This is the mail archive of the gcc@gcc.gnu.org mailing list for the GCC project.
Re: Of Bounties and Mercenaries
> From: Joe Buck <Joe.Buck@synopsys.COM>
> On Wed, Apr 07, 2004 at 01:40:53PM -0700, Tom Lord wrote:
> > > You misunderstand. "same bits" means "same bits". gcc's three-stage
> > > bootstrap should produce identical bits regardless of the bootstrap
> > > compiler. It is designed to eliminate effects caused by different
> > > starting compilers. The compiler compiles itself with itself.
> > I don't misunderstand. That's what I meant by saying that the "fixed
> > point" part is easy but the "secure" part is not.
> > By injecting other compilers in the bootstrapping phase, which
> > incidentally most customers won't currently bother to do, you're just
> > raising the bar by a very small amount from a 1-stage thompson virus
> > to an n-stage thompson virus.
> Which is why I said that you could prove either that no compiler in the
> set has a Thompson bug, or they all do.
Right. We agree about that (which is trivial --- it's a pretty basic
factual thing). I'm just saying that from published existing
practice, "they all" is a disturbingly small set, for practical
purposes.
Let's get more paranoid, shall we? Better compare those binaries a
few different ways to be sure the tools you use to compare them aren't
also hosed. Is that already done with GCC? Where's the web page
with results?
> > You say: "or else [...] all the free and proprietary compilers you
> > tried have the same hack" and I'm saying --- that's not currently
> > far-fetched enough to make me comfortable. There aren't that many
> > other compilers I can throw in the mix there and many of them are
> > centrally controlled.
> You're off in tinfoil hat land now, I'm afraid.
Don't be afraid. I hope and suspect you are right. At the same time,
I think I have a not completely loony fear that you are wrong. If I
had to bet a dollar, I'd bet you're right. If I had to bet a million
dollars -- mmm.... I'd look for some hedges. Is any org out there
betting a million dollars on the security of GCC as deployed across
the world?
> Without a theory as to how someone could have gotten the same
> Thompson hack into Microsoft's compiler, Sun's compiler, HP's
> compiler, and gcc, and then made sure that the bug would keep
> functioning over the course of years of compiler evolution,
> that's simply ridiculous.
Hrm. For one thing, I'm not aware of any ongoing effort to compare
the results of GCC bootstrapping via all those paths. Are you?
For another thing: a 3-way attack vector? That's not huge. Let's
compare attack costs vs. attack rewards. How many gazillions of
dollars are modulated by GCC-generated code?
> Remember, for the Thompson hack to work, the compiler has to recognize
> that it's compiling the compiler, and hack the output to reinsert two sets
> of bugs into the output code. But Thompson only had to recognize pcc.
> Your hypothetical hack would have to recognize every C compiler in
> existence, propagating the bugs into each one, every time, no matter
> how they change.
Yeah, right. Since the Thompson paper, nobody at all has worked on
higher-level programming techniques. Sure.
We agree about the factual issues -- just not about our guesstimates of
how they measure up against the economics. I concede .... I'm
expressing a paranoia. I assert: it's not so far fetched as to be
worth ignoring.
-t
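The argument above (a bootstrap converges to a fixed point whether or not the seed compiler is hacked, so rebuilding via independent starting compilers and comparing bits proves either that none of them carry a Thompson hack or that they all do) is concrete enough to model. The following toy is an added example for this archive page, not code from the thread or from GCC: the "compilers" are Python functions, the "binaries" are byte strings, the program sources are one-line stand-ins, and the trojan marker `|T`, the `vendorcc` seed and the recognition rules are all constructed for illustration. It does not model the separate point about cross-checking the comparison tools themselves.

```python
"""Toy model of Thompson's "trusting trust" compiler trojan and of the
bootstrap-and-compare check discussed in the thread (what Wheeler later
named diverse double-compiling). Everything here is constructed: the
"compilers" are Python functions and the "binaries" are byte strings."""
import hashlib
from typing import Dict, List

# Constructed sources. The real objects would be the GCC tree, login.c, etc.
COMPILER_SRC = "program compiler: translate source text into a binary image"
LOGIN_SRC = "program login: check a password against the stored hash"
HELLO_SRC = "program hello: print a greeting"


def honest_translate(src: str) -> bytes:
    """What a correct compiler emits: a deterministic function of the source
    alone (name + truncated digest), so identical source gives identical bits."""
    name = src.split(":", 1)[0].split()[-1]
    digest = hashlib.sha256(src.encode()).hexdigest()[:16]
    return f"{name}|{digest}".encode()


def is_trojaned(cc_bin: bytes) -> bool:
    """The trojan lives only in the compiler binary, never in any source
    (the '|T' trailer is this toy's stand-in for the hidden code)."""
    return cc_bin.endswith(b"|T")


def run_compiler(cc_bin: bytes, src: str) -> bytes:
    """Execute compiler binary cc_bin on src.

    An honest compiler just translates. A trojaned one recognises two inputs:
    the login program, into which it inserts a backdoor, and the compiler
    itself, into which it re-inserts both hacks, so the trojan survives being
    rebuilt from clean source (Thompson 1984)."""
    out = honest_translate(src)
    if is_trojaned(cc_bin):
        if src.startswith("program login"):
            out += b"|BACKDOOR"
        elif src.startswith("program compiler"):
            out += b"|T"
    return out


def bootstrap(stage0: bytes, compiler_src: str, stages: int = 3) -> bytes:
    """GCC-style three-stage bootstrap: stage0 builds stage1 from source,
    stage1 builds stage2, stage2 builds stage3. Returns stage3 after checking
    the fixed point the thread mentions: stage2 and stage3 are the same bits."""
    stage = [stage0]
    for _ in range(stages):
        stage.append(run_compiler(stage[-1], compiler_src))
    assert stage[-1] == stage[-2], "bootstrap did not converge"
    return stage[-1]


def ddc_check(trusted_stage0s: List[bytes], suspect: bytes,
              compiler_src: str) -> Dict[str, bool]:
    """Rebuild the compiler from the same source via each independent starting
    compiler and compare bits with the suspect build. True means 'same bits'."""
    return {
        f"path{i}": bootstrap(cc, compiler_src) == suspect
        for i, cc in enumerate(trusted_stage0s)
    }


def demo() -> Dict[str, object]:
    honest_cc = honest_translate(COMPILER_SRC)    # a clean gcc binary
    trojan_cc = honest_cc + b"|T"                 # the same gcc, hack seeded
    vendor_cc = b"vendorcc|0123456789abcdef"      # an unrelated honest compiler
    colluding_vendor_cc = vendor_cc + b"|T"       # "they all have the same hack"
    suspect = bootstrap(trojan_cc, COMPILER_SRC)  # what a site built and ships

    return {
        # 1. Bootstrapping is a fixed point whether or not the seed is hacked,
        #    and an honest seed of any origin yields the same bits.
        "honest_fixed_point": bootstrap(honest_cc, COMPILER_SRC) == honest_cc,
        "vendor_gives_same_bits": bootstrap(vendor_cc, COMPILER_SRC) == honest_cc,
        "trojan_fixed_point": suspect == trojan_cc,
        # 2. The hacked fixed point is invisible from ordinary outputs...
        "hello_same_bits": run_compiler(suspect, HELLO_SRC)
                           == run_compiler(honest_cc, HELLO_SRC),
        # ...but it backdoors login, and no source ever shows it.
        "login_backdoored": run_compiler(suspect, LOGIN_SRC).endswith(b"|BACKDOOR"),
        # 3. An independent honest path exposes the difference; a colluding
        #    second compiler does not ("or they all do").
        "ddc_honest_path": ddc_check([vendor_cc], suspect, COMPILER_SRC),
        "ddc_colluding_path": ddc_check([colluding_vendor_cc], suspect, COMPILER_SRC),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The thing to notice is the last two results: the check only buys anything if at least one starting compiler in the set is genuinely independent of whatever hack is being hunted, which is exactly the size-of-the-set worry raised above.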