← Back to Topics

Trusting Trust Compilers

The cluster discusses Ken Thompson's 'Reflections on Trusting Trust' and the challenge of verifying compilers to prevent hidden backdoors, including solutions like Diverse Double-Compiling using multiple independent compilers.

➡️ Stable 0.5x Security
1,983
Comments
20
Years Active
5
Top Authors
#212
Topic ID

Activity Over Time

2007
2
2008
2
2009
7
2010
23
2011
20
2012
44
2013
129
2014
92
2015
128
2016
136
2017
164
2018
119
2019
142
2020
125
2021
184
2022
142
2023
170
2024
193
2025
144
2026
17

Top Contributors

nickpsecurity (67) dwheeler (19) dllthomas (18) kazinator (13) kibwen (11)

Keywords

JS ARM sandroid.org labs.com ldra.com cm.bell www.cs trust.html schneier.com LLVM compiler trusting compilers source code compile source code trust ken binary

Sample Comments

stefs Jul 23, 2018 View on HN

yes, but ken thompsons evil compiler theory states, that a trusted compiler is technically impossible (in the paranoid world of theoretical security where all compiler binaries are possibly tainted already) except if you write your own bootstrap compiler chain in machine code. still, all other running software (OS/drivers/the intel management engine) might be able to modify the binary in memory on the fly. the rabbit hole goes down to the hardware level.

M2Ys4U Dec 17, 2014 View on HN

Actually, you don't.You can use two different compilers that compile each other to prove that the compilation won't be tampered with.See https://www.schneier.com/blog/archives/2006/01/countering_tr...

falcolas Jul 11, 2017 View on HN

I'm curious: if we can solve the "trusting trust" problem - that is identifying compromised compilers, even if the other compiler is compromised - couldn't we potentially solve this problem in a similar way?

gengear Sep 27, 2022 View on HN

even if you compile yourself you can't be sure. [Reflections on Trusting Trust ](https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_Ref...)

DuskStar Oct 30, 2019 View on HN

"every time the NSA's compiler binary builds my code I get the same output" isn't really all that comforting. If you can't build the compiler (and/or build tool) how can you be sure that there isn't anything malicious in it? Trusting trust all over again

ChristianBundy Jul 23, 2018 View on HN

You need a compiler to compile anything, including a compiler, so if your compiler was tampered with then anything you compile can be tampered with as well.The only solution is be to download a binary compiler from someone you trust.

dllthomas May 20, 2017 View on HN

You don't understand the abstract correctly. It relies on having compilers from diverse sources, unlikely to share the same malicious modification. It does not rely on any of them being trusted.

jongraehl Sep 8, 2015 View on HN

You also have to trust the source code of the 'untrusted' compiler (that is, read it and make sure it doesn't directly contain any back door).

yencabulator Oct 11, 2023 View on HN

"Fully Countering Trusting Trust through Diverse Double-Compiling (DDC) - Countering Trojan Horse attacks on Compilers":https://dwheeler.com/trusting-trust/

magicalhippo Apr 26, 2022 View on HN

But it's similar to using a compiler, no?I almost never compile the compiler I use, so I'm implicitly trusting that the compiler actually spits out what I expect and not some kind of backdoor[1].[1]: https://dl.acm.org/doi/10.1145/358198.358210