Countering Trusting Trust through Diverse Double-Compiling

I haven’t yet had chance to read this properly, but it’s very exciting and impressive, and will no doubt be essential supplementary reading on the security course I’m teaching next term: Countering Trusting Trust through Diverse Double-Compiling.

Update 2006-01-26: Bruce Schneier’s lucid explanation.

2 Responses to “Countering Trusting Trust through Diverse Double-Compiling”

  1. Milan Merhar
    January 2nd, 2006 | 10:05 pm

    Hmmm…. Unlike Assemblers, which generate pure transliterations of their input, it seems to me that the output of a high level language compiler is not deterministic enough to insure that two different implementations would output the same binary sequences given the same source code. When to inline vs call, how registers are assigned, how flow structures such as while, for, and switch are implemented, all rely on the encapsulated expertise of the compiler’s author to generate code snippets, thus affecting the output code sequence.

    Now, are those differences large enough to obscure e.g. a hard-coded login backdoor routine? Unfortunately, there are not diverse Ken Thompson’s that one might poll to obtain a statistically valid answer to that question ;-)

    I’m an ongoing fan of your webpage musings; keep it up!

  2. January 26th, 2006 | 5:26 am

    Hi – I’m the author, thanks for your kind words! To the commentor: No, the technique doesn’t assume that two different compilers generate the same code. It assumes that the compiler that you have concerns about generates the same object code each time you give it the same source code (modulo timestamps and such). So if you don’t change “helloworld.c”, and you compile the file twice, it should produce the same object code. The compiler can even use a random number generator, as long as you can control the seed (gcc, for example, lets you do this–it has a command line flag for setting the seed). This requirement is true for most compilers; gcc even includes this as one of its built-in tests. See for more about that. Thanks!