What Ken Thompson's seminal (terrifying!) "On Trusting Trust" tells us about the Spectre and Meltdown bugs

Originally published at: https://boingboing.net/2018/01/29/trust-no-one-2.html

1 Like

I don’t care about the vulnerability, if the fix is going to make my games all slow. I mean, I’ve got priorities here. (only half joking, tbh…)

I agree. You basically, or literally, need to be root to exploit it, that’s really not vulnerable. Is it going to give you ‘super’-root or something? What’s the point when you can just log into a mac with a blank password.
It would be great to be able to disable some protections if it would increase performance (yes, disabling your virus check will speed things up). I at least hope they are just checking for code misusing it than just turning it off.

It’s not called super root, it’s called kernel mode, and you could conceivably use these vulns to break out of a cloud container or even a paravirtualized VM.

Paralleling this with Thompson’s work is however senseless. These bugs are a well understood consequence of shaving everything that can be shaved for performance.

Furthermore, the compiler-to-compiler backdoor was only a thought exercise. We now have at least two independant free C compilers, countless proprietary ones, symbolic execution of binaries… making this undetectable would require a level of sophistication far superior to what known APT groups are doing.

4 Likes

It’s actually not that simple if only because you can’t know which compilers are compromised and how. In fact, solving this exact problem was good enough to award a PhD for.

The value of this work is in the formal proof of the completeness of their technique, in a defined attack model. It does not mean that implementing an attack undetectable by weaker (and much simpler) setups is trivial (nor does it mean the attack model is always representative of reality).

Furthermore, much progress has been achieved in symbolic execution since then. Will you start backdooring symbolic execution systems so that they can disregard the backdoors you insert elsewhere ? in a consistent way ?

In any case, I forgot to make my main point in the last post, so here it is: The article claims that it would be viable to design a self-backdooring C compiler, to compromise a Verilog compiler, to insert secret hardware backdoors. Why would anyone go through all this trouble, when there already is a backdoor hidden in plain sight ? Have people forgotten about the Intel Management Engine ? If i’d wager a guess, I would say that is what would make NSA people laugh at such a question.

4 Likes

This topic was automatically closed after 5 days. New replies are no longer allowed.