DDC: how to detect invisible attacks in compilers

4/23/2025 · 1 min · Cybersecurity

David A. Wheeler introduced Diverse Double-Compiling (DDC) to address a critical software security issue: the Trusting Trust compiler attack.

The problem: Trusting Trust

As Ken Thompson described in his 1984 Turing Award lecture "Reflections on Trusting Trust", a compromised compiler can inject a backdoor into the programs it compiles (his example was the login program) and, worse, can recognise when it is compiling its own source and re-insert the injection logic into the new compiler binary. The malicious code then lives only in the executable and survives every rebuild, while the compiler's source code remains clean.

That creates a dangerous gap: compromised binaries with no source-level evidence, and no way to close the gap by auditing or even recompiling the source with the compiler you already have.

The fix: DDC (diverse double-compiling)

DDC checks whether a compiler executable truly corresponds to its source code, relying only on the trust placed in a second, independent compiler. That second compiler does not need to be built from the same code base or produce the same bits; it only needs to compile the language correctly.

High-level flow:

  1. Compile compiler A's source with compiler A, producing X.
  2. Compile the same source with a trusted and diverse compiler B, producing Y.
  3. Recompile the same source using Y, producing Z.
  4. Compare X and Z bit by bit.

If X == Z, the build path is consistent: whatever A's binary does, it produces the same compiler from the source as a path that never ran A's binary. If not, either hidden tampering is present or the build is not deterministic. Two preconditions make the comparison meaningful: compiler A must be able to reproduce itself (X must also be identical to the A binary you were given), and every path must use the same source, flags and environment, since embedded timestamps, build paths or random seeds produce mismatches that have nothing to do with an attack.
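The following toy model, added here as an illustration and not part of the original post or of Wheeler's work, shows both halves of the story end to end: a Thompson-style self-propagating payload that survives a self-rebuild and silently backdoors a login program, and a DDC check that catches it. Everything in it is constructed for the demo: "binaries" are Python source strings, "executing" one means exec()-ing it, compiler A is a one-rule compiler that emits its input behind a header line, the trusted compiler B is a second, deliberately different implementation, and the payload is a quine-style wrapper that re-injects itself whenever it sees compiler source.

```python
"""Toy model of the Trusting Trust attack and the DDC check (constructed demo)."""
import hashlib

# Source of compiler A (constructed): a one-rule compiler that emits the
# program unchanged behind a header line. This source is clean.
COMPILER_A_SOURCE = (
    'def compile(src):\n'
    '    return "# hello-cc\\n" + src\n'
)

# Trusted, diverse compiler B (constructed): written independently, so its
# output format differs from A's, but it compiles A's source correctly.
TRUSTED_B_BINARY = (
    'def compile(src):\n'
    '    return "# other-cc\\n" + src\n'
)

# A program the attacker wants to subvert (constructed).
LOGIN_SOURCE = 'def check_password(pw):\n    return pw == "s3cret"\n'

# Thompson's payload: a quine-style wrapper around compile() that re-injects
# itself whenever it sees compiler source and plants a flag in the login code.
PAYLOAD_TEMPLATE = (
    "\n_T = %r\n"
    "_PAYLOAD = _T %% _T\n"
    "_honest = compile\n"
    "def compile(src):\n"
    "    out = _honest(src)\n"
    "    if 'def compile(' in src:\n"
    "        out += _PAYLOAD\n"
    "    if 'check_password' in src:\n"
    "        out += '\\nBACKDOOR = True\\n'\n"
    "    return out\n"
)
PAYLOAD = PAYLOAD_TEMPLATE % PAYLOAD_TEMPLATE


def run(binary):
    """'Execute' a binary: exec it and return the resulting namespace."""
    ns = {}
    exec(binary, ns)
    return ns


def compile_with(compiler_binary, source):
    """Run a compiler binary on some source and return the output binary."""
    return run(compiler_binary)["compile"](source)


def sha256(text):
    return hashlib.sha256(text.encode()).hexdigest()


def ddc(suspect_binary, trusted_binary, compiler_source):
    """Diverse double-compiling. Returns (match, hash_of_x, hash_of_z)."""
    x = compile_with(suspect_binary, compiler_source)   # self-rebuild with A
    y = compile_with(trusted_binary, compiler_source)   # stage 1: B builds A
    z = compile_with(y, compiler_source)                # stage 2: Y builds A
    return x == z, sha256(x), sha256(z)


def clean_compiler_a():
    """An honest binary of compiler A, bootstrapped through the trusted compiler."""
    stage1 = compile_with(TRUSTED_B_BINARY, COMPILER_A_SOURCE)
    return compile_with(stage1, COMPILER_A_SOURCE)


def backdoored_compiler_a():
    """The same binary after the attacker appended the self-propagating payload."""
    return clean_compiler_a() + PAYLOAD


def self_rebuild_matches(compiler_binary):
    """The naive check: does the compiler reproduce itself from its own source?"""
    return compile_with(compiler_binary, COMPILER_A_SOURCE) == compiler_binary


def login_is_backdoored(compiler_binary):
    """Compile the login program and see whether the planted flag is present."""
    return run(compile_with(compiler_binary, LOGIN_SOURCE)).get("BACKDOOR", False)


if __name__ == "__main__":
    for name, binary in (("clean", clean_compiler_a()),
                         ("backdoored", backdoored_compiler_a())):
        ok, hx, hz = ddc(binary, TRUSTED_B_BINARY, COMPILER_A_SOURCE)
        print(f"{name}: self-rebuild reproduces itself={self_rebuild_matches(binary)} "
              f"login backdoored={login_is_backdoored(binary)} DDC match={ok}")
```

The point to notice is that the backdoored compiler passes the self-rebuild check: compiling its own clean source with itself reproduces the infected binary bit for bit, exactly as Thompson predicted. Only the path through B, which never executes A's binary, produces a Z that differs from X.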

Practical Bash validation script

#!/bin/bash
# Simple DDC verification: self-rebuild with the suspect compiler, rebuild
# through a trusted and diverse compiler, recompile with that result, compare.
set -euo pipefail

SOURCE="compiler_A.c"            # source of compiler A
SUSPECT_COMPILER="./gcc-bad"     # compiler A binary under suspicion
TRUSTED_COMPILER="./trusted-cc"  # independent compiler B (placeholder path)
CFLAGS="-O2"                     # identical flags on every path

hash_of() { sha256sum "$1" | cut -d ' ' -f 1; }

echo "Starting DDC verification..."

# 1. Self-rebuild: compile A's source with the suspect compiler -> X
"$SUSPECT_COMPILER" $CFLAGS -o stage_x "$SOURCE"

# 2. Stage 1: compile the same source with the trusted compiler -> Y
"$TRUSTED_COMPILER" $CFLAGS -o stage_y "$SOURCE"

# 3. Stage 2: recompile the same source with Y -> Z
./stage_y $CFLAGS -o stage_z "$SOURCE"

# 4. Compare X and Z bit for bit
HASH_X=$(hash_of stage_x)
HASH_Z=$(hash_of stage_z)

if [ "$HASH_X" = "$HASH_Z" ]; then
  echo "SUCCESS: X and Z are identical ($HASH_X)."
else
  echo "ALERT: mismatch detected (X=$HASH_X, Z=$HASH_Z)."
  # Rule out non-determinism (timestamps, build paths) before calling it tampering.
  if command -v diffoscope >/dev/null 2>&1; then
    diffoscope stage_x stage_z || true
  else
    cmp -l stage_x stage_z | head || true
  fi
  exit 1
fi

DDC strengthens software supply chain trust by validating compilers through independent, diverse build paths. It raises attacker cost and improves verification reliability for critical systems.

This post is licensed under CC BY-NC.
