[Git][reproducible-builds/reproducible-presentations][master] 2022-10-07: Add Breaking the Chains of Trusting Trust. *Might* be

Vagrant Cascadian (@vagrant) gitlab at salsa.debian.org
Fri Oct 7 08:17:13 UTC 2022



Vagrant Cascadian pushed to branch master at Reproducible Builds / reproducible-presentations


Commits:
8875c492 by Vagrant Cascadian at 2022-10-07T01:15:38-07:00
2022-10-07: Add Breaking the Chains of Trusting Trust. *Might* be
presented at BSidesPDX.org 2022.

- - - - -


4 changed files:

- + 2022-10-07-Breaking_the_Chains_of_Trusting_Trust/Breaking_the_Chains_of_Trusting_Trust.org
- + 2022-10-07-Breaking_the_Chains_of_Trusting_Trust/Makefile
- + 2022-10-07-Breaking_the_Chains_of_Trusting_Trust/images/reproducible-builds.png
- + 2022-10-07-Breaking_the_Chains_of_Trusting_Trust/images/vagrantupsidedown.png


Changes:

=====================================
2022-10-07-Breaking_the_Chains_of_Trusting_Trust/Breaking_the_Chains_of_Trusting_Trust.org
=====================================
@@ -0,0 +1,304 @@
+#+TITLE: Breaking the Chains of Trusting Trust
+#+AUTHOR: Vagrant Cascadian <vagrant at reproducible-builds.org>
+#+EMAIL: vagrant at reproducible-builds.org
+#+DATE: BSidesPDX 2022
+#+LANGUAGE:  en
+#+OPTIONS:   H:1 num:t toc:nil \n:nil @:t ::t |:t ^:t -:t f:t *:t <:t
+#+OPTIONS:   TeX:t LaTeX:t skip:nil d:nil todo:t pri:nil tags:not-in-toc
+#+OPTIONS: ^:nil
+#+INFOJS_OPT: view:nil toc:nil ltoc:t mouse:underline buttons:0 path:http://orgmode.org/org-info.js
+#+EXPORT_SELECT_TAGS: export
+#+EXPORT_EXCLUDE_TAGS: noexport
+#+startup: beamer
+#+LaTeX_CLASS: beamer
+#+LaTeX_CLASS_OPTIONS: [bigger]
+#+latex_header: \mode<beamer>{\usetheme{Madrid}}
+#+LaTeX_CLASS_OPTIONS: [aspectratio=169]
+#+BEGIN_comment
+Breaking the Chains of Trusting Trust
+
+In 1984, Ken Thompson presented "Reflections on trusting trust" which
+described an attack on a build toolchain that would be impossible to
+detect through source code review ... in the decades since, what has
+been done to actually mitigate these types of attacks?
+
+Corrupted build environments can deliver compromised cryptographically
+signed binaries. Several exploits in in critical supply chains have
+been demonstrated in recent years, proving that this is not just
+theoretical. The most well secured build environments are still single
+points of failure when they fail.
+
+Work in the Reproducible Builds and Bootstrappable Builds communities
+has been progressing steadily in recent years, and can be used to
+significantly reduce the risks of "Trusting Trust" and other supply
+chain attacks, by making it possible to independently review not only
+the end result, but the entire toolchain used to build a given
+artifact.
+
+This talk will focus on the state of the art from several angles in
+related Free and Open Source Software projects, what works, current
+challenges and future plans for building trustworthy toolchains you do
+not need to trust.
+
+https://reproducible-builds.org
+https://bootstrappable.org
+#+END_comment
+
+* Who am I
+
+** image
+	:PROPERTIES:
+	:BEAMER_col: 0.4
+	:END:
+
+[[./images/vagrantupsidedown.png]]
+
+
+** text
+	:PROPERTIES:
+	:BEAMER_col: 0.4
+	:END:
+
+  |                     | Vagrant |
+  |---------------------+---------|
+  | debian user         |    2001 |
+  | debian developer    |    2010 |
+  | reproducible builds |    2015 |
+
+* Trust
+
+Different levels of trust:
+
+  #+ATTR_BEAMER: :overlay <+->
+- curl http://example.net/hackme | sudo sh
+- curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
+- download file, verify signature ... run code
+- download source, verify signature, compile from source
+- emerge --emptytree @world
+- rewrite everything in assembly
+- build it up from transitors
+- I have a beach, some wood, abundant sunshine, and a lot of time
+
+* Trusting Trust
+
+Ken Thompson
+
+Reflections on trusting trust, 1984
+
+https://archive.org/details/reflections-on-trusting-trust
+
+* The Moral of Trusting Trust
+
+"You can't trust code that you did not totally create yourself.
+
+(Especially code from companies that employ people like me.)
+
+No amount of source-level verification or scrutiny will protect you
+
+from using untrusted code." - Ken Thompson
+
+* Did I say 1984, I meant 1974
+
+Karger, 1974
+
+"... insert a trap door into the... compiler...
+
+the trap door can maintain itself,
+
+even when the compiler is recompiled"
+
+* Decades of Trust
+
+Since 1974
+
+  #+ATTR_BEAMER: :overlay <+->
+- 1984: Reflections on trusting trust
+- 1980s: some papers about compiling multiple times
+- 1990s ... usenet post mumbling about multiple compilers
+- 2000s: some more papers about compiling multiple times
+- 2005: Countering Trusting Trust through Diverse Double-Compiling
+- 2009: Fully Countering Trusting Trust through Diverse Double-Compiling
+- ... and some high profile compromises!
+
+* XcodeGhost or should we say Strawhorse?
+
+  XcodeGhost, 2015
+
+  #+ATTR_BEAMER: :overlay <+->
+- Modified version of Apple's Xcode
+- Over 4000 compromised apps
+
+* SolarWhat?
+
+  SolarWinds, 2020
+
+  #+ATTR_BEAMER: :overlay <+->
+- Compromised build server...
+- ...via weak and/or leaked passphrases
+- signing certificates compromised
+- possibly 18000 affected installations
+
+* The price of Trust
+
+What is the Price...
+
+Of Trusting Trust?
+
+* Reproducible Builds
+
+** text
+    :PROPERTIES:
+    :BEAMER_col: 0.7
+    :END:
+
+https://reproducible-builds.org/docs/definition/
+
+\vspace{\baselineskip}
+
+A build is reproducible if given the same source code, build
+environment and build instructions, any party can recreate bit-by-bit
+identical copies of all specified artifacts.
+
+** image
+    :PROPERTIES:
+    :BEAMER_col: 0.3
+    :END:
+
+[[./images/reproducible-builds.png]]
+
+* Building on a solid foundation of turtles
+
+  https://bootstrappable.org
+
+Compiling your C compiler with a C compiler
+
+And a C compiler to compile the other C compiler
+
+...Ad infinitum
+
+Or any other language (rust, java, haskell, etc.)
+
+* Java bootstrap
+
+Java bootstrapping
+
+  #+ATTR_BEAMER: :overlay <+->
+- openjdk17 needs...
+- openjdk16 which needs...
+- ...
+- openjdk9 ... etc.
+
+* Rust bootstrap
+
+Rust bootstrapping
+
+  #+ATTR_BEAMER: :overlay <+->
+- rust 1.64 needs...
+- rust 1.63 which needs...
+- ...
+- rust 1.54 can be built with mrustc
+- mrustc is written in C++
+
+* Diverse Double Compiling
+
+David A. Wheeler
+
+Fully Countering Trusting Trust through Diverse Double-Compiling, 2009
+
+https://dwheeler.com/trusting-trust/dissertation/html/wheeler-trusting-trust-ddc.html
+
+* A beautiful Mes
+
+GNU Mes is a Scheme interpreter and C compiler for bootstrapping the GNU System.
+
+https://www.gnu.org/software/mes/
+
+* We made the same Mes
+
+Bit-for-bit identical Mes built on three different distributions
+
+https://reproducible-builds.org/news/2019/12/21/reproducible-bootstrap-of-mes-c-compiler/
+
+* Beginning with a Mes
+
+GNU Guix: The Reduced Binary Seed Bootstrap
+
+https://guix.gnu.org/en/manual/devel/en/guix.html#Reduced-Binary-Seed-Bootstrap
+  #+ATTR_BEAMER: :overlay <+->
+- ...
+- Reduced to 145MB of bootstrap binaries (from 250MB)
+- Using Mes and guile...
+- Builds from source GCC, binutils, glibc, etc.
+- 145MB of binaries is still not really auditable...
+
+* Before The Mes and Beyond
+
+  GNU Guix: The Full-Source Bootstrap
+
+  Now available in the "core-updates" branch!
+
+  #+ATTR_BEAMER: :overlay <+->
+- hex0 (357-byte binary)
+- hex1
+- M0
+- hex2
+- M1
+- mescc-tools
+- M2-Planet
+- Mes
+- TinyCC (patched)
+- old versions of GCC, binutils, glibc, gzip, tar ...
+- modern GCC and everything
+
+* Make it live
+
+  https://github.com/fosslinux/live-bootstrap
+
+  #+ATTR_BEAMER: :overlay <+->
+- A live environment
+- From kernel and a bit of source code
+- To a reproducibly bootstrapped toolchain
+- no pregenerated "source" code shortcuts
+- work-in-progress, but a lot of progress!
+
+* UEFI based bootstrap
+
+Work-in-progress UEFI bootstrap
+
+https://git.stikonas.eu/andrius/stage0-uefi
+
+* Bare Metal Bootstrap
+
+Stage0 on Bare Metal?
+
+https://git.savannah.nongnu.org/cgit/stage0.git/tree/
+
+* Freedom in your bits and bytes
+
+Free/Libre and Open Source Software
+
+Allows arbitrary third-party verification
+
+* Forget Trust, Verify
+
+No need to Trust, All you need is:
+
+  #+ATTR_BEAMER: :overlay <+->
+- Free/Libre and Open Source Software
+- Reproducible Builds
+- Bootstrapping
+- Diverse compilation
+- ... and lots of compile cycles
+
+* Copyright and attributions
+\addtocounter{framenumber}{-1}
+\tiny
+
+  Copyright 2019-2022 Vagrant Cascadian <vagrant at reproducible-builds.org>
+  Portions by contributors to the reproducible-builds.org website.
+
+  This work is licensed under the Creative Commons
+  Attribution-ShareAlike 4.0 International License.
+
+  To view a copy of this license, visit
+  https://creativecommons.org/licenses/by-sa/4.0/
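Review bot: On the "Trust" slide, the bullet "build it up from transitors" has a typo that will appear on the rendered slide; it should read "transistors". The abstract inside the #+BEGIN_comment block also doubles a word in "Several exploits in in critical supply chains". In the header, #+LaTeX_CLASS_OPTIONS is set twice ([bigger], then [aspectratio=169]) and #+OPTIONS sets ^:t and later ^:nil; merging each pair into one line, for example "#+LaTeX_CLASS_OPTIONS: [bigger,aspectratio=169]", makes the intended result explicit. The #+INFOJS_OPT line points at http://orgmode.org/org-info.js over plain HTTP; since the Makefile only exports to PDF, the line could be dropped, or switched to https if an HTML export is ever wanted.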


=====================================
2022-10-07-Breaking_the_Chains_of_Trusting_Trust/Makefile
=====================================
@@ -0,0 +1,16 @@
+# thanks to dima for walking me through this!
+#
+# needs: apt install emacs texlive-latex-extra texlive-plain-generic
+
+export FORCE_SOURCE_DATE = 1
+export SOURCE_DATE_EPOCH := $(shell date --utc --date '2022-10-07 00:00 UTC' +%s)
+
+all: $(patsubst %.org,%.pdf,$(wildcard *.org))
+
+%.pdf: %.org
+	emacs -Q --batch --eval '(progn (random "0") (find-file "$<") (org-beamer-export-to-pdf))'
+
+clean:
+	rm -f *.pdf *.tex *.png
+
+.PHONY:clean
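Review bot: The clean target's "rm -f *.pdf *.tex *.png" includes *.png, yet the images this talk uses sit under images/ and the only rule here produces a PDF from the .org file; unless the export is known to leave PNG files in this directory, dropping *.png avoids deleting an image that someone later places beside the .org. ".PHONY:clean" also leaves out all; ".PHONY: all clean" would cover both targets. A short comment on why FORCE_SOURCE_DATE, the fixed SOURCE_DATE_EPOCH and (random "0") are set would help the next reader, since those three settings are what pin the timestamp and random seed for the export.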


=====================================
2022-10-07-Breaking_the_Chains_of_Trusting_Trust/images/reproducible-builds.png
=====================================
@@ -0,0 +1 @@
+../../2020-05-LFNW-beyond-trusting-open-source-software/images/reproducible-builds.png
\ No newline at end of file
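Review bot: The single added line is a relative path into 2020-05-LFNW-beyond-trusting-open-source-software/images/ with no trailing newline, which reads as a symlink target, so building this talk depends on that older directory keeping its name and contents. If that coupling is intended, a note in the Makefile or the .org header would make it visible; otherwise a shared images directory or a copy in this talk's own images/ would remove it. The vagrantupsidedown.png entry that follows has the same shape.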


=====================================
2022-10-07-Breaking_the_Chains_of_Trusting_Trust/images/vagrantupsidedown.png
=====================================
@@ -0,0 +1 @@
+../../2020-05-LFNW-beyond-trusting-open-source-software/images/vagrantupsidedown.png
\ No newline at end of file



View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-presentations/-/commit/8875c49294a524b2f89289562b1b6cf15a4d7a95
