I always had issues with this particular counter, because it assumes that you cannot create a sufficiently good backdoor-creating AI/heuristic machine that can also fit in the unused spaces in our systems and binaries without being noticed. That’s a big ‘if’, looking ahead into the deep future, especially as our knowledge of autonomous agents and storage keeps growing.
> I always had issues with this particular counter, because it assumes that you cannot create a sufficiently good backdoor-creating AI/heuristic machine that can also fit in the unused spaces in our systems and binaries without being noticed. That’s a big ‘if’, looking ahead into the deep future, especially as our knowledge of autonomous agents and storage keeps growing.
If I understand you correctly, that doesn't counter DDC, as long as the system being generated is being covered by DDC.
If you're worrying about inserting code into "unused spaces" in the file that people typically call the "compiler", the solution is to check the compiler with DDC - that guarantees (given certain assumptions) that all of the executable can be explained by the source code. The source code could have malicious code, but developers know how to review source code.
If you're worrying about inserting code into "unused spaces" in other files of the larger system, the paper explains how to counter that too. Basically, treat the entire system as the "compiler" & regenerate it. More work, but now you've squeezed that out.
There's even a counter-example in the DDC paper. The tcc compiler had a subtle bug where 2 bytes were "free" (not controlled by the compilation process). That's because it was storing a 10-byte floating point value into a 12-byte memory area, leaving 2 bytes uncontrolled. DDC immediately detected a problem. DDC can detect 1 bit of difference. There's no "uncontrolled free space" for whatever is being verified by the DDC process.
Unlike most computer stuff, there's a mathematical proof in the DDC paper. If the assumptions hold, the conclusions necessarily follow. Attackers must take steps to invalidate at least one of the assumptions for the conclusion to fail. Of course, nothing is perfect - if an attacker subverts an assumption, then the defender can't rely on the conclusion. But the defender can take steps to make the assumptions true.
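An added illustration of the tcc case mentioned in the reply above (not part of the original comment, the DDC paper, or tcc's source): a 10-byte value is written into a 12-byte slot, and a bit-for-bit comparison of two otherwise identical outputs flags the 2 uncontrolled bytes. The function names, the simulated "stale memory" fill bytes and the zero-the-slot fix are assumptions made for this sketch.

```c
#include <stdio.h>
#include <string.h>

#define SLOT  12  /* bytes reserved for the floating-point value */
#define VALUE 10  /* bytes actually written */

struct diff { long first; unsigned bits; };  /* first differing offset (-1 if none), differing bits */

/* Emit one value into its slot. `stale` stands in for whatever was left in
 * that memory during this build (simulated so the run is deterministic). */
static void emit_value(unsigned char *out, const unsigned char *value,
                       unsigned char stale, int zero_slot_first)
{
    memset(out, stale, SLOT);
    if (zero_slot_first)
        memset(out, 0, SLOT);      /* assumed fix: every byte is controlled */
    memcpy(out, value, VALUE);     /* bytes 10 and 11 are never written */
}

/* Bit-for-bit comparison of two outputs. */
static struct diff compare(const unsigned char *a, const unsigned char *b, size_t n)
{
    struct diff d = { -1, 0 };
    for (size_t i = 0; i < n; i++) {
        unsigned char x = a[i] ^ b[i];
        if (x && d.first < 0)
            d.first = (long)i;
        for (; x; x &= (unsigned char)(x - 1))
            d.bits++;              /* count each differing bit */
    }
    return d;
}

/* Produce the same value in two builds that differ only in stale memory. */
static struct diff compare_builds(int zero_slot_first)
{
    /* Constructed sample: 1.0 as an x87 80-bit extended value, little-endian. */
    static const unsigned char value[VALUE] =
        { 0, 0, 0, 0, 0, 0, 0, 0x80, 0xff, 0x3f };
    unsigned char a[SLOT], b[SLOT];
    emit_value(a, value, 0xAA, zero_slot_first);
    emit_value(b, value, 0xAB, zero_slot_first);
    return compare(a, b, SLOT);
}

int main(void)
{
    struct diff leaky = compare_builds(0), fixed = compare_builds(1);
    printf("uncontrolled padding: %u bits differ, first at offset %ld\n", leaky.bits, leaky.first);
    printf("slot zeroed first:    %u bits differ, first at offset %ld\n", fixed.bits, fixed.first);
    return 0;
}
```

The two simulated builds differ by a single bit in each padding byte, which is enough for the comparison to fail; once the slot is fully written, the outputs match exactly.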
Thank you for replying, David A. Wheeler. Posts and feedback from professionals like you are what make HN great, despite the community's many (rather annoying) shortcomings.