Presentation is loading. Please wait.

Presentation is loading. Please wait.

Countering Trusting Trust with Diverse Double-Compiling (by David A Wheeler) Dan Frohlich.

Published byLily Thomas Modified over 9 years ago

Similar presentations

Presentation on theme: "Countering Trusting Trust with Diverse Double-Compiling (by David A Wheeler) Dan Frohlich."— Presentation transcript:

1 Countering Trusting Trust with Diverse Double-Compiling (by David A Wheeler) Dan Frohlich

2 Trusting Trust  “…compilers can be subverted to insert malicious Trojan horses into critical software, including themselves.” –Thompson “Reflection on Trusting Trust”

3 What does Trusting Trust do?  The attack uses 2 triggers: 1 to subvert system access and 1 to propagate the attack when re-compiled

4 Features of Trusting Trust Attack.  Trigger –A condition determined by an attacker in which a malicious event is to occur  Payload –The code that performs the malicious event –The inserted code and the code that causes the insertions  Non-Discovery –Binary files are non-transparent. Therefore the attack is difficult to identify.

5 The threat of Trusting Trust.  An attacker who subverted a few of the most widely-used operating systems could effectively control, directly or indirectly almost every computer in existence. –This could be aggravated by a monoculture in computing platforms.  Wheeler claims that many persons in the community believe that the risk of these kinds of attacks are increasing.

6 Detecting the Trusting Trust Attack is problematic.  Security evaluations examine source code under the assumption that it accurately represents the product being examined.  But, an attacker who can control the compiler binary can render source code evaluations worthless.  For source code security evaluations to be strongly credible, there needs to be a way to justify that the source code being examined accurately represents the files being executed.

7 Diverse Double-Compiling (defined.)  In DDC, if the final result is bit-for-bit identical to the original compiler binary, then the compiler source code accurately represents the binary. –c(sA, A) == c(sA, c(sA, T )) c(s,X) is the result of compiling s with X. sA is the untrusted compiler source A is the untrusted compiler T is the trusted compiler

8 c(sA, A) == c(sA, c(sA, T ))

9 Inadequate solutions to Trusting Trust defense  Manually compare binary to source  Compare binary to source by an automated process  Use second compiler –test semantic equivalence of the two binaries.  Only receive source –compile everything yourself  Interpreted languages –Simply changes the target of attack.

10 Why not compare the binary to the source?  Manual comparison is impractical due to resource requirements.  Automated comparison is difficult due to optimizing compilers. –Doesn’t DDC suffer from the very same issues?

11 Use a trusted compiler.  Use second compiler and compare binaries. –Testing the semantic equivalence of the two binaries is very difficult.  Only receive source / compile yourself –fails when receivers compiler is already malicious. But this only fails if receiver compiler T has a trigger on A. –Doesn’t DDC have the same issue if T has a trigger on A?

12  These approaches require the defender to insert themselves into the compiler creation process (to recompile it themselves before using it. This is often impractical. –But with DDC I have to compile it twice then debug it, then compare the binaries for equivalence. How is this an improvement? The problems with the other solutions to Trusting Trust

13  It can be completely automated. –After debugging each compiler involved.  Doesn’t require proofs –Doesn’t guarantee the attack will be found either.  Reveals defects in the compilers involved. –A beneficial side effect, but not why I’m doing this.  Can be expanded to cover all software running on a system. Why use DDC to detect Trusting trust?

14  Is there any value to discovering this attack as opposed to blindly destroying it with the trusted compiler alternative? Questions?

Download ppt "Countering Trusting Trust with Diverse Double-Compiling (by David A Wheeler) Dan Frohlich."

Similar presentations

Security Issues in Mobile Code Systems David M.Chess, High Integrity Computing Lab, IBM T.J. Watson Research Center Hawthorne, NY, USA Mobile code systems.

Security Issues in Mobile Code Systems David M.Chess, High Integrity Computing Lab, IBM T.J. Watson Research Center Hawthorne, NY, USA Mobile code systems.
Malicious Logic What is malicious logic Types of malicious logic Defenses Computer Security: Art and Science ©2002-2004 Matt Bishop.

