From: "James K. Lowden"
To: gcc@gcc.gnu.org
Date: Tue, 9 Apr 2024 17:02:58 -0400
Subject: Re: Sourceware mitigating and preventing the next xz-backdoor
Message-Id: <20240409170258.a8503d694df4d5d36c87b1fa@schemamania.org>
In-Reply-To: <20240401150617.GF19478@gnu.wildebeest.org>
References: <20240329203909.GS9427@gnu.wildebeest.org> <20240401150617.GF19478@gnu.wildebeest.org>

On Mon, 1 Apr 2024 17:06:17 +0200
Mark Wielaard wrote:

> We should discuss what we have been doing and should do more to
> mitigate and prevent the next xz-backdoor.

Since we're working on a compiler, "On Trusting Trust" comes to mind.
Russ Cox posted some thoughts last year that might be applicable.

https://research.swtch.com/nih

On a different tack, ISTM it might also be possible to use quantitative
methods. AIUI the xz attack was discovered while investigating
exorbitant power consumption. Could the compiler's power consumption be
measured over some baseline, perhaps on a line-by-line basis? If so,
each new commit could be power-measured, and deemed acceptable if it's
within some threshold, perhaps 10%. That's a guess; over time we'd
learn how much variation to expect.

As a public organization, any would-be attacker would obviously know
what we're doing, and would know to keep his attack under the
threshold. That makes his job harder, which would have the effect of
encouraging him to look elsewhere.

--jkl
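
An added example, not part of the message above and not GCC or Sourceware tooling: one way to implement the per-commit gate it proposes, run over constructed energy readings with hypothetical names throughout. It goes one step beyond the message by also comparing each commit with a pinned baseline, so a series of changes that each stay under the threshold is flagged once their sum crosses it, and it widens the threshold when the baseline's own run-to-run noise is larger than 10%.

```python
from statistics import median

THRESHOLD = 0.10  # the 10% guess from the message, to be tuned over time


def noise_floor(runs):
    """Relative run-to-run spread: median absolute deviation / median."""
    m = median(runs)
    return median(abs(r - m) for r in runs) / m


def gate(history, threshold=THRESHOLD):
    """history: [(commit_id, [joules per repeated run]), ...] in commit order.

    The first entry is the pinned baseline. Each later commit is compared
    with the last accepted commit (step) and with the baseline (drift).
    """
    _, base_runs = history[0]
    base = prev = median(base_runs)
    # Never gate tighter than 3x the measured noise of the baseline itself.
    limit = max(threshold, 3 * noise_floor(base_runs))
    verdicts = []
    for commit, runs in history[1:]:
        cur = median(runs)
        step, drift = (cur - prev) / prev, (cur - base) / base
        if step > limit:
            verdicts.append((commit, "reject-step", round(step, 3)))
        elif drift > limit:
            verdicts.append((commit, "reject-drift", round(drift, 3)))
        else:
            verdicts.append((commit, "accept", round(drift, 3)))
            prev = cur  # only accepted commits become the new parent
    return verdicts


# Constructed readings (joules for one fixed compile job), not real data.
SAMPLE = [
    ("base", [100.0, 101.0, 99.0, 100.5, 99.5]),
    ("c1", [104.0, 105.0, 103.0]),   # +4%
    ("c2", [108.0, 109.0, 107.0]),   # +4% again, +8% in total
    ("c3", [112.0, 113.0, 111.0]),   # small step, but +12% over baseline
    ("c4", [125.0, 124.0, 126.0]),   # large single jump
    ("c5", [107.0, 108.0, 106.0]),   # back within bounds
]

if __name__ == "__main__":
    for verdict in gate(SAMPLE):
        print(*verdict)
```

How the joule figures are collected is outside the example; it assumes each commit is measured several times on the same fixed job and machine.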