The Free Semantics Foundation

The Free Semantics Foundation

[Ian Grant]

[-- Attachment #1.1: Type: text/plain, Size: 4133 bytes --]

> That hack recognized specific syntax.  Any change in the wrong
> place would break it.

Which hack was that? The one Thompson is reported to have actually
implemented in Unix? You are assuming what you are trying to prove: you are
assuming there has only ever been one instance of this class of attack, and
you are trying to prove that this class of attack is unlikely. That used to
be called "Begging the Question" but nowadays the general level of
understanding of logic is so poor that most uses of that phrase are not in
this sense.

It may *seem* unlikely, but to anyone who has given serious thought to the
possibilities of such an attack it seems more than wildly probable.

I suppose everyone know that Roger Schell spent several years in the office
of deputy director of the NSA's National Computer Security Centre?  If he
did not alert the NSA to the possibility of this sort of attack then he was
not doing his job properly. Having read some of the Computer Security
History Project interview with him, I do not think Roger Schell is the sort
of person who doesn't do his job properly.

Thompson wrote that paper in 1984, and I don't think that was a
coincidence. What he shows is that if you control the semantics of a
language, that is if you control the meaning of what people say, then you
control what they *see,* and so you also control what they think. And that
was a theme in Orwell's book "1984." By controlling the meaning of what
people say, Big Brother controlled their thought.

In programming terms, if you control the semantics of the compiler, then
you can control what people see. For example, you can insert code into
libc.so and ld.so that looks for certain signatures and then changes the
data that system calls like read and stat return to certain programs, such
as sha256sum and objdump for example, according to some predicate. You can
also monitor the behaviour of other programs. If you see that there is a
program that reads mainly C source and writes mainly a.out executables,
then you know those executables should contain a certain signature, and if
they don't then you know you have a C compiler on the system which is not
bugged, at least, one which has not got *your* bug (it may have any number
of other such bugs however, because this semantics generalises.) So you can
call for help, or you can even insert code to call for help into
the binaries that program creates. Basically, your power over the system
appears to be total. Of course it's not, because there are any number of
other such bugs in there with you. In the end the only person who is
guaranteed not to have control over what the system does is the program
source code.

Now it may seem unlikely to some that this has been done. But it is surely
obvious to *everyone* that this is *possible,* and since the advantage an
attacker accrues if he can pull this off effectively is incalculable, it
should also be obvious to *everyone* that if this has not yet been done,
then it will soon be done. Perhaps as a direct result of people reading
what I am writing right now.

So I hope people will focus on this problem, in spite of what Richard says.
He will change his mind in due course, quite shortly I think :-)

Focussing on free source code is pointless, we need to focus on free
semantics. Of course this negates certain fairly fundamental principles of
the Free Software Foundation. One of these is the idea of "Copyleft." By
taking concrete representation of algorithms as the stock-in-trade of
computer programmers, it is able to use the copyright laws to effect a kind
of viral copyright status which automatically infects any program which
uses that particular source code representation. The problem is that once
one concentrates on free semantics rather than free source code, there is
no longer any recourse to the copyright laws: the copyright laws protect
only one particular concrete representation of an idea. The only legal
protection sematics have is through patent law. So the Free Software
Foundation, if it's to 'own' anything at all anymore, will have to register
and defend its assets as patents.

Ian

[-- Attachment #1.2: Type: text/html, Size: 4317 bytes --]

[-- Attachment #2: Type: text/plain, Size: 159 bytes --]

_______________________________________________
Lightning mailing list
Lightning-mXXj517/zsQ@public.gmane.org
https://lists.gnu.org/mailman/listinfo/lightning

Re: The Free Semantics Foundation

[William ML Leslie]

On 4 September 2014 11:57, Ian Grant <ian.a.n.grant@googlemail.com> wrote:
> Now it may seem unlikely to some that this has been done. But it is surely
> obvious to *everyone* that this is *possible,* and since the advantage an
> attacker accrues if he can pull this off effectively is incalculable, it
> should also be obvious to *everyone* that if this has not yet been done,
> then it will soon be done. Perhaps as a direct result of people reading what
> I am writing right now.

I'm not too sure how different distributions are bootstrapping GCC,
but I presume most all of them have been using the previous version of
GCC to do so for a very long time.  My recollection of the early
nineties is not great, but I don't recall GNU being at sufficient
Ghandicon that it would have seemed worthwhile attempting it.

