Snowden and Compilers

Wed Feb 12 04:26:40 PST 2014

On 02/11/2014 02:32 PM, Rich Jones wrote:
> In all of the Snowden docs that have been released so far, has anybody
> seen any mention of any NSA programs designed to subvert compilers?
>
> Compilers seems like an extremely prime target for manipulation, but
> as far as I am aware there hasn't been anything mentioned about this
> yet. Has anybody here heard anything that I haven't?

My guess would be things like network card drivers, or the firmware in
network cards - anything that has supervisor level access to the entire
machine is a prime target, but as more NICs get things like iSCSI
support/ToE and the like, have both opportunity to hide something in the
onboard acceleration engines as well as a mechanism to communicate
upstream. 

As we've seen there are plenty of "open source" linux kernel drivers for
NICs and video cards that are really binaries.  Plenty of room to hide
stuff there, but the hardware itself is a better target, especially if
the firmware they carry cannot be downloaded by the computer for
forensic analysis, and especially if there's some sort of open DMA
access from the device to the full memory of the machine that the OS
cannot detect.

Maybe they'd add stuff to tcp/udp packets as an out of band channel, or
in the case of wireless stuff transmit on unused nearby frequencies that
the hardware is capable of transmitting on, but cannot be detected with
normal wifi/bluetooth sniffers.

Bluetooth, and wifi would also be great targets because they can
communicate with the outside world, or maybe the USB controllers
themselves because stuff like bluetooth modules are often implemented as
on-board USB devices - at least they are on Mac notebooks.  On Mac
notebooks, the keyboard, bluetooth controller, camera and IR receiver
all run off the USB bus - so that would be a great place to sniff such
traffic, and would also be able to transmit it out to nearby bugs. 

Even if the OS thinks the device is disabled and not in use, it could
still be able to function as a sniffer/transmitter, and it's power
consumption hidden in a low-power mode.

If you have access to the kernel, or firmware in some critical part of a
machine or the hardware itself, that's more than enough - no need to
subvert the compilers.  There's plenty of out of band access/theft
recovery stuff in most notebooks/servers these days, and compiler
generated output could always be analyzed by folks looking for
vulnerabilities to exploit.

Since there are only a handful of chip manufacturers, subverting those
would be the path of least resistance and most gain, and companies like
Dell, HP, or Apple wouldn't even have to know, nor detect the presence
of such stuff.

The other path is that 90% of the stuff out there runs windows, so you
could always hide stuff as a worm/trojan, which we've seen with stuxnet
and the like.