Re: OpenBSD has Open Backdoored Software Distribution - admitted by Theo

[Valdis.Kletnieks () vt edu]

On Thu, 23 Dec 2010 00:36:03 GMT, mrx said:

> I am aware that compilers can be coded to introduce "features" into binaries that are not in the actual source code 
> itself.
> So with all due respect and possibly much ignorance on my part, what is a code audit going to achieve if one uses the 
> shipped compiler to
> compile the source? Unless one codes ones own compiler can any binary be trusted?

Although Kargen and Schell did it during the Multics pen-test for *one* release
of *one* compiler on *one* system, and Thompson referenced it in his Turing
Award lecture, it's probably *not* on anybody's serious threat model.

You'd have to find a way to put your backdoored compiler onto the
distribution's build farm (so *all* copies got backdoored), and ensure that it
stayed in place across releases - which means you probably need to re-backdoor
it for each release of the compiler (code generators, especially optimizing
ones, are moving targets - if your backdoor gets munched by the dead-code
eliminator, or mutated by the CSE code, you don't get your backdoors).  And of
course, if your code inserts the backdoor-the-compiler code by recognizing 7
specific lines in one function, life gets interesting when a bugfix changes
those 7 lines to 9. You either lose your backdoor, or it gets detected because
the bugfix doesn't work because your code is overriding it.

I'll overlook the minor detail that (for instance) today's gcc compiler is a *lot*
more sophisticated, with a lot more code-generation intelligence, than what
was available in 1972 when Karger and Schell and Thompson were doing
this stuff - so the backdoor will have to be equally more subtle and thus fragile.

You'd also have to find a clever way to deal with paranoids who rebuild their
source tree with their previous toolchain - if anybody pulls down the new source
and rebuilds it with their old compiler, you don't get a backdoor.  And if the
compiler they build doesn't binary-match the distro's, the jig is up (and you *know*
that if they're paranoid to rebuild the compiler, they'll notice a difference ;)

It's probably easier to get a backdoored BIOS loaded onto the target, and use the
microcode-update function on many CPUs to install a backdoor that way.

And at some point, you really have to ask yourself "Is this really a plausible attack
method, or did I forget to take my meds again?".

Attachment: _bin
Description:

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/