Diverse Double-Compiling to Harden Cryptocurrency Software

University essay from KTH/Skolan för elektroteknik och datavetenskap (EECS)

Abstract: A trusting trust attack is a special case of a software supply-chain attack. The project in this report, named diverse double-compiling for cryptocurrency (DDC4CC), demonstrates and explains a defense for cryptocurrency software against trusting trust attacks. DDC4CC includes a case study that implements a trusting trust attack and the defense applied to a hypothetical theft of cryptocurrency on the Bitcoin blockchain. The motivation for such an attack is easy to understand: An adversary can acquire significant monetary funds by manipulating economic or decentralized financial systems. For a supply-chain attack in general, the outcome is potentially even more severe. An adversary can control entire organizations and even the systems belonging to the organization’s customers if the supply chain is compromised. Attacks are possible when targets are inherently vulnerable due to trust in their suppliers and trust in the supply chain, i.e., the hardware constructors and the software authors, the upstream development team, and the dependencies in the supply chain.
