
Re: Dijkstra's Methodology for Secure Systems Development


From: Taylan Ulrich Bayirli/Kammer
Subject: Re: Dijkstra's Methodology for Secure Systems Development
Date: Sun, 21 Sep 2014 13:11:54 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (gnu/linux)

Panicz Maciej Godek <address@hidden> writes:

> How can we know that the enemy isn't using some laws of physics that
> we weren't taught at school (and that he deliberately keeps that
> knowledge out of schools)? Then our enemy will always be in control!
> This reasoning, although paranoid, seems completely valid, but it does
> abuse the notion of "enemy", by putting it in an extremely asymmetrical
> situation.

That's too far a fetch.  I think it's implausible.

That being said, I have no clear criteria for what is and isn't
plausible so far, other than personal intuition.  Does anyone have
something better?

> So if I get it right, the assumption is that the infected compiler
> detects some pattern in the source code, and once we write the same
> logic differently, we can be more certain that after compilation, our
> new compiler is no longer infected?

I think that's what it boils down to.

> And couldn't we, for instance, take e.g. the Tiny C Compiler, compile
> it with GCC, and look at the binaries to make sure that there are no
> suspicious instructions, and then compile GCC with TCC?

If the Tiny C Compiler is really tiny enough to make inspecting its
binary plausible, then that should work, AFAIUI.

> Or do we assume that the author of the Thompson virus was clever
> enough that all the programs that are used for viewing binaries (that
> were compiled with infected GCC) are also mean and show different
> binary code, hiding anything that could be suspicious? [But if so,
> then we could detect that by generating all possible binary sequences
> and checking whether the generated ones are the same as the viewed
> ones. Or could this process also be sabotaged?]

That also is possible but seems implausible to me.

All in all, the TCC should work for a one-time verification, though a
more general verification mechanism might be useful in the long term?

> Actually the direction the discussion eventually took surprised me a
> bit.
> So maybe to discharge the atmosphere, I shall include the reference to
> XKCD strip (plainly it was made up to lull our vigilance):
> http://xkcd.com/792/

That's a hilarious one. :-)

Still, one last political remark from me:

Things are more complicated.  Google might be incapable of evil, but
then they might be a tool of the US government.  Not calling the US
government "evil" either, but consider people like Julian Assange or
Edward Snowden.  Things get unpleasant, and someone with good ideals
ends up being dubbed a terrorist.  And they might not be able to become
part of the government to push their ideals into acceptance, so they
should at least have the ability to discuss them anonymously without
ending up on a watch list.

That's part of the reason I think free software is important, and I
think many people would agree.  (If you don't, or think my reasoning is
flawed, then let's just agree to disagree so we don't continue with OT.)

Taylan
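
The cross-compiler bootstrap discussed above (build one compiler with another, rebuild, and compare the results) generalises to David A. Wheeler's diverse double-compiling test, modelled here as an added toy example that is not code from the thread or from GCC or TCC. The `Compiler` class, the mini "source" format with its `style=` tag, and the trojan marker are all constructed for illustration.

```python
"""Toy model of diverse double-compiling (DDC): compile a suspect compiler's
source with both the suspect and an independent, trusted compiler, then
recompile with each result and compare.  All names, the mini source format
and the 'compilers' are constructed for illustration; none of this is real
GCC or TCC code."""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Compiler:
    """A compiler binary: its image bytes, the code-generation style its own
    source prescribes, and (for an infected build) a self-propagating marker."""
    image: bytes
    style: str
    trojan: Optional[bytes] = None

def is_compiler_source(src: str) -> bool:
    # A Thompson-style infected compiler keys on a pattern in the source text.
    return "compiler-source" in src

def compile_with(cc: Compiler, src: str) -> Compiler:
    """Compile `src` with compiler binary `cc`.

    Legitimate code generation differs per compiler (`cc.style`), so stage-1
    images from two honest compilers are NOT byte-identical.  The behaviour of
    the produced binary depends only on `src` (its declared style), which is
    what makes the stage-2 comparison meaningful.  An infected `cc` carries its
    marker into any compiler it builds."""
    declared = src.split("style=")[1].split()[0]
    infected = cc.trojan if (cc.trojan and is_compiler_source(src)) else None
    image = f"{cc.style}:{src}".encode() + (infected or b"")
    return Compiler(image=image, style=declared, trojan=infected)

def ddc_check(trusted: Compiler, suspect: Compiler, src: str) -> bool:
    """Return True when the stage-2 images agree, i.e. the suspect compiler
    reproduces what an independent compiler builds from the same source.
    A mismatch means one build chain injected something not in `src`."""
    s1_trusted = compile_with(trusted, src)      # e.g. GCC built by TCC
    s1_suspect = compile_with(suspect, src)      # e.g. GCC built by GCC
    s2_trusted = compile_with(s1_trusted, src)   # rebuild with each result
    s2_suspect = compile_with(s1_suspect, src)
    return s2_trusted.image == s2_suspect.image

# Constructed sample: a GCC-like source, a trusted TCC-like build, and two
# GCC-like binaries, one clean and one carrying a propagating marker.
GCC_SRC = "compiler-source style=gcc  emit(optimised)"
TCC = Compiler(image=b"tcc", style="tcc")
GCC_CLEAN = Compiler(image=b"gcc", style="gcc")
GCC_BAD = Compiler(image=b"gcc", style="gcc", trojan=b"<marker>")

def demo() -> tuple:
    """(clean passes, infected fails) -> (True, False)"""
    return ddc_check(TCC, GCC_CLEAN, GCC_SRC), ddc_check(TCC, GCC_BAD, GCC_SRC)
```

Note that the stage-1 images differ even for the clean compiler, which is why the comparison is made after the second compilation.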
