miniblog.

← Back to all posts
Nov 2, 2019 at 13:01
How do you prevent "trusting trust" attacks with malicious compilers? You don't need a trusted production-grade compiler. It's sufficient to have a really limited trusted compiler or even an untrusted compiler provided the triggers don't overlap.
Countering "Trusting Trust" - Schneier on Security
Way back in 1974, Paul Karger and Roger Schell discovered a devastating attack against computer systems. Ken Thompson described it in his classic 1984 speech, “Reflections on Trusting Trust.” Basically, an attacker changes a compiler binary to produce malicious versions of some programs, INCLUDING ITSELF. Once this is done, the attack perpetuates, essentially undetectably. Thompson demonstrated the attack in a devastating way: he subverted a compiler of an experimental victim, allowing Thompson to log in as root without using a password. The victim never noticed the attack, even when they disassembled the binaries—the compiler rigged the disassembler, too...

Related Posts

Dec 14, 2025 at 21:45
8
Co-Authored-By: An old Stack Overflow answer, blindly accepting the compiler's suggestions, and a linter.
Oct 5, 2025 at 20:23
2
I would have thought that invoking a C compiler would be a solved problem. Looking at Rust's cc crate there's a remarkable long tail of corner cases to fix. Exotic CPUs, microarchitectures, compiler differences, operating system differences, etc.
cc-rs/CHANGELOG.md at main · rust-lang/cc-rs
cc-rs/CHANGELOG.md at main · rust-lang/cc-rs
Rust library for build scripts to compile C/C++ code into a Rust library - rust-lang/cc-rs
Jan 15, 2025 at 08:19
Today I learnt that `cargo fix` won't fix code with compiler errors by default, but you can override this! $ cargo fix --broken-code --allow-dirty && cargo clippy --fix --allow-dirty This incantation does exactly what I wanted :)