If you have not read this paper, you probably should. I don’t have a... - Random

glyph, 2 months ago

If you have not read this paper, you probably should. I don’t have a particular comment but the parallels are obvious and you are probably going to be seeing a lot of experienced security people referencing it in discussions in the coming days

https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_ReflectionsonTrustingTrust.pdf

#liblzma #xz

reply

report

activity

copy /kbin url

copy original url

open original url

Loading...

Image

Image alternative text

magical, 2 months ago

@glyph

i would recommend also reading rsc's follow-up article "Running the 'Reflections on Trusting Trust' Compiler" which gives a full line-by-line breakdown of ken's original exploit code, and touches (briefly) on David A. Wheeler's countermeasure, "diverse double compiling"

https://research.swtch.com/nih

reply

report

activity

copy /kbin url

copy original url

open original url

Loading...

+ glyph

zzzeek, 2 months ago

@glyph "More precisely stated, the problem is to write a source program that, when compiled and executed, will
produce as output an exact copy of its source. "

with open(file) as f:
print(f.read())

this is why i fail job interviews

reply

report

activity

copy /kbin url

copy original url

open original url

Loading...

glyph, 2 months ago

@zzzeek because you forgot to use inspect.getsource and thus might get byte code? ;-)

reply

report

activity

copy /kbin url

copy original url

open original url

Loading...

Add comment