From: Taylan Ulrich Bayirli/Kammer <taylanbayirli@gmail.com>
To: William ML Leslie <william.leslie.ttg@gmail.com>
Cc: guile-devel <guile-devel@gnu.org>
Subject: Re: Verifying Toolchain Semantics
Date: Fri, 03 Oct 2014 14:56:53 +0200 [thread overview]
Message-ID: <87vbo1l3ai.fsf@taylan.uni.cx> (raw)
In-Reply-To: <CAHgd1hH2aHvUKOTQh-FMxwCrPHqFiiHaa3sYgH4JGeKh-YmD0A@mail.gmail.com> (William ML Leslie's message of "Fri, 3 Oct 2014 17:15:56 +1000")
William ML Leslie <william.leslie.ttg@gmail.com> writes:
> Oh, interesting point. Maybe we should define PDF as an abstract
> semantics that we can convert into a wide range of equivalent document
> layout languages? If the attacker can't tell exactly what xsl-fo or
> dsssl the tool will output, or what software you're using to render
> the result, it will magically make it more difficult to attack!
Come on, that snark is undue. :-)
It won't make it "magically" more difficult, it will make it actually
more difficult. Though I think your analogy is wrong. PDF is already
an abstract semantics, like any formal language spec. The question is
whether an implementation realizes precisely those semantics, or adds
"oh and insert a backdoor" to some pieces of code in that language, "as
an addition to the language semantics." This augmentation to the
semantics needn't be apparent in the source code of the implementation,
since the language it's written in might again be compiled by a compiler
that "augments" the semantics of the language it compiles, and that in
turn needn't be apparent in the compiler's source ... until you arrive
at the since long vanished initial source code that planted the virus.
That's just reiterating what the Thompson hack is. It relies on us
using a single lineage of compilers/software. (Or a couple lineages
could be compromised separately; that would still be plausible if it's
plausible for one.) Because at every layer the semantics can only be
compromised enough to propagate the compromise through one concrete
code-base. In your PDF analogy, the solution is to write a spurious
amount of PDF implementations. Or for C, to implement a spurious amount
of C compilers. That is impractical because C is complex. What might
be practical might be to write one new C compiler (guaranteed clean,
since it's new), and verify GCC with that[*]. What's more useful in the
long term is to define a much simpler language, and base our everything
on that instead of on C. Then we can verify our toolchain more often,
since we needn't write a whole freaking C compiler every time. :-)
[*] Compile version X of GCC with the Clean C Compiler™, compile version
X of GCC with some GCC binary, then compile some GCC with both GCC-X
binaries, one of which is guaranteed clean, to see if they behave same
while compiling GCC; thus we get both a guaranteed clean GCC, and we get
to know whether the other was compromised in first place, or whether we
wasted a lot of time.
I think Ian is doing himself a disservice by using many fancy abstract
terms and, if I may be blunt, acting in some tinfoil hat-like ways, when
in fact the underlying ideas are relatively sane and simple. It's all
there if you read a little between the lines, and a little around the
parts written in all-caps, like in:
http://lists.gnu.org/archive/html/guile-devel/2014-09/msg00035.html
Taylan
next prev parent reply other threads:[~2014-10-03 12:56 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-10-02 14:54 Verifying Toolchain Semantics Ian Grant
2014-10-03 6:23 ` Mark H Weaver
2014-10-03 7:15 ` William ML Leslie
2014-10-03 12:56 ` Taylan Ulrich Bayirli/Kammer [this message]
2014-10-03 17:13 ` Mark H Weaver
2014-10-05 13:57 ` William ML Leslie
2014-10-03 8:45 ` Nala Ginrut
2014-10-05 1:35 ` Ian Grant
2014-10-05 5:39 ` Nala Ginrut
2014-10-05 14:14 ` Ian Grant
2014-10-05 15:15 ` Nala Ginrut
2014-10-05 16:24 ` Ian Grant
2014-10-06 8:25 ` Nala Ginrut
2014-10-05 6:58 ` Mike Gerwitz
2014-10-05 16:11 ` Ian Grant
2014-10-06 4:23 ` Mike Gerwitz
[not found] ` <20141006042323.GA31390-iW7gFb+/I3LZHJUXO5efmti2O/JbrIOy@public.gmane.org>
2014-10-07 17:18 ` Ian Grant
[not found] ` <CAKFjmdx+jzfapvrq6EEO8Skx2L2UZwi-DZ22xiq9t1438E7kOw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-10-07 17:28 ` Mark H Weaver
2014-10-07 17:56 ` Ian Grant
[not found] ` <CAKFjmdwNTjJ7nU-rKEWkA+5whsfyrpqJ6RkhU+VRbUW6rqT03A-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-10-07 19:24 ` Philip Herron
[not found] ` <CAEvRbeoEJPTtoDu0nDudJyfBoaT1vpuvHzL=t+TkJr_ZGkzYEQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-10-07 19:47 ` Ian Grant
2014-10-08 18:26 ` Mark H Weaver
2014-10-08 3:55 ` Mike Gerwitz
-- strict thread matches above, loose matches on Subject: below --
2014-10-05 17:42 Ian Grant
2014-10-05 18:19 ` Ian Grant
2014-10-06 0:30 Ian Grant
[not found] ` <CAKFjmdzxAMvcry8N6B_atM_8vGyzA1Dfz9ygWxSgh3fD7EUAuQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-10-06 8:51 ` William ML Leslie
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://www.gnu.org/software/guile/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87vbo1l3ai.fsf@taylan.uni.cx \
--to=taylanbayirli@gmail.com \
--cc=guile-devel@gnu.org \
--cc=william.leslie.ttg@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).