The Old Joel on Software Forum: Part 4 (of 5) - Ken Thompson's "Reflections on Trusting Trust"

Ken Thompson's "Reflections on Trusting Trust"

I recently saw this: http://www.acm.org/classics/sep95/ article by Ken Thompson titled "Reflections on Trusting Trust" mentioned in the JoS forum.

Something about it has always bothered me.

First, Thompson talks about how he purposefully put a backdoor in Unix, a product he helped develop for AT&T. The backdoor could not be easily fixed and could not even be detected without great difficulty. Thompson teaches us an important lesson, that we can't trust code we ourselves haven't written. But then, at the end, he condemns hackers as vandals and thieves who need to be locked up.

How on earth is he any different from them?

He intentionally compromised thousands of computes and lied to his employer, the people who paid him money for his work. But because he didn't *actually* (that we know of) exploit the hole, that somehow makes what he did less morally wrong and less harmful than, say, Adrian Lamo "hacking" the New York Times website with nothing but a web browser?

The Iron-Fisted Hot Dog and Pretzel Baron of Futon County
Wednesday, May 12, 2004

Actions independent of motives are amoral. Right and Wrong is for intentions + actions. Not any one of them in isolation.

KayJay
Wednesday, May 12, 2004

Hmmmm. This is an almost urban myth.

In the text of the ACM lecture he talks about a possible trojan, he doesn't say he implemented it.

Elsewhere/elsewhen he admits he created it on a lab machine and that it was never distributed.

Although there have been rumours (and they only date after the 1984 lecture so far as I know), of someone once, twice, everyday logging in using this breach there's no provable event and anyway it was in a version of Unix so far away from what we have now as to be fairly useless.

Someone could implement such a trojan now and if it were distributed the only way you could detect it would be to compile the same compiler source on a known good compiler and compare the binary results.

In the case of Unix distributions discovering who inserted the double trojan would be reasonably easy.

Simon Lucy
Wednesday, May 12, 2004

Hmm... nowhwere does it say that the modifications made their way into the official Unix distributed to millions of computers. I suppose you could read it that way, but you could just as easily assume the changes were to a private copy of the C compiler.

A.T.
Wednesday, May 12, 2004

I also heard Thompson genetically reenginered his wife.
Tricky guy.

son of parnas
Wednesday, May 12, 2004

>Someone could implement such a trojan now and if it were >distributed the only way you could detect it would be to >compile the same compiler source on a known good >compiler and compare the binary results.

IIRC the trick was that not only did the complier know it was compiling the login function and insert a trapdoor but it also knew if it was compiling itself and inserted the trapdoor generator into the compiler it was creating.

It was a gedenken experiment to show that you couldn't trust code even if you had compiled it yourself even on a system you had compiled yourself.

Martin Beckett
Wednesday, May 12, 2004

"I also heard Thompson genetically reenginered his wife."

No way. If he could do that he'd be a billionaire. :)

Take my wife, please
Wednesday, May 12, 2004

Yes the phrase 'known good' is the operative one there. Quite how you know is another matter.

Simon Lucy
Wednesday, May 12, 2004

The usual way to avoid this problem is to choose some amazingly obscure vendor compiler--preferably one that is years out of date, and only runs on some weird Unix--and use it to compile a random version of GCC. Then cross-compile GCC for a more normal architecture, and proceed with the bootstrap from there.

If you're really paranoid, repeat the process a second time with a different vendor compiler. Then take the GCCs you built in the previous two steps, and use them to compile new GCCs. Then do a byte-by-byte comparison of the final results. If you don't get an exact match, build another set of GCCs, etc.

Sooner or later, your compilers should converge.

J. Random Hacker
Wednesday, May 12, 2004

That only works if Ken didn't put the backdoor in the source compiler that was used to compile all future compilers.

Under Bridge Dweller
Wednesday, May 12, 2004

A trojan in the ancestors of all compilers wouldn't work--the Reflections on Trusting Trust compiler would detect itself being compiled--not all compilers in general, right? So if you had the trojaned compiler compile a totally new compiler, then use the resulting compiler to compiler the original compiler, you're PROBABLY in the clear, unless Thompson could somehow have anticipated your compiler and made his compiler trojan that one too--which sounds hard, if not incomputable, to me.

orthodoxomon
Thursday, June 24, 2004