From: Ian Grant
Newsgroups: gmane.comp.gnu.lightning.general, gmane.lisp.guile.devel
Subject: Re: The Free Semantics Foundation
Date: Thu, 4 Sep 2014 19:59:25 -0400
To: William ML Leslie, guile-devel-mXXj517/zsQ@public.gmane.org, lightning

On Wed, Sep 3, 2014 at 10:21 PM, William ML Leslie wrote:

> I'm not too sure how different distributions are bootstrapping
> GCC, but I presume most all of them have been using the
> previous version of GCC to do so for a very long time.
> My recollection of the early nineties is not great, but
> I don't recall GNU being at sufficient Ghandicon that
> it would have seemed worthwhile attempting it.

Linux was more of a threat to the commercial Unix vendors than to Microsoft. The Unix vendors must have lost billions to Linux. I don't know if they were really evil enough to do anything like this though. I have the feeling that most of them have more respect for good engineering than they have for money. And I don't know about what sort of a threat people saw in GNU, but the point of compromising a C compiler is to get access to the systems which use it. There are all sorts of reasons why people might want access to OpenBSD systems which are used where good security is needed, by an SSL certificate authority, say. I have a sample population of one! I installed an OpenBSD machine as a firewall for a venture capital company once.

> Besides, there are easier ways to get that kind of control of a
> system, such as with SMM or hardware - even hardware like
> graphics cards and USB sticks, if you understand how the
> system will behave when presented with out-of-spec signals.

If your aim is access to just one system, maybe, but physical security of one machine is much easier to effect than virtual security of a system that is connected to a wide area network. And if your aim is hacienda-style mass surveillance, or opportunistic mass hacking or whatever those turkeys do, or if it is to co-opt the storage, computation and communications resources of 5 million networked machines, then going around them one by one with a dodgy USB stick is not going to seem like a practical proposition for very long. But if you could make a concerted attempt to hit one single point of failure and thereby get into 10 million systems, each with a half-decent multi-user OS installed, then it is probably worth taking the trouble to do it right.

I wasn't so focused on the insecurity aspect when I sent this out a couple of weeks ago. I am much more interested in the positive things we could do. Below is the mail I first sent out on 21 Aug. Richard was the only one who replied. He said it was an interesting idea for research.

But I don't think we need to do any more research. It's all been done for us. We just need to read and understand it, and the best way to do that is to get on with implementing it.

> > Focussing on free source code is pointless, we need to focus on free
> > semantics.

> I don't see how this (any of the paragraph) followed from the above.
> If compilers used for bootstrapping have incorporated the Richie
> crack, how are patents going to make your system secure?

Why does Ritchie get the blame for this? There's a gap in my education.

I don't think patents help at all, I am just trying to explain why I don't think that the FSF should be expected to immediately embrace this idea whole-heartedly. This is because the solution is to publish semantics from which _anyone_ can generate working source code in any language. But then whether source is open or closed, free or otherwise, is irrelevant. But this is the _only_ way to establish the semantic fixed-point by which you can actually know that the system is very probably doing what you expect with your input. This is because there is no conceivable way to make a system identify some source code as having a particular intension, such as compiling a C program, if that source code can be arbitrarily "complexified" by multiple re-interpretation in different languages. There is no particular concrete representation of the semantics anymore: it's all a question of actual human knowledge, and that is inaccessible to symbolic computation.

Now Richard claims that GCC, say, achieves this, because the concrete representation keeps changing. But it doesn't change nearly enough. It is always still the same basic structure: because it's simply too time-consuming to do major source-code restructuring every release. But that is what you have to do if you want to escape having your point fixed.

It's easier to understand if you actually write some code. A good place to start might be Reynolds's paper on Definitional Interpreters. It looks like maths, but it's really just programming. I suspect that he ran all the code, and then just pretty-printed it in mathematical notation. So Scheme hackers would have no trouble at all implementing the records that specify machine operations, and running them. And Guile has all the infrastructure to do a really nice job of it. Have a look. It's at https://cs.au.dk/~hosc/local/HOSC-11-4-pp363-397.pdf

Ian

======================

Dear Markus, Linus, Theo and Richard,

I have written this as a sort of manifesto for a project. The idea is to develop software for automating programming. If we can automate the production of concrete implementations of communications protocols, device drivers, language interpreters, etc, then we can change and combine such implementations much more easily. We could also secure systems by design: if all the code on an exposed interface in a communications or an operating system is automatically generated, then we can ensure that buffer overruns etc can't happen.

What I have not mentioned explicitly is the possibility of securing communications by automatically generating code to implement a protocol with an arbitrary underlying representation. At a lower level, one could simply permute the character-set one is using. But more generally one can permute abstract syntax representations of arbitrarily complex structures and reduce the probability of compromise to any positive epsilon. I didn't mention this because I thought it better not to make the manifesto a political one, but of course it is a political one.

Feel free to pass it around.

Best wishes

================

William ML Leslie <william.leslie.ttg-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> On 4 September 2014 11:57, Ian Grant wrote:
> > Now it may seem unlikely to some that this has been done. But it is surely
> > obvious to *everyone* that this is *possible,* and since the advantage an
> > attacker accrues if he can pull this off effectively is incalculable, it
> > should also be obvious to *everyone* that if this has not yet been done,
> > then it will soon be done. Perhaps as a direct result of people reading what
> > I am writing right now.
>
>
> --
> William Leslie
>
> Notice:
> Likely much of this email is, by the nature of copyright, covered
> under copyright law.  You absolutely MAY reproduce any part of it in
> accordance with the copyright law of the nation you are reading this
> in.  Any attempt to DENY YOU THOSE RIGHTS would be illegal without
> prior contractual agreement.
_______________________________________________
Lightning mailing list
Lightning-mXXj517/zsQ@public.gmane.org
https://lists.gnu.org/mailman/listinfo/lightning