Refresher on gcc port and the executables

Dominik Reichardt domiman at gmail.com
Wed Sep 11 04:11:32 PDT 2013


As someone else pointed out, why worry about the compiler? The OS is the very first thing you need to worry about.
And how do you know that those certifying are not ordered to secrecy and overlook NSA backdoors? ;)

Dom

> On 11.09.2013 at 12:22, Tabitha McNerney <tabithamc at gmail.com> wrote:
> 
> Ian and all,
> 
> I have been doing some more research and spoke with some people in the industry about certified compilers. Apparently a lot of progress has been made in the recent past and money has been flowing into the arena of certified compilers. What's preventing Apple from having a third party independent audit of their developer tools (which MacPorts depends on, and the rest of the world also depends on for a wide range of apps either for OS X or iOS)? Seriously, how hard would this be and I can't imagine it being a terrible expense to Apple to do this and show the world that its compilers are trojan free. 
> 
> Thanks,
> 
> -Tabitha
> 
> 
> 
>> On Sun, Sep 8, 2013 at 2:19 AM, Ian Wadham <iandw.au at gmail.com> wrote:
>> 
>> On 08/09/2013, at 3:56 PM, Tabitha McNerney wrote:
>> > My boss has been smiling at work a lot lately. He feels very vindicated for having reasonably healthy "paranoia" about vendor compilers (e.g., Apple's tools) just months ago before Snowden made headlines. My boss asked me and my colleagues to read this seminal article by Ken Thompson of Bell Labs in 1984 (from the Turing Award Lecture) about how a trojan can be created in a C compiler (he said he does not want especially the younger developers to be too naive and also told us about the Clipper Chip from the 1990s that never came to the fore but was very close to coming to the fore):
>> >
>> > https://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf
>> 
>> I think the genie got out of the bottle a long time ago, see:
>> http://seclab.cs.ucdavis.edu/projects/history/papers/karg74.pdf
>> which I think is the paper Thompson was referring to at the end of his talk.
>> 
>> In that paper, Major Schell and his team showed in the 1970s that the world's
>> supposedly most secure operating system, Multics, could be easily penetrated
>> for a modest cost in time and resources.
>> 
>> They called Trojan horses "trapdoors" and they planted several in Multics, even
>> by such simple means as walking into the manufacturer's offices, sitting down
>> somewhere and leaving a patch in the source code.  They concluded that the
>> KGB et al. would also be capable of penetrating any American O/S or compiler.
>> 
>> Schell was promoted to Colonel (please no shell/kernel puns) and then worked
>> on how to make hardware and software certifiably secure for intelligence and
>> military use.  AFAIK a version of the UNIX kernel was the only O/S to be so
>> certified.
>> 
>> It is best to assume that any O/S or compiler can be penetrated and subverted
>> by any agency, American, non-American, criminal or otherwise, with or without
>> the co-operation of the maker of that O/S or compiler, and that this has been the
>> case for 40 years or more.
>> 
>> Nor should we assume that non-commercial software, such as Open Source
>> and Linux, is immune.  It is quite easy to become part of an Open Source
>> team and I do not think there is much perusal of contributions.  Indeed, an
>> author might not know and might never have met all of his/her colleagues.
>> Maybe even SVG and git have been subverted so as to leave no trace of
>> changes to code when so "requested".
>> 
>> So I do not think your boss has much to smile about.
>> 
>> Regards, Ian W.
>> 
>> _______________________________________________
>> macports-users mailing list
>> macports-users at lists.macosforge.org
>> https://lists.macosforge.org/mailman/listinfo/macports-users
> 