[Arm-netbook] Questioning The Holy War

Pablo Rath pablo at parobalth.org
Sun Dec 9 21:09:02 GMT 2018

On Sat, Dec 08, 2018 at 10:28:18AM -0500, Chris Tyler wrote:
> On Sat, Dec 8, 2018 at 7:07 AM Pablo Rath <pablo at parobalth.org> wrote:
> > On Fri, Dec 07, 2018 at 04:52:22PM -0500, Hendrik Boom wrote:
> > > On Fri, Dec 07, 2018 at 12:59:44PM +0100, Pablo Rath wrote:
> > > >
> > > > How do you know if the source is closed? :)
> > >
> > > Let's assume this is a real question.
> >
> > Hendrik, I am sorry. I see, I have phrased my (rhetoric) question
> > poorly. What I meant and should have written is mor like: "How can you
> > know if a
> > software behaves well and doesn't shoot the cat when you can't audit the
> > source code?"
> >
> I must point out an error here: Ken Thompson proved that auditing source
> code (of software and the toolchain used to build it) is meaningless in his
> paper "Reflections on Trusting Trust". 

Chris, I have to admit that I find your reply a bit unfair as we were
not (yet) discussing such sophisticated details. Especially as the
initial question was more in the direction of a comparison of
proprietary, open source (with blobs) and completely libre systems and
why everyone on this list is so focussed on "libre".

I did some reading on the "trusting trust" topic and want to share
what I found:
I have never heard of that paper before so I had to look that up. A
blogpost by Bruce Schneier led me to David A. Wheeler's 2009 PhD
dissertation "Fully Countering Trusting Trust through Diverse
Double-Compiling". The dissertation and a lot of additional information
can be found at [1]. 
The dissertation explains how to fully counter the "trusting trust" attack
by using the “Diverse Double-Compiling” (DDC) technique. 
"DDC, in contrast, uses additional compilers as a check on the first.
This fundamentally changes things, because now an attacker must
simultaneously subvert both the original compiler, and all of the
compilers used in DDC. Subverting multiple compilers is much harder than
subverting one, especially since the defender can choose which compilers
to use in DDC and can choose the compilers used in DDC after the attack
has been performed." ([1], section "DDC’s use of trusted compiler(s)
fundamentally increases trustworthiness")

I also recommend the section "Reproducible (deterministic) builds" in [1]: 
"Deterministic builds aren’t enough if the compiler executable is
subverted, but thankfully, DDC enables multi-party verification of
compiler executables (you still have to check the source, but that is a
much easier problem)." 

So according to David A. Wheeler the "trusting trust" attack can be
fully countered and we are back in a state where auditing source is not

[1] https://dwheeler.com/trusting-trust/

> (That said, I still prefer to be able to read the source -- just saying we
> shouldn't attribute disproven benefits to source reading!).

There are many attack vectors that make checking the source look
ridiculous (compromised hardware, evil maid attack, ...). 
We can also question if the auditing process is working well enough but I think
thats is not the point of this thread as it doesn't help to answer the
initial questions.

kind regards

More information about the arm-netbook mailing list