Reflections on Trusting Trust for Go
1. Turing Award Lecture (1984)
Given by: Ken Thompson
https://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf
2. Fully Countering Trust through Diverse Double Compiling (2009)
By: David A. Wheeler
http://www.dwheeler.com/trusting-trust/dissertation/wheeler-trusting-trust-ddc.pdf
GopherconSG (4 May 2018) By: Yeo Kheng Meng (yeokm1@gmail.com)
https://github.com/yeokm1/reflections-on-trusting-trust-go
[Diagram labels: Compiler, Binary, Code]
Why Reflections on Trusting Trust?
• Ken Thompson (left) and Dennis Ritchie
• 1983 Turing award for their work on Unix
• Thompson presented “Reflections on Trusting Trust” in his acceptance speech
The problem
• How do we know a program is safe?
• Inspect the program’s source code.
• But isn’t the program source code compiled by a compiler?
• Inspect the compiler’s source code, eg. Golang Compiler
• https://github.com/golang/go
• But isn’t the compiler compiled by another compiler?
• Self-hosting compilers compile themselves
• -> Eg. Go compiler compiles Go compiler
• So how? How deep do we go down the rabbit hole?
Real-life compiler attacks
• XcodeGhost (found Sept 2015)
• Malicious Xcode compiler hosted on Chinese websites
• Injects spyware into output binary
• Win32/Induc.A virus and its successors (found 2009)
• Infects Delphi compiler to inject malicious code into output binary
• Create a botnet
• Further infects other Delphi compilers
XcodeGhost image: https://nakedsecurity.sophos.com/2015/11/09/apples-xcodeghost-malware-still-in-the-machine/
Attack Objectives
1. Create a malicious compiler to target a program, e.g. a login program
2. Not leave a trace in compiler source
3. Subvert verification
Presentation Outline
1. Self-reproducing program (Quine)
2. Compiler knowledge propagation (Bootstrapping)
3. Attack on the login program
4. Initial Conclusion
5. Mitigation strategy?
Stage 1: Self-reproducing program (Quine)
A source program that when compiled and executed,
will produce as output an exact copy of its source.
Stage 2: Compiler knowledge propagation
• Pass knowledge down compiler iterations
My “clean” compiler
• “compiler.go”
1. Reads input source file
2. Prints source file contents to stdout
3. Passes source file to Golang compiler
Compiler Knowledge Propagation Summary
[Diagram labels: My Compiler Binary; My Compiler Source Code; Golang Compiler; Hello World Source Code; Hello World Binary; Hello World (Fetch) Source Code; Compiler source that compiles “fetch”; Compiler can compile fetch; Compiler source that uses “fetch”; Latest compiler; Hello World (Fetch) Binary 1; Hello World (Fetch) Binary 2]
What have we learned so far?
• A program can output another program, even itself.
• Compiler bootstrapping
Stage 3: Adding an undetectable backdoor to a login program
Adding backdoor to login program
[Diagram labels: Malicious Compiler binary; Malicious Compiler Source Code; Golang Compiler; Clean Compiler Source Code; Login Source Code; Malicious Login Binary 1; Still Malicious compiler; Malicious Login Binary 2]
Verifying the compiler binary
• Expected SHA-256 of Go 1.10.1 darwin/amd64 compiler
• 53b31f87d27bfa88c90789654c9dbec8297a6b157f61076037a85bf0c2687b1d
Stage 4: Subverting verification
• Can we prevent the user from detecting the bugged compiler?
Hacking the SHA256 Program
Thompson’s conclusion
• “You can’t trust code that you did not totally create yourself”
• “No amount of source-level verification or scrutiny will protect you from using untrusted code.”
• “We can go lower to avoid detection like assembler, loader or microcode”
• -> You always have to trust somebody
Possible defence?
“Fully Countering Trusting Trust through Diverse Double-Compiling (DDC) -
Countering Trojan Horse attacks on Compilers”
2009 PhD dissertation by David A. Wheeler
George Mason University
http://www.dwheeler.com/trusting-trust/dissertation/wheeler-trusting-trust-ddc.pdf
Diverse Double Compiling (DDC)
• Objective
• To detect the trusting-trust attack of a malicious C Compiler
• Requirements
• Use another compiler in the verification process
• Source code of compiler under test needs to be available
DDC Process
• Assume we have GCC and Tiny C (TCC) compilers
• We suspect GCC is malicious and want to test it
• Compiler-under-test : GCC
• Independent-compiler: TCC
• Independent-compiler can be:
• Small: just enough code to compile compiler-under-test
• Generate inefficient code
DDC Process
[Diagram labels: Source GCC; GCC; TCC; GCC (c. GCC); GCC (c. TCC); GCC (c. GCC, c. GCC); GCC (c. GCC, c. TCC); Self-regeneration test (Control); Should be identical]
Compiler-under-test: GCC
Independent-compiler: TCC
Why does DDC work?
• TCC can be malicious, but it is unlikely to be malicious in a way that affects GCC
• An attacker must compromise both GCC and TCC so that each hacks the other
• Easier to review smaller verifying-compiler source code and binary
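A toy Go model of the DDC check described above, added here as an illustration and not taken from the talk or from Wheeler's dissertation. The names `Binary`, `Compile`, `Digest` and `DDC` are hypothetical, and the model assumes a binary's bytes depend only on the source its compiler was built from and the source being compiled.

```go
package main

import (
	"crypto/sha256"
	"fmt"
)

// Binary is a constructed stand-in for a compiler executable, not real toolchain output.
type Binary struct {
	Implements string // source this binary was built from
	Codegen    string // code generator that emitted its bytes
	Trojan     bool   // hidden self-propagating payload present
}

const gccSrc = "gcc-src" // reviewed source of the compiler-under-test (placeholder name)

// Compile models running compiler c on src. The output bytes depend on c's
// code generator and on src; a trojaned c re-inserts its payload whenever it
// compiles the compiler source, as in the "Still Malicious compiler" slide.
func Compile(c Binary, src string) Binary {
	return Binary{Implements: src, Codegen: c.Implements, Trojan: c.Trojan && src == gccSrc}
}

// Digest hashes the modelled bytes of a binary.
func Digest(b Binary) string {
	return fmt.Sprintf("%x", sha256.Sum256([]byte(fmt.Sprintf("%+v", b))))
}

// DDC reports whether the suspect's self-regenerated binary is bit-identical
// to the one built through the independent compiler.
func DDC(suspect, independent Binary) bool {
	control := Compile(Compile(suspect, gccSrc), gccSrc)   // GCC (c. GCC, c. GCC)
	stage2 := Compile(Compile(independent, gccSrc), gccSrc) // GCC (c. GCC, c. TCC)
	return Digest(control) == Digest(stage2)
}

func main() {
	tcc := Binary{Implements: "tcc-src", Codegen: "vendor"}
	tccBad := Binary{Implements: "tcc-src", Codegen: "vendor", Trojan: true}
	clean := Binary{Implements: gccSrc, Codegen: gccSrc}
	bad := Binary{Implements: gccSrc, Codegen: gccSrc, Trojan: true}

	fmt.Println("clean GCC, clean TCC  -> identical:", DDC(clean, tcc))
	fmt.Println("trojan GCC, clean TCC -> identical:", DDC(bad, tcc))
	// Limitation from the slide: if both compilers carry the same payload,
	// the two results match again and the check says nothing.
	fmt.Println("trojan GCC, trojan TCC -> identical:", DDC(bad, tccBad))
}
```

A mismatch means the suspect binary does not correspond to its published source; a match is only as trustworthy as the independence of the second compiler.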
DDC Scaling
[Diagram labels: Source GCC; GCC; TCC; Intel; GCC (c. GCC); GCC (c. TCC); GCC (c. Intel); GCC (c. GCC, c. GCC); GCC (c. GCC, c. TCC); GCC (c. GCC, c. Intel); Self-regeneration test (Control); Should be identical]
Compiler-under-test: GCC
Independent-compilers: TCC, Intel
• Hacker must compromise GCC, TCC and Intel to hack all other compilers to be successful
• O(n²) problem for hackers, O(n) for defenders
But there are only 3 Go Compilers…
1. Google Go Toolchain (gc)
2. Gccgo
• GCC Frontend
• Written in C++
3. Llgo
• LLVM Frontend
Possible Solution?
History of Go compiler implementation
Released: 19 August 2015
https://golang.org/doc/go1.5#introduction
Go Compiler bootstrapping using Go 1.4
Released: 10 December 2014
https://golang.org/doc/install/source#go14
Possible Solution Summary
1. Rebuild Go 1.4 with any C Compiler
2. Build newer version of Go with Go 1.4
• (Malicious) C compiler unlikely to affect Go Compiler
[Diagram labels: C Compiler; Source Go 1.4; Go 1.4 (c. C Comp.); Source Go 1.10; Go 1.10 (c. Go 1.4)]
Do you still trust your compiler?
By: Yeo Kheng Meng (yeokm1@gmail.com)
https://github.com/yeokm1/reflections-of-trusting-trust-go
