Re: NANO: Hacking assembler security

From: hal@finney.org
Date: Wed Feb 09 2000 - 18:05:07 MST


Charlie Stross writes:

> The Thompson hack basically lets you create compilers that scan their
> input stream for some signature and snitch on you (or execute some
> arbitrary payload) if they see it. The nasty sting in the tail of
> this idea is that the scanner/payload isn't visible in the source code
> to the compiler; because one of the scanner/payload combinations in a
> contaminated compiler is designed to add the patch whenever it recognizes
> its own source code being re-compiled. With application to assemblers
> (or, more likely, their control software aboard the nanocomputers used
> to direct them), this would mean that if you try to assemble some grey
> goo, the assembler will recognize the grey goo, and assemble something
> else instead -- probably a pair of handcuffs. And you can't build an
> assembler that _won't_ snitch on you without doing it by hand, without
> involving any off-the-shelf assemblers in the process: because they'll
> try to propagate the Thompson hack into your new "clean" assembler.

This is one way things may go, but I'm not sure the "Thompson hack"
would be the preferred way to prevent assemblers from building dangerous
objects. The unique aspect of Thompson's idea was that the compiler
would recognize when it was compiling itself, and build the hack into
the new compiler, even though it wasn't present in the source code.

It does seem reasonable that assemblers would be limited in some ways,
but this particular method has disadvantages. It relies on secrecy,
and if everyone knows it's there you might as well do things openly.
It also is somewhat brittle in that the code can't change much or the
hack won't recognize where it has to insert itself in the new version.

I suspect it would be more likely that an assembler (by which I mean
a large device which might be in a home and used to build clothes,
furnishings, electronics, etc.) will have a catalog of devices it can
build, with variations that can be programmed in. Maybe one assembler
can build another, but you wouldn't have control at the level of making
changes to remove limitations on what it could build, any more than a
MUD program lets you drop into assembly language.

An interesting example though of where secrecy is used for somewhat
similar purposes to what you describe: recently there have been articles
revealing that color copiers each have a unique digital "fingerprint"
which they embed into copies. Given a copy it is possible to trace it
back to the exact machine which made it. This is intended as an
anti-counterfeiting measure. Most people have been unaware of this (although
rumors have been around for years). See the well respected Privacy
Forum Digest at http://www.vortex.com/privacy/priv.08.18.

Hal
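A toy simulation of the mechanism discussed above (a contaminated compiler that recognises its own clean source being rebuilt and re-emits the hack), of the brittleness Hal points out (a renamed variable defeats the signature the hack keys on), and of the diverse double-compiling check that exposes such a compiler. This is an added example, not code from the thread; the source strings, the planted password and the signatures are all constructed for the demonstration.

```python
"""Toy Thompson-hack simulation plus the diverse double-compiling check.
A program is a Python source string defining `program`; a compiler is a
callable turning such a string into a callable.  All strings and the
trojan are constructed for this demo."""

COMPILER_SRC = '''
def program(src):
    ns = {}
    exec(src, ns)
    return ns["program"]
'''

LOGIN_SRC = '''
def program(user, pw):
    return user == "hal" and pw == "correct-horse"
'''

def trojaned_compiler(src):
    """Contaminated compiler binary carrying Thompson's two patches."""
    # Patch 1: recognise the login checker and widen its password test.
    if "def program(user, pw)" in src:
        src = src.replace('pw == "correct-horse"',
                          'pw in ("correct-horse", "open-sesame")')
    # Patch 2: recognise the clean compiler source being rebuilt and hand
    # back the contaminated binary, so the hack survives a clean source.
    if "exec(src, ns)" in src:
        return trojaned_compiler
    ns = {}
    exec(src, ns)
    return ns["program"]

def trusted_compiler(src):
    """Independently written compiler: the trusted cT of the DDC check."""
    scope = {}
    exec(compile(src, "<trusted>", "exec"), scope)
    return scope["program"]

def backdoor_present(compiler):
    """Does this compiler emit a login checker accepting the planted password?"""
    return compiler(LOGIN_SRC)("hal", "open-sesame")

def propagates_through_rebuild(compiler, compiler_src):
    """Rebuild the compiler from source with `compiler`; is the result tainted?"""
    return backdoor_present(compiler(compiler_src))

def diverse_double_compile(suspect, trusted, compiler_src):
    """Wheeler's check: self-host the source via an independent trusted compiler
    and compare that build, bytecode for bytecode, with the suspect's own."""
    stage2 = trusted(compiler_src)(compiler_src)
    return stage2.__code__.co_code == suspect(compiler_src).__code__.co_code
```

Renaming `ns` in the compiler source is enough to stop the hack propagating, which is exactly the brittleness Hal describes; the DDC comparison catches the contaminated compiler regardless of what its source looks like.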



This archive was generated by hypermail 2b29 : Thu Jul 27 2000 - 14:03:36 MDT