On Thu, Oct 09, 2003 at 07:45:01PM -0700, Bill Frantz wrote:
> At 8:18 AM -0700 10/7/03, Rich Salz wrote:
> >Are you validating the toolchain? (See Ken Thompson's
> >Turing Award lecture on trusting trust).
>
> With KeyKOS, we used the argument that since the assembler we were using
> was written and distributed before we designed KeyKOS, it was not feasible
> to include code to subvert KeyKOS. How do people feel about this form of
> argument?
Not too good. If I knew what the target processor were, I think I could
arrange to do some damage to most general-purpose operating systems; they
all have to do some of the same fundamental things. This is a bit more
sophisticated than what Thompson's compiler did, but it's the same basic
idea. There are some basic operations (in particular on the MMU) that you
can recognize regardless of their specific form and subvert in a
programmatic manner such that it's highly likely that you can exploit the
resulting weakness at a later date, I think.

Thor

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
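The argument in the thread above, as an added worked example that is not part of the original messages and not code from KeyKOS or any real assembler. The instruction set, its encoding, the control registers and the "kernel-protect" bit are all invented for the illustration. The point it demonstrates is Thor's: an assembler that predates the OS can still subvert it if its trigger is a class of operation (here, any write to an MMU control register) rather than anything specific to the program being assembled. The second half shows the check a practitioner can actually run against that threat, which is the idea behind David A. Wheeler's later "diverse double-compiling": assemble the same source with independently produced tools and diff the output, since reading the OS source alone cannot settle the question.

```python
"""Toy model of the trusting-trust argument: an assembler written before an OS
existed can still subvert it by recognising a class of operations (writes to
MMU control registers) rather than any particular program.
Everything here (ISA, encodings, registers, bits) is hypothetical."""

# Hypothetical toy ISA: one 32-bit word per instruction, opcode in the top byte.
OPCODES = {"mov": 0x01, "add": 0x02, "mtcr": 0x10, "ret": 0xFF}
# Control registers; 'mtcr' writes a general register into one of them.
CONTROL_REGS = {"ptbr": 0, "mmuctl": 1, "timer": 2}
# Control registers that belong to the MMU, identified by role, not by name.
MMU_REGS = {"ptbr", "mmuctl"}
# Bit in mmuctl that (in this toy) makes kernel pages inaccessible from user mode.
KERNEL_PROTECT = 1 << 3

def encode(op, a=0, b=0):
    return (OPCODES[op] << 24) | ((a & 0xFF) << 16) | (b & 0xFFFF)

def parse(line):
    op, _, rest = line.strip().partition(" ")
    args = [x.strip() for x in rest.split(",")] if rest else []
    return op, args

def assemble_honest(source):
    """Reference assembler: faithful one-to-one encoding of each source line."""
    words = []
    for line in source.strip().splitlines():
        op, args = parse(line)
        if op == "mov":      # mov rN, imm
            words.append(encode(op, int(args[0][1:]), int(args[1])))
        elif op == "add":    # add rN, rM
            words.append(encode(op, int(args[0][1:]), int(args[1][1:])))
        elif op == "mtcr":   # mtcr creg, rN
            words.append(encode(op, CONTROL_REGS[args[0]], int(args[1][1:])))
        elif op == "ret":
            words.append(encode(op))
        else:
            raise ValueError(f"unknown op {op}")
    return words

def assemble_trojaned(source):
    """The same assembler with a Thompson-style addition that knows nothing about
    any particular OS: whenever a register is about to be written into an MMU
    control register, the most recent immediate load into that register is
    rewritten so the kernel-protect bit is cleared. The trigger is the
    operation itself, so it fires on any OS that sets up an MMU this way."""
    words = assemble_honest(source)
    lines = [parse(l) for l in source.strip().splitlines()]
    for i, (op, args) in enumerate(lines):
        if op == "mtcr" and args[0] in MMU_REGS:
            src_reg = int(args[1][1:])
            # Walk back to the last 'mov' into that register and patch its immediate.
            for j in range(i - 1, -1, -1):
                if lines[j][0] == "mov" and int(lines[j][1][0][1:]) == src_reg:
                    imm = words[j] & 0xFFFF
                    words[j] = (words[j] & 0xFFFF0000) | (imm & ~KERNEL_PROTECT)
                    break
    return words

def run(words):
    """Minimal interpreter for the toy ISA; returns the final control-register state."""
    regs = [0] * 8
    cregs = {name: 0 for name in CONTROL_REGS}
    by_num = {v: k for k, v in CONTROL_REGS.items()}
    for w in words:
        op, a, b = w >> 24, (w >> 16) & 0xFF, w & 0xFFFF
        if op == OPCODES["mov"]:
            regs[a] = b
        elif op == OPCODES["add"]:
            regs[a] = (regs[a] + regs[b]) & 0xFFFF
        elif op == OPCODES["mtcr"]:
            cregs[by_num[a]] = regs[b]
        elif op == OPCODES["ret"]:
            break
    return cregs

def diverse_check(source, assemblers):
    """Assemble the same source with independently produced assemblers and report
    the word offsets at which they disagree (assumes equal-length output).
    Any disagreement is a finding to investigate, whatever the source looks like."""
    outputs = [asm(source) for asm in assemblers]
    return [i for i, pair in enumerate(zip(*outputs)) if len(set(pair)) > 1]

# Constructed kernel bootstrap for the toy ISA (not any real OS): load a page
# table base, then enable the MMU (bit 0) with kernel protection (bit 3) on.
KERNEL_INIT = """
mov r1, 4096
mtcr ptbr, r1
mov r2, 9
mtcr mmuctl, r2
ret
"""

if __name__ == "__main__":
    print("honest  mmuctl:", run(assemble_honest(KERNEL_INIT))["mmuctl"])    # 9
    print("trojan  mmuctl:", run(assemble_trojaned(KERNEL_INIT))["mmuctl"])  # 1
    print("differing words:", diverse_check(KERNEL_INIT, [assemble_honest, assemble_trojaned]))
```

Note that nothing in assemble_trojaned mentions the bootstrap code, a symbol name, or the OS; it only needs to know what an MMU write looks like on the target, which is exactly the knowledge an assembler author has before any particular OS is designed. The diverse check catches it only because the second assembler is genuinely independent; two builds of the same trojaned assembler would agree with each other.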