FYI: Diverse Double-Compiling DDC presentation now on YouTube
David A. Wheeler
dwheeler at dwheeler.com
Mon May 3 16:43:30 UTC 2021
FYI, my original public defense presentation about “Diverse Double-Compiling” (DDC) is now on YouTube:
Here’s some quick context:
Reproducible builds, as discussed in this mailing list,
counter many build attacks by ensuring that the same tools produce the same resulting package.
But how do you know the tools are not subverted in *their* build processes?
Well, you can use reproducible builds on those tools as well. However,
compilers are a special case. Since compilers (and similar tools) compile themselves, they create a “loop”
that’s harder to deal with. (In general, cycles create many problems in computer science.)
The attack was originally discussed in the Multics security evaluation of 1974,
and popularized by Ken Thompson’s discussion & demonstration of the attack as explained in his
1984 Turing Award presentation “Reflections on Trusting Trust”.
A strong way to counter this “trusting trust” attack is “Diverse Double-Compiling” (DDC).
The video above is my PhD public defense that it works. More details available here:
Another countermeasure is to use bootstrappable builds (e.g., GNU Mes).
Bootstrappable builds & DDC aren’t really competitors, because
they can work well together to even-more-powerfully counter such attacks.
The recording is wiggly (it wasn’t professionally recorded), but it should be understandable.
--- David A. Wheeler