Blog post about a talk by Ken Thompson and the original Trusting Trust attack finally released
David A. Wheeler
dwheeler at dwheeler.com
Mon Oct 30 18:26:35 UTC 2023
> On Oct 30, 2023, at 7:04 AM, Orians, Jeremiah (DTMB) <OriansJ at michigan.gov> wrote:
> DDC only works if either a) you have a trusted compiler or b) 2 compilers that don't share a common
> compromise. Bootstrappable builds ensures we do have a trusted suite of compilers. So, unless you
> have proof of one of those, you have not in any way contributed to solving the problem.
My PhD dissertation discusses in detail how to acquire either a trusted compiler or compilers that are unlikely to share a common compromise.
In any case, there's no need to demand just one approach, as each aids the others:
* Verified reproducible builds are greate for countering attacks on the build process & results, presuming that the tools aren't subverted by a "trusting trust" attack.
* Diverse double-compiling (DDC) counters the trusting trust attack, but depends on the trustworthiness or at least independence-of-subversion of the compilers. This isn't crazy, as you can take steps to greatly increase the odds of this.
* Bootstrappable builds counters the trusting trust attack, but you have to be willing to only use its result (no fair using a different system).
Note that bootstrappable builds create an *excellent* starting point for creating a toolsuite to be used in DDC for verifying *other* tools. These can then be used for verified reproducible builds. These are hard problems; the fact that they can be used together is good news.
My webpage on DDC has become a complicated meander of cross-references to many works that are DDC-adjacent, including reproducible builds, bootstrappable builds, quines, and recreating Thompson's attack demonstration. As always, you can see more here: <https://dwheeler.com/trusting-trust/>
--- David A. Wheeler
More information about the rb-general
mailing list