On Trojan Horses in Compiler Implementations

This paper presents a security-related motivation for compiler verification, and in particular for binary compiler implementation verification. We will prove that source level verification is not sufficient to guarantee compiler correctness. For this, we will adopt the scenario of a well-known attack on Unix operating system programs due to intruded Trojan Horses in compiler executables. Such a compiler will pass nearly every test (state-of-the-art compiler validation, the strong bootstrap test, any amount of source code inspection and verification), but for all that, it nevertheless might eventually cause a catastrophe. We will show such a program in detail, and it is surprisingly easy to construct. In that, we share a common experience with Ken Thompson, who initially documented this kind of attack.
