Mason Archival Repository Service

Fully Countering Trusting Trust through Diverse Double-Compiling

dc.contributor.author Wheeler, David A.
dc.creator Wheeler, David A.
dc.date 2009-12-02
dc.date.accessioned 2010-01-11T19:13:24Z
dc.date.available NO_RESTRICTION en_US
dc.date.available 2010-01-11T19:13:24Z
dc.date.issued 2010-01-11T19:13:24Z
dc.identifier.uri https://hdl.handle.net/1920/5667
dc.description.abstract An Air Force evaluation of Multics, and Ken Thompson’s Turing award lecture (“Reflections on Trusting Trust”), showed that compilers can be subverted to insert malicious Trojan horses into critical software, including themselves. If this “trusting trust” attack goes undetected, even complete analysis of a system’s source code will not find the malicious code that is running. Previously known countermeasures have been grossly inadequate. If this attack cannot be countered, attackers can quietly subvert entire classes of computer systems, gaining complete control over financial, infrastructure, military, and/or business systems worldwide. This dissertation’s thesis is that the trusting trust attack can be detected and effectively countered using the “Diverse Double-Compiling” (DDC) technique, as demonstrated by (1) a formal proof that DDC can determine if source code and generated executable code correspond, (2) a demonstration of DDC with four compilers (a small C compiler, a small Lisp compiler, a small maliciously corrupted Lisp compiler, and a large industrial-strength C compiler, GCC), and (3) a description of approaches for applying DDC in various real-world scenarios. In the DDC technique, source code is compiled twice: the source code of the compiler’s parent is compiled using a trusted compiler, and then the putative compiler source code is compiled using the result of the first compilation. If the DDC result is bit-for-bit identical with the original compiler-under-test’s executable, and certain other assumptions hold, then the compiler-under-test’s executable corresponds with its putative source code.
dc.language.iso en_US en_US
dc.subject trusting en_US
dc.subject compiler en_US
dc.subject Trojan en_US
dc.subject trust en_US
dc.subject subversion en_US
dc.subject DDC en_US
dc.title Fully Countering Trusting Trust through Diverse Double-Compiling en_US
dc.type Dissertation en
thesis.degree.name Doctor of Philosophy in Information Technology en_US
thesis.degree.level Doctoral en
thesis.degree.discipline Information Technology en
thesis.degree.grantor George Mason University en