Ken Thompson implements compiler backdoor demo

Thompson's "trusting trust" attack moved the backdoor out of the source file and into the compiler binary. The login program could look clean. The compiler that built it could still put the trap back.

The first trigger recognized source for login and emitted extra code that accepted a chosen password. The second trigger recognized source for the C compiler and emitted a new compiler that preserved both triggers. Recompilation did not cleanse the system. It reproduced the compromise.

The uncomfortable part is that every visible artifact can look reasonable. The login source is clean, the compiler source is clean after the bootstrap, and the compiler binary is the only place the knowledge survives. Verification has to reach below the text developers normally review.

The attack was an experiment, not a public distribution incident with known victims. Its force is in the model. Source review is not enough when the tool that reads the source is already hostile.

Modern build security keeps returning to this point. Bootstrapping, reproducible builds, signed provenance, and diverse double-compilation all answer the same old question: who compiled the compiler?

Motive

Experimentation Notoriety

Attribution

Maintainer

Cause

Sabotage

Transitive

Yes

Actor

Author

• cs.cmu.edu/~rdriley/487/papers/Thompson_1984_ReflectionsonTrustingTrust.pdfcs.cmu.edu
• niconiconi.neocities.org/posts/ken-thompson-really-did-launch-his-trusting-trust-trojan-attack-in-real-lifeniconiconi.neocities.org
• dl.acm.org/doi/10.1145/358198.358210dl.acm.org