diff --git a/presentation.tex b/presentation.tex index c4101fe67..6ccea6712 100644 --- a/presentation.tex +++ b/presentation.tex @@ -23,6 +23,18 @@ \end{itemize} \end{frame} + \begin{frame}{Chicken, egg and ... lizard?} + It's not just compilers: Languages have runtimes, too. + + \begin{itemize} + \item JVM is implemented in C++ + \item Erlang-VM is C + \item Haskell runtime is C + \end{itemize} + + ... we can't ever get away from C, can we? + \end{frame} + %% Slide 3: \begin{frame}{Trusting Trust} \begin{center} diff --git a/result.pdfpc b/result.pdfpc index a2bb72a56..b0fa6c9a0 100644 --- a/result.pdfpc +++ b/result.pdfpc @@ -1,7 +1,7 @@ [file] result [last_saved_slide] -15 +10 [font_size] 20000 [notes] @@ -11,18 +11,15 @@ result - unless you built it from scratch (spoiler: you haven't) you're *trusting* someone Agenda: Implications of trust with focus on bootstrap paths and reproducibility, plus how you can help.### 2 +self-hosting: +- C-family: GCC pre/post 4.7, Clang +- Common Lisp: Sunshine land! (with SBCL) +- rustc: Bootstrap based on previous versions (C++ transpiler underway!) +- many other languages also work this way! -- when making a new programming language, becoming self-hosted is an important milestone -- you enforce consistency & reliability for yourself as the user of your language -- you dogfeed all aspects of your language -- however: if you only have one compiler, you now need that compiler to compile itself. +(Noteable counterexample: Clojure is written in Java!)### 3 -This is very common! - -- C compilers: GCC<4.7, Clang (itself & by gcc) -- SBCL reproducible & bootstrappable since 2004 -- rustc has hard dependency on previous version -- Go has gccgo & Go compiler (one-directional)### 3 +- compilers are just one bit, the various runtimes exist, too!### 4 Could this be exploited? @@ -30,14 +27,14 @@ People don't think about where their compiler comes from. Even if they do, they may only go so far as to say "I'll just recompile it using ". -Unfortunately, spoiler alert, life isn't that easy in the computer world and yes, exploitation is possible.### 4 +Unfortunately, spoiler alert, life isn't that easy in the computer world and yes, exploitation is possible.### 5 - describe what a quine is - classic Lisp quine - explain demo quine - demo demo quine -- this is interesting, but not useful - can quines do more than that?### 5 +- this is interesting, but not useful - can quines do more than that?### 6 - quine-relay: "art project" with 128-language circular quine @@ -45,7 +42,7 @@ Unfortunately, spoiler alert, life isn't that easy in the computer world and yes - (demo quine relay?) -- side-note: this program is very, very trustworthy!### 6 +- side-note: this program is very, very trustworthy!### 7 Ken Thompson (designer of UNIX and a couple other things!) received Turing award in 1983, and described attack in speech. @@ -53,7 +50,7 @@ Ken Thompson (designer of UNIX and a couple other things!) received Turing award - make that modification a quine - insert modification into new compiler - add attack code to modification -- remove attack from source, distributed binary will still be compromised! it's like evolution :)### 7 +- remove attack from source, distributed binary will still be compromised! it's like evolution :)### 8 damage potential is basically infinite: @@ -64,16 +61,22 @@ damage potential is basically infinite: - you can probably think of more!### 10 +idea being: potential vulnerability would have to work across compilers: + +the more compilers we can introduce (e.g. more architectures, different versions, different compilers), the harder it gets for a vulnerability to survive all of those + +The more compilers, the merrier! Lisps are pretty good at this.### 11 + if we get a bit-mismatch after DDC, not all hope is lost: Maybe the thing just isn't reproducible! - many reasons for failures - timestamps are a classic! artifacts can be build logs, metadata in ZIP-files or whatever - non-determinism is the devil -- sometimes people actively introduce build-randomness (NaCl)### 11 +- sometimes people actively introduce build-randomness (NaCl)### 12 - Does that binary download on the project's website really match the source? -- Your Linux packages are signed by someone - cool - but what does that mean?### 12 +- Your Linux packages are signed by someone - cool - but what does that mean?### 13 Two things should be achieved - gross oversimplification - to get to the ideal "desired state of the union": @@ -81,11 +84,11 @@ Two things should be achieved - gross oversimplification - to get to the ideal " 2. when packages are distributed, we should be able to know the expected output of a source package beforehand -=> suddenly binary distributions become a cache! But more on Nix later.### 13 +=> suddenly binary distributions become a cache! But more on Nix later.### 14 - Debian project does not seem as concerned with bootstrapping as with reproducibility - Debian mostly bootstraps on new architectures (using cross-compilation and similar techniques, from an existing binary base) -- core bootstrap (GCC & friends) is performed with previous Debian version and depending on GCC### 14 +- core bootstrap (GCC & friends) is performed with previous Debian version and depending on GCC### 15 ... however! Debian cares about reproducibility. @@ -95,40 +98,32 @@ Two things should be achieved - gross oversimplification - to get to the ideal " < show reproducible builds website > -Debian is still fundamentally a binary distribution though, but it doesn't have to be that way.### 15 +Debian is still fundamentally a binary distribution though, but it doesn't have to be that way.### 16 Nix - a purely functional package manager It's not a new project (10+ years), been discussed here before, has multiple components: package manager, language, NixOS. -Instead of describing *how* to build a thing, Nix describes *what* to build:### 16 -### 17 - -- Nix creates repeatable, environments for builds with only the things requested in the build configuration - -- Nothing "leaks" in from the outside: no "works on my machine", pinned timestamps, etc. - -- packages and all their inputs can be hashed together and used to address a cache -> binary distribution is a side effect of having a cache - -- NixOS specifically has some other cool features we can look at later!### 18 +Instead of describing *how* to build a thing, Nix describes *what* to build:### 17 +### 19 In Nix, it's impossible to say "GCC is the result of applying GCC to the GCC source", because that happens to be infinite recursion. Bootstrapping in Nix works by introducing a binary pinned by its full-hash, which was built on some previous Nix version. -Unfortunately also just a magic binary blob ... ### 19 +Unfortunately also just a magic binary blob ... ### 20 NixOS is not actively porting all of Debian's reproducibility patches, but builds are fully repeatable: - introducing a malicious compiler would produce a different input hash -> different package -Future slide: hope is not lost! Things are underway.### 20 +Future slide: hope is not lost! Things are underway.### 21 - bootstrappable.org (demo?) is an umbrella page for several projects working on bootstrappability - stage0 is an important piece: manually, small, auditable Hex programs to get to a Hex macro expander -- end goal is a full-source bootrap, but pieces are missing### 21 +- end goal is a full-source bootrap, but pieces are missing### 22 MES is out of the GuixSD circles (explain Guix, GNU Hurd joke) @@ -137,11 +132,11 @@ MES is out of the GuixSD circles (explain Guix, GNU Hurd joke) - includes MesCC in Scheme -> can *almost* make a working tinyCC -> can *almost* make a working gcc 4.7 - minimal Scheme interpreter, currently built in C to get the higher-level stuff to work, goal is rewrite in hex -- bootstrapping Guix is the end goal### 22 +- bootstrapping Guix is the end goal### 23 - userspace in Darwin has a Nix project - unsure about other BSDs, but if anyone knows - input welcome! - F-Droid has reproducible Android packages, but that's also userspace only - All other mobile platforms are a lost cause -Generally, all closed-source software is impossible to trust.### 23 +Generally, all closed-source software is impossible to trust.