feat(slides): Add slide about runtimes

All the slide number comments are now off, but oh well.
Vincent Ambo 2018-03-13 16:56:54 +01:00
parent 381c3722aa
commit f47b4cad07
2 changed files with 42 additions and 35 deletions


@ -23,6 +23,18 @@
\end{itemize} \end{itemize}
\end{frame} \end{frame}
\begin{frame}{Chicken, egg and ... lizard?}
It's not just compilers: Languages have runtimes, too.
\begin{itemize}
\item JVM is implemented in C++
\item Erlang-VM is C
\item Haskell runtime is C
\end{itemize}
... we can't ever get away from C, can we?
\end{frame}
%% Slide 3: %% Slide 3:
\begin{frame}{Trusting Trust} \begin{frame}{Trusting Trust}
\begin{center} \begin{center}
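Review bot: the `%% Slide 3:` comment that follows the new frame now labels the fourth frame of the deck (the commit message concedes the counters are off); since these numbers are only comments, either renumber them in this commit or drop the hard-coded numbers in favour of the frame titles so the next insertion does not leave stale references. Two smaller points in the new frame: the three bullets phrase the same claim three different ways ("is implemented in C++", "is C", "runtime is C"), so make them parallel, and the literal `...` in the title and in the closing line should be `\ldots` for correct spacing in LaTeX. The content point stands: a self-hosted compiler does not remove C from the trust path when the language's runtime is built with a C or C++ toolchain.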


@ -1,7 +1,7 @@
[file] [file]
result result
[last_saved_slide] [last_saved_slide]
15 10
[font_size] [font_size]
20000 20000
[notes] [notes]
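Review bot: the `[last_saved_slide]` change from 15 to 10 is viewer state (the slide the notes tool was last left on), unrelated to adding the runtimes slide; it will churn on every save, so consider leaving it out of this commit or keeping the notes file's UI state out of version control altogether.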
@ -11,18 +11,15 @@ result
- unless you built it from scratch (spoiler: you haven't) you're *trusting* someone - unless you built it from scratch (spoiler: you haven't) you're *trusting* someone
Agenda: Implications of trust with focus on bootstrap paths and reproducibility, plus how you can help.### 2 Agenda: Implications of trust with focus on bootstrap paths and reproducibility, plus how you can help.### 2
self-hosting:
- C-family: GCC pre/post 4.7, Clang
- Common Lisp: Sunshine land! (with SBCL)
- rustc: Bootstrap based on previous versions (C++ transpiler underway!)
- many other languages also work this way!
- when making a new programming language, becoming self-hosted is an important milestone (Noteable counterexample: Clojure is written in Java!)### 3
- you enforce consistency & reliability for yourself as the user of your language
- you dogfeed all aspects of your language
- however: if you only have one compiler, you now need that compiler to compile itself.
This is very common! - compilers are just one bit, the various runtimes exist, too!### 4
- C compilers: GCC<4.7, Clang (itself & by gcc)
- SBCL reproducible & bootstrappable since 2004
- rustc has hard dependency on previous version
- Go has gccgo & Go compiler (one-directional)### 3
Could this be exploited? Could this be exploited?
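Review bot: the slide markers in this hunk read `### 3`, `### 4`, `### 3` and then `### 5` on the next context line; the notes tool keys each block on these markers, so verify that the file as committed has exactly one `### 3` (self-hosting) and one `### 4` (runtimes) before `### 5`, and that the `- C compilers: GCC<4.7, Clang (itself & by gcc)` block is the removed old text rather than a stray second slide-3 block. Two typos in the new text: "Noteable counterexample" should be "Notable counterexample" and "you dogfeed all aspects" should be "dogfood". The new bullet "if you only have one compiler, you now need that compiler to compile itself" is the key line for the trust argument; consider stating the consequence right there, namely that the first binary of that compiler had to come from somewhere else, which is what the runtimes block ("compilers are just one bit") then extends.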
@ -30,14 +27,14 @@ People don't think about where their compiler comes from.
Even if they do, they may only go so far as to say "I'll just recompile it using <other compiler>". Even if they do, they may only go so far as to say "I'll just recompile it using <other compiler>".
Unfortunately, spoiler alert, life isn't that easy in the computer world and yes, exploitation is possible.### 4 Unfortunately, spoiler alert, life isn't that easy in the computer world and yes, exploitation is possible.### 5
- describe what a quine is - describe what a quine is
- classic Lisp quine - classic Lisp quine
- explain demo quine - explain demo quine
- demo demo quine - demo demo quine
- this is interesting, but not useful - can quines do more than that?### 5 - this is interesting, but not useful - can quines do more than that?### 6
- quine-relay: "art project" with 128-language circular quine - quine-relay: "art project" with 128-language circular quine
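Review bot: this hunk, like several of the following ones, changes nothing but the hard-coded `### N` slide markers, each shifted by one because a slide was inserted earlier in the deck; that renumbering touches the whole notes file on every insertion and buries the real edits. If the notes format allows a separator that does not carry the slide number, switch to it; otherwise keep marker renumbering in a separate commit from content changes so the content diff stays reviewable.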
@ -45,7 +42,7 @@ Unfortunately, spoiler alert, life isn't that easy in the computer world and yes
- (demo quine relay?) - (demo quine relay?)
- side-note: this program is very, very trustworthy!### 6 - side-note: this program is very, very trustworthy!### 7
Ken Thompson (designer of UNIX and a couple other things!) received Turing award in 1983, and described attack in speech. Ken Thompson (designer of UNIX and a couple other things!) received Turing award in 1983, and described attack in speech.
@ -53,7 +50,7 @@ Ken Thompson (designer of UNIX and a couple other things!) received Turing award
- make that modification a quine - make that modification a quine
- insert modification into new compiler - insert modification into new compiler
- add attack code to modification - add attack code to modification
- remove attack from source, distributed binary will still be compromised! it's like evolution :)### 7 - remove attack from source, distributed binary will still be compromised! it's like evolution :)### 8
damage potential is basically infinite: damage potential is basically infinite:
@ -64,16 +61,22 @@ damage potential is basically infinite:
- you can probably think of more!### 10 - you can probably think of more!### 10
idea being: potential vulnerability would have to work across compilers:
the more compilers we can introduce (e.g. more architectures, different versions, different compilers), the harder it gets for a vulnerability to survive all of those
The more compilers, the merrier! Lisps are pretty good at this.### 11
if we get a bit-mismatch after DDC, not all hope is lost: Maybe the thing just isn't reproducible! if we get a bit-mismatch after DDC, not all hope is lost: Maybe the thing just isn't reproducible!
- many reasons for failures - many reasons for failures
- timestamps are a classic! artifacts can be build logs, metadata in ZIP-files or whatever - timestamps are a classic! artifacts can be build logs, metadata in ZIP-files or whatever
- non-determinism is the devil - non-determinism is the devil
- sometimes people actively introduce build-randomness (NaCl)### 11 - sometimes people actively introduce build-randomness (NaCl)### 12
- Does that binary download on the project's website really match the source? - Does that binary download on the project's website really match the source?
- Your Linux packages are signed by someone - cool - but what does that mean?### 12 - Your Linux packages are signed by someone - cool - but what does that mean?### 13
Two things should be achieved - gross oversimplification - to get to the ideal "desired state of the union": Two things should be achieved - gross oversimplification - to get to the ideal "desired state of the union":
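Review bot: the new block describes the diverse double-compiling idea (running the same compiler source through several independent compilers so that a self-propagating modification has to survive all of them) without naming it, yet the unchanged next line opens with "if we get a bit-mismatch after DDC", so the abbreviation is used before it is introduced. Add the name and the comparison step to the new block: compile the compiler's source with an independent compiler, recompile the source with the result, and compare that output bit for bit with the binary the compiler produces when compiling itself; a mismatch is either a trojan or, as the next block says, plain non-determinism. The closing "Lisps are pretty good at this." asserts something the notes do not support; if the point is that several independent implementations of the language exist, say which ones, otherwise drop the line.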
@ -81,11 +84,11 @@ Two things should be achieved - gross oversimplification - to get to the ideal "
2. when packages are distributed, we should be able to know the expected output of a source package beforehand 2. when packages are distributed, we should be able to know the expected output of a source package beforehand
=> suddenly binary distributions become a cache! But more on Nix later.### 13 => suddenly binary distributions become a cache! But more on Nix later.### 14
- Debian project does not seem as concerned with bootstrapping as with reproducibility - Debian project does not seem as concerned with bootstrapping as with reproducibility
- Debian mostly bootstraps on new architectures (using cross-compilation and similar techniques, from an existing binary base) - Debian mostly bootstraps on new architectures (using cross-compilation and similar techniques, from an existing binary base)
- core bootstrap (GCC & friends) is performed with previous Debian version and depending on GCC### 14 - core bootstrap (GCC & friends) is performed with previous Debian version and depending on GCC### 15
... however! Debian cares about reproducibility. ... however! Debian cares about reproducibility.
@ -95,40 +98,32 @@ Two things should be achieved - gross oversimplification - to get to the ideal "
< show reproducible builds website > < show reproducible builds website >
Debian is still fundamentally a binary distribution though, but it doesn't have to be that way.### 15 Debian is still fundamentally a binary distribution though, but it doesn't have to be that way.### 16
Nix - a purely functional package manager Nix - a purely functional package manager
It's not a new project (10+ years), been discussed here before, has multiple components: package manager, language, NixOS. It's not a new project (10+ years), been discussed here before, has multiple components: package manager, language, NixOS.
Instead of describing *how* to build a thing, Nix describes *what* to build:### 16 Instead of describing *how* to build a thing, Nix describes *what* to build:### 17
### 17 ### 19
- Nix creates repeatable, environments for builds with only the things requested in the build configuration
- Nothing "leaks" in from the outside: no "works on my machine", pinned timestamps, etc.
- packages and all their inputs can be hashed together and used to address a cache -> binary distribution is a side effect of having a cache
- NixOS specifically has some other cool features we can look at later!### 18
In Nix, it's impossible to say "GCC is the result of applying GCC to the GCC source", because that happens to be infinite recursion. In Nix, it's impossible to say "GCC is the result of applying GCC to the GCC source", because that happens to be infinite recursion.
Bootstrapping in Nix works by introducing a binary pinned by its full-hash, which was built on some previous Nix version. Bootstrapping in Nix works by introducing a binary pinned by its full-hash, which was built on some previous Nix version.
Unfortunately also just a magic binary blob ... ### 19 Unfortunately also just a magic binary blob ... ### 20
NixOS is not actively porting all of Debian's reproducibility patches, but builds are fully repeatable: NixOS is not actively porting all of Debian's reproducibility patches, but builds are fully repeatable:
- introducing a malicious compiler would produce a different input hash -> different package - introducing a malicious compiler would produce a different input hash -> different package
Future slide: hope is not lost! Things are underway.### 20 Future slide: hope is not lost! Things are underway.### 21
- bootstrappable.org (demo?) is an umbrella page for several projects working on bootstrappability - bootstrappable.org (demo?) is an umbrella page for several projects working on bootstrappability
- stage0 is an important piece: manually, small, auditable Hex programs to get to a Hex macro expander - stage0 is an important piece: manually, small, auditable Hex programs to get to a Hex macro expander
- end goal is a full-source bootrap, but pieces are missing### 21 - end goal is a full-source bootrap, but pieces are missing### 22
MES is out of the GuixSD circles (explain Guix, GNU Hurd joke) MES is out of the GuixSD circles (explain Guix, GNU Hurd joke)
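Review bot: stray comma in "Nix creates repeatable, environments for builds". More importantly, the new bullet that packages and inputs "can be hashed together and used to address a cache" and the unchanged line "introducing a malicious compiler would produce a different input hash -> different package" describe the same property, input addressing, and the notes should state its limit: the hash covers the declared inputs, so two builds of the same description are expected to be identical but are not thereby shown to be identical, which is why reproducibility checks are still needed (the "not actively porting all of Debian's reproducibility patches" line hints at this but does not say it). Likewise the "magic binary blob" line should make explicit that pinning the bootstrap binary by its hash only guarantees it has not changed since it was pinned, not that it was clean when pinned, which is exactly the trusting-trust gap the deck is about.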
@ -137,11 +132,11 @@ MES is out of the GuixSD circles (explain Guix, GNU Hurd joke)
- includes MesCC in Scheme -> can *almost* make a working tinyCC -> can *almost* make a working gcc 4.7 - includes MesCC in Scheme -> can *almost* make a working tinyCC -> can *almost* make a working gcc 4.7
- minimal Scheme interpreter, currently built in C to get the higher-level stuff to work, goal is rewrite in hex - minimal Scheme interpreter, currently built in C to get the higher-level stuff to work, goal is rewrite in hex
- bootstrapping Guix is the end goal### 22 - bootstrapping Guix is the end goal### 23
- userspace in Darwin has a Nix project - userspace in Darwin has a Nix project
- unsure about other BSDs, but if anyone knows - input welcome! - unsure about other BSDs, but if anyone knows - input welcome!
- F-Droid has reproducible Android packages, but that's also userspace only - F-Droid has reproducible Android packages, but that's also userspace only
- All other mobile platforms are a lost cause - All other mobile platforms are a lost cause
Generally, all closed-source software is impossible to trust.### 23 Generally, all closed-source software is impossible to trust.
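Review bot: the last line loses its trailing `### 23` marker; with one slide added the number of markers should have gone up, not down, so check that the final notes block is still attached to the intended slide (if `### 23` was a stray marker after the last block, dropping it is correct, but the hunk alone does not show that). Typo in the unchanged context: "full-source bootrap" should be "bootstrap". The closing claim "all closed-source software is impossible to trust" is stronger than the surrounding notes argue, which is that it cannot be verified by rebuilding from source; "impossible to verify" would match the rest of the deck.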