Re: Reflections on trusting trust

From: David Mertz <voting-project_at_gnosis_dot_cx>
Date: Fri Aug 15 2003 - 22:02:24 CDT

"Douglas W. Jones" <jones@cs.uiowa.edu> wrote:
|I have long speculated that use of interpreters can defend an
|application against an untrusted runtime platform, but I don't
|believe that this is the case for statically defined interpreted
|languages with static code for the interpreter. If, on the other
|hand, the interpreter itself is wildly dynamic, and therefore,
|unrecognizable as an interpreter to the underlying platform,

This is a quite interesting concept. But what I have in mind is
probably simpler. Certainly I don't think that using a language
interpreter prevents the need to audit the underlying platform, it just
saves work at a higher level:

 +------------+ +------------+
 | OS+drivers | | OS+drivers | <--- requires audit/verification
 +------------+ +------------+
      | |
      V V
 +------------+ +------------+
 | Compilr(C) | | Interp(py) | <--- audit/sign compiler/interpreter
 +------------+ +------------+
      | |
      V V
 +------------+ +------------+
 | Applicatn | | Applicatn | <--- audit/sign
 +------------+ +------------+

In both cases, the same basic stages of verification are needed. The
compiler is not distributed to the end-user systems, while the
interpreter must be. However, using a secure hash can assure that the
audited interpreter is the actual installed code. In both cases, the
runtime platform (OS+drivers) also needs to be examined.

The differences is in the audit of the application itself. It's just
easier to audit high level code than it is to audit machine code. For
that matter, it's easier to audit Python than it is C (although both are
much higher level than is machine code). Since the e.g. Python
application consists of readable lines of code, the behavior is as good
as those lines (once the interpreter and runtime platform are secured).
It's easier to disguise malicious machine codes.

Of course, at a certain level of type safety and provability, neither
Python nor C, nor Java, C#, Perl, etc. are really good enough. Certain
provable features really need Ada, or better still, Haskell. But I
think the demands of a voting machine are different from those of, e.g.,
and airplane. We don't need a "cannot trap", or "will complete in N
milliseconds" guarantee; just proof against tampering. A crashed
machine means a voter needs to use another one, not that the plane hits
the ground.

Yours, David...

--
    _/_/_/ THIS MESSAGE WAS BROUGHT TO YOU BY: Postmodern Enterprises _/_/_/
   _/_/    ~~~~~~~~~~~~~~~~~~~~[mertz@gnosis.cx]~~~~~~~~~~~~~~~~~~~~~  _/_/
  _/_/  The opinions expressed here must be those of my employer...   _/_/
 _/_/_/_/_/_/_/_/_/_/ Surely you don't think that *I* believe them!  _/_/
==================================================================
= The content of this message, with the exception of any external 
= quotations under fair use, are released to the Public Domain    
==================================================================
Received on Sun Aug 31 23:17:10 2003

This archive was generated by hypermail 2.1.8 : Sun Aug 31 2003 - 23:17:18 CDT