Re: Reflections on trusting trust

From: Douglas W. Jones <jones_at_cs_dot_uiowa_dot_edu>
Date: Fri Aug 15 2003 - 14:27:00 CDT

On Friday, August 15, 2003, at 01:08 PM, David Mertz wrote:

> "Douglas W. Jones" <jones@cs.uiowa.edu> wrote:
> |Similarly, there are strong reasons to forbid all interpretive
> |execution in voting systems.
>
> Making a distinction between interpreted and compiled code in this
> manner leads to a false assurance of security. The seminal explanation
> of this is Ken Thompson's 1983 Turing Award Lecture.

I agree with this, but at the same time, the presence of interpreters
and dynamic linkage allows post-compile-time binding of new code into
the voting system, while Trojan horses inserted by the compiler will
be present in the object code.

I certainly agree that just-in-time compilation is exactly as dangerous
as interpretation or dynamic linkage, but the question is one of
binding time: at what point is the entire body of code to be run in
the voting system frozen and therefore potentially subject to a
complete audit?

If there's no dynamic linkage, no interpretation and no self-modification,
you can examine the object code and know you've got the whole ball of
wax. If there are any of those additional mechanisms, you've got to
broaden your search, looking at every gateway into the system through
which code subject to linkage or interpretation could be inserted.

What Ken Thompson showed is that source code auditing is not sufficient.
You've got to inspect what lands in memory. Ideally, someone ought to
disassemble the object code and check that it corresponds in a plausible
way with the source. Any software tools used for this check should
come from a different source than the development tools.

All of this is made less of a problem, though, by the presence of a paper
trail! However, secure, reliable systems don't rely on just one layer of
protection; they rely on multiple layers, so we really ought to make sure
our software can be audited even if we are also maintaining a paper trail
of recountable ballots.

Part of this is a simple matter of setting a good example. We want this
system to do everything in an exemplary manner, not just to produce a
result that is adequate, if properly used.

                                Doug Jones
                                jones@cs.uiowa.edu
==================================================================
= The content of this message, with the exception of any external
= quotations under fair use, is released to the Public Domain
==================================================================
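An added example, not part of Jones's message or any voting-system code base: a small Python audit of an ELF64 image for the three binding-time mechanisms named above. Dynamic linkage and interpreter loading show up as PT_INTERP and PT_DYNAMIC program headers; self-modification is approximated by a PT_LOAD segment that is both writable and executable. The sample images are constructed headers with no code in them, and the field offsets assume a little-endian ELF64 file.

```python
import struct

# Program header types and flags from the ELF specification.
PT_LOAD, PT_DYNAMIC, PT_INTERP = 1, 2, 3
PF_X, PF_W, PF_R = 1, 2, 4

def audit_elf(blob: bytes) -> dict:
    """Flag late-binding mechanisms in a little-endian ELF64 image.
    interpreter: PT_INTERP (ld.so maps code at load time); dynamic_section:
    PT_DYNAMIC (shared objects pulled in); wx_segment: a PT_LOAD both writable
    and executable, a coarse static proxy for self-modifying or JIT code
    (runtime mprotect() calls are not visible in the file).
    """
    if blob[:4] != b"\x7fELF" or blob[4] != 2 or blob[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    e_phoff = struct.unpack_from("<Q", blob, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", blob, 54)
    findings = {"interpreter": False, "dynamic_section": False, "wx_segment": False}
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", blob, e_phoff + i * e_phentsize)
        if p_type == PT_INTERP:
            findings["interpreter"] = True
        elif p_type == PT_DYNAMIC:
            findings["dynamic_section"] = True
        elif p_type == PT_LOAD and p_flags & PF_W and p_flags & PF_X:
            findings["wx_segment"] = True
    return findings

def is_fully_bound(blob: bytes) -> bool:
    """True when the object code on disk is the whole body of code that will run."""
    return not any(audit_elf(blob).values())

def build_elf(phdrs) -> bytes:
    """Constructed sample image: valid ELF64 header plus program headers, no code."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8  # ELFCLASS64, little-endian
    header = ident + struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0x400000,
                                 64, 0, 0, 64, 56, len(phdrs), 0, 0, 0)
    return header + b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0)
                             for t, f in phdrs)

# Constructed samples, not real binaries.
STATIC_IMAGE = build_elf([(PT_LOAD, PF_R | PF_X), (PT_LOAD, PF_R | PF_W)])
DYNAMIC_IMAGE = build_elf([(PT_INTERP, PF_R), (PT_LOAD, PF_R | PF_X),
                           (PT_DYNAMIC, PF_R | PF_W)])
JIT_IMAGE = build_elf([(PT_LOAD, PF_R | PF_W | PF_X)])

if __name__ == "__main__":
    for name, img in [("static", STATIC_IMAGE), ("dynamic", DYNAMIC_IMAGE), ("jit", JIT_IMAGE)]:
        print(name, audit_elf(img), "fully bound" if is_fully_bound(img) else "widen the audit")
```

A clean result only means the file on disk is the complete code to inspect; it says nothing about whether that code matches the source, which is the separate disassembly check the message calls for.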
Received on Sun Aug 31 23:17:09 2003