If you’ve never read the classic Reflections on Trusting Trust, and you like the idea of being unsettled about the foundations of computing, go have a read. It’s amazing. It details the strange reality that we can’t truly trust most of the software we use today.
Over time, the ideas from that speech evolved into an important question for open-source software: do we know for sure that the programs we’re running correspond to the source code we have access to?
I’ll start off with a brief recap of the Trusting Trust attack. Say you’re trying to get backdoors into popular pieces of open-source software without being detected. Modifying their source code without being found is hard (although people have gotten close before). Modifying the release binaries is a decent way to get a point-in-time compromise, but a simple rebuild from source will both cure the problem and make it visible in binary diffs (assuming reproducible builds, which is another can of worms I’m not going to get into right now).
A more devious attack would be to insert malicious code into the compiler, to make it recognize that it’s compiling the target software and insert the backdoor there and then. Recompiling from source and source inspection wouldn’t help, because the backdoor gets inserted reliably on every compile.
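The rebuild-and-diff check from the recap above, as an added example (not code from the original post): it rebuilds nothing itself, but shows what the comparison looks like once you have a release artifact and a from-source rebuild side by side. The sample byte strings are constructed here to stand in for a clean rebuild and a tampered release binary; under reproducible builds the two should be byte-identical, and any difference is reported with its offset and a small hex window around it.

```python
import hashlib
from typing import Optional


def sha256_hex(data: bytes) -> str:
    """Digest used to summarise each artifact in the report."""
    return hashlib.sha256(data).hexdigest()


def first_difference(a: bytes, b: bytes) -> Optional[int]:
    """Offset of the first differing byte, or None if the two are identical.
    A length mismatch with a common prefix reports the end of the prefix."""
    n = min(len(a), len(b))
    for i in range(n):
        if a[i] != b[i]:
            return i
    return None if len(a) == len(b) else n


def compare_builds(release: bytes, rebuild: bytes, window: int = 8) -> dict:
    """Compare a shipped release artifact against an independent rebuild.

    Returns a dict a practitioner can log or assert on: whether the two
    match, both digests, and, on mismatch, where the first divergence is
    plus a hex window around it so the diff is visible in a report."""
    offset = first_difference(release, rebuild)
    result = {
        "match": offset is None,
        "release_sha256": sha256_hex(release),
        "rebuild_sha256": sha256_hex(rebuild),
        "first_diff_offset": offset,
    }
    if offset is not None:
        lo = max(0, offset - window)
        hi = offset + window
        result["release_window"] = release[lo:hi].hex()
        result["rebuild_window"] = rebuild[lo:hi].hex()
    return result


# Constructed sample artifacts (not real binaries): a fake ELF-like header
# followed by placeholder "instructions", and a copy with a 4-byte patch
# at offset 16 that turns the call into a no-op.
CLEAN_BUILD = b"\x7fELF" + bytes(12) + b"call check_auth\nret\n"
TAMPERED_RELEASE = CLEAN_BUILD[:16] + b"nop " + CLEAN_BUILD[20:]


if __name__ == "__main__":
    for name, release in (("clean", CLEAN_BUILD), ("tampered", TAMPERED_RELEASE)):
        report = compare_builds(release, CLEAN_BUILD)
        print(name, report)
```

Run against real files, the two inputs would be the downloaded release and the output of a fresh build; a clean result only proves the binary matches the source as compiled by your toolchain, which is exactly the gap the compiler-level attack in the next paragraph exploits.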