There is implicit trust involved when using computer software. Open-source software attempts to inspire more trust by giving access to the source code. Nevertheless, a malicious compiler, or someone with malicious intent, can produce malicious compiled code even from non-malicious source code. Further, comparing source code and compiled code for equivalence is an undecidable problem. This thesis explores how software can be manipulated so that source code and compiled code are no longer equivalent, and what can be done to increase the trust that they are equivalent. One way of manipulating the compiled code is through a malicious compiler. I demonstrate this by implementing a self-replicating compiler attack against the Go language compiler, a modern industrial-strength compiler. The attack is similar to the well-known trusting trust attack and can infect a new compiler while it is being compiled, even when the compiler is compiled from non-malicious source code. In the thesis, I also discuss other, real-world compiler attacks such as XcodeGhost and W32/Induc. These attacks show that compiler attacks are viable and a real threat. I discuss how reproducible builds can be used to increase the trust in compiled code when the source code is available. I also discuss how diverse double-compiling (DDC) can be used to detect self-replicating compiler attacks. I introduce a variant of DDC that uses more than two compilers for bootstrapping; this variant has not previously been described. By utilising parallel trust combinations, the new variant can increase the trust in the verified compiler beyond regular DDC and identify which compiler has inserted a self-replicating attack. The new variant is implemented and used to detect the previously implemented self-replicating attack.
supervisors | Martin Steffen |
IFI links | abstract, thesis, presentation |
repository | github |
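A toy model of the DDC check and of detection with more than two compilers, added here as an illustration and not code from the thesis: a compiler binary is summarised by three fields instead of real bytes, and the majority rule in `find_infected` is an assumed simplification of the thesis's parallel trust combinations.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed model: a compiler binary is described by three fields.
#   semantics: which compiler source its behaviour comes from
#   codegen:   whose code generator produced it (stands in for the bit pattern)
#   infected:  carries a self-replicating payload present in no source text


@dataclass(frozen=True)
class Binary:
    semantics: str
    codegen: str
    infected: bool = False

    def compile(self, source: str) -> "Binary":
        # The output behaves like `source` and bears this binary's code generation.
        # A payload re-inserts itself only when a compiler is being compiled.
        return Binary(semantics=source, codegen=self.semantics,
                      infected=self.infected and source.endswith("-compiler"))


def ddc_check(trusted: Binary, under_test: Binary) -> bool:
    """Diverse double-compiling: build the compiler under test from its own
    source with the trusted compiler (stage1), then again with stage1 (stage2).
    stage2 must equal the self-compiled compiler under test bit for bit."""
    source = under_test.semantics
    stage1 = trusted.compile(source)
    stage2 = stage1.compile(source)
    return stage2 == under_test.compile(source)


def find_infected(compilers: Dict[str, Binary]) -> List[str]:
    """Multi-compiler variant (simplified, assumed rule): run DDC for every
    compiler against each of the others and flag those that fail against a
    majority of the rest. Assumes that most of the compilers are clean."""
    flagged = []
    for name, candidate in compilers.items():
        others = [t for n, t in compilers.items() if n != name]
        failures = sum(not ddc_check(t, candidate) for t in others)
        if failures * 2 > len(others):
            flagged.append(name)
    return flagged


# Constructed sample: three self-hosted compilers, one carrying a payload.
COMPILERS = {
    "A": Binary("A-compiler", "A-compiler", infected=True),
    "B": Binary("B-compiler", "B-compiler"),
    "C": Binary("C-compiler", "C-compiler"),
}
```

Two-compiler DDC only reports a mismatch; with three or more compilers, the clean ones agree with each other and isolate the one whose self-compilation diverges.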