Reflecting on 'Reflections on Trusting Trust'
31 October 2014

Back in 1984 Ken Thompson delivered his Turing Award lecture, entitled 'Reflections on Trusting Trust'. His speech described a very simple attack on compilers that became known as the 'trusting trust attack'. Thompson demonstrated how to introduce a backdoor into software compiled by a compromised compiler. Such an attack would have a profound effect on the integrity of all software compiled using the compromised compiler. The clever part of this attack is that once the corrupted compiler is used to compile itself, the backdoor functionality it injects becomes completely undetectable, even by analysing the source code of the compiler. David A. Wheeler's 2005 ACSAC paper presented a method to counter the trusting trust attack on compilers that Thompson described. Wheeler described the method of Diverse Double-Compiling (DDC), which appears to counter Thompson's trojan horse attack on compilers.

Thompson's concept and Wheeler's method of countering the attack have been widely commented on. Bruce Schneier succinctly discussed this attack and its countermeasure on his blog in 2006. Neither the attack nor its countermeasures will be discussed further here; however, the references provided for Thompson, Wheeler and Schneier on this topic are highly recommended reading. What will be discussed is the key point Thompson was making.

Unfortunately, there appears to have been more discussion of, and focus on, the compiler attack that Thompson described than the actual point he was articulating. His point was, in his own words:

“The moral is obvious. You can't trust code that you did not totally create yourself. (Especially code from companies that employ people like me.) No amount of source-level verification or scrutiny will protect you from using untrusted code. In demonstrating the possibility of this kind of attack, I picked on the C compiler. I could have picked on any program-handling program such as an assembler, a loader, or even hardware microcode. As the level of program gets lower, these bugs will be harder and harder to detect. A well installed microcode bug will be almost impossible to detect.”

Thompson delivered his speech to highlight the issue of trusting code back in 1984. However, the impact of trusting trust has never been as relevant or important as it is today. This is because the software development landscape is significantly different today in 2014 than it was in 1985. Many individual programmers developed homebrew software back in 1984. Many of us will have consumed shareware and homebrew applications for personal use. Back in 1984, software and applications purchased and used by large businesses and commercial enterprises would typically have been developed by one of the large corporate software houses of the time, or in-house. Times have changed, and software developed by bedroom startups or collaboratively within technology hubs is now being procured and deployed within large enterprises.

Browsing the websites of some start-up social and digital marketing tool and service vendors indicates that many global enterprises are deploying their products. This trend is not without its risks. Historically, the versions of mainstream tools and utilities used within large enterprises would be several versions behind the latest version. The primary reason for this was to ensure that the latest version of a particular tool was secure and would not cause any incompatibility issues or break a build.

Enterprises appear to be overlooking or bypassing robust software assurance processes and procedures before deployment of digital marketing or collaboration tools and services. This is evident in the weak security or attention to data protection provided in some of the digital tools and services some high profile organisations are using. Deploying software and applications developed by start-ups presents significantly higher risks than deploying software produced by experienced and established vendors. There is no reason not to consider 'first to market' applications from start-up vendors but, as with all software, they must be subject to robust internal software testing and assurance procedures. Trojaned software tools or applications will have a significantly greater impact today than they would have had in the 1980s or 90s. The internet and global connectivity make this attack a much greater threat today. A backdoor, either intentional or unintentional, can have devastating and costly consequences for a business, yet there appears to be a trend across enterprises to procure and deploy software from venture capital funded bedroom startups emerging from technology hubs.

Thompson's essay is probably more fitting today than it was when it was written. Society and businesses are more connected and cyber crime is growing at a phenomenal rate. Businesses should think carefully before deploying immature digital tools and services just because they see the competition using them. This type of decision making, doing something just because the competition is doing it, was fundamental to the recent banking crisis. Not deploying some new immature digital marketing software may actually give a business the competitive advantage in the near future, when backdoors and critical security issues due to 'trusting trust' are inevitably exposed.

The moral of this article is that you still cannot trust any software. More notably, proceed with extreme caution with software or services that have been rapidly brought to market from bedroom to enterprise. When you hear a vendor substantiate the security of their product by saying, “Ten Fortune 500 companies are using it, so it must be secure”, or, “it's only a tag added to your web pages”, think carefully because it could be one of the most costly decisions your company will make.

References

“Reflections on Trusting Trust”, Ken Thompson, Communications of the ACM, Vol. 27, No. 8, August 1984, pp. 761-763.

“Fully Countering Trusting Trust through Diverse Double-Compiling”, David A. Wheeler, Author's Ph.D. thesis at George Mason University, 2009

“Countering Trusting Trust”, Bruce Schneier, Schneier on Security, 2006

varlogsecurity blog
The place where I share my personal opinion and observations on the world of IT security.
