Summary
Ken Thompson’s legendary 1984 Turing Award lecture demonstrating how a compiler could be backdoored to insert vulnerabilities into code it compiles - including into future versions of itself - leaving no trace in the source code.
The Attack
Thompson describes a three-stage attack:
- Modify the compiler to recognize when it’s compiling login and insert a backdoor
- Modify the compiler to recognize when it’s compiling itself and insert the backdoor-insertion code
- Remove all evidence from the source code
The result: A compiler whose source appears clean but produces compromised binaries forever.
Why This Matters
This paper fundamentally questions:
- Trust: Can we trust binary software without trusting the entire compilation chain?
- Verification: How do we verify something if the verification tools might be compromised?
- Supply Chain: The importance of trusted software supply chains
Modern Relevance
40 years later, this is more relevant than ever:
- SolarWinds supply chain attack
- npm/PyPI package compromises
- Hardware backdoors in chips
- AI training data poisoning
Thompson’s insight: “You can’t trust code that you did not totally create yourself.”
Technical Deep Dive
The elegance of the attack:
Defense Mechanisms
Modern mitigations include:
- Reproducible builds
- Diverse double-compiling (DDC)
- Hardware root of trust
- Formal verification
- Supply chain attestation
But perfect defense remains elusive.
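To make the three-stage attack above and the diverse double-compiling (DDC) defense concrete, here is an added toy simulation (not code from Thompson’s lecture or from any real compiler). A “binary” is modelled as a digest plus the hidden behaviour its bytes carry; the compiler sources, the string-prefix recognizer and the IMPLANT marker are all constructed assumptions. It shows why DDC needs a second compilation stage, why it assumes reproducible builds, and why it is blind when the “trusted” compiler shares the same implant.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Binary:
    """Toy executable: `digest` stands in for the machine code, `flavor` is the code-generation
    style this binary uses when it acts as a compiler (fixed by the source it was built from),
    and `implant` is hidden behaviour carried in the bytes alone, never visible in any source."""
    digest: str
    flavor: str
    implant: bool

    def run_as_compiler(self, source: str) -> "Binary":
        return compile_source(source, self.flavor, self.implant)


def compile_source(source: str, parent_flavor: str, implant: bool) -> Binary:
    """Deterministic toy compiler: output depends on the parent compiler and the source.
    A subverted parent behaves normally on ordinary programs, but when the input looks like
    a compiler it emits different bytes that carry the implant forward (stage two above)."""
    looks_like_compiler = source.startswith("COMPILER")  # toy stand-in for the recognizer (assumption)
    carry = implant and looks_like_compiler
    payload = f"{parent_flavor}|{source}" + ("|IMPLANT" if carry else "")
    flavor = source.split(":")[0] if looks_like_compiler else "n/a"
    return Binary(hashlib.sha256(payload.encode()).hexdigest()[:16], flavor, carry)


def diverse_double_compile(suspect: Binary, suspect_src: str, trusted: Binary) -> bool:
    """Wheeler's DDC: build the suspect's source with an independent trusted compiler, rebuild
    with that result, and compare against the suspect rebuilding itself. Assumes reproducible
    (bit-identical) builds; without them the final comparison means nothing."""
    stage1 = trusted.run_as_compiler(suspect_src)       # bytes differ from suspect: different parent
    stage2 = stage1.run_as_compiler(suspect_src)        # parent is now the suspect's own source
    regenerated = suspect.run_as_compiler(suspect_src)  # the suspect rebuilding itself
    return stage2.digest == regenerated.digest


# Constructed sample inputs (toy source texts, not real compilers).
SUSPECT_SRC = "COMPILER-A: parse source, emit code"  # the clean, auditable source
TRUSTED_SRC = "COMPILER-T: an independent compiler"
TRUSTED = compile_source(TRUSTED_SRC, "bootstrap", implant=False)
HONEST = compile_source(SUSPECT_SRC, "COMPILER-A", implant=False)    # built by a clean parent
SUBVERTED = compile_source(SUSPECT_SRC, "COMPILER-A", implant=True)  # self-regenerated by a backdoored parent
TAINTED_TRUSTED = compile_source(TRUSTED_SRC, "bootstrap", implant=True)  # "trusted" compiler sharing the implant

if __name__ == "__main__":
    print("honest passes DDC:    ", diverse_double_compile(HONEST, SUSPECT_SRC, TRUSTED))     # True
    print("subverted passes DDC: ", diverse_double_compile(SUBVERTED, SUSPECT_SRC, TRUSTED))  # False
    # Caveat: DDC is only as strong as the trusted compiler's independence from the suspect.
    print("shared implant passes:", diverse_double_compile(SUBVERTED, SUSPECT_SRC, TAINTED_TRUSTED))  # True
```

The last line is the point of the word “diverse”: the check only catches the implant when the trusted compiler has a genuinely separate lineage from the one under test.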
My Reflection
This paper shaped my understanding of security. It’s not enough to audit source code - you must trust the entire toolchain. Every layer adds trust dependencies.
In the age of AI-generated code and complex build systems, Thompson’s warning is more prescient than ever. We’re compiling code with tools we didn’t build, on systems we don’t control, for execution in environments we can’t fully verify.
“The moral is obvious. You can’t trust code that you did not totally create yourself. (Especially code from companies that employ people like me.)” - Ken Thompson
Archive Status
- ✅ Multiple PDF backups
- ✅ Archived on Wayback Machine
- ✅ Cited in ACM Digital Library
- ✅ Preserved in academic repositories
Essential Quotes
“The compiler could be modified to insert the Trojan horse in login whenever it was compiled.”
“The moral is obvious. You can’t trust code that you did not totally create yourself.”
“No amount of source-level verification or scrutiny will protect you from using untrusted code.”
Related Reading
Why I’m Archiving This: This paper is foundational to computer security. It must be preserved and shared with every new generation of developers. The PDF is mirrored multiple times to ensure it remains accessible.