Jeremy Epstein wrote:
> I agree with much of what he says about the potential for
> infiltration of bad stuff into Linux, but he's comparing apples and
> oranges. He's comparing a large, complex open source product to a
> small, simple closed source product. I claim that if you ignore the
> open/closed part, the difference in trustworthiness comes from the
> difference between small and large.
It's a lot deeper than that. Here's the link to the original Ken
Thompson speech for convenience sake:
http://www.acm.org/classics/sep95
This should be required reading (with a test following) for everyone
who ever touches code IMHO. Simple, elegant, understandable and
devastating.
It's the difference between proving that there aren't problems and
hoping that there aren't problems. Linux is really a peripheral issue.
The same arguments could be used against any operating system and/or
software system that hasn't been designed and implemented from day 1
with this sort of issue in mind.
A more interesting quote is this one:
"A few people who understood Ken Thompson’s paper wrote to me saying
that every operating system has this problem, so my indictment of Linux
security on this point is meaningless. They ask: “couldn’t someone at
Green Hills Software install a binary virus in the baseline Green Hills
Software compiler distribution and corrupt Green Hills Software’s
INTEGRITY operating system?” No, the FAA DO-178B Level A certification
process systematically checks every byte of object code of our
INTEGRITY-178B operating system to ensure that if malicious code is
introduced at any point throughout the tool chain (compiler, assembler,
linker, run-time libraries, etc.) it will be detected and removed. Since
INTEGRITY has only a few thousand lines of privileged-mode code, not the
millions of lines that burden Linux, this means of preventing viruses is
feasible for INTEGRITY, but not for Linux."
How did they bootstrap their system? In other words, how did they
ensure that they could trust their entire tool chain in the first place?
They hint that the whole system was written by a few trusted persons.
Did they write the whole tool chain as well? The scheme above protects
against future attack, but not against something that was there before
they started. I'm sure that they have an answer for that question,
it's a pretty obvious one to ask... Maybe I missed it on my read-through?
That's the whole point of the Thompson lecture. The hole is really
deep. How far can you afford to dig? How do you decide what to trust?
Green Hills Software obviously has a vested interest in convincing the
reader that it's worth paying them whatever it is that they're charging
for the extra depth... In some situations, it may be... That's a risk
management decision.
Tad Anhalt
