Was (s)he able to provide any evidence at all?20 years ago, some random dude i met insisted that GCC added hidden backdoors to every program it compiles. I liked the idea of evil compilers.
Does OpenBSD still use GCC? If so, it's possible that the version included in base may have undergone an audit. Agree that the effort to audit it is non trivial.Nope. But the source of GCC is a beast. I doubt there is one person in the world who audited it in a whole.
No, they switched to Clang, just like FreeBSD.Does OpenBSD still use GCC?
Ross Anderson is a well known security researcher. For me the question is not that he found that threat, but how long this might have been in use by the bad guys under the radar.
That is what concerns me. One can certainly get some security benefits from compiling sources from yourself instead of relying on binary distributions but if this is a source code level thing then yeah... shit.The threat vector obviously would be hiding malicious code in well known OSS programs. Hidden in plain sight in the GIT repositories and such alike.
Making gifs like that is just PERFECT for teaching UNIX in general, not just showing off gcchijack!!!Found a tool which can insert backdoors in code compiled by GCC by hijacking its temporary files on disk, if anyone is interested.
GitHub - hstocks/gcchijack: Tool to backdoor binaries compiled by gcc/g++ by hijacking their temporary files
Tool to backdoor binaries compiled by gcc/g++ by hijacking their temporary files - GitHub - hstocks/gcchijack: Tool to backdoor binaries compiled by gcc/g++ by hijacking their temporary filesgithub.com
View attachment 11877
I thought the claim is that the bidi override can be used to trick the human, not the compiler, because the display order may be different from what is actually in the code! In any case, the solution is to a) allow unicode in strings and comments only, ascii elsewhere and b) unicode aware editors and display programs need to be syntax aware and take care to prevent this. If you stick to vi, you'll never have this problemMatthew Green, an associate professor at the Johns Hopkins Information Security Institute, said the Cambridge research clearly shows that most compilers can be tricked with Unicode into processing code in a different way than a reader would expect it to be processed.
Conspiracy idiots are never able to proof anything.Was (s)he able to provide any evidence at all?
Try addressing each and every one of them - now that's "Programming in Hell".The fact is that you can introduce backdoors at so many levels....
You can't be serious, modern code needs unicode!!!a) allow unicode in strings and comments only, ascii elsewhere
The wikipedia link also points out that support is limited among domain registrars, and ASCII equivalents are already taken up by pornosquatters.Emojis are even allowed in domain names nowadays: https://en.wikipedia.org/wiki/Emoji_domain
Security holes?given punycode for "hiding" unicode in DNS records, I wonder how Emojis could not be supported?
Interesting question, what would our german powers-that-be react to a domain name consisting of swastikas?I mean, technically? Punycode is set for years now, so you can use any unicode character in a domain name.