
On a technical level, the hack has been demonstrated to work, but actually hacking someone via the technique has not, in my understanding.



It's obvious that the hack would work on a technical level, that's fundamental to the whole idea. The question is how complex the logistics of doing it in the real world would be; how you insert the tampered code, how you avoid anyone noticing, etc.

For example, I run Gentoo Linux, and haven't reinstalled my OS since 2004 or so. That means that, modulo a few binary packages, I have a direct source lineage to the state of Linux in 2004. If you want to pull off that attack against my system (and you didn't already back in 2004), you'd have to tamper with source archives. That would both imply changes that are easy to analyze (more than binary patches), and it would involve changing the archive hashes in the Portage tree. That tree is in Git, which means that it would create an immutable public record of what happened (Git is the original blockchain, remember), modulo forced pushes which people would, again, notice all over the place.

In practice, if you want to persistently backdoor a new system (supply chain attack), it's usually easier to do that in hardware or firmware than trying to do a RoTT attack on the distro and its compiler. In fact, it's users of binary distributions (or proprietary OSes) that should be more worried, as it is much easier to do a binary-based RoTT attack that self-updates to handle new versions consistently when all your users run the exact same binaries. Source code users should be more worried about compromise upstream than local persistence. And those attacks are a review / auditing issue, unrelated to RoTT.

In the end, if you are worried about being personally targeted, it's easy enough to make that impractical by re-bootstrapping your computing from an unpredictable source (e.g. walk into a random shop and buy a PC, walk into a net cafe and download your favorite distro and check the hashes there). And if you are worried about large-scale attacks, RoTT style ones aren't practical without someone somewhere noticing; you should be worried about traditional compromise instead.
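The comment above rests on one mechanism: a source distribution pins each archive's size and hashes in a Manifest that is itself tracked in Git, so a tampered tarball fails verification unless the attacker also rewrites the public record. The following is an added example, not code from the commenter or from Gentoo's Portage; it assumes a simplified Manifest line of the form `DIST name size BLAKE2B hex SHA512 hex`, builds one from a constructed in-memory archive, and shows that a single flipped byte is rejected.

```python
import hashlib
import hmac
from typing import Dict, Tuple

# Constructed sample "tarball" bytes; not a real distfile.
SAMPLE_ARCHIVE = b"constructed source tarball contents for demonstration\n"
SAMPLE_NAME = "demo-1.0.tar.gz"

# Hash algorithm names as they appear in the (assumed) Manifest format,
# mapped to the hashlib constructors that produce them.
ALGORITHMS = {
    "BLAKE2B": hashlib.blake2b,  # 64-byte digest, 128 hex chars
    "SHA512": hashlib.sha512,
}


def manifest_line(name: str, data: bytes) -> str:
    """Build one DIST line recording size and hashes of an archive."""
    fields = ["DIST", name, str(len(data))]
    for algo, ctor in ALGORITHMS.items():
        fields += [algo, ctor(data).hexdigest()]
    return " ".join(fields)


def parse_manifest(text: str) -> Dict[str, Tuple[int, Dict[str, str]]]:
    """Parse DIST lines into {name: (size, {algo: hexdigest})}; other lines are ignored."""
    entries: Dict[str, Tuple[int, Dict[str, str]]] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "DIST" or len(parts) % 2 != 1:
            continue  # malformed or not a DIST record
        name, size = parts[1], int(parts[2])
        hashes = dict(zip(parts[3::2], parts[4::2]))
        entries[name] = (size, hashes)
    return entries


def verify_archive(name: str, data: bytes, manifest: Dict[str, Tuple[int, Dict[str, str]]]) -> bool:
    """True only if the archive is listed, has the recorded size, and every
    known hash matches. An unlisted archive or an unknown-only hash set fails."""
    if name not in manifest:
        return False
    size, hashes = manifest[name]
    if len(data) != size:
        return False
    checked = 0
    for algo, expected in hashes.items():
        ctor = ALGORITHMS.get(algo)
        if ctor is None:
            continue  # algorithm we cannot compute; do not count it as verified
        actual = ctor(data).hexdigest()
        if not hmac.compare_digest(actual, expected.lower()):
            return False
        checked += 1
    return checked > 0


if __name__ == "__main__":
    manifest = parse_manifest(manifest_line(SAMPLE_NAME, SAMPLE_ARCHIVE))
    print("pristine archive verifies:", verify_archive(SAMPLE_NAME, SAMPLE_ARCHIVE, manifest))
    tampered = bytearray(SAMPLE_ARCHIVE)
    tampered[0] ^= 0x01  # one-bit change, same length
    print("tampered archive verifies:", verify_archive(SAMPLE_NAME, bytes(tampered), manifest))
```

The size check and the requirement that at least one known hash was actually compared both matter: a Manifest listing only algorithms the verifier does not implement must fail closed rather than pass by default.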


Does https://en.m.wikipedia.org/wiki/XcodeGhost count? It's not targeting compiler developers, so it can't worm forever, but it is a malicious compiler that weaponizes its output.


As far as we know.

Thompson's hack relies on the Halting Problem, and the space for deviousness within the Halting Problem is infinitely large.



