From mboxrd@z Thu Jan 1 00:00:00 1970 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on polar.synack.me X-Spam-Level: X-Spam-Status: No, score=0.2 required=5.0 tests=BAYES_00,INVALID_MSGID, REPLYTO_WITHOUT_TO_CC autolearn=no autolearn_force=no version=3.4.4 X-Google-Language: ENGLISH,ASCII-7-bit X-Google-Thread: 103376,caa8ecf96e8cf189 X-Google-Attributes: gid103376,public From: kilgallen@eisner.decus.org (Larry Kilgallen) Subject: Re: Trusting GNAT for security software Date: 1998/03/01 Message-ID: <1998Mar1.142220.1@eisner>#1/1 X-Deja-AN: 329780125 X-Nntp-Posting-Host: eisner.decus.org References: <34F421F6.3A5FFF59@towson.edu> <34F5A906.1704@gsfc.nasa.gov> <34F68913.2FF865DA@cl.cam.ac.uk> <6d67j5$474$1@news.nyu.edu> <34F9444D.D2F588@cl.cam.ac.uk> X-Trace: news.decus.org 888780142 16503 KILGALLEN [192.67.173.2] Organization: LJK Software Reply-To: Kilgallen@eisner.decus.org.nospam Newsgroups: comp.lang.ada Date: 1998-03-01T00:00:00+00:00 List-Id: In article , dewar@merv.cs.nyu.edu (Robert Dewar) writes: > Marcus says > Now if I ship my security software in Ada source code to allow > users to evaluate and trust it at a very high level, then what > real trust do I get if I compile this carefully scrutinized > backdoor free paranoid's dream softare with a compiler that I > can only bootstrap with a binary from a single DoD related source. Well just because GNAT is written to rely on GNAT-specific features, that doesn't mean your security software should be that way. In fact, I would be quite suspicious of a security product delivered in source form allegedly for reasons of security if the instructions were that I had to use a particular compiler even though it was written in an internationally standardized language. Robert says: > YOu obviously know little about the way in which university projects > are financed. Yes, the funds came from the DoD, but the DoD had ZERO > control over the project. This really is only of concern to those outside the US. Those who pay taxes to support the DoD know they are not that organized :-). > Actually I think a university project, particularly one working with > openly available sources, would be extremely hard to subvert in the manner > that Marcus' paranoid thinking suggests. Many students had full access to > every bit of information throughtout the development. But those involved in security work are supposed to think paranoid. If you don't have a list of possible attacks against which you do not have a provable defense, then you haven't thought hard enough. AMD might have a special circuit inside their chips that recognizes code generated by GNAT and if it finds it is doing triple-DES squirrels away the key in a secret register. One doesn't have to think a long time about such attacks, but realizing what is possible is important for realizing what is probable. When some folks did this for Netscape Navigatory they came up with "what if they used a crude random number generator" and bingo, there was a vulnerability. > As I said earlier, it always amuses me when people hypothesize that > free software is somehow especially subject to intrusion of this kind, > when in fact the exact opposite is true. I don't think people theorize this any more about free software than commercial software, nor any less. With sufficient funding I could set up higher bandwidth "mirror" sites for GNAT distribution, and lacking signatures who would know if I had tampered? Initially someone would compare, but eventually they would grow tired. On the other hand, I could use the same funding to become a "distributor" of Microsoft software, giving them their full royalties but sending modified CD-ROMs to the unwitting customers who would not know that I had inserted bugs in the software. Microsoft would get a reputation for buggy software. Who could tell the difference :-). Larry Kilgallen