On Thu, 23 Dec 2010 00:36:03 GMT, mrx said: > I am aware that compilers can be coded to introduce "features" into binaries > that are not in the actual source code itself. > So with all due respect and possibly much ignorance on my part, what is a > code audit going to achieve if one uses the shipped compiler to > compile the source? Unless one codes ones own compiler can any binary be > trusted? Although Kargen and Schell did it during the Multics pen-test for *one* release of *one* compiler on *one* system, and Thompson referenced it in his Turing Award lecture, it's probably *not* on anybody's serious threat model. You'd have to find a way to put your backdoored compiler onto the distribution's build farm (so *all* copies got backdoored), and ensure that it stayed in place across releases - which means you probably need to re-backdoor it for each release of the compiler (code generators, especially optimizing ones, are moving targets - if your backdoor gets munched by the dead-code eliminator, or mutated by the CSE code, you don't get your backdoors). And of course, if your code inserts the backdoor-the-compiler code by recognizing 7 specific lines in one function, life gets interesting when a bugfix changes those 7 lines to 9. You either lose your backdoor, or it gets detected because the bugfix doesn't work because your code is overriding it. I'll overlook the minor detail that (for instance) today's gcc compiler is a *lot* more sophisticated, with a lot more code-generation intelligence, than what was available in 1972 when Karger and Schell and Thompson were doing this stuff - so the backdoor will have to be equally more subtle and thus fragile. You'd also have to find a clever way to deal with paranoids who rebuild their source tree with their previous toolchain - if anybody pulls down the new source and rebuilds it with their old compiler, you don't get a backdoor. And if the compiler they build doesn't binary-match the distro's, the jig is up (and you *know* that if they're paranoid to rebuild the compiler, they'll notice a difference ;) It's probably easier to get a backdoored BIOS loaded onto the target, and use the microcode-update function on many CPUs to install a backdoor that way. And at some point, you really have to ask yourself "Is this really a plausible attack method, or did I forget to take my meds again?".
Attachment:
pgp9oukR4gnbG.pgp
Description: PGP signature
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/