comp.lang.ada
From: dewar@merv.cs.nyu.edu (Robert Dewar)
Subject: Re: Trusting GNAT for security software
Date: 1998/03/01
Message-ID: <dewar.888758710@merv>
In-Reply-To: 34F9444D.D2F588@cl.cam.ac.uk


Markus says

<<I know the following is paranoid, so consider it more as an
intellectual exercise than as a real concern. GNAT was financed
by the DoD, the same institution that operates NSA, an organization
well known for tampering with the production of cryptographic
systems all over the world to leave backdoors for their access.
Now if I ship my security software in Ada source code to allow
users to evaluate and trust it at a very high level, then what
real trust do I get if I compile this carefully scrutinized
backdoor free paranoid's dream software with a compiler that I
can only bootstrap with a binary from a single DoD related source.>>


You obviously know little about the way in which university projects
are financed. Yes, the funds came from the DoD, but the DoD had ZERO
control over the project. NYU will not accept any kind of restrictions
on such projects. Early on, when we were working on Ada/Ed, NYU told
the US Army that it would turn down $1 million, rather than accept
a provision that publications had to be submitted to the Army for
preapproval. The Army suggested leaving in the presubmission and
removing the preapproval, but NYU said, no, remove the clause
completely or take your money somewhere else. They removed it :-)

Actually I think a university project, particularly one working with
openly available sources, would be extremely hard to subvert in the manner
that Markus' paranoid thinking suggests. Many students had full access to
every bit of information throughout the development.

Actually an interesting bit of archeological data is that we have the
complete history of the GNAT project in terms of source development.
The semantics processing for chapter 3 is now at version 1145, and
you can look at all 1,144 previous versions, going back to the days
when we bootstrapped with Alsys.

As I said earlier, it always amuses me when people hypothesize that
free software is somehow especially subject to intrusion of this kind,
when in fact the exact opposite is true. There are freely distributed
Ada compilers being copied across the net now which are entirely
proprietary and you have no way of knowing what is inside them. Even
there I think the probability of any kind of deliberate Trojan horse
etc is very small, but note that in areas other than compilers there
have been concerns with proprietary software, e.g. Microsoft collecting
system information surreptitiously during installation, and various Web
sites installing cookies of dubious recipe. So these kinds of concerns
are certainly not entirely frivolous.

I think the general recommendations here are to make sure you are dealing
with a reputable company and to be a little hesitant in using freeware,
shareware, or other unsupported software on critical projects. One thing
that is a bit worrisome is to see large critical projects using unsupported
software, and that does happen sometimes. Actually the larger risk is simply
running into problems, rather than deliberate subversions.

Finally, as I noted in earlier mail, you can if you like examine GNAT
relatively easily at the code level to ensure absolutely that the code
generated is what is expected. The only way to protect a Ken Thompson type
Trojan horse would be to enlist a huge suite of tools, both proprietary
and free software, in the conspiracy, and *that* is getting a little
far-fetched, even for conspiracy buffs :-)

Robert Dewar
Ada Core Technologies
