Improving Trust in Software through Diverse Double Compilation and Reproducible Builds

There is implicit trust involved when using computer software. Open-source
software attempts to inspire more trust by giving access to the source
code. Nevertheless, a malicious compiler, or a person with malicious
intent, can produce malicious compiled code even from non-malicious
source code. Further, comparing source code and compiled code for
equivalence is an undecidable problem. This thesis explores how software
can be manipulated so that source code and compiled code are no longer
equivalent, and what can be done to increase the trust that they are
equivalent.

One such way of manipulating the compiled code is through a malicious
compiler. I demonstrate this by implementing a self-replicating compiler
attack against the Go language compiler, a modern industrial-strength
compiler. The attack is similar to the well-known trusting trust attack
and can infect a new compiler when it is being compiled, even when
the compiler is compiled from non-malicious source code. In the thesis,
I also discuss other, real-world, compiler attacks such as XcodeGhost and
W32/Induc. The attacks show that compiler attacks are viable and a real
threat.

I discuss how reproducible builds can be used to increase the trust in
compiled code when the source code is available. Also discussed is how
Diverse Double-Compiling (DDC) can be used to detect self-replicating
compiler attacks. I introduce a variant of DDC that uses more than two
compilers for bootstrapping; this variant has not previously been
described. By utilising parallel trust combinations, the new variant can
increase the trust in the verified compiler beyond regular DDC and
identify which compiler has inserted a self-replicating attack. The new
variant is implemented and used to detect the previously implemented
self-replicating attack.

Tags: compiler, trust, security, reproducible builds, diverse double compilation, trusting trust attack, self-replication, Go, Go programming language, malicious compiler, compiler trap door, parallel trust combinations, open source

By Yrjan Skrimstad
Published July 31, 2018 2:33 PM - Last modified Sep. 17, 2018 7:50 AM