unofficial mirror of guile-devel@gnu.org 
 help / color / mirror / Atom feed
From: Ian Grant <ian.a.n.grant@googlemail.com>
To: llvmdev@cs.uiuc.edu, "gcc@gcc.gnu.org" <gcc@gcc.gnu.org>,
	guile-devel <guile-devel@gnu.org>,
		mlton-devel@lists.sourceforge.net
Cc: "Linus Torvalds" <torvalds@osdl.org>,
	"Theo deRaadt" <deraadt@theos.com>,
	"Richard Stallman" <rms@gnu.org>, "Markus Kuhn" <mgk25@cam.ac.uk>,
	schellr <schellr@ieee.org>,
	"John Harrison" <johnh@ichips.intel.com>,
	monnier <monnier@iro.umontreal.ca>,
	"Taylan Bayırlı" <taylanbayirli@gmail.com>
Subject: Verifying Toolchain Semantics
Date: Thu, 2 Oct 2014 10:54:20 -0400	[thread overview]
Message-ID: <CAKFjmdxqdvYS8qWQ8SZsYVBjsoLysijkyYLZzvg7=QXqnMGYZw@mail.gmail.com> (raw)

Dear programming language types,

I wrote this to try once again to explain what is the nature of the
problem that one would have in verifying the integrity of _any_
software toolchain, whether it is aimed ultimately at the production
of other software, or of hardware.

    http://livelogic.blogspot.com/2014/10/the-foundation-part-i.html

This three page text is ostensively about verifying the integrity of a
communications link operating over an un-trusted transport layer, but
a compiler is really a type of communications channel.

I am sure everyone still reading this has wondered about the
possibilities of using universal programming languages (universal in
the Church-Turing sense) as communications protocols. For example, one
could establish a point-to-point connection by writing a program which,
when run, output two more programs: one which, when run, outputs a
decoding pad for the next mesage one would transmit over that channel,
and the other the decoder which prints the message text together with
another program, which was the encoder for returning an
acknowledgement. Both endpoints would do this, and so the
programs/messages would be exchanged, with each one encoding the text
of the other.  Then these programs could include decisions not only
about the encoding of data, choice of one-time pads, etc. but perhaps
also the routes of messages, sending different parts via different
trusted routes over similar channels etc. etc. The variations are
endless, and limited only by the ingenuity of the programmers
communicating over those channels.

And really, I sorely pity anyone charged with organising any kind of
surveillance of a group of people who enjoy that sort of
game. Cracking "the code" would be practically impossible, because
there need never be any fixed concrete representation whatsoever of
the fundamental encoding as it is transmitted over the transport
medium: _all_ of the knowledge about the current and future encodings
can be sent over the previous "incarnations" of that and/or another
channel, and the encoding of channels thereby made non-deterministic:
this means that there could never be _in principle,_ any mechanical
process _whatsoever_ which could decode more than a few parts of any
of those messages. After this brief success, the poor would-be spy
would be right back at square one.

What I try to explain here is the essential distinction between what I
call _actual knowledge,_ as opposed to mere _represented knowledge,_
such as a password, or an SSL certificate, or the documentation for
some file format appearing on a web page. The distinction is that only
in the case of actual knowledge does one know _how_ and _why_ one
knows.

The motivation is the idea that by using actual rather than
represented knowledge, it is possible to construct such a trustworthy
system in practice. But there's a catch! The catch is that this will
only work for an organisation whose motives and governance are
completely open and transparent. This is because the technique relies
upon mutual trust, which is something that cannot exist without
openness and transparency. Bad guys just won't get it! To understand
why (in case it is not immediately obvious to you, that is) you will
need to read (or at least think carefully about) about how
error-detection would work in such a system.

The text consists of a title page with the abstract, and two full
pages. So it should be an easy read. I earlier sent out a nine page
document entitled GNU Thunder, in which I attempted to describe what I
consider to be essentially the same idea, but with the emphasis on
compilers and interpreters, rather than communications. The Thunder
text was a concrete suggestion for an implementation. This text
however is more abstract. But these two documents could be
considered to be complementary in two different senses.

I hope everyone enjoys this, and that it stimulates some interesting
thoughts, and subsequent discussion, and that those thoughts are all
good, and the discussion open and transparent. That way we could save
ourselves an awful lot of _really hairy_ metaprogramming!

Please feel free to copy either text and/or this message and pass it
around. Neither of these two texts are copyright, and the more people
that see them the better. Bad guys in particular need to know about
this much more than the good ones do.

Ian


             reply	other threads:[~2014-10-02 14:54 UTC|newest]

Thread overview: 27+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2014-10-02 14:54 Ian Grant [this message]
2014-10-03  6:23 ` Verifying Toolchain Semantics Mark H Weaver
2014-10-03  7:15   ` William ML Leslie
2014-10-03 12:56     ` Taylan Ulrich Bayirli/Kammer
2014-10-03 17:13       ` Mark H Weaver
2014-10-05 13:57       ` William ML Leslie
2014-10-03  8:45   ` Nala Ginrut
2014-10-05  1:35   ` Ian Grant
2014-10-05  5:39     ` Nala Ginrut
2014-10-05 14:14       ` Ian Grant
2014-10-05 15:15         ` Nala Ginrut
2014-10-05 16:24           ` Ian Grant
2014-10-06  8:25             ` Nala Ginrut
2014-10-05  6:58     ` Mike Gerwitz
2014-10-05 16:11       ` Ian Grant
2014-10-06  4:23         ` Mike Gerwitz
     [not found]           ` <20141006042323.GA31390-iW7gFb+/I3LZHJUXO5efmti2O/JbrIOy@public.gmane.org>
2014-10-07 17:18             ` Ian Grant
     [not found]               ` <CAKFjmdx+jzfapvrq6EEO8Skx2L2UZwi-DZ22xiq9t1438E7kOw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-10-07 17:28                 ` Mark H Weaver
2014-10-07 17:56                   ` Ian Grant
     [not found]                     ` <CAKFjmdwNTjJ7nU-rKEWkA+5whsfyrpqJ6RkhU+VRbUW6rqT03A-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-10-07 19:24                       ` Philip Herron
     [not found]                         ` <CAEvRbeoEJPTtoDu0nDudJyfBoaT1vpuvHzL=t+TkJr_ZGkzYEQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-10-07 19:47                           ` Ian Grant
2014-10-08 18:26                       ` Mark H Weaver
2014-10-08  3:55               ` Mike Gerwitz
  -- strict thread matches above, loose matches on Subject: below --
2014-10-05 17:42 Ian Grant
2014-10-05 18:19 ` Ian Grant
2014-10-06  0:30 Ian Grant
     [not found] ` <CAKFjmdzxAMvcry8N6B_atM_8vGyzA1Dfz9ygWxSgh3fD7EUAuQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-10-06  8:51   ` William ML Leslie

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: https://www.gnu.org/software/guile/

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CAKFjmdxqdvYS8qWQ8SZsYVBjsoLysijkyYLZzvg7=QXqnMGYZw@mail.gmail.com' \
    --to=ian.a.n.grant@googlemail.com \
    --cc=deraadt@theos.com \
    --cc=gcc@gcc.gnu.org \
    --cc=guile-devel@gnu.org \
    --cc=johnh@ichips.intel.com \
    --cc=llvmdev@cs.uiuc.edu \
    --cc=mgk25@cam.ac.uk \
    --cc=mlton-devel@lists.sourceforge.net \
    --cc=monnier@iro.umontreal.ca \
    --cc=rms@gnu.org \
    --cc=schellr@ieee.org \
    --cc=taylanbayirli@gmail.com \
    --cc=torvalds@osdl.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).