Thursday, 16 July 2015

The Mother of all Software Vulnerabilities

In August last year I wrote a document describing how we could secure the GNU toolchain from possible subversion, as well as make all the software a lot better.

I sent it first by e-mail to Richard Stallman, Linus Torvalds and Theo deRaadt, amongst others. Then when I received no meaningful response from any of these people, I sent it to the public guile-devel mailing list.

Stallman's response (by private e-mail to me) was rather feeble. He did not seem to understand the security problem. So I explained it more explicitly in another post to guile-devel, hoping to widen the discussion to include people who might actually provide better-considered responses to the document.

That didn't work either, so I tried to explain it yet more clearly in a blog post, where I pointed out the original publication of the problem often mis-attributed to Ken Thompson.

To my pleasant surprise Roger Schell responded shortly afterwards, referring us to a paper he had written a decade earlier, which corroborated everything I had claimed.

To make the point, I gave some details to show how easy it would be to devise an object code trap-door that would survive all but a major restructuring of the compiler source code.

Stallman's feeble response was that he did not have time to read the 100 or so lines of program code I had given, which implemented a PROLOG interpreter that could search for the relevant patterns in the compiler source to identify the target source even when its structure was altered from version to version. I responded in private that he seemed to think I had time to read over 60MB [correction: that should read 600MB] of source code that comprises the GCC compiler source distribution. He had nothing to say in response to that.

It didn't go much further than that. There was a lot of smoke on the guile-devel list from people who thought they knew what I was saying, but who made it very clear that they had actually missed the point entirely. But clearly some people did understand exactly what I was saying.

I also explained how we can solve the problem of hardware subversion using similar techniques.

Then a few months later, Edward Snowden dug around his "archives" and came up with this lovely little snippet, describing how "researchers" at Sandia National Labs. had actually done exactly this, to hack Apple's XCode development toolchain, and this was the origin of the MacOS and iOS hacks described here.

It is clear then that subversion by object code trap-doors is a real, extant threat, and so probably is subversion by system initialization trap-doors, though there are very few people capable of understanding what that might be. Given the difficulty of detection of these things, we have no good reason to believe that any toolchain based on the GNU C compiler has not been effectively subverted. The same "whacking" that the little boys at Sandia gave the Apple XCode gcc compiler, will be an easy-enough port to OpenBSD, Debian Linux etc.

So I pointed out the problem, and it was subsequently confirmed to be a real extant exploit. But I also pointed out the solution, which is to formally specify programs using intensional semantics as application-specific languages, and then automate the actual generation of programs implementing those specifications.

Now there is a bit of a hoo-hah about unreliable, insecure commercial and open-source software, and I wonder why still no-one has any response to my suggestions. What is the problem? Can anyone tell me what I've missed? Is there a big metaprogramming project that will soon solve all this?


2 comments:

  1. See https://eternaldoorman.blogspot.com/ for updates on my stuff.

  2. For a possible connection to Venezuela and Colombia, see this post of mine: https://eternaldoorman.blogspot.com/2020/11/long-complicated-story-about.html
