[SC-L] Countering Trusting Trust through Diverse Double-Compiling
Kenneth R. van Wyk
Ken at krvw.com
Wed Dec 14 19:41:46 EST 2005
On Wednesday 14 December 2005 16:40, David A. Wheeler wrote:
> I've written a paper on an approach to counter this attack. See:
> "Countering Trusting Trust through Diverse Double-Compiling"
> http://www.acsa-admin.org/2005/abstracts/47.html
Thanks for sharing it here, David.
> Here's the abstract:
> "... Simply recompile the purported source code twice: once with a second
> (trusted) compiler, and again using the result of the first compilation.
> If the result is bit-for-bit identical with the untrusted
> binary, then the source code accurately represents the binary. ..."
This reminded me of an old class of PC viruses (circa 1992) that evaded
detection by file scanners by hooking the MS-DOS file read interrupt and
returning the original, uninfected version of infected files whenever a
program opened up an infected file for reading. It tricked a lot of file
scanners at the time. If I'm not mistaken, it was the DIR-II family of
viruses. I'm sure that you've taken that sort of evasive action into
account, but I thought that I'd mention it here for the SC-L folks.
Heck, by today's rather loose definitions of what a rootkit is, perhaps the
DIR-II family was the first malware to feature rootkit-like stealth
techniques.
Cheers,
Ken van Wyk
--
KRvW Associates, LLC
http://www.KRvW.com
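The two-step recompilation described in the quoted abstract, as an added toy simulation that is not code from the paper or from either poster. Compilers and executables are modelled as small value objects so the bit-for-bit comparison can be reproduced offline: the class names, the feature labels ("compile-c", "trojan", "trusted-impl") and the sample compilers are all constructed for this example. The model also shows why simply rebuilding the compiler with itself does not expose a Thompson-style trojan, which is the gap DDC closes.

```python
"""Toy model of Diverse Double-Compiling (DDC).

An executable is modelled by two things: what it does (`behaviour`, which
comes from the source it was built from) and how its code was laid out
(`codegen`, a fingerprint of the compiler that emitted it). Compiling is
deterministic, which is the assumption DDC relies on.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Source:
    name: str
    behaviour: frozenset  # feature labels implemented by the source (constructed)


@dataclass(frozen=True)
class Binary:
    behaviour: frozenset  # what the executable actually does
    codegen: frozenset    # fingerprint of the compiler that produced it


def compile_with(src: Source, compiler: Binary) -> Binary:
    """Model of running `compiler` on `src`.

    Behaviour comes from the source; layout comes from the compiler's own
    behaviour. A trojaned compiler additionally re-inserts the trojan
    whenever it recognises the compiler's own source (the "trusting trust"
    self-propagation step).
    """
    behaviour = src.behaviour
    if "trojan" in compiler.behaviour and src.name == "cc.c":
        behaviour = behaviour | {"trojan"}
    return Binary(behaviour=behaviour, codegen=compiler.behaviour)


def self_rebuild_matches(src: Source, untrusted: Binary) -> bool:
    """Naive check: rebuild the compiler with itself and compare.

    Returns True even for a trojaned compiler, because the trojan
    re-inserts itself, so this check detects nothing.
    """
    return compile_with(src, untrusted) == untrusted


def diverse_double_compile(src: Source, trusted: Binary, untrusted: Binary) -> bool:
    """DDC as in the abstract: compile the purported source with a second
    (trusted) compiler, then compile the source again with that result,
    and compare the final binary bit-for-bit with the untrusted one.

    stage1 has the source's behaviour but the trusted compiler's layout;
    stage2 has the source's behaviour and the source's own layout, which is
    exactly what an honest self-hosted build of `src` would produce.
    """
    stage1 = compile_with(src, trusted)
    stage2 = compile_with(src, stage1)
    return stage2 == untrusted


# Constructed sample data: one compiler source, one independent trusted
# compiler, and two candidate binaries claiming to be built from cc.c.
CC_SRC = Source("cc.c", frozenset({"compile-c"}))
TRUSTED = Binary(frozenset({"compile-c", "trusted-impl"}), frozenset({"bootstrap"}))
HONEST_CC = Binary(CC_SRC.behaviour, CC_SRC.behaviour)
TROJANED_CC = Binary(CC_SRC.behaviour | {"trojan"}, CC_SRC.behaviour | {"trojan"})


if __name__ == "__main__":
    for label, candidate in (("honest", HONEST_CC), ("trojaned", TROJANED_CC)):
        print(f"{label}: self-rebuild matches = {self_rebuild_matches(CC_SRC, candidate)}, "
              f"DDC matches = {diverse_double_compile(CC_SRC, TRUSTED, candidate)}")
```

The model deliberately keeps the compilers deterministic; with a real toolchain the same requirement applies (no embedded timestamps or random section ordering), or stage2 and the untrusted binary will differ for innocent reasons. It also assumes the machine running `diverse_double_compile` reads the true bytes of the untrusted binary. A compromised host that hooks file reads, in the way the DIR-II viruses mentioned above did, would hand the checker a clean-looking copy, so the comparison belongs on a separately trusted system rather than on the host under suspicion.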