At 7:31 PM -0500 4/29/04, Tad Anhalt wrote: <using Green Hills as an example>
> How did they bootstrap their system? In other words, how did they
> ensure that they could trust their entire tool chain in the first place?

They hint that the whole system was written by a few trusted persons. This begs the question "trusted by whom?". Some organizations require "trusted by the agency issuing security clearances" for certain (primarily non-tool) software.

> Did they write the whole tool chain as well? The scheme above protects
> against future attack, but not against something that was there before
> they started. I'm sure that they have an answer for that question,
> it's a pretty obvious one to ask... Maybe I missed it on my read-through?
>
> That's the whole point of the Thompson lecture. The hole is really
> deep. How far can you afford to dig? How do you decide what to trust?

Ideally, if you find you cannot afford to dig far enough to satisfy your need, a revision of your business plan is required.

> Green Hills Software obviously has a vested interest in convincing the
> reader that it's worth paying them whatever it is that they're charging
> for the extra depth... In some situations, it may be... That's a risk
> management decision.

And one solution acceptable in many conditions is determining whether the vendor has deep enough pockets that a lawsuit after the fact would mean something. I don't know much about finance, but I know that suing Green Hills Software has more potential than suing the person from whom you got a copy of Linux. Not all checks and balances are embedded in the software itself.