This is the mail archive of the gcc@gcc.gnu.org mailing list for the GCC project.



Re: Of Bounties and Mercenaries


    > From: Joe Buck <Joe.Buck@synopsys.COM>

    > On Wed, Apr 07, 2004 at 01:40:53PM -0700, Tom Lord wrote:
    > >     > You misunderstand.  "same bits" means "same bits".  gcc's three-stage
    > >     > bootstrap should produce identical bits regardless of the bootstrap
    > >     > compiler.  It is designed to eliminate effects caused by different
    > >     > starting compilers.  The compiler compiles itself with itself.

    > > I don't misunderstand.   That's what I meant by saying that the "fixed
    > > point" part is easy but the "secure" part is not.

    > > By injecting other compilers in the bootstrapping phase, which
    > > incidentally most customers won't currently bother to do, you're just
    > > raising the bar by a very small amount from a 1-stage thompson virus
    > > to an n-stage thompson virus.

    > Which is why I said that you could prove either that no compiler in the
    > set has a Thompson bug, or they all do.

Right.  We agree about that (which is trivial --- it's a pretty basic
factual thing).  I'm just saying that from published existing
practice, "they all" is a disturbingly small set, for practical
purposes.

Let's get more paranoid, shall we?   Better compare those binaries a
few different ways to be sure the tools you use to compare them aren't
also hosed.  Is that already done with GCC?  Where's the web page
with results?


    > > You say: "or else [...] all the free and proprietary compilers you
    > > tried have the same hack" and I'm saying --- that's not currently
    > > far-fetched enough to make me comfortable.  There aren't that many
    > > other compilers I can throw in the mix there and many of them are
    > > centrally controlled.

    > You're off in tinfoil hat land now, I'm afraid.  

Don't be afraid.  I hope and suspect you are right.  At the same time,
I think I have a not completely loony fear that you are wrong.  If I
had to bet a dollar, I'd bet you're right.  If I had to bet a million
dollars -- mmm.... I'd look for some hedges.  Is any org out there
betting a million dollars on the security of GCC as deployed across
the world?


    > Without a theory as to how someone could have gotten the same
    > Thompson hack into Microsoft's compiler, Sun's compiler, HP's
    > compiler, and gcc, and then made sure that the bug would keep
    > functioning over the course of years of compiler evolution,
    > that's simply ridiculous.

Hrm.  For one thing, I'm not aware of any ongoing effort to compare
the results of GCC bootstrapping via all those paths.  Are you?

For another thing: a 3-way attack vector?   That's not huge.  Let's
compare attack costs vs. attack rewards.   How many gazillions of
dollars are modulated by GCC-generated code?


    > Remember, for the Thompson hack to work, the compiler has to recognize
    > that it's compiling the compiler, and hack the output to reinsert two sets
    > of bugs into the output code.  But Thompson only had to recognize pcc.
    > Your hypothetical hack would have to recognize every C compiler in
    > existence, propagating the bugs into each one, every time, no matter
    > how they change.

Yeah, right.   Since the Thompson paper, nobody at all has worked on
higher-level programming techniques.  Sure.

We agree about the factual issues -- just not about our guesstimates of
how they measure up against the economics.   I concede .... I'm
expressing a paranoia.  I assert: it's not so far-fetched as to be
worth ignoring.

-t
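The procedure argued over above (build the same GCC sources along several bootstrap paths, then check that the stage-3 bits agree, using more than one comparison tool so that a single hosed tool cannot mask a difference on its own) can be scripted. The following is an added example, not code from this thread or from the GCC tree. It assumes one directory per bootstrap path, each holding that path's stage-3 artifacts under identical file names; the tool set (sha256sum, openssl, cksum, cmp with an od fallback) and the function names are choices made here, not anything the thread specifies.

```shell
#!/bin/sh
# Added example, not from the thread or from GCC: cross-check the stage-3
# outputs of several independent bootstrap paths with several independent
# comparison tools.  Assumed layout: each argument is a directory holding the
# stage-3 artifacts of one bootstrap path (same sources, different starting
# compiler), using the same file names in every directory.

# ddc_tools -> print the digest tools that exist on this host, one per line.
# Each is a separate binary, so no single one of them can hide a mismatch alone.
ddc_tools() {
    for ddc_t in sha256sum openssl cksum; do
        command -v "$ddc_t" >/dev/null 2>&1 && printf '%s\n' "$ddc_t"
    done
    return 0
}

# ddc_digest FILE TOOL -> print FILE's digest as computed by TOOL.
ddc_digest() {
    case $2 in
        sha256sum) sha256sum "$1" | cut -d' ' -f1 ;;
        openssl)   openssl dgst -sha256 "$1" | sed 's/^.*= //' ;;
        cksum)     cksum "$1" | cut -d' ' -f1,2 ;;
    esac
}

# ddc_same_bytes A B -> 0 if A and B are byte-identical (direct comparison, no hashing).
ddc_same_bytes() {
    if command -v cmp >/dev/null 2>&1; then
        cmp -s "$1" "$2"
    else
        # fallback when diffutils is absent: compare hex dumps from od (coreutils)
        [ "$(od -An -v -tx1 "$1")" = "$(od -An -v -tx1 "$2")" ]
    fi
}

# ddc_compare_file REF OTHER -> 0 only if every available check agrees the files match.
ddc_compare_file() {
    ddc_rc=0
    if ! ddc_same_bytes "$1" "$2"; then
        printf 'bytes: %s differs from %s\n' "$2" "$1"
        ddc_rc=1
    fi
    for ddc_tool in $(ddc_tools); do
        if [ "$(ddc_digest "$1" "$ddc_tool")" != "$(ddc_digest "$2" "$ddc_tool")" ]; then
            printf '%s: %s differs from %s\n' "$ddc_tool" "$2" "$1"
            ddc_rc=1
        fi
    done
    return $ddc_rc
}

# compare_bootstraps REF_DIR DIR... -> 0 if every artifact in REF_DIR is present
# and identical in every other DIR under every check; otherwise lists the
# mismatches and returns 1.  Agreement means all paths converged on the same
# bits; it does not by itself show those bits are clean.
compare_bootstraps() {
    ddc_ref_dir=$1
    shift
    ddc_status=0
    for ddc_ref in "$ddc_ref_dir"/*; do
        [ -f "$ddc_ref" ] || continue
        ddc_name=${ddc_ref##*/}
        for ddc_dir in "$@"; do
            if [ ! -f "$ddc_dir/$ddc_name" ]; then
                printf 'missing: %s/%s\n' "$ddc_dir" "$ddc_name"
                ddc_status=1
                continue
            fi
            ddc_compare_file "$ddc_ref" "$ddc_dir/$ddc_name" || ddc_status=1
        done
    done
    return $ddc_status
}

# Stand-alone use (hypothetical paths): sh ddc-compare.sh /build/boot-gcc /build/boot-other
if [ $# -ge 2 ]; then
    compare_bootstraps "$@"
fi
```

The byte comparison and each digest tool are run separately rather than trusting one of them, which is the point of "compare those binaries a few different ways"; the more of those binaries come from different sources, the less a single compromised tool can do. A clean run answers only the fixed-point question the thread agrees on (every path produced the same bits); it says nothing about whether those bits are trustworthy, which is exactly the "they all do" case being argued about.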

