The thesis topic is no longer available

Discovering the Trusting Trust Attack

Compiler security is an important field. This thesis aims to do groundwork to reproduce a known technique, Diverse Double-Compiling (DDC), in a new environment, potentially with a secondary focus on writing a compiler for a mainstream language.


Background and motivation


Advocates of open-source software will often claim that open-source software is
more secure than closed-source software as it allows independent inspection of
the source code. This allows malicious code to be more easily detected through
independent review. Nevertheless, as most open-source software is typically
distributed in binary form this raises an important question: how can we tell
if a binary is actually built from the source code it claims without malicious

Reproducible builds attempt to solve this by creating a verifiable path
from source code to binary form. This will then allow for independent review to
show that a piece of software is actually built by the source code it claims

Self-hosted compilers are typically, at some point, distributed in binary form to be able to start compilations. As noted by Thompson in his famous article "Reflections on Trusting Trust", it is difficult to fully trust this compiler. We cannot easily tell whether a self-infecting compiler is infected by recompiling it. Although the point of the article is that you have to trust someone, it still highlights an attack that may be preventable.

An approach to this problem named Diverse Double-Compiling (DDC) has
been introduced and demonstrated for the GNU project's C and C++ compiler (GCC). This approach allows you to validate that a self-hosting
compiler is not self-infecting by using a secondary compiler or interpreter. The
secondary compiler does not need advanced features and can be very
basic. Therefore a secondary compiler like this can avoid focusing on
optimisations, but can instead focus on easily understandable and reviewable

This thesis aims to use DDC to validate another self-hosted
compiler. It can also have a secondary focus on writing a "simple" compiler
for a mainstream language.
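A toy model of the DDC check described above, added here as an illustration; it is not code from this proposal or from the DDC work on GCC. The `Binary` tuple, the placeholder sources and all function names are assumptions, and tuple equality stands in for a bit-for-bit comparison of reproducible builds.

```python
from collections import namedtuple
import hashlib

# Toy model: a "binary" records which program it implements, which compiler's
# code generator emitted it, and whether it carries a self-propagating trojan.
Binary = namedtuple("Binary", "program backend trojan")

SRC_A = "compiler A source (constructed placeholder)"  # primary, self-hosted
SRC_T = "compiler T source (constructed placeholder)"  # secondary, trusted

def ident(src):
    """Stable identifier for a piece of source text."""
    return hashlib.sha256(src.encode()).hexdigest()

def run_compiler(compiler, src):
    """Run a compiler binary on source text and return the binary it emits.

    The output depends only on the program the compiler implements, not on
    which backend built the compiler itself. A trojaned compiler re-inserts
    the trojan only when it compiles the primary compiler's source.
    """
    return Binary(program=ident(src),
                  backend=compiler.program,
                  trojan=compiler.trojan and src == SRC_A)

def ddc(trusted, suspect, src):
    """Diverse double-compiling: True if `suspect` matches the rebuild."""
    stage1 = run_compiler(trusted, src)  # A's source built by the trusted compiler
    stage2 = run_compiler(stage1, src)   # A's source built by stage1
    return stage2 == suspect             # stands in for bit-for-bit comparison

# Constructed inputs: trusted compiler, a clean self-built A, a trojaned A.
TRUSTED = Binary(ident(SRC_T), "bootstrap", False)
CLEAN_A = Binary(ident(SRC_A), ident(SRC_A), False)
TROJANED_A = Binary(ident(SRC_A), ident(SRC_A), True)

if __name__ == "__main__":
    # Recompiling A with itself cannot expose the trojan: the output is unchanged.
    print("self-rebuild of trojaned A is stable:",
          run_compiler(TROJANED_A, SRC_A) == TROJANED_A)
    print("DDC accepts clean A:   ", ddc(TRUSTED, CLEAN_A, SRC_A))
    print("DDC accepts trojaned A:", ddc(TRUSTED, TROJANED_A, SRC_A))
```

Note that stage1 differs from the distributed binary because another code generator emitted it; only stage2 is expected to match.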




Problem setting

  • Identify a primary self-hosted compiler that is reproducible or can easily be made reproducible.
  • Write or modify a secondary compiler or interpreter that is capable of correctly compiling/interpreting the primary compiler, preferably with a focus on easily reviewable code.
  • Use DDC to show whether the primary compiler contains self-infecting code.
Keywords: Compiler, diverse double compilation, validation, security, trust
Published Nov. 13, 2017 12:10 - Last modified Nov. 13, 2017 12:12


  • Yrjan Skrimstad

Scope (credits)