Reflections on Trusting Trust
Ken Thompson
SIGCOM v27 n8 1984
(Summary by Michel Roserens)


Introduction
------------

This paper was written for the Turing Award Lecture '84. Thompson discusses to what extent a program can be trusted and how easy it is to introduce Trojan horses into software. From this kind of weakness in computer systems emerges the need for new laws and new social rules.


C compiler with Trojan horse
----------------------------

Ken Thompson describes an attack on computer systems at the level of the C compiler. He decomposes the attack into three stages:

Stage I:
In this stage we build a C program that is able to reproduce itself, which means that the output produced by running the compiled code is equal to the source code.
The solution is to build a program that outputs each character of a given string S in a given format[1] and then also outputs the string as a whole. The fact that this can be done with a limited number of operations solves the problem. We set the given string equal to the program text without the contents of the string S itself.

Stage II:
Here he points out that the C compiler is built on top of a previous version of the same C compiler, just as computer scientists in general build and extend their systems on top of other systems. This may have serious consequences. Imagine a C compiler that contains a bug or, in the evil case, a Trojan horse: all the compilers built on top of it are defective as well.

Stage III:
We can enable a compiler to recognize the source code of the UNIX 'login' program and extend it with an evil feature. This feature would recognize a given password as the correct one for every account. With the feature we would be able to log in to every machine that uses a login command compiled with our C compiler.

Combining these three stages, we can build a powerful attack. Imagine that our C compiler, whenever it recompiles itself, introduces some malicious features into the source before compilation (Stage I, Stage III). This attack is invisible to the developer: it is a Trojan horse (Stage II).
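
The Stage I construction as a worked C example, added here and not taken from Thompson's paper or from this summary: `emit` does what the self-reproducing program does when run, `decode` stands in for the compiler reading the array back, and `reproduces` checks that the output equals the source. The names `TAIL`, `emit`, `decode`, `quine` and `reproduces` and the program tail itself are constructed for illustration, and the array holds decimal character codes rather than the quoted characters shown in note [1].

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed program tail: closes the array ("0" and "};"), then prints. */
static const char TAIL[] =
    "\t0\n};\n#include <stdio.h>\nint main(void)\n{\n\tint i;\n"
    "\tprintf(\"char s[] = {\\n\");\n"
    "\tfor (i = 0; s[i]; i++)\n\t\tprintf(\"\\t%d,\\n\", s[i]);\n"
    "\tprintf(\"%s\", s);\n\treturn 0;\n}\n";

/* The program's run-time behaviour: print s element by element, then whole. */
size_t emit(const char *s, char *out, size_t cap)
{
    size_t n = (size_t)snprintf(out, cap, "char s[] = {\n");
    for (size_t i = 0; s[i] && n < cap; i++)
        n += (size_t)snprintf(out + n, cap - n, "\t%d,\n", s[i]);
    if (n < cap)
        n += (size_t)snprintf(out + n, cap - n, "%s", s);
    return n; /* length needed; >= cap means the buffer was too small */
}

/* The compiler's view of the array: listed values back into s (cap >= 1). */
void decode(const char *src, char *s, size_t cap)
{
    const char *p = strchr(src, '{');
    char *end = NULL;
    size_t n = 0;
    for (; p && n + 1 < cap; p = end) {
        long v = strtol(p + 1, &end, 10);
        if (v == 0) break; /* terminating 0, or no number found */
        s[n++] = (char)v;
    }
    s[n] = '\0';
}

/* Full source of the self-reproducing program, built from TAIL. */
static char PROG[16384];
const char *quine(void) { emit(TAIL, PROG, sizeof PROG); return PROG; }

/* Simulated compile-and-run: returns 1 when the output equals the source. */
int reproduces(const char *src)
{
    static char s[2048], out[16384];
    decode(src, s, sizeof s);
    return emit(s, out, sizeof out) < sizeof out && strcmp(src, out) == 0;
}
int main(void) { fputs(quine(), stdout); return 0; }
```

Running the block prints the self-reproducing source; compiling and running that output prints the same text again.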


Moral
-----

The moral is that you can't trust something you didn't create totally yourself. Since you can't create a complete system by yourself, you have to trust. He alludes to the case where the microcode of a processor has been modified. Since this is almost impossible to detect, trust is forced. Or as he writes in the title, "Perhaps it is more important to trust the people who wrote the software".

From experience we know that the bigger a company is, the easier it is to break its security. This explains why big companies try to enforce a strict criminal code for hackers. On the other side we have the movie industry, which makes hacking a 'cool' thing and turns hackers into geniuses. This discrepancy in our society needs to be resolved. Kids are doing illegal things without realizing it.

I will finish with his last sentence:
"The press must learn that misguided use of a computer is no more amazing than drunk driving of an automobile."



Notes:
------
[1]:
/* the string S, written out one character per element */
char S[] = {
    'T',
    'o',
    't',
    'o',
    '.',
    '.'
};