Re: re: eeye temporary patch for current IEvulnerability

[Valdis.Kletnieks () vt edu]

On Tue, 28 Mar 2006 12:07:19 EST, "Krpata, Tyler" said:
> If only someone would invent some sort of software that would generate a
> binary from source code... 

It's called a compiler.  And that's not foolproof - first off, different
versions of the compiler often generate different code.  I've personally
seen gcc 3.2 and gcc 4.1 generate code that's 10% or more different - and
that's *plenty* of difference to sneak a one-line backdoor in.

Second off, even if you compile with the same compiler, it doesn't mean you're
off the hook.  Go read Ken Thompson's Turing Award Lecture "On Trusting Trust"
(http://www.acm.org/classics/sep95/).  Although Ken actually implemented it,
the concept wasn't original with him - the "unnamed Air Force document" he
references is Karger&Schell's 1974 paper on Multics security:

http://csrc.nist.gov/publications/history/karg74.pdf

Thirty years later, they did a retrospective on what we've learned:

http://www.acsac.org/2002/papers/classic-multics.pdf

(Summary - we're going backwards....)

Attachment: _bin
Description:

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/