I implemented Ken Thompson’s Reflections on Trusting Trust (1984 Turing Award Lecture) compiler #backdoor for the GNU Compiler Collection (GCC). The backdoor maintains persistence by re-injecting itself to any new versions of the compiler built. The secondary payload modifies a test application by adding a backdoor password to allow authentication bypass:
I spent most time (around two hours) writing the generalized tooling that produces the final quine version of the malicious payload. Now that this is done, the actual code can be adjusted trivially to exploit more target code without any need to adjust the self-reproducing section of the code. This method of exploitation could be extended to target various binaries: SSH Server, Linux Kernel, Setuid binaries and similar. While itself written in C, the secondary payloads can target any programming languages supported by GCC.
It should be noted that GCC build checks for malicious compiler changes such as this. This check can – of course – also be bypassed. However, most serious projects have measures in place to avoid hacks of this nature.
David A. Wheeler: "Fully Countering Trusting Trust through Diverse Double-Compiling (DDC) - Countering Trojan Horse attacks on Compilers" https://dwheeler.com/trusting-trust/
@harrysintonen You mentioned: "However, most serious projects have measures in place to avoid hacks of this nature."
Do you have some examples of publicly available implementations of such measures?
(I'm researching what could be added to protect the Go compilers)
@harrysintonen Thanks for the links.
I'm looking into going further for compilers, especially self-hosted: if we assume that the compiler's repository is already backdoored (ex: like xz, adding/modifying a test file affects the final binary) for a few generations since being built from a more trusted toolchain that has multiple implementations (C compiler), how could we detect such backdoor in order to block it from being propagated to the next generation? #BootstrappableBuilds
@harrysintonen Cool! Another link: Karger and Schell, “Multics Security Evaluation: Vulnerability Analysis,” 1974.¹ That’s the “Unknown Air Force Document” Thompson borrowed the idea from!²
@ZTarantov I assumed as much, but I wrote my version from scratch before looking at it. The usability of the old code is questionable anyway as the code is very much tied to the way that old UNIX C compiler works. The original is also much more of a hack while my version is much cleaner. I developed it for gcc 13 on Debian unstable, but my injector should apply cleanly to gcc versions 3 to 14.