Wheeler Trusting Trust Ddc

Date posted: 04-Dec-2015
Fully Countering Trusting Trust through Diverse Double-Compiling

A dissertation submitted in partial fulfillment of the requirements for the degree of Doctor of Philosophy at George Mason University

By

David A. Wheeler
Master of Science, George Mason University, 1994
Bachelor of Science, George Mason University, 1988

Co-Directors: Dr. Daniel A. Menascé and Dr. Ravi Sandhu, Professors
The Volgenau School of Information Technology & Engineering

Fall Semester 2009
George Mason University
Fairfax, VA

Copyright 2009 David A. Wheeler

You may use and redistribute this work under the Creative Commons Attribution-Share Alike (CC-BY-SA) 3.0 United States License.

You are free to Share (to copy, distribute, display, and perform the work) and to Remix (to make derivative works), under the following conditions:

(1) Attribution. You must attribute the work in the manner specified by the author or licensor (but not in any way that suggests that they endorse you or your use of the work).

(2) Share Alike. If you alter, transform, or build upon this work, you may distribute the resulting work only under the same, similar or a compatible license.

Alternatively, permission is also granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation.

As a third alternative, permission is also granted to copy, distribute and/or modify this document under the terms of the GNU General Public License (GPL) version 2 or any later version published by the Free Software Foundation.

All trademarks, service marks, logos, and company names mentioned in this work are the property of their respective owners.

Dedication

This is dedicated to my wife and children, who sacrificed many days so I could perform this work, to my extended family, and to the memory of my former mentors Dennis W. Fife and Donald Macleay, who always believed in me.

Soli Deo gloria (Glory to God alone).

Acknowledgments

I would like to thank my PhD committee members and former members Dr. Daniel A. Menascé, Dr. Ravi Sandhu, Dr. Paul Ammann, Dr. Jeff Offutt, Dr. Yutao Zhong, and Dr. David Rine, for their helpful comments.

The Institute for Defense Analyses (IDA) provided a great deal of help. Dr. Roger Mason and the Honorable Priscilla Guthrie, former directors of IDA's Information Technology and Systems Division (ITSD), partly supported this work through IDA's Central Research Program. Dr. Margaret E. Myers, current IDA ITSD director, approved its final release. I am very grateful to my IDA co-workers (alphabetically by last name) Dr. Brian Cohen, Aaron Hatcher, Dr. Dale Lichtblau, Dr. Reg Meeson, Dr. Clyde Moseberry, Dr. Clyde Roby, Dr. Ed Schneider, Dr. Marty Stytz, and Dr. Andy Trice, who had many helpful comments on this dissertation and/or the previous ACSAC paper. Reg Meeson in particular spent many hours carefully reviewing the proofs and related materials, and Clyde Roby carefully reviewed the whole dissertation; I thank them both. Aaron Hatcher was immensely helpful in working to scale the Diverse Double-Compiling (DDC) technique up to a real-world application using GCC. In particular, Aaron helped implement many applications of DDC that we thought should have worked with GCC, but didn't, and then helped to determine why they didn't work. These "Edison successes" (which successfully found out what did not work) were important in helping to lead to a working application of DDC to GCC.

Many others also helped create this work. The work of Dr. Paul A. Karger, Dr. Roger R. Schell, and Ken Thompson made the world aware of a problem that needed solving; without knowing there was a problem, there would have been no work to solve it. Henry Spencer posted the first version of this idea that eventually led to this dissertation (though this dissertation expands on it far beyond the few sentences that he wrote). Henry Spencer, Eric S. Raymond, and the anonymous ACSAC reviewers provided helpful comments on the ACSAC paper. I received many helpful comments and other information after publication of the ACSAC paper, including comments from (alphabetically by last name) Bill Alexander, Dr. Steven M. Bellovin, Terry Bollinger, Ulf Dittmer, Jakub Jelinek, Dr. Paul A. Karger, Ben Laurie, Mike Lisanke, Thomas Lord, Bruce Schneier, Brian Snow, Ken Thompson, Dr. Larry Wagoner, and James Walden. Tawnia Wheeler proofread both the ACSAC paper and this document; thank you! My thanks to the many developers of the OpenDocument specification and the OpenOffice.org implementation, who made developing this document a joy.

Table of Contents

List of Tables ... viii
List of Figures ... ix
List of Abbreviations and Symbols ... x
Abstract ... xiv
1 Introduction ... 1
2 Background and related work ... 4
2.1 Initial revelation: Karger, Schell, and Thompson ... 4
2.2 Other work on corrupted compilers ... 6
2.3 Compiler bootstrap test ... 9
2.4 Analyzing software ... 10
2.4.1 Static analysis ... 11
2.4.2 Dynamic analysis ... 14
2.5 Diversity for security ... 16
2.6 Subversion of software is a real problem ... 17
2.7 Previous DDC paper ... 21
3 Description of threat ... 23
3.1 Attacker motivation ... 23
3.2 Triggers, payloads, and non-discovery ... 27
4 Informal description of Diverse Double-Compiling (DDC) ... 30
4.1 Terminology and notation ... 30
4.2 Informal description of DDC ... 32
4.3 Informal assumptions ... 35
4.4 DDC does not require that different compilers produce identical executables ... 37
4.5 Special case: Self-parenting compiler ... 38
4.6 Why not always use the trusted compiler? ... 40
4.7 Why is DDC different from N-version programming? ... 41
4.8 DDC works with randomly-corrupting compilers ... 43
5 Formal proof ... 44
5.1 Graphical model for formal proof ... 45
5.1.1 Types ... 46
5.1.2 DDC components ... 47
5.1.3 Claimed origin ... 48
5.2 Formal notation: First-Order Logic (FOL) ... 49
5.3 Proof step rationales (derivation rules or rules of inference) ... 51
5.4 Tools and rationale for confidence in the proofs ... 54
5.4.1 Early DDC proof efforts ... 54
5.4.2 Prover9, mace4, and ivy ... 54
5.4.3 Tool limitations ... 56
5.4.4 Proofs' conclusions follow from their assumptions ...
