jump to navigation

Whom Should You Trust? April 13, 2015

Posted by melihbilen in Security.

In his inspiring article, “Reflections on Trusting Trust”, Ken Thompson reveals an inconvenient truth about our development system [1].  We always trust that our development tools are secure. What if, our compiler is trying to put some malicious code to our original source code? Think about it, a stranger changes a compiler binary to create affected versions of original program including itself. This attack is almost undetectable. Since, we are hundred percent sure, we write the code in correct way and we do not include any malicious code parts. We trust our compiler and boom. We just created harmful software without realizing it. Although, there is a way to detect whether our compiler affected or not, we should find a trustable compiler in order to be able to detect. Since we cannot be hundred percent sure than there is no way to understand. Nowadays, our compilers have gotten incredibly complex, this gives attacker more place to hide their malicious software. [3]

Attackers choose our trust as target. They place their code where we trust most. In his article, Tyler Shields says that “Most people would say that proper management of trust is one of the primary cornerstones of information security. Trust is a relative term and all trust relationships should be examined with a very critical eye. ” [4] Many organizations are working moral, ethics and trust. They try to determine characteristics of these issues. ACM is one of the organizations which work on this. They have published their code-of-ethics in 10/16/92[2]. We can list their general moral imperatives:

  1. Contribute to society and human well-being
  2. Avoