Countering trusting trust through diverse double-compiling

An Air Force evaluation of Multics, and Ken Thompson's famous Turing Award lecture "Reflections on Trusting Trust," showed that compilers can be subverted to insert malicious Trojan horses into critical software, including themselves. If this attack goes undetected, even complete analysis of a system's source code cannot find the malicious code that is running, and methods for detecting this particular attack are not widely known. This paper describes a practical technique, termed diverse double-compiling (DDC), that detects this attack and some compiler defects as well. Simply recompile the source code twice: once with a second (trusted) compiler, and again using the result of the first compilation. If the result is bit-for-bit identical with the untrusted binary, then the source code accurately represents the binary. This technique has been mentioned informally, but its issues and ramifications have not been identified or discussed in a peer-reviewed work, nor has a public demonstration been made. This paper describes the technique, justifies it, describes how to overcome practical challenges, and demonstrates it.
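As an added illustration (not the paper's own code), the following Python model shows why recompiling clean source does not remove a Thompson-style trojan, and how the DDC check described above exposes it. Every name in it is constructed: a hash stands in for generated object code, a marker byte string stands in for the trojan, and the "trusted" second compiler is just any binary that lacks that marker.

```python
import hashlib

# Constructed sample sources. The compiler source is clean, which is the point:
# source review alone cannot find a trojan that lives only in the binary.
COMPILER_SRC = "compiler source v1 (constructed sample)"
LOGIN_SRC = "login program source (constructed sample)"
TROJAN_MARK = b"<<self-reinserting trojan>>"
BACKDOOR_MARK = b"<<login backdoor>>"
TRUSTED_COMPILER = b"independently built second compiler (constructed)"

def run_compiler(compiler: bytes, src: str) -> bytes:
    """Model of executing a compiler binary on source text. Faithful output
    depends only on the source (a hash stands in for object code). A subverted
    compiler behaves as in Thompson's lecture: it backdoors the login program
    and reinserts itself when compiling its own source."""
    obj = hashlib.sha256(src.encode()).digest()
    if TROJAN_MARK in compiler:
        if src == LOGIN_SRC:
            obj += BACKDOOR_MARK
        elif src == COMPILER_SRC:
            obj += TROJAN_MARK
    return obj

def build_clean_compiler() -> bytes:
    return run_compiler(TRUSTED_COMPILER, COMPILER_SRC)

def build_subverted_compiler() -> bytes:
    # The one-time attack: a binary whose behaviour its source no longer describes.
    return build_clean_compiler() + TROJAN_MARK

def self_regenerates(c_a: bytes, s_a: str) -> bool:
    """Precondition DDC relies on: cA compiling its own source reproduces cA."""
    return run_compiler(c_a, s_a) == c_a

def ddc(c_t: bytes, s_a: str, c_a: bytes) -> bool:
    """Diverse double-compiling: stage1 = cT(sA), stage2 = stage1(sA).
    Return True iff stage2 is bit-for-bit identical to the untrusted cA."""
    stage1 = run_compiler(c_t, s_a)
    stage2 = run_compiler(stage1, s_a)
    return stage2 == c_a

if __name__ == "__main__":
    for name, c_a in (("clean", build_clean_compiler()),
                      ("subverted", build_subverted_compiler())):
        print(name, "self-regenerates:", self_regenerates(c_a, COMPILER_SRC),
              "DDC match:", ddc(TRUSTED_COMPILER, COMPILER_SRC, c_a))
```

Both compilers pass the self-regeneration check, so recompiling from source proves nothing; only the comparison against the independently derived stage2 separates them. The model also shows the technique's limit: a trusted compiler carrying the same marker would regenerate the trojan and the check would pass, which is why cT must be genuinely diverse from cA.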
