Re: Trusting GNAT for security software

A very swift history lesson (apologies to those who know).


Ken Thompson was one of the original creators of both the UNIX operating
system and of the C programming language it came (at an early stage) to be
based on. Several years after UNIX had started going 'public' -- and was
already to be found in use in hundreds of universities and other
organisations -- Ken revealed in a lecture (to the ACM I think) that he had
put a 'back door' into the C compiler distributed with UNIX, which detected
when it was recompiling itself ("cp5.c" or something like that), and
reinserted the back door into the compiled output. The revelation caused
'consternation', shall we say.


I believe the back door had no other effects, and was put in just to prove a
point. I don't know if it's still there!


It certainly proved how foolish it is to assume that because it's difficult
or unusual to do something, it can't or won't be done. This mistake is
considered the first deadly sin of the security advisor.


To ignore the possibility of subversion by any outside program which, in any
way, creates privileged (i.e. capable of doing insecure things) programs --
and an Ada compiler in a typical installation is almost certain to fit into
this category -- would be an unforgivable, neophitic, and indeed _most
egregious_ error on the part of a security advisor (for a secure
application!).


One possibility, if you have a trusted assembler handy, is to have the
compiler compile to assembly, inspect the code (by hairy eyeball ;-), and
then assemble it. Another possibility is to check the output code with one
of today's new fangled 'intelligent' (don't laugh) virus-checkers, which can
(usually!) tell if the code might try to do something really naughty (like
creating an executable file, for example). Neither method foolproof, of
course!


I would offer the observation that if a compiler were to be caught inserting
a black* back door, that compiler's manufacturer would be severely
embarrassed, to say the least! Nevertheless, it's a question in my mind:
could they actually be _prosecuted_ for doing this? If not, I believe this
is an area requiring legislation.


-----
*'black' means 'intended to act in a criminal (or immoral) way' -- a 'white'
back door typically consists simply of a tacit identification of the
compiler which produced the executable.




------------ Nick Roberts
---------- Croydon, UK
-------- Nick.Roberts@dial.pipex.com
------ Voicemail & Fax +44 181-405 1124
---- Proprietor, ThoughtWing Software
-- Independent Software Development Consultant


Robert Dewar wrote ...
[in answer to Markus Kuhn's mention that GNAT was funded by the DoD]
>Yes, the funds came from the DoD, but the DoD had ZERO
>control over the project. NYU will not accept any kind of restrictions
>on such projects. Early on, when we were working on Ada/Ed, NYU told
>the US Army that it would turn down $1 million, rather than accept
>a provision that publications had to be submitted to the Army for
>preapproval. The Army suggested leaving in the presubmission and
>removing the preapproval, but NYU said, no, remove the clause
>completely or take your money somewhere else. They removed it :-)
[big snip]
[Ken described this in his Turing award lecture. I never saw any evidence
that it leaked into any distributed version of Unix, and even if it did,
that was a very old PDP-11 C compiler, not one that anyone uses any more.
But it was a great hack. -John]








--

Return to the comp.compilers page.
Search the comp.compilers archives again.