Besides, there are easier ways to get that kind of control of a
system, such as with SMM or hardware - even hardware like graphics
cards and USB sticks, if you understand how the system will behave
when presented with out-of-spec signals.

> Focussing on free source code is pointless, we need to focus on free
> semantics.

I don't see how this (any of the paragraph) followed from the above.
If compilers used for bootstrapping have incorporated the Richie
crack, how are patents going to make your system secure?

-- 
William Leslie

Notice:
Likely much of this email is, by the nature of copyright, covered
under copyright law.  You absolutely MAY reproduce any part of it in
accordance with the copyright law of the nation you are reading this
in.  Any attempt to DENY YOU THOSE RIGHTS would be illegal without
prior contractual agreement.

Re: The Free Semantics Foundation

[Stefan Monnier]

> Focussing on free source code is pointless, we need to focus on free
> semantics.

There I lost you.  I'm quite aware of what "semantics" mean in the
context of computer science (and programming languages in particular),
but I really can't see what the above means.

Last I checked, all semantics is described "in some other language"
(whose own semantics is assumed to be known).

So there's still always the same loophole: the program's description is
"source code" and its interpretation is vulnerable because the semantics
of the language in which the description is written may be modified.

And of course, I agree with William that it's probably easier to get
that kind of control nowadays from SMM or one of the many "security"
hardware "features", some of which are even designed to be used remotely.


        Stefan

Re: The Free Semantics Foundation

[Ian Grant]

[-- Attachment #1.1: Type: text/plain, Size: 7013 bytes --]

On Wed, Sep 3, 2014 at 10:21 PM, William ML Leslie

> I'm not too sure how different distributions are bootstrapping
> GCC, but I presume most all of them have been using the
> previous version of GCC to do so for a very long time.
> My recollection of the early nineties is not great, but
> I don't recall GNU being at sufficient Ghandicon that
> it would have seemed worthwhile attempting it.

Linux was more of a threat to the commercial Unix vendors that to
Microsoft. The Unix vendors must have lost billions to Linux. I don't know
if they were really evil enough to to do anything like this though. I have
the feeling that most of them have more respect for good engineering than
they have for money. And I don't know about what sort of a threat people
saw in GNU, but the point of compromising a C compiler is to get access to
the systems which use it. There are all sorts of reasons why people might
want access to OpenBSD systems which are used where good security is
needed, by an SSL certificate authority, say. I have a sample population of
one! I installed an OpenBSD machine as a firewall for a venture capital
company once.

> Besides, there are easier ways to get that kind of control of a
> system, such as with SMM or hardware - even hardware like
> graphics cards and USB sticks, if you understand how the
> system will behave when presented with out-of-spec signals.

If your aim is access to just one system, maybe, but physical security of
one machine is much easier to effect than virtual security of a system that
is connected to a wide area network. And if your aim is hacienda-style mass
surveillance, or opportunistic mass hacking or whatever those turkeys do,
or if it is to co-opt the storage, computation and communications resources
of 5 million networked machines, then going around them one by one with a
dodgy USB stick is not going to seem like a practical proposition for very
long. But if you could make a concerted attempt to hit one single point of
failure and thereby get into 10 million systems, each with a half-decent
multi-user OS installed, then it is probably worth taking the trouble to do
it right.

I wasn't so focused on the insecurity aspect when I sent this out out a
couple of weeks ago. I am much more interested in the positive things we
could do. Below is the mail I first sent out on 21 Aug. Richard was the
only one who replied. He said it was an interesting idea for research.

But I don't think we need to do any more research. It's all been done for
us. We just need to read and understand it, and the best way to do that is
to get on with implementing it.

> > Focussing on free source code is pointless, we need to focus on free
> > semantics.

> I don't see how this (any of the paragraph) followed from the above.
> If compilers used for bootstrapping have incorporated the Richie
> crack, how are patents going to make your system secure?

Why does Ritchie get the blame for this? There''s a gap in my education.

I don't think patents help at all, I am just trying to explain why I don't
think that the FSF should be expected to immediately embrace this idea
whole-heartedly. This is because he solution is to publish semantics from
which _anyone_ can generate working source code in any language. But then
whether source is open or closed, free or otherwise, is irrelevant.
But.this is the _only_ way to establish the semantic fixed-point by which
you can actually know that the system is very probably doing what you
expect with your input. This is because there is no conceivable way to make
a system identify some source-code as having a particular intension, such
as compiling a C program, if that source code can be arbitrarily
"complexified" by multiple re-interpretation in different languages. There
is no particular concrete representation of the semantics anymore: it's all
a question of actual human knowledge, and that is inaccessible to symbolic
computation.

Now Richard claims that GCC, say, achieves this, because the concrete
representation keeps changing. But it doesn't change nearly enough. It is
always still the same basic structure: because it's simply too
time-consuming to do major source-code restructuring every release. But
that is what you have to do if you want to escape having your point fixed.

It's easier to understand if you actually write some code. A good place to
start might be Reynold's paper on Definitional Interpreters. It looks like
maths, but it's really just programming. I suspect that he ran all the
code, and then just pretty-printed it in mathematical notation. So scheme
hackers would have no trouble at all implementing the records that specify
machine operations, and running them. And Guile has all the infrastructure
to do a really nice job of it.

Have a look. It's at https://cs.au.dk/~hosc/local/HOSC-11-4-pp363-397.pdf

Ian

======================

Dear Markus, Linus, Theo and Richard,

I have written this as a sort of manifesto for a project. The idea is to
develop software for automating programming. If we can automate the
production of concrete implementations of communications protocols, device
drivers, language interpreters, etc, then we can change and combine such
implementations much more easily. We could also secure systems by design:
if all the code on an exposed interface in a communications or an operating
system is automatically generated, then we can ensure that buffer overruns
etc can't happen.

What I have not mentioned explicitly is the possibility of securing
communications by automatically generating code to implement a protocol
with an arbitrary underlying representation. At a lower level, one could
simply permute the character-set one is using. But more generally one can
permute abstract syntax representations of arbitrarily complex structures
and reduce the probability of compromise to any positive epsilon. I didn't
mention this because I thought it better not to make the manifesto a
political one, but of course it is a political one.

Feel free to pass it around.

Best wishes

================

<william.leslie.ttg-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:

> On 4 September 2014 11:57, Ian Grant <ian.a.n.grant-gM/Ye1E23mwN+BqQ9rBEUg@public.gmane.org> wrote:
> > Now it may seem unlikely to some that this has been done. But it is
> surely
> > obvious to *everyone* that this is *possible,* and since the advantage an
> > attacker accrues if he can pull this off effectively is incalculable, it
> > should also be obvious to *everyone* that if this has not yet been done,
> > then it will soon be done. Perhaps as a direct result of people reading
> what
> > I am writing right now.
>
>
> --
> William Leslie
>
> Notice:
> Likely much of this email is, by the nature of copyright, covered
> under copyright law.  You absolutely MAY reproduce any part of it in
> accordance with the copyright law of the nation you are reading this
> in.  Any attempt to DENY YOU THOSE RIGHTS would be illegal without
> prior contractual agreement.
>

[-- Attachment #1.2: Type: text/html, Size: 8327 bytes --]

[-- Attachment #2: Type: text/plain, Size: 159 bytes --]

_______________________________________________
Lightning mailing list
Lightning-mXXj517/zsQ@public.gmane.org
https://lists.gnu.org/mailman/listinfo/lightning

Re: The Free Semantics Foundation

[Stefan Monnier]

> I have written this as a sort of manifesto for a project. The idea is to
> develop software for automating programming. If we can automate the
> production of concrete implementations of communications protocols, device
> drivers, language interpreters, etc, then we can change and combine such
> implementations much more easily. We could also secure systems by design:
> if all the code on an exposed interface in a communications or an operating
> system is automatically generated, then we can ensure that buffer overruns
> etc can't happen.

People have been doing that for ages.  E.g. describe your protocol in
some language, then auto-generate an implementation from it.
The "some language" needs to be precise enough that an implementation
can be generated from it, so typically this language ends up looking
pretty much like a programming language.  Maybe specialized to the task
at hand (that's called a Domain Specific Language, and is routine in the
Lisp world) or with a slightly different feel (e.g. logic programming),
but in the end, because it needs to be precise enough, it ends up
constraining the "autogenerated implementation" rather tightly.

Coding in C or Scheme is "writing a spec", and passing it to GCC or
Guile is "automatic generation of an implementation".


        Stefan