On Wednesday 14 December 2005 16:40, David A. Wheeler wrote:
> I've written a paper on an approach to counter this attack. See:
> "Countering Trusting Trust through Diverse Double-Compiling"
> http://www.acsa-admin.org/2005/abstracts/47.html

Thanks for sharing it here, David.

> Here's the abstract:
> "... Simply recompile the purported source code twice: once with a second
> (trusted) compiler, and again using the result of the first compilation.
> If the result is bit-for-bit identical with the untrusted
> binary, then the source code accurately represents the binary. ..."

This reminded me of an old class of PC viruses (circa 1992) that evaded detection by file scanners by hooking the MS-DOS file read interrupt and returning the original, uninfected version of infected files whenever a program opened up an infected file for reading. It tricked a lot of file scanners at the time. If I'm not mistaken, it was the DIR-II family of viruses.

I'm sure that you've taken that sort of evasive action into account, but I thought that I'd mention it here for the SC-L folks. Heck, by today's rather loose definitions of what a rootkit is, perhaps the DIR-II family was the first malware to feature rootkit-like stealth techniques.

Cheers,

Ken van Wyk
--
KRvW Associates, LLC
http://www.KRvW.com