Secure Coding mailing list archives

Countering Trusting Trust through Diverse Double-Compiling


From: Ken at krvw.com (Kenneth R. van Wyk)
Date: Wed, 14 Dec 2005 19:41:46 -0500

On Wednesday 14 December 2005 16:40, David A. Wheeler wrote:
> I've written a paper on an approach to counter this attack. See:
>   "Countering Trusting Trust through Diverse Double-Compiling"
>   http://www.acsa-admin.org/2005/abstracts/47.html

Thanks for sharing it here, David.

Here's the abstract:
"... Simply recompile the purported source code twice: once with a second
(trusted) compiler, and again using the result of the first compilation.
If the result is bit-for-bit identical with the untrusted
binary, then the source code accurately represents the binary. ..."

This reminded me of an old class of PC viruses (circa 1992) that evaded 
detection by file scanners by hooking the MS-DOS file read interrupt and 
returning the original, uninfected version of infected files whenever a 
program opened up an infected file for reading.  It tricked a lot of file 
scanners at the time.  If I'm not mistaken, it was the DIR-II family of 
viruses.  I'm sure that you've taken that sort of evasive action into 
account, but I thought that I'd mention it here for the SC-L folks.

Heck, by today's rather loose definitions of what a rootkit is, perhaps the 
DIR-II family was the first malware to feature rootkit-like stealth 
techniques.

Cheers,

Ken van Wyk
-- 
KRvW Associates, LLC
http://www.KRvW.com
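The double-compilation check described in the abstract, as an added toy simulation that is not code from the paper or from this list post: `Binary`, `compile_with`, the `style` strings and `COMPILER_SRC` are constructed stand-ins for a self-hosting compiler, and the model assumes compilation is deterministic. It also shows why a single recompilation with the second compiler is not enough.

```python
import hashlib
from dataclasses import dataclass

# Constructed stand-in for the purported source code of a self-hosting compiler.
COMPILER_SRC = "toy-compiler-v1"

@dataclass(frozen=True)
class Binary:
    style: str    # code-generation behaviour, inherited from the source it was built from
    trojan: bool  # whether this compiler re-inserts a backdoor whenever it compiles a compiler
    image: bytes  # the bit-for-bit contents that the DDC comparison is made over

def compile_with(compiler: Binary, source: str) -> Binary:
    """Toy model of compilation (assumed deterministic, as DDC requires): the output's
    behaviour is fixed by the source, but its bytes also depend on the emitting compiler."""
    inject = compiler.trojan and source.startswith("toy-compiler")
    image = hashlib.sha256(f"{source}|{compiler.style}|backdoor={inject}".encode()).digest()
    return Binary(style=f"style({source})", trojan=inject, image=image)

def build_clean() -> Binary:
    """The vendor's compiler, honestly self-compiled from COMPILER_SRC."""
    ancestor = Binary(style=f"style({COMPILER_SRC})", trojan=False, image=b"")
    return compile_with(ancestor, COMPILER_SRC)

def build_trojaned() -> Binary:
    """The same clean source built by a trusting-trust ancestor: the backdoor survives."""
    ancestor = Binary(style=f"style({COMPILER_SRC})", trojan=True, image=b"")
    return compile_with(ancestor, COMPILER_SRC)

# The second, independently trusted compiler; its code generation differs from the vendor's.
TRUSTED = Binary(style="style(trusted-second-compiler)", trojan=False, image=b"")

def single_compile_matches(untrusted: Binary, source: str, trusted: Binary) -> bool:
    """One compilation is not enough: a different compiler emits different bytes."""
    return compile_with(trusted, source).image == untrusted.image

def ddc_check(untrusted: Binary, source: str, trusted: Binary) -> bool:
    """Diverse double-compiling: stage1 is built by the trusted compiler, stage2 by stage1.
    If the source truly describes the untrusted binary, stage2 is bit-for-bit identical."""
    stage1 = compile_with(trusted, source)
    stage2 = compile_with(stage1, source)
    return stage2.image == untrusted.image

if __name__ == "__main__":
    print("clean, single compile :", single_compile_matches(build_clean(), COMPILER_SRC, TRUSTED))
    print("clean, DDC            :", ddc_check(build_clean(), COMPILER_SRC, TRUSTED))
    print("trojaned, DDC         :", ddc_check(build_trojaned(), COMPILER_SRC, TRUSTED))
```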