this post was submitted on 10 Apr 2024
4 points (100.0% liked)

Security


Confidentiality Integrity Availability

[email protected] 4 points 7 months ago

The author's own solution is not even sufficient to meet their own criteria:

2. Hand assemble the GNU stage0 hex0 monitor (280 bytes) (or a spiritual equivalent for the SBC's ISA) from printed source assembly using pen and paper and an ISA manual.

...

6. By using the terminal to communicate with the hex0 monitor, type in more sophisticated monitors as hexadecimal after hand-assembling them on pen and paper.

The source code to these programs was obtained through requirement (2):

(2) ... You may request any of the following resources:

Source code to any open source code, printed on paper

This code does not specify that it has been signed or has had its authenticity verified. Only code received digitally through requirement (3) is cryptographically verified:

(3) ... You may request further open source code (e.g. the Linux kernel) to be delivered in some digital form ... however data delivered in this manner may only be used where:

the user can verify the cryptographic identity of that data, where that verification process itself does not rely on any data obtained using this clause, and ...

So already at the start of the process, the author is using tools to bootstrap the system which could contain backdoors.

I would change the requirements so that source code printouts are already verified by the person supplying them, or that the solver has to write their own bootstrap tools to get to the point of being able to verify cryptographic hashes/signatures before they can even use any third party source code.
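
An added illustration of the supplier-side check suggested in the comment above (not part of the original thread and not stage0 code): a hex listing transcribed from paper is decoded and compared against a digest obtained through a separate channel. It assumes the hex0 convention of hex digit pairs with `#` and `;` comments running to end of line; the 8-byte listing, `REFERENCE` and the function names are constructed for the example.

```python
import hashlib

HEX_DIGITS = "0123456789abcdefABCDEF"

def decode_hex0(text):
    """Decode hex0-style text into bytes.

    Stricter than a real hex0 loader on purpose: any stray character or a
    dangling nibble is reported, since both indicate a transcription slip.
    """
    out = bytearray()
    pending = None  # first nibble of the byte being assembled
    for lineno, line in enumerate(text.splitlines(), 1):
        for ch in line:
            if ch in "#;":          # comment runs to end of line
                break
            if ch in HEX_DIGITS:
                if pending is None:
                    pending = ch
                else:
                    out.append(int(pending + ch, 16))
                    pending = None
            elif not ch.isspace():
                raise ValueError(f"line {lineno}: unexpected character {ch!r}")
    if pending is not None:
        raise ValueError("odd number of hex digits: a nibble is missing")
    return bytes(out)

def verify_transcription(text, expected_sha256, expected_len):
    """True only if the decoded image matches the independently supplied digest."""
    image = decode_hex0(text)
    if len(image) != expected_len:
        return False
    return hashlib.sha256(image).hexdigest() == expected_sha256.lower()

# Constructed sample: an 8-byte listing, NOT the real 280-byte hex0 monitor.
SAMPLE = """\
# constructed listing for illustration
48 C7 C0 3C   ; first four bytes
00 00 00 0F   # last four bytes
"""
# Stand-in for the digest the supplier would publish out of band.
REFERENCE = bytes.fromhex("48c7c03c0000000f")
EXPECTED_SHA256 = hashlib.sha256(REFERENCE).hexdigest()

if __name__ == "__main__":
    print("verified:", verify_transcription(SAMPLE, EXPECTED_SHA256, len(REFERENCE)))
```

The check is only as trustworthy as the channel that delivered the expected digest and the machine that runs it, which is the gap the comment points at for the printed source.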