Malicious Logic What is malicious logic Types of malicious logic Defenses Computer Security: Art and Science © Matt Bishop.
RUGRAT: Runtime Test Case Generation using Dynamic Compilers Ben Breech NASA Goddard Space Flight Center Lori Pollock John Cavazos University of Delaware.

RUGRAT: Runtime Test Case Generation using Dynamic Compilers Ben Breech NASA Goddard Space Flight Center Lori Pollock John Cavazos University of Delaware.
Software Security Threats Threats have been an issue since computers began to be used widely by the general public.

Software Security Threats Threats have been an issue since computers began to be used widely by the general public.
Chapter 14 Computer Security Threats Patricia Roy Manatee Community College, Venice, FL ©2008, Prentice Hall Operating Systems: Internals and Design Principles,

Chapter 14 Computer Security Threats Patricia Roy Manatee Community College, Venice, FL ©2008, Prentice Hall Operating Systems: Internals and Design Principles,
Security: Attacks. 2 Trojan Horse Malicious program disguised as an innocent one –Could modify/delete user’s file, send important info to cracker, etc.

Security: Attacks. 2 Trojan Horse Malicious program disguised as an innocent one –Could modify/delete user’s file, send important info to cracker, etc.
1 Software Testing and Quality Assurance Lecture 30 – Testing Systems.

1 Software Testing and Quality Assurance Lecture 30 – Testing Systems.
Copyright © 1995-2009 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE USC CSci530 Computer Security Systems Lecture.

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE USC CSci530 Computer Security Systems Lecture.
Describing Syntax and Semantics

Describing Syntax and Semantics
Virtual Machine approach to Security Gautam Prasad and Sudeep Pradhan 10/05/2010 CS 239 UCLA.

Virtual Machine approach to Security Gautam Prasad and Sudeep Pradhan 10/05/2010 CS 239 UCLA.
1 The Problem o Fluid software cannot be trusted to behave as advertised unknown origin (must be assumed to be malicious) known origin (can be erroneous.

1 The Problem o Fluid software cannot be trusted to behave as advertised unknown origin (must be assumed to be malicious) known origin (can be erroneous.
Adversaries in Clouds: Protecting Data in Cloud-Based Applications Nick Feamster Georgia Tech.

Adversaries in Clouds: Protecting Data in Cloud-Based Applications Nick Feamster Georgia Tech.
Henric Johnson1 Chapter 10 Malicious Software Henric Johnson Blekinge Institute of Technology, Sweden

Henric Johnson1 Chapter 10 Malicious Software Henric Johnson Blekinge Institute of Technology, Sweden
1GMS-VU : Module 2 Introduction to Information and Communication Technologies Module 2 Computer Software.

1GMS-VU : Module 2 Introduction to Information and Communication Technologies Module 2 Computer Software.
1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.

1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.
Chapter 15: Security (Part 1). The Security Problem Security must consider external environment of the system, and protect the system resources Intruders.

Chapter 15: Security (Part 1). The Security Problem Security must consider external environment of the system, and protect the system resources Intruders.
UNIT 4 ASSIGNMENT VIRUSES & DESTRUCTIVE PROGRAMS.

UNIT 4 ASSIGNMENT VIRUSES & DESTRUCTIVE PROGRAMS.
Malware  Viruses  E-mail Virus  Worms  Trojan Horses  Spyware –Keystroke Loggers  Adware.

Malware  Viruses  Virus  Worms  Trojan Horses  Spyware –Keystroke Loggers  Adware.
Test plans CSCI102 - Systems ITCS905 - Systems MCS9102 - Systems.

Test plans CSCI102 - Systems ITCS905 - Systems MCS Systems.
“Assuring Reliable and Secure IT Services”. IT Redundancy: Its Value How much reliability to buy? Customer Service impacted as a result of 15 minutes.

“Assuring Reliable and Secure IT Services”. IT Redundancy: Its Value How much reliability to buy? Customer Service impacted as a result of 15 minutes.

Similar presentations

Ads by Google