dChan
Anonymous ID: 4a94ab Nov. 13, 2020, 8:46 a.m. No.11627353   🗄️.is 🔗kun   >>7429

>>11627046 (lb)

Interesting read. Guy is essentially saying that he found a way to hack the old C compiler in a way that it could inject malicious code WHEN COMPILING. This would not be seen in the src files that say Dominion devs were writing, assuming their compilers had been compromised. Basically you can't trust any software you didn't write yourself.

 

Here's his summary:

The moral is obvious. You can't trust code that you did not totally create yourself. (Especially code from companies that employ people like me.) No amount of source-level verification or scrutiny will protect you from using untrusted code. In demonstrating the possibility of this kind of attack, I picked on the C compiler. I could have picked on any program-handling program such as an assembler, a loader, or even hardware microcode. As the level of program gets lower, these bugs will be harder and harder to detect. A well-installed microcode bug will be almost impossible to detect.

Anonymous ID: 4a94ab Nov. 13, 2020, 8:59 a.m. No.11627517   🗄️.is 🔗kun   >>7566 >>7706 >>7717

>>11627429

I do not know who is currently reviewing the source or attempting to decompile. I haven't seen anything but references to it being 'available'.

 

Here's the problem. The Dominion system is built (from what I can tell) using .NET 3.5 and F#. That means that all the code that the Dominion dev write is compiled by the .NET compiler. If Microsoft was shipping a compromised .NET compiler, it's unlikely the Dominion devs would know. The 3.5 framework is old an does have many vulnerabilities associated with it. At the very least they should update that.

https://www.cvedetails.com/vulnerability-list.php?vendor_id=26&product_id=2002&version_id=82466&page=1&hasexp=0&opdos=0&opec=0&opov=0&opcsrf=0&opgpriv=0&opsqli=0&opxss=0&opdirt=0&opmemc=0&ophttprs=0&opbyp=0&opfileinc=0&opginf=0&cvssscoremin=0&cvssscoremax=0&year=0&cweid=0&order=1&trc=18&sha=2e69e2f55d12bd3d0cba21b052e3d43f952865e4

 

I'd wage that if we we pressed hard enough, we could see some PenTest results. They would fail just being on .NET 3.5 alone.

Anonymous ID: 4a94ab Nov. 13, 2020, 9:02 a.m. No.11627550   🗄️.is 🔗kun

>>11627429

There's plenty of people that are this smart and could put this into play at any of the big tech companies providing a compiler or a developer studio. IE MS, Goog, IBM