Full Disclosure mailing list archives
Re: re: eeye temporary patch for current IEvulnerability
From: Valdis.Kletnieks () vt edu
Date: Tue, 28 Mar 2006 12:30:32 -0500
On Tue, 28 Mar 2006 12:07:19 EST, "Krpata, Tyler" said:
If only someone would invent some sort of software that would generate a binary from source code...
It's called a compiler. And that's not foolproof - first off, different versions of the compiler often generate different code. I've personally seen gcc 3.2 and gcc 4.1 generate code that's 10% or more different - and that's *plenty* of difference to sneak a one-line backdoor in. Second off, even if you compile with the same compiler, it doesn't mean you're off the hook. Go read Ken Thompson's Turing Award Lecture "On Trusting Trust" (http://www.acm.org/classics/sep95/). Although Ken actually implemented it, the concept wasn't original with him - the "unnamed Air Force document" he references is Karger&Schell's 1974 paper on Multics security: http://csrc.nist.gov/publications/history/karg74.pdf Thirty years later, they did a retrospective on what we've learned: http://www.acsac.org/2002/papers/classic-multics.pdf (Summary - we're going backwards....)
Attachment:
_bin
Description:
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- RE: re: eeye temporary patch for current IEvulnerability Krpata, Tyler (Mar 28)
- Re: re: eeye temporary patch for current IEvulnerability Javor Ninov (Mar 28)
- Re: re: eeye temporary patch for current IEvulnerability Valdis . Kletnieks (Mar 28)
- <Possible follow-ups>
- RE: re: eeye temporary patch for current IEvulnerability 0x80 (Mar 28)
- Re: re: eeye temporary patch for current IEvulnerability list srv (Mar 28)