Secure Coding mailing list archives
Countering Trusting Trust through Diverse Double-Compiling
From: dwheeler at ida.org (David A. Wheeler)
Date: Wed, 14 Dec 2005 16:40:27 -0500
Everyone here should be familiar with Ken Thompson's famous "Reflections on Trusting Trust." If not, see: http://www.acm.org/classics/sep95/ The "trusting trust" attack subverts the compiler binary; if the attacker succeeds, you're doomed. Well, til now. I've written a paper on an approach to counter this attack. See: "Countering Trusting Trust through Diverse Double-Compiling" http://www.acsa-admin.org/2005/abstracts/47.html You can get data to reproduce this, and some related material, from my personal site: http://www.dwheeler.com/trusting-trust Here's the abstract: "An Air Force evaluation of Multics, and Ken Thompson's famous Turing award lecture "Reflections on Trusting Trust," showed that compilers can be subverted to insert malicious Trojan horses into critical software, including themselves. If this attack goes undetected, even complete analysis of a system's source code will not find the malicious code that is running, and methods for detecting this particular attack are not widely known. This paper describes a practical technique, termed diverse double-compiling (DDC), that detects this attack and some unintended compiler defects as well. Simply recompile the purported source code twice: once with a second (trusted) compiler, and again using the result of the first compilation. If the result is bit-for-bit identical with the untrusted binary, then the source code accurately represents the binary. This technique has been mentioned informally, but its issues and ramifications have not been identified or discussed in a peer-reviewed work, nor has a public demonstration been made. This paper describes the technique, justifies it, describes how to overcome practical challenges, and demonstrates it." I think you'll find this interesting. (Note: I posted a similar message to Bugtraq earlier, but I thought some of you might not have seen it.) --- David A. Wheeler
Current thread:
- Countering Trusting Trust through Diverse Double-Compiling David A. Wheeler (Dec 14)
- Countering Trusting Trust through Diverse Double-Compiling Kenneth R. van Wyk (Dec 14)
- <Possible follow-ups>
- Countering Trusting Trust through Diverse Double-Compiling Steven M. Bellovin (Dec 14)