Refresher on gcc port and the executables

Ian Wadham iandw.au at gmail.com
Sun Sep 8 05:19:32 PDT 2013


On 08/09/2013, at 3:56 PM, Tabitha McNerney wrote:
> My boss has been smiling at work a lot lately. He feels very vindicated for having reasonably healthy "paranoia" about vendor compilers (e.g., Apple's tools) just months ago before Snowden made headlines. My boss asked me and my colleagues to read this seminal article by Ken Thompson of Bell Labs in 1984 (from the Turing Award Lecture) about how a trojan can be created in a C compiler (he said he does not want the especially younger developers to be too naive and also told us about the Clipper Chip from the 1990s that never came to fore light but was very close to coming to fore):
> 
> https://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf

I think the genie got out of the bottle a long time ago, see:
http://seclab.cs.ucdavis.edu/projects/history/papers/karg74.pdf
which I think is the paper Thompson was referring to at the end of his talk.

In that paper, Major Schell and his team showed in the 1970s that the world's
supposedly most secure operating system, Multics, could be easily penetrated
for a modest cost in time and resources.

They called Trojan horses "trapdoors" and they planted several in Multics, even
by such simple means as walking into the manufacturer's offices, sitting down
somewhere and leaving a patch in the source code.  They concluded that the
KGB et al. would also be capable of penetrating any American O/S or compiler.

Schell was promoted to Colonel (please no shell/kernel puns) and then worked
on how to make hardware and software certifiably secure for intelligence and
military use.  AFAIK a version of the UNIX kernel was the only O/S to be so
certified.

It is best to assume that any O/S or compiler can be penetrated and subverted
by any agency, American, non-American, criminal or otherwise, with or without
the co-operation of the maker of that O/S or compiler, and that this has been the
case for 40 years or more.

Nor should we assume that non-commercial software, such as Open Source
and Linux, is immune.  It is quite easy to become part of an Open Source
team and I do not think there is much perusal of contributions.  Indeed, an
author might not know and might never have met all of his/her colleagues.
Maybe even SVG and git have been subverted so as to leave no trace of
changes to code when so "requested".

So I do not think your boss has much to smile about.

Regards, Ian W.



More information about the macports-users mailing list