Welcome, those interested in Diverse Double-Compiling (DDC)!
A number of people have recently been discussing or referring to my PhD work, “Fully Countering Trusting Trust through Diverse Double-Compiling (DDC)”, which counters Trojan Horse attacks on compilers. Last week’s discussion on reddit based on a short short slide show discussed it directly, for example. There have also been related discussions such as Tor’s work on creating deterministic builds.
For everyone who’s interested in DDC… welcome! I intentionally posted my dissertation, and a video about it, directly on the Internet with no paywall. That way, anyone who wants the information can immediately get it. Enjoy!
I even include enough background material so other people can independently repeat my experiments and verify my claims. I believe that if you cannot reproduce the results, it is not science… and a lot of computational research has stopped being a science. This is not a new observation; “Reproducible Research: Addressing the Need for Data and Code Sharing in Computational Science” by Victoria C. Stodden (Computing in Science & Engineering, 2010) summarizes a roundtable on this very problem. The roadtable found that “Progress in computational science is often hampered by researchers’ inability to independently reproduce or verify published results” and, along with a number of specific steps, “reproducibility must be embraced at the cultural level within the computational science community.” “Does computation threaten the scientific method (by Leslie Hatton and Adrian Giordani) and “The case for open computer programs” in Nature (by Darrel C. Ince, Leslie Hatton, and John Graham-Cumming) make similar points. For one of many examples, the paper “The Evolution from LIMMAT to NANOSAT” by Armin Biere (Technical Report #444, 15 April 2004) reported that they could not reproduce results because “From the publications alone, without access to the source code, various details were still unclear.” In the end they realized that “making source code… available is as important to the advancement of the field as publications”. I think we should not pay researchers, or their institutions, if they fail to provide the materials necessary to reproduce the work.
I do have a request, though. There is no patent on DDC, nor is there a legal requirement to report using it. Still, if you apply my approach, please let me know; I’d like to hear about it. Alternatively, if you are seriously trying to use DDC but are having some problems, let me know.
Again - enjoy!
path: /security | Current Weblog | permanent link to this entry