comp.lang.ada
From: dewar@merv.cs.nyu.edu (Robert Dewar)
Subject: Re: Trusting GNAT for security software
Date: 1998/03/01
Message-ID: <dewar.888807733@merv> (raw)
In-Reply-To: 1998Mar1.142220.1@eisner


Larry said

<<I don't think people theorize this any more about free software than
commercial software, nor any less.  With sufficient funding I could
set up higher bandwidth "mirror" sites for GNAT distribution, and
lacking signatures who would know if I had tampered?  Initially
someone would compare, but eventually they would grow tired.

On the other hand, I could use the same funding to become a "distributor"
of Microsoft software, giving them their full royalties but sending modified
CD-ROMs to the unwitting customers who would not know that I had inserted
bugs in the software.  Microsoft would get a reputation for buggy software.
Who could tell the difference :-).
>>


Actually here, operating in paranoid mode, you are ahead with GNAT, since,
assuming you are using the commercial version of the product, you get it
directly from the vendor, with no intervening distributors. Yes, it is
possible that the public versions could be compromised, although I think
it is more likely that would happen through an accident, than through
design -- but one cannot imagine a paranoid security-conscious project
using unsupported freeware of unknown provenance, can one???

<<Well just because GNAT is written to rely on GNAT-specific features,
that doesn't mean your security software should be that way.  In fact,
I would be quite suspicious of a security product delivered in source
form allegedly for reasons of security if the instructions were that
I had to use a particular compiler even though it was written in an
internationally standardized language.
>>

Surely you have not been dazzled into believing that because something
is written in a standardized language, it is automatically portable!
There are many legitimate implementation dependencies in almost all
languages. It is actually very unusual for a large project to be
100% portable from one compiler to another without any changes of
any kind at all -- not impossible, but most certainly unusual.

Probably the most secure way of distributing security type products is
to deliver the binary, together with the corresponding source. That way
the customer can, if they like, repeat the entire certification process,
or at least that part of the procedures that are related to the code itself,
as opposed to the procedures used to generate the code.

The danger of depending on source distribution for a high security product
without any reference binary is that you do not have a 100% guarantee that
you have correctly compiled the product and got a version that corresponds
to the one that has been certified. For example, in a nasty case, the compiler
might have a previously undetected bug that causes it to generate bad code
on the 29th of March, due to the date routine making a wild store.
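The two checks argued over in this thread, worked through as an added example that is not code from the thread or from GNAT: the vendor ships source plus the certified reference binary and a signed manifest of both; the customer verifies the manifest signature against a pinned vendor key before trusting anything fetched from a mirror, checks every received file against the manifest, and then compares a locally rebuilt binary with the certified reference. Ed25519 for the signature and SHA-256 for the digests are my choices, not anything the thread specifies; the artifact names and bytes are constructed stand-ins.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
)

// Manifest maps an artifact name to the hex SHA-256 of its bytes.
type Manifest map[string]string

// Digest returns the hex SHA-256 of a blob.
func Digest(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Canonical serialises the manifest as sorted sha256sum-style lines, so vendor
// and customer sign and verify exactly the same bytes regardless of map order.
func (m Manifest) Canonical() []byte {
	names := make([]string, 0, len(m))
	for n := range m {
		names = append(names, n)
	}
	sort.Strings(names)
	var out []byte
	for _, n := range names {
		out = append(out, m[n]+"  "+n+"\n"...)
	}
	return out
}

// NewVendorKey makes the vendor's signing key pair (Ed25519 is an assumed choice).
func NewVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// BuildManifest hashes everything the vendor ships: source and reference binary.
func BuildManifest(artifacts map[string][]byte) Manifest {
	m := Manifest{}
	for name, data := range artifacts {
		m[name] = Digest(data)
	}
	return m
}

// SignManifest is the detached signature a mirror operator cannot forge.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.Canonical())
}

// VerifyRelease is the customer side: check the manifest signature against the
// pinned vendor key first, then check every received artifact against the manifest.
func VerifyRelease(pub ed25519.PublicKey, m Manifest, sig []byte, received map[string][]byte) error {
	if !ed25519.Verify(pub, m.Canonical(), sig) {
		return errors.New("manifest signature does not verify: not the vendor's release")
	}
	for name, want := range m {
		data, ok := received[name]
		if !ok {
			return fmt.Errorf("%s: listed in manifest but not received", name)
		}
		if got := Digest(data); got != want {
			return fmt.Errorf("%s: digest %s.. does not match manifest %s.. (tampered or corrupted)", name, got[:12], want[:12])
		}
	}
	return nil
}

// CheckRebuild compares a locally compiled binary with the certified reference;
// any mismatch means the local toolchain did not reproduce what was certified,
// whatever the cause (different flags, different compiler, a compiler bug).
func CheckRebuild(reference, local []byte) error {
	if ref, got := Digest(reference), Digest(local); ref != got {
		return fmt.Errorf("rebuilt binary %s.. does not match certified reference %s..", got[:12], ref[:12])
	}
	return nil
}

func main() {
	pub, priv := NewVendorKey()
	// Constructed stand-ins for the shipped source tarball and certified reference binary.
	release := map[string][]byte{
		"product-1.0-src.tar": []byte("procedure Main is begin null; end Main;"),
		"product-1.0.bin":     []byte{0x7f, 'E', 'L', 'F', 2, 1, 1, 0},
	}
	m := BuildManifest(release)
	sig := SignManifest(priv, m)
	fmt.Println("clean mirror:   ", VerifyRelease(pub, m, sig, release))
	// A mirror that "inserted bugs": one byte flipped, manifest and signature untouched.
	bad := append([]byte(nil), release["product-1.0.bin"]...)
	bad[4] ^= 0xff
	tampered := map[string][]byte{"product-1.0-src.tar": release["product-1.0-src.tar"], "product-1.0.bin": bad}
	fmt.Println("tampered mirror:", VerifyRelease(pub, m, sig, tampered))
	fmt.Println("rebuild check:  ", CheckRebuild(release["product-1.0.bin"], bad))
}
```

The signature check answers Kilgallen's mirror scenario (a tampered binary fails the manifest, a tampered manifest fails the signature), and CheckRebuild answers Dewar's point: it tells the customer whether their own compilation matches the certified binary, but not why it differs, which is exactly why shipping the reference binary alongside the source matters.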







Thread overview: 18+ messages
1998-02-25  0:00 Compiling gnat into gcc-2.8.0 Kevin Taylor
1998-02-26  0:00 ` Stephen Leake
1998-02-26  0:00   ` Robert Dewar
1998-02-27  0:00   ` Markus Kuhn
1998-02-27  0:00     ` Robert Dewar
1998-02-27  0:00       ` Andi Kleen
1998-02-27  0:00         ` Larry Kilgallen
1998-02-27  0:00           ` Robert Dewar
1998-02-27  0:00     ` Richard Kenner
1998-03-01  0:00       ` Trusting GNAT for security software Markus Kuhn
1998-03-01  0:00         ` Robert Dewar
1998-03-01  0:00           ` Larry Kilgallen
1998-03-01  0:00             ` Robert Dewar [this message]
1998-03-02  0:00               ` Larry Kilgallen
1998-03-02  0:00             ` Andi Kleen
1998-03-02  0:00               ` Larry Kilgallen
1998-02-26  0:00 ` Compiling gnat into gcc-2.8.0 Simon Wright
1998-02-26  0:00   ` Robert Dewar