
Re: if you guys are really worried about a Ken Thompson-style hack in gcc



On Fri, Sep 03, 2004 at 08:42:08PM +1000, Robert Collins wrote:
> On Thu, 2004-09-02 at 16:58 -0700, Joe Buck wrote:
> > In a recent thread entitled "Re: Unofficial buildd network has been shut
> > down", several people started tossing around FUD about the possibility of
> > a Ken Thompson-style hack in gcc.
> > 
> > If any of you are seriously worried about this, please do the following:
> > 
> > 1) prove that there is no KT-style hack on the Solaris version of gcc:
> >    a) bootstrap gcc from source, starting from Sun's C compiler.
> >    b) bootstrap gcc from source, starting from any version of gcc
> 
> This presumes that Sun's cc is clean.

No, it does not.  The Ken Thompson hack is not magic.  It is not possible
to do it without detailed knowledge of the compiler source code, and it
is not possible to maintain it without constantly changing the hack code
as the compiler itself changes (and gcc has undergone massive
restructuring over the last 15 years).  Also, to fool my test, a hack
inserted by Sun's cc has to result in object code that is byte-for-byte
identical to a hack inserted by the corrupted gcc binary.

I could repeat the argument, bringing in HP's compiler, Microsoft's
compiler, and every other compiler; you would then have to resort to a
world-wide conspiracy of compiler developers to keep all their compilers
in sync, so they could keep inserting perfect Thompson hacks in their
compilers.

Ken Thompson's hack only worked because, at the time, he had control of
the world's only widely used C compiler, and it was a small, simple
compiler at that (C had the "register" keyword because this compiler had
no clue about efficient register allocation, for example).
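
The comparison step of the test described above, as an added example that is not part of the original post or of the GCC project: it hashes the object files of two final-stage build trees (one bootstrapped from each starting compiler) and reports any file that is missing or not byte-for-byte identical. The tree names, the file names, and the `.o` suffix filter are assumptions, and the sample trees are constructed.

```python
import hashlib
import sys
import tempfile
from pathlib import Path

def digest_tree(root, suffixes=(".o",)):
    """Map each matching file's path (relative to root) to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*")
        if p.is_file() and p.suffix in suffixes
    }

def compare_builds(tree_a, tree_b, suffixes=(".o",)):
    """Classify every object file across two final-stage build trees."""
    a, b = digest_tree(tree_a, suffixes), digest_tree(tree_b, suffixes)
    common = a.keys() & b.keys()
    return {
        "only_in_a": sorted(a.keys() - b.keys()),
        "only_in_b": sorted(b.keys() - a.keys()),
        "differ": sorted(k for k in common if a[k] != b[k]),
        "identical": sorted(k for k in common if a[k] == b[k]),
    }

def builds_match(result):
    """True only if something was compared and nothing is missing or different."""
    return bool(result["identical"]) and not (
        result["only_in_a"] or result["only_in_b"] or result["differ"]
    )

def constructed_demo():
    """Constructed sample: two tiny trees that differ in one byte of one file."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, tail in (("from_cc", b"\x00"), ("from_gcc", b"\x01")):
            d = Path(tmp, name)
            d.mkdir()
            (d / "toplev.o").write_bytes(b"same bytes")
            (d / "cpp.o").write_bytes(b"object code" + tail)
        return compare_builds(Path(tmp, "from_cc"), Path(tmp, "from_gcc"))

if __name__ == "__main__":
    # Two directory arguments compare real trees; otherwise run the constructed demo.
    result = compare_builds(*sys.argv[1:3]) if len(sys.argv) == 3 else constructed_demo()
    for kind in ("only_in_a", "only_in_b", "differ"):
        for path in result[kind]:
            print(f"{kind}: {path}")
    sys.exit(0 if builds_match(result) else 1)
```

An empty comparison is treated as a failure, so pointing the script at the wrong directories cannot pass as a match.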



