Diverse Double-Compiling (DDC) is a countermeasure to the covert compiler malware known as the trusting trust attack, which can hide itself inside self-hosting compilers. This thesis aims to explore and implement DDC for the Java compiler javac, and lays the groundwork for defending against this class of attacks in the Java ecosystem. DDC is designed and implemented for Java, and detailed investigations are made to ensure the design is correct. Additionally, the issue of a diverse set of grandparent compilers, necessary for accurate DDC results, is explored, and a bootstrapped Java compiler is employed to increase that diversity. DDC for Java is tested and verified with a proof-of-concept trusting trust attack; DDC is also used to verify the nonexistence of an attack in Temurin 21.0.5, an industry distribution of the Java Development Kit (JDK). The thesis finds that the DDC process it designs can feasibly and effectively detect trusting trust attacks, even in a production-grade build pipeline; it also finds that the checked Temurin release is not very likely to be hiding a trusting trust attack.
Eskil Nyberg
Elias Lundell
Nyberg et al. (Wed,) studied this question.