[OFFTOPIC] Re: Trusting trust [was: PARTIAL DIAGNOSIS of Installation problems]

To: debian-user@lists.debian.org
Subject: [OFFTOPIC] Re: Trusting trust [was: PARTIAL DIAGNOSIS of Installation problems]
From: Stefan Monnier <monnier@iro.umontreal.ca>
Date: Thu, 04 Mar 2021 21:50:47 -0500
Message-id: <[🔎] jwvsg5aiayq.fsf-monnier+gmane.linux.debian.user@gnu.org>
References: <[🔎] 1de55a8b-7a15-6f18-160a-cff9b5a6d08c@cloud85.net> <[🔎] 8fca87fe-d41d-30f8-e558-dff02c2ac628@cloud85.net> <[🔎] 5ff0c57d-3d3c-1515-e062-81f800b7603c@holgerdanske.com> <[🔎] jwvzgzjoqj7.fsf-monnier+gmane.linux.debian.user@gnu.org> <[🔎] e13c73c0-3a66-5e66-98b8-421f71c2c812@holgerdanske.com> <[🔎] 20210304084357.GA13822@tuxteam.de> <[🔎] d0302e0f-99d1-2653-356f-54893c700606@holgerdanske.com>

> The abstract states:
>
>     "In the DDC technique, source code is compiled twice: once with a
>     second (trusted) compiler (using the source code of the compiler’s
>     parent), and then the compiler source code is compiled using the
>     result of the first compilation. If the result is bit-for-bit
>     identical with the untrusted executable, then the source code
>     accurately represents the executable."
>
>
> I find the above to be unclear:

Of course, it's an abstract.  You can read the paper for more details.
Basically:

Take an existing untrusted compiler whose source code is A and binary is
cA.  You check that:

    cA == cA(A)

if it's not the case (or if you don't have access to the source code A),
the DDC technique can't be used.  If it is the case, you have just
checked that `A` is indeed the source code for `cA`.

Then take a trusted compiler whose source code is T.
Now compile it with `cA`:

    cT = cA(T)

and then use this new compiler binary `cT` to compile `A` a second time:

    cA2 = cT(A)

finally compare `cA` and `cA2`.
If they're bit-for-bit identical, then you're good: `cA` doesn't seem to
have any hidden trojan horse.

If they're not, then either cA is compromised, or maybe it's simply that
the compilers A and T don't agree sufficiently on the source language
in which they're both written.

> 1.  What source code is compiled twice?

The source code `A` of the untrusted compiler.

> 2.  Where do I get the second (trusted) compiler?

You write it yourself by hand.  You also have to make sure that it
matches the semantics of `A` sufficiently to avoid false negatives.
You need to not only trust that it does what you think it does, but also
that any attacker who may have infected `cA` hasn't seen that code and
can't have guessed enough of its content to be able to properly infect
`cT`.

> 7.  What if the compiler, by design, does not produce identical output for
>    identical input?

Then you can't use that technique and you're left wondering if it may
have a hidden self-perpetuating backdoor.


        Stefan

Reply to:

Follow-Ups:
- Re: [OFFTOPIC] Re: Trusting trust [was: PARTIAL DIAGNOSIS of Installation problems]
  - From: David Christensen <dpchrist@holgerdanske.com>

References:
- Installation problems
  - From: Richard Owlett <rowlett@cloud85.net>
- PARTIAL DIAGNOSIS of Installation problems
  - From: Richard Owlett <rowlett@cloud85.net>
- Re: PARTIAL DIAGNOSIS of Installation problems
  - From: David Christensen <dpchrist@holgerdanske.com>
- Re: PARTIAL DIAGNOSIS of Installation problems
  - From: Stefan Monnier <monnier@iro.umontreal.ca>
- Re: PARTIAL DIAGNOSIS of Installation problems
  - From: David Christensen <dpchrist@holgerdanske.com>
- Trusting trust [was: PARTIAL DIAGNOSIS of Installation problems]
  - From: <tomas@tuxteam.de>
- Re: Trusting trust [was: PARTIAL DIAGNOSIS of Installation problems]
  - From: David Christensen <dpchrist@holgerdanske.com>

Prev by Date: Re: Non-free firmware [was: Debian install Question]
Next by Date: Re: [OFFTOPIC] Re: Trusting trust [was: PARTIAL DIAGNOSIS of Installation problems]
Previous by thread: Re: Trusting trust [was: PARTIAL DIAGNOSIS of Installation problems]
Next by thread: Re: [OFFTOPIC] Re: Trusting trust [was: PARTIAL DIAGNOSIS of Installation problems]
Index(es):
- Date
- Thread