Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://functional.cafe/users/rml/statuses/111176094799306500">blake shaw 🇵🇸 (rml@functional.cafe)'s status on Thursday, 05-Oct-2023 02:56:35 JST</a><a href="https://functional.cafe/@rml" title="rml@functional.cafe"><img src="https://gnusocial.jp/avatar/118671-48-20230514073845.webp" width="48" height="48" alt="blake shaw 🇵🇸" style="position: absolute; left: 0; top: 0;">blake shaw 🇵🇸</a><div><a href="https://gnusocial.net/notice/15831487" rel="in-reply-to">in reply to</a><ul><li></ul></div></section><article><p><a href="https://gnusocial.net/lxo">@lxo</a> I don't think its so simple as starting from two independent compiler binaries. with Thompson's attack, the trick was of course a matter of introducing changes to what constitutes legal C code in phases, so that a seed compiler has been "trained" to interpret the backdoor of an attacker as legal C code, and that "knowledge" is then propagated from binary to binary, without the user's knowledge. and its not just GCC, but also coreutils, binutils, glibc and others that make up around 200mb of boostrap binaries on any given free operating system distribution. if you recompile these tools with pcc or clang, from source and then again with GCC, all coming from different distributors, you're just assuming that one of compilers breaks the chain of the attack. but nothing actually suggests that, considering those tools are all similarly built from blobs that may contain generational backdoors. you have to trust not only your source, but whatever they trusted as well.</p><p>this isn't purely hypothetical, these attacks have been uncovered in the wild it <a href="https://www.wired.com/2009/08/induc/" rel="nofollow noreferrer">https://www.wired.com/2009/08/induc/</a></p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/2086958#notice-4198291">In conversation</a><time datetime="2023-10-05T02:56:35+09:00" title="Thursday, 05-Oct-2023 02:56:35 JST">about a year ago</time> <span>from <span><a href="https://functional.cafe/@rml/111176094799306500" rel="external" title="Sent from functional.cafe via ActivityPub">functional.cafe</a></span></span><a href="https://functional.cafe/@rml/111176094799306500">permalink</a><h4>Attachments</h4><ol><li><article><header><div>Domain not in remote thumbnail source whitelist: media.wired.com</div><h5><a href="https://www.wired.com/2009/08/induc/">Malware Turns Software Compilers into Virus Breeders</a></h5><div> from <span>Kevin Poulsen</span></div></header><div>Security experts seem more intrigued than alarmed over a newly-discovered virus that inserts itself into a Delphi compiler, and replicates itself in every program compiled. Sophos says its seen 3,000 instances of the Induc virus in the wild, where it’s popped up in some production software. “This makes us believe that the malware has been […]</div><footer></footer></article></li></ol></footer></blockquote>

Corresponding Notice

Embed this notice
blake shaw 🇵🇸 (rml@functional.cafe)'s status on Thursday, 05-Oct-2023 02:56:35 JSTblake shaw 🇵🇸
in reply to
- Alexandre Oliva
@lxo I don't think its so simple as starting from two independent compiler binaries. with Thompson's attack, the trick was of course a matter of introducing changes to what constitutes legal C code in phases, so that a seed compiler has been "trained" to interpret the backdoor of an attacker as legal C code, and that "knowledge" is then propagated from binary to binary, without the user's knowledge. and its not just GCC, but also coreutils, binutils, glibc and others that make up around 200mb of boostrap binaries on any given free operating system distribution. if you recompile these tools with pcc or clang, from source and then again with GCC, all coming from different distributors, you're just assuming that one of compilers breaks the chain of the attack. but nothing actually suggests that, considering those tools are all similarly built from blobs that may contain generational backdoors. you have to trust not only your source, but whatever they trusted as well.
this isn't purely hypothetical, these attacks have been uncovered in the wild it https://www.wired.com/2009/08/induc/
In conversationabout a year ago from functional.cafepermalink
Attachments
1. Domain not in remote thumbnail source whitelist: media.wired.com
  Malware Turns Software Compilers into Virus Breeders
  from Kevin Poulsen
  Security experts seem more intrigued than alarmed over a newly-discovered virus that inserts itself into a Delphi compiler, and replicates itself in every program compiled. Sophos says its seen 3,000 instances of the Induc virus in the wild, where it’s popped up in some production software. “This makes us believe that the malware has been […]

Public

Embed Notice

HTML Code

Corresponding Notice