Malicious compiler programs

What are Compiler Programs? 

In computing, a compiler program is a piece of software that translates (compiles) source code into a set of machine-language instructions that can be understood by a computer's CPU (Central Processing Unit). The term compiler was first coined by Grace Hopper, an American computer scientist, who designed one of the first compilers in the 1950s while working on the Harvard Mark 1 computer. 

Malicious Compilers 

In order for source code to be translated, it needs to be run through a compiler. Once this is done, you will get object code, which in a general sense is a sequence of instructions in a computer language. If you run clean source code through a good compiler, you will get clean object code. However, let's say that I program a trapdoor trojan into the source code, this then runs through the compiler and gets translated into dirty object code and then runs on a device. 

Ken Thompson, an American Computer scientist, had a rather ingenious idea about compilers and code. He decided that instead of writing malware into source code and then having the compiler translate it into object code, why not have the compiler insert the dirty code whilst it’s translating the clean code. The implication of something like this is quite profound. If you review codes, you’re likely to find trojan horses or viruses written into them. Code review is always the best way to search for such things, but if the virus or trojan is in the compiler, the chances of you being able to go in and review the code is incredibly low.   

Could my business be at risk? 

As previously stated, once a malicious compiler inserts dirty code whilst translating clean code, the chances of being able to identify it is very low. This means that malware could be running on your device without your knowledge and if you are unaware that something is amiss on your device the more likely greater damage will be done.  

For example:  

• Your data could be stolen or encrypted and by the time you realise, the hackers might demand ransom in exchange for your data 
• Viruses could run on your computer and before you find them, your files may be deleted and unable to be recovered 
• A compiler error is likely to occur if a compiler has a bug. This means the compiler can fail to translate source code into object code, thus crashing the compiler completely 

As a business, it’s always important to ask your software provider to sign a contract promising that the software they have produced does not contain malicious code. 

How can Securiwiser help? 

Securiwiser will monitor your education security twenty-four hours a day and identify any potential threats, such as viruses and trojans that you might be unaware of or unable to identify. With daily scans, Securiwiser will alert you to any cyber security threats or vulnerabilities to your business.