IRC channel logs

2023-10-26.log

<muurkha>holy shit, did Russ Cox get the historical Thompson attack running? https://research.swtch.com/nih
<muurkha>because, holy shit, he emailed ken and asked him to please send codez
<muurkha>and it's in the TUHS tapes Ritchie gave Toomey in 01997
<muurkha>> It’s short! When Ken sent me nih.a and I got it running, my immediate reaction was disbelief at the size of the change: 99 lines of code, plus a 20-line shell script. If you already know how to make a program print itself, the biggest surprise is that there are no surprises!
<muurkha>> It’s one thing to say “I know how to do it in theory” and quite another to see how small and straightforward the backdoor is in practice. In particular, hooking into source code reading makes it trivial. Somehow, I’d always imagined some more complex pattern matching on an internal representation in the guts of the compiler, not a textual substitution. Seeing it run, and seeing how tiny
<muurkha>it is, really drives home how easy it would be to make a change like this and how important it is to build from trusted sources using trusted tools.
<muurkha>> I don’t say any of this to put down Ken’s doing it in the first place: it seems easy because he did it and explained it to us. But it’s still very little code for an extremely serious outcome.
<muurkha>There's a bit there about how straightforward it is to bootstrap Golang with a C compiler: https://research.swtch.com/nih#go
<muurkha>perhaps especially relevant here!
<nektro>funny u mention that because i actually started https://github.com/nektro/go14 as a testing ground to try and bootstrap go with mes
<nektro>since i find go and zig easier to grasp i wanted to try an alternative chain route
<nektro>this was only a couple days ago but i didn't get far outside starting the initial fork since i haven't got mes working yet
<nektro>but it's something i'll be keeping an eye on
<lanodan>I'd say Go is trivial to bootstrap, at least I made https://hacktivis.me/git/overlay/file/dev-lang/go/go-1.4_p20171003.ebuild.html years ago (gentoo recipe btw) and from time to time I compile Go's latest compiler with it.
<lanodan>Another path being possible via GCCGO as well
<nektro>nice :)
<nektro>yeah for https://git.sr.ht/~nektro/wifilylinux i do go latest <- 1.17 <- 1.4 from source
<matrix_bridge><Andrius Štikonas> lanodan: go 1.4 can't build the newest, I made some intermediate version in my gentoo overlay
<matrix_bridge><Andrius Štikonas> Oh I see nektro is already doing that
<matrix_bridge><Andrius Štikonas> Though that path won't work for riscv, I guess we need gccgo then
<oriansj>muurkha: I guess we can safely assume this class of attack has been in the wild since 1997 then and treat all generated code as suspect.
<oriansj>janneke: I think the reason he didn't mention bootstrappable builds or guix was that he was more concerned about source code published by strangers on the internet than binary blobs.
<oriansj>but then it is strange that code review signing infrastructure isn't mentioned either.
<ekaitz>muurkha: I saw the post this morning! really cool stuff
<lanodan>Right, I heard about that but always forgot if they actually went with it, at least it means you can jump from 1.4 to near-latest via go1.14
<lanodan>s;go1.14;go1.4;
<theruran>figured this would have been posted here already: https://research.swtch.com/nih "Running the “Reflections on Trusting Trust” Compiler" (Posted on Wednesday, October 25, 2023.)
<matrix_bridge><Andrius Štikonas> It's a pity they don't mention bootstrappable builds
<theruran>oh. muurkha posted it above :D
<oriansj>theruran: thank you for trying to share ^_^
<oriansj>not everyone is constantly logged into this channel and so they would benefit if they missed out ^_^
<pabs3>HN discussion for it: https://news.ycombinator.com/item?id=38020792
<oriansj>the neat compiler's generated C code however just makes me shake my head