Countering the trusting trust attack
Posted Feb 3, 2010 4:22 UTC (Wed) by dwheeler
In reply to: Security in the 20-teens
Parent article: Security in the 20-teens
My web page on countering trusting trust through diverse double-compiling (DDC) has all the details on my DDC approach.
DDC uses a second compiler to detect the trusting trust attack, and it's perfectly fine if the second compiler is also subverted; DDC merely presumes that the second compiler isn't subverted in exactly the same way.
Nix's posting is a nice summary of its implications. As nix says, DDC
'reduces the problem to "you can't trust compilers produced by a cooperating malevolent group, nor code compiled with those compilers". But if you have several compilers, some of which are trustworthy *or are produced by malevolent groups that are not in communication*, then those compilers will not introduce the Thompson hack into the *other* compilers when compiling them, and the attack falls apart. This is a much harder bar for attackers to leap over: from subverting one compiler, they have to subvert every compiler you might possibly use targeting that architecture if they are to go undetected.'
There are lots of details on that website, including the entire dissertation.
The dissertation includes mathematical proofs and demonstrations with several open source software compilers (including GCC).
By the way, the DDC approach can only be applied if you have the source code. So DDC gives an advantage to compilers whose source code is publicly available, including OSS compilers.
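The DDC procedure described in the comment above, as an added toy simulation (this is not code from the dissertation or from any real compiler): "compilers" are small objects whose output is a deterministic function of the source text, and a subverted one propagates its payload whenever it recognises compiler source, which is the trusting-trust behaviour. The names `Binary`, `ddc_check` and the constructed source strings are all assumptions of this example. The check compiles the compiler's source with a second, trusted compiler (stage 1), recompiles the same source with that stage-1 result (stage 2), and compares stage 2 to the binary under test. It also shows the one case DDC cannot catch: a second compiler subverted in exactly the same way.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

# Constructed stand-ins for compiler source code. The marker is how a
# subverted compiler in this toy model recognises "compiler source".
COMPILER_SOURCE_MARKER = "// compiler source"
SOURCE_A = "int main() { /* compiler A */ } " + COMPILER_SOURCE_MARKER
SOURCE_T = "int main() { /* compiler T */ } " + COMPILER_SOURCE_MARKER


@dataclass(frozen=True)
class Binary:
    """Toy stand-in for a compiled executable.

    built_from: hash of the source it claims to have been compiled from.
    trojan:     payload id carried by the binary, None if it is clean.
    """
    built_from: str
    trojan: Optional[str]

    def compile(self, source: str) -> "Binary":
        # Deterministic compilation: a clean compiler's output depends only on
        # the source text (DDC relies on this reproducibility in practice).
        # A subverted compiler additionally re-inserts its own payload whenever
        # it compiles compiler source, i.e. the Thompson attack.
        payload = self.trojan if (self.trojan and COMPILER_SOURCE_MARKER in source) else None
        return Binary(hashlib.sha256(source.encode()).hexdigest(), payload)


def make_binary(source: str, trojan: Optional[str] = None) -> Binary:
    """Construct a compiler binary that claims to be built from `source`."""
    return Binary(hashlib.sha256(source.encode()).hexdigest(), trojan)


def ddc_check(compiler_under_test: Binary, source: str, trusted: Binary) -> bool:
    """Diverse double-compiling: True if the binary under test is regenerated exactly."""
    stage1 = trusted.compile(source)   # source of A, compiled with trusted compiler T
    stage2 = stage1.compile(source)    # source of A, compiled with the stage-1 result
    # With deterministic compilers and an honest binary under test, stage2
    # must be bit-for-bit identical to the binary we were handed.
    return stage2 == compiler_under_test


def demo() -> dict:
    """Run the four instructive scenarios and report whether DDC flags each."""
    clean_t = make_binary(SOURCE_T)
    clean_a = make_binary(SOURCE_A)
    trojaned_a = make_binary(SOURCE_A, trojan="X")
    t_other_trojan = make_binary(SOURCE_T, trojan="Y")   # subverted, but differently
    t_same_trojan = make_binary(SOURCE_T, trojan="X")    # subverted in exactly the same way
    return {
        "clean A, clean T": ddc_check(clean_a, SOURCE_A, clean_t),
        "trojaned A, clean T": ddc_check(trojaned_a, SOURCE_A, clean_t),
        "trojaned A, differently trojaned T": ddc_check(trojaned_a, SOURCE_A, t_other_trojan),
        "trojaned A, identically trojaned T": ddc_check(trojaned_a, SOURCE_A, t_same_trojan),
    }


if __name__ == "__main__":
    for scenario, passed in demo().items():
        print(f"{scenario}: {'matches (accepted)' if passed else 'MISMATCH (flagged)'}")
```

Only the last scenario is accepted despite the trojan, which is the assumption the comment states: the second compiler need not be trustworthy, it only must not be subverted in precisely the same way. A second compiler subverted differently still produces a mismatch, which is enough to tell the verifier that something is wrong.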