Re: The Free Semantics Foundation

[Ian Grant <ian.a.n.grant-gM/Ye1E23mwN+BqQ9rBEUg@public.gmane.org>]

[-- Attachment #1.1: Type: text/plain, Size: 7013 bytes --]

On Wed, Sep 3, 2014 at 10:21 PM, William ML Leslie

> I'm not too sure how different distributions are bootstrapping
> GCC, but I presume most all of them have been using the
> previous version of GCC to do so for a very long time.
> My recollection of the early nineties is not great, but
> I don't recall GNU being at sufficient Ghandicon that
> it would have seemed worthwhile attempting it.

Linux was more of a threat to the commercial Unix vendors that to
Microsoft. The Unix vendors must have lost billions to Linux. I don't know
if they were really evil enough to to do anything like this though. I have
the feeling that most of them have more respect for good engineering than
they have for money. And I don't know about what sort of a threat people
saw in GNU, but the point of compromising a C compiler is to get access to
the systems which use it. There are all sorts of reasons why people might
want access to OpenBSD systems which are used where good security is
needed, by an SSL certificate authority, say. I have a sample population of
one! I installed an OpenBSD machine as a firewall for a venture capital
company once.

> Besides, there are easier ways to get that kind of control of a
> system, such as with SMM or hardware - even hardware like
> graphics cards and USB sticks, if you understand how the
> system will behave when presented with out-of-spec signals.

If your aim is access to just one system, maybe, but physical security of
one machine is much easier to effect than virtual security of a system that
is connected to a wide area network. And if your aim is hacienda-style mass
surveillance, or opportunistic mass hacking or whatever those turkeys do,
or if it is to co-opt the storage, computation and communications resources
of 5 million networked machines, then going around them one by one with a
dodgy USB stick is not going to seem like a practical proposition for very
long. But if you could make a concerted attempt to hit one single point of
failure and thereby get into 10 million systems, each with a half-decent
multi-user OS installed, then it is probably worth taking the trouble to do
it right.

I wasn't so focused on the insecurity aspect when I sent this out out a
couple of weeks ago. I am much more interested in the positive things we
could do. Below is the mail I first sent out on 21 Aug. Richard was the
only one who replied. He said it was an interesting idea for research.

But I don't think we need to do any more research. It's all been done for
us. We just need to read and understand it, and the best way to do that is
to get on with implementing it.

> > Focussing on free source code is pointless, we need to focus on free
> > semantics.

> I don't see how this (any of the paragraph) followed from the above.
> If compilers used for bootstrapping have incorporated the Richie
> crack, how are patents going to make your system secure?

Why does Ritchie get the blame for this? There''s a gap in my education.

I don't think patents help at all, I am just trying to explain why I don't
think that the FSF should be expected to immediately embrace this idea
whole-heartedly. This is because he solution is to publish semantics from
which _anyone_ can generate working source code in any language. But then
whether source is open or closed, free or otherwise, is irrelevant.
But.this is the _only_ way to establish the semantic fixed-point by which
you can actually know that the system is very probably doing what you
expect with your input. This is because there is no conceivable way to make
a system identify some source-code as having a particular intension, such
as compiling a C program, if that source code can be arbitrarily
"complexified" by multiple re-interpretation in different languages. There
is no particular concrete representation of the semantics anymore: it's all
a question of actual human knowledge, and that is inaccessible to symbolic
computation.

Now Richard claims that GCC, say, achieves this, because the concrete
representation keeps changing. But it doesn't change nearly enough. It is
always still the same basic structure: because it's simply too
time-consuming to do major source-code restructuring every release. But
that is what you have to do if you want to escape having your point fixed.

It's easier to understand if you actually write some code. A good place to
start might be Reynold's paper on Definitional Interpreters. It looks like
maths, but it's really just programming. I suspect that he ran all the
code, and then just pretty-printed it in mathematical notation. So scheme
hackers would have no trouble at all implementing the records that specify
machine operations, and running them. And Guile has all the infrastructure
to do a really nice job of it.

Have a look. It's at https://cs.au.dk/~hosc/local/HOSC-11-4-pp363-397.pdf

Ian

======================

Dear Markus, Linus, Theo and Richard,

I have written this as a sort of manifesto for a project. The idea is to
develop software for automating programming. If we can automate the
production of concrete implementations of communications protocols, device
drivers, language interpreters, etc, then we can change and combine such
implementations much more easily. We could also secure systems by design:
if all the code on an exposed interface in a communications or an operating
system is automatically generated, then we can ensure that buffer overruns
etc can't happen.

What I have not mentioned explicitly is the possibility of securing
communications by automatically generating code to implement a protocol
with an arbitrary underlying representation. At a lower level, one could
simply permute the character-set one is using. But more generally one can
permute abstract syntax representations of arbitrarily complex structures
and reduce the probability of compromise to any positive epsilon. I didn't
mention this because I thought it better not to make the manifesto a
political one, but of course it is a political one.

Feel free to pass it around.

Best wishes

================

<william.leslie.ttg-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:

> On 4 September 2014 11:57, Ian Grant <ian.a.n.grant-gM/Ye1E23mwN+BqQ9rBEUg@public.gmane.org> wrote:
> > Now it may seem unlikely to some that this has been done. But it is
> surely
> > obvious to *everyone* that this is *possible,* and since the advantage an
> > attacker accrues if he can pull this off effectively is incalculable, it
> > should also be obvious to *everyone* that if this has not yet been done,
> > then it will soon be done. Perhaps as a direct result of people reading
> what
> > I am writing right now.
>
>
> --
> William Leslie
>
> Notice:
> Likely much of this email is, by the nature of copyright, covered
> under copyright law.  You absolutely MAY reproduce any part of it in
> accordance with the copyright law of the nation you are reading this
> in.  Any attempt to DENY YOU THOSE RIGHTS would be illegal without
> prior contractual agreement.
>

[-- Attachment #1.2: Type: text/html, Size: 8327 bytes --]

[-- Attachment #2: Type: text/plain, Size: 159 bytes --]

_______________________________________________
Lightning mailing list
Lightning-mXXj517/zsQ@public.gmane.org
https://lists.gnu.org/mailman/listinfo/lightning