Date: Sat, 15 May 2021 15:33:42 -0700
It's not really the same issue: trusting trust is about the compiler
changing the code it's compiling (including changing a compiler it's
compiling to continue having this behavior), whereas the Rust thing is that
macros can execute arbitrary Rust including networking code. The Rust
problem is equivalent to putting arbitrary code in your makefile. It's
something that you could sandbox and disallow (say, by running the compiler
in a container). Whereas trusting trust is very hard to detect because the
compiler's output binary is what's been compromised and you can't easily
tell.
On Sat, May 15, 2021 at 3:24 PM Herb Sutter via SG7 <sg7_at_[hidden]>
wrote:
> Below, I emailed the “Trusting Trust” reference during our SG7 session on
> Circle in Prague, because SG7 was in the middle of discussing concerns
> about Circle’s approach of linking arbitrary libraries and executing them
> at compile time.
>
>
>
> Since yesterday, I noticed the following tweets about Rust…
>
>
>
> Tony “Abolish ICE” Arcieri 🦀 on Twitter: "Exfiltrating secrets with
> @rustlang macros: leveraging macro expansion in IDEs to exfiltrate secrets
> without compiling the code or even opening a file https://t.co/M2qhsfaLdX"
> / Twitter
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftwitter.com%2Fbascule%2Fstatus%2F1393228285056741376&data=04%7C01%7Chsutter%40microsoft.com%7C0c4586b71132437afdf408d917e9c9f5%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637567115143029064%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=onRXBBnDkqB1SbyYbfZ4lRvH5dbmubrTxX4aKvf4dOE%3D&reserved=0>
>
>
>
> Ralf (RPW) on Twitter: "„Open innocent_app in VSCode*, and the contents of
> your .ssh/id_rsa file will be sent over TCP to localhost:8080. You don't
> even need to open any files in the project!“ https://t.co/eKx2CWrirD" /
> Twitter
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftwitter.com%2Fesizkur%2Fstatus%2F1393477018474459137&data=04%7C01%7Chsutter%40microsoft.com%7C0c4586b71132437afdf408d917e9c9f5%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637567115143039059%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=he0yoYBzo1zn0xGN7EGMH1TYVnnIrFEI0qTS0XuyYBg%3D&reserved=0>
>
>
>
> Björk on Twitter: "@hankadusikova ... Wait, what? You can do compile-time
> I/O (networking) in Rust, or is this because of plugins executing arbitrary
> code? https://t.co/soA3bD9vT2" / Twitter
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftwitter.com%2F__phantomderp%2Fstatus%2F1393553321177321473&data=04%7C01%7Chsutter%40microsoft.com%7C0c4586b71132437afdf408d917e9c9f5%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637567115143049055%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=zVdfPyz66vFGF0l4xV9aIlgxb5wqH5axljfzd1UDTkI%3D&reserved=0>
>
>
>
> David "Bear Feeder" Pollak🐈 on Twitter: "Oh crap! This will be 2021’s
> side channel attack… guess we have to run our compilers in containers with
> no network access…" / Twitter
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftwitter.com%2Fdpp%2Fstatus%2F1393614418269802501&data=04%7C01%7Chsutter%40microsoft.com%7C0c4586b71132437afdf408d917e9c9f5%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637567115143059050%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=%2F2RC7MZ1swPTIpw%2FLv%2FOT6Cd052iVfzJf%2FbOz%2B7BA9k%3D&reserved=0>
>
>
>
> This sounds a lot like the same issue… is it?
>
>
>
> (Ah, I just saw Hana’s tweet
> <https://twitter.com/hankadusikova/status/1393532440120074243?s=20>
> before hitting Send – yup, sounds like it is the same issue, thank you
> Hana.)
>
>
>
>
>
>
>
> *From:* Herb Sutter
> *Sent:* Thursday, February 13, 2020 7:59 AM
> *To:* sg7_at_[hidden]
> *Subject:* Thompson Turing lecture
>
>
>
>
> https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_ReflectionsonTrustingTrust.pdf
>
>
>
> As we we think about extensible compilers and JITs, this is a classic
> paper worth remembering about supply chain issues with just ordinary closed
> compilers.
>
>
>
> Herb
>
>
> --
> SG7 mailing list
> SG7_at_[hidden]
> https://lists.isocpp.org/mailman/listinfo.cgi/sg7
>
changing the code it's compiling (including changing a compiler it's
compiling to continue having this behavior), whereas the Rust thing is that
macros can execute arbitrary Rust including networking code. The Rust
problem is equivalent to putting arbitrary code in your makefile. It's
something that you could sandbox and disallow (say, by running the compiler
in a container). Whereas trusting trust is very hard to detect because the
compiler's output binary is what's been compromised and you can't easily
tell.
On Sat, May 15, 2021 at 3:24 PM Herb Sutter via SG7 <sg7_at_[hidden]>
wrote:
> Below, I emailed the “Trusting Trust” reference during our SG7 session on
> Circle in Prague, because SG7 was in the middle of discussing concerns
> about Circle’s approach of linking arbitrary libraries and executing them
> at compile time.
>
>
>
> Since yesterday, I noticed the following tweets about Rust…
>
>
>
> Tony “Abolish ICE” Arcieri 🦀 on Twitter: "Exfiltrating secrets with
> @rustlang macros: leveraging macro expansion in IDEs to exfiltrate secrets
> without compiling the code or even opening a file https://t.co/M2qhsfaLdX"
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftwitter.com%2Fbascule%2Fstatus%2F1393228285056741376&data=04%7C01%7Chsutter%40microsoft.com%7C0c4586b71132437afdf408d917e9c9f5%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637567115143029064%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=onRXBBnDkqB1SbyYbfZ4lRvH5dbmubrTxX4aKvf4dOE%3D&reserved=0>
>
>
>
> Ralf (RPW) on Twitter: "„Open innocent_app in VSCode*, and the contents of
> your .ssh/id_rsa file will be sent over TCP to localhost:8080. You don't
> even need to open any files in the project!“ https://t.co/eKx2CWrirD" /
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftwitter.com%2Fesizkur%2Fstatus%2F1393477018474459137&data=04%7C01%7Chsutter%40microsoft.com%7C0c4586b71132437afdf408d917e9c9f5%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637567115143039059%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=he0yoYBzo1zn0xGN7EGMH1TYVnnIrFEI0qTS0XuyYBg%3D&reserved=0>
>
>
>
> Björk on Twitter: "@hankadusikova ... Wait, what? You can do compile-time
> I/O (networking) in Rust, or is this because of plugins executing arbitrary
> code? https://t.co/soA3bD9vT2" / Twitter
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftwitter.com%2F__phantomderp%2Fstatus%2F1393553321177321473&data=04%7C01%7Chsutter%40microsoft.com%7C0c4586b71132437afdf408d917e9c9f5%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637567115143049055%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=zVdfPyz66vFGF0l4xV9aIlgxb5wqH5axljfzd1UDTkI%3D&reserved=0>
>
>
>
> David "Bear Feeder" Pollak🐈 on Twitter: "Oh crap! This will be 2021’s
> side channel attack… guess we have to run our compilers in containers with
> no network access…" / Twitter
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftwitter.com%2Fdpp%2Fstatus%2F1393614418269802501&data=04%7C01%7Chsutter%40microsoft.com%7C0c4586b71132437afdf408d917e9c9f5%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637567115143059050%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=%2F2RC7MZ1swPTIpw%2FLv%2FOT6Cd052iVfzJf%2FbOz%2B7BA9k%3D&reserved=0>
>
>
>
> This sounds a lot like the same issue… is it?
>
>
>
> (Ah, I just saw Hana’s tweet
> <https://twitter.com/hankadusikova/status/1393532440120074243?s=20>
> before hitting Send – yup, sounds like it is the same issue, thank you
> Hana.)
>
>
>
>
>
>
>
> *From:* Herb Sutter
> *Sent:* Thursday, February 13, 2020 7:59 AM
> *To:* sg7_at_[hidden]
> *Subject:* Thompson Turing lecture
>
>
>
>
> https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_ReflectionsonTrustingTrust.pdf
>
>
>
> As we we think about extensible compilers and JITs, this is a classic
> paper worth remembering about supply chain issues with just ordinary closed
> compilers.
>
>
>
> Herb
>
>
> --
> SG7 mailing list
> SG7_at_[hidden]
> https://lists.isocpp.org/mailman/listinfo.cgi/sg7
>
Received on 2021-05-15 17:33:56