comp.lang.ada
From: kilgallen@eisner.decus.org (Larry Kilgallen)
Subject: Re: Trusting GNAT for security software
Date: 1998/03/01
Message-ID: <1998Mar1.142220.1@eisner> (raw)
In-Reply-To: dewar.888758710@merv


In article <dewar.888758710@merv>, dewar@merv.cs.nyu.edu (Robert Dewar) writes:
> Marcus says

> Now if I ship my security software in Ada source code to allow
> users to evaluate and trust it at a very high level, then what
> real trust do I get if I compile this carefully scrutinized
> backdoor free paranoid's dream software with a compiler that I
> can only bootstrap with a binary from a single DoD related source?

Well just because GNAT is written to rely on GNAT-specific features,
that doesn't mean your security software should be that way.  In fact,
I would be quite suspicious of a security product delivered in source
form allegedly for reasons of security if the instructions were that
I had to use a particular compiler even though it was written in an
internationally standardized language.

Robert says:

> You obviously know little about the way in which university projects
> are financed. Yes, the funds came from the DoD, but the DoD had ZERO
> control over the project.

This really is only of concern to those outside the US.  Those who pay
taxes to support the DoD know they are not that organized :-).

> Actually I think a university project, particularly one working with
> openly available sources, would be extremely hard to subvert in the manner
> that Marcus' paranoid thinking suggests. Many students had full access to
> every bit of information throughout the development.

But those involved in security work are supposed to think paranoid.
If you don't have a list of possible attacks against which you do not
have a provable defense, then you haven't thought hard enough.  AMD
might have a special circuit inside their chips that recognizes code
generated by GNAT and, if it finds it is doing triple-DES, squirrels
away the key in a secret register.  One doesn't have to think a long
time about such attacks, but realizing what is possible is important
for realizing what is probable.  When some folks did this for Netscape
Navigator they came up with "what if they used a crude random number
generator" and bingo, there was a vulnerability.

> As I said earlier, it always amuses me when people hypothesize that
> free software is somehow especially subject to intrusion of this kind,
> when in fact the exact opposite is true.

I don't think people theorize this any more about free software than
commercial software, nor any less.  With sufficient funding I could
set up higher bandwidth "mirror" sites for GNAT distribution, and
lacking signatures who would know if I had tampered?  Initially
someone would compare, but eventually they would grow tired.

On the other hand, I could use the same funding to become a "distributor"
of Microsoft software, giving them their full royalties but sending modified
CD-ROMs to the unwitting customers who would not know that I had inserted
bugs in the software.  Microsoft would get a reputation for buggy software.
Who could tell the difference :-).

Larry Kilgallen
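The mirror-tampering scenario above turns on nobody bothering to keep comparing the mirror against the original. The following is an added example, not code from the post or from the GNAT project: it automates that comparison by checking a mirrored directory against a manifest of SHA-256 digests that is assumed to have been obtained out-of-band from the primary site (a stand-in for the signatures the post says were lacking); all file names and contents are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large archives need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_mirror(mirror_dir, manifest):
    """Compare every file in mirror_dir against a trusted manifest.
    manifest maps filename -> expected hex SHA-256, taken from the primary
    site (never from the mirror itself, which is the untrusted party here).
    Returns {filename: 'ok' | 'tampered' | 'missing' | 'unexpected'}."""
    report = {}
    present = set(os.listdir(mirror_dir))
    for name, expected in manifest.items():
        if name not in present:
            report[name] = "missing"
            continue
        actual = sha256_file(os.path.join(mirror_dir, name))
        report[name] = "ok" if actual == expected else "tampered"
    for name in present - manifest.keys():
        report[name] = "unexpected"   # the primary site never published this
    return report

def demo():
    """Constructed mirror: one intact, one altered, one missing, one extra file."""
    originals = {
        "gnat-src.tar.gz": b"original source archive bytes (constructed)",
        "gnat-bin.tar.gz": b"original binary archive bytes (constructed)",
        "README": b"release notes (constructed)",
    }
    manifest = {n: hashlib.sha256(c).hexdigest() for n, c in originals.items()}
    with tempfile.TemporaryDirectory() as mirror:
        for n, c in originals.items():
            if n == "README":
                continue                      # mirror never received README
            if n == "gnat-bin.tar.gz":
                c += b"\x90"                  # mirror copy was altered
            with open(os.path.join(mirror, n), "wb") as f:
                f.write(c)
        with open(os.path.join(mirror, "extra-patch.tar.gz"), "wb") as f:
            f.write(b"file absent from the upstream release (constructed)")
        return verify_mirror(mirror, manifest)

if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{status:10} {name}")
```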

1998-02-25  0:00 Compiling gnat into gcc-2.8.0 Kevin Taylor
1998-02-26  0:00 ` Simon Wright
1998-02-26  0:00   ` Robert Dewar
1998-02-26  0:00 ` Stephen Leake
1998-02-26  0:00   ` Robert Dewar
1998-02-27  0:00   ` Markus Kuhn
1998-02-27  0:00     ` Richard Kenner
1998-03-01  0:00       ` Trusting GNAT for security software Markus Kuhn
1998-03-01  0:00         ` Robert Dewar
1998-03-01  0:00           ` Larry Kilgallen [this message]
1998-03-01  0:00             ` Robert Dewar
1998-03-02  0:00               ` Larry Kilgallen
1998-03-02  0:00             ` Andi Kleen
1998-03-02  0:00               ` Larry Kilgallen
1998-02-27  0:00     ` Compiling gnat into gcc-2.8.0 Robert Dewar
1998-02-27  0:00       ` Andi Kleen
1998-02-27  0:00         ` Larry Kilgallen
1998-02-27  0:00           ` Robert Dewar