ACM Classic: Reflections on Trusting Trust


While reading through a mailing list today, I came across a collection of papers that touched on something that interests me. How can you make something trusted out of something you can't trust? As an example, how can you trust that precompiled compiler to not insert a backdoor into your code? I'm linking to the papers here for reference's sake, but some of you might find them interesting.

The first document is a lecture given by Ken Thompson on the occasion of winning the ACM's Turing Award.

"The moral is obvious. You can't trust code that you did not totally create yourself. (Especially code from companies that employ people like me.) No amount of source-level verification or scrutiny will protect you from using untrusted code. In demonstrating the possibility of this kind of attack, I picked on the C compiler. I could have picked on any program-handling program such as an assembler, a loader, or even hardware microcode. As the level of program gets lower, these bugs will be harder and harder to detect. A well installed microcode bug will be almost impossible to detect."

I've seen this lecture before, but Thompson acknowledges an "Unknown Air Force Document" as the source for his inspiration of a self-replicating trojan. Apparently at some point someone figured out which document it was.

Multics Security Evaluation: Vulnerability Analysis

Last year the original authors issued an update to the paper and compared the computer security posture back in 1974 with the situation today, and found that things have gotten worse.

Thirty Years Later: Lessons from the Multics Security Evaluation

About this Entry

This page contains a single entry by Administrator published on September 25, 2003 3:57 PM.
