1. 3

Since the Trusting Trust paper has been posted, I thought I’d share this article which I found really interesting.

  1. 2

    Since this article was written, Rust has got mitigations for this attack:

    • There’s mrustc compiler implemented in C++ which translates Rust to C11. It’s specifically designed to bootstrap the Rust compiler.
    • The rustc compiler supports reproducible builds.
    1. 1

      Neither of these two points mitigate the trusting trust attack on their own.

      There’s mrustc compiler implemented in C++ which translates Rust to C11. It’s specifically designed to bootstrap the Rust compiler.

      But are mrustc reproducible, and does it produce a reproducible compiler across different environments? (See Diverse Double Compilation from Wheeler).

      The rustc compiler supports reproducible builds.

      Is the rustc compiler reproducible or does it produce reproducible binaries?

      The only real world mitigation I know of is the GNU Mes C compiler which can bootstrap different versions of gcc which can itself reproduce the same GNU Mes C compiler.

      https://reproducible-builds.org/news/2019/12/21/reproducible-bootstrap-of-mes-c-compiler/

      1. 1

        mrustc can be built with a trusted C++ compiler and build rustc with a trusted C compiler. This changes the problem from bootstrapping Rust to bootstrapping C/C++, and that’s been solved.

        In practice people have bootstrapped Rust using both available paths: from the pre-1.0 Ocaml compiler, and from mrustc.

        1. 1

          What is a “trusted C++ compiler”? The point of Trusting Trust is the fact that achieving one is the problem.

          1. 2

            It’s a bootstrapped C++ compiler. One that has been built from a bootstrapped C compiler, which has been built from a bootstrapped assembly, which you were able to verify by hand.

            Please note that for the purpose of reliably building a compiler binary that corresponds to its source code, the Trusting Trust problem has been solved using the Diverse Double Compilation method.

            And if you mean to bring “but what about unknowable hardware backdoors, how can you trust anything at all ever?”. That is a problem with modern hardware, but it also makes the whole problem entirely meaningless, and out of scope of being Rust’s problem, as it doesn’t distinguish (not) trusting rustc from any other software running on contemporary hardware.

            1. 1

              It’s a bootstrapped C++ compiler. One that has been built from a bootstrapped C compiler, which has been built from a bootstrapped assembly, which you were able to verify by hand. Please note that for the purpose of reliably building a compiler binary that corresponds to its source code, the Trusting Trust problem has been solved using the Diverse Double Compilation method.

              You are describing the process but don’t explain how it’s implemented with mrustc. The existence of some of these pieces do not imply it’s achieved. Achieving a “bootstrapped C++ compiler” is not easy and can’t just be assumed.

              Diverse Double Compilation is a technique we haven’t actually managed to achieve except for a weak proof with the GNU Mes C compiler. If you think mrustc has made any advanced here it would be great to see.

              And if you mean to bring “but what about unknowable hardware backdoors, how can you trust anything at all ever?”.

              No, I’m ignoring this problem as it’s not really relevant to the Trusting Trust problem.

              1. 1

                I’m describing the process, because the process is the definition. A bootstrapped compiler is one that has been built using the bootstrapping process.

                For the process to be possible we have to assume there exists a computer that can be trusted to execute binaries run on it (if that step can’t be satisfied you give up on computing, and go live in the woods). From there you can manually verify and build backdoor-free compilers of gradually increasing complexity until you build a trusted C++ compiler that builds mrustc that builds rustc.

                In order words, if a trusted C++ compiler can exist, then a trusted Rust compiler can exist too, and mrustc is the key to achieve it.

    Stories with similar links:

    1. Reflections on Rusting Trust via inactive-user 5 years ago | 24 points | no comments