanism, unless one used another C compiler, or
so...


But the problem remains, that it is all but impractical to check for
this kind of thing in todays language enivronemnts (not only the
compiler, but the assembler, the librarian, the loader, the OS,
etc. have to be scrutinized, to assure correct operation). And much
more relevantly, one has to check for simple _bugs_. This has only
been done for small environments, which can be proved correct, or
probably for more complex environments by large government agencies.


Regs, Pierre.


--
Pierre Mai <dent@cs.tu-berlin.de> http://home.pages.de/~trillian/
--


Post a followup to this message

Return to the comp.compilers page.
Search the comp.compilers archives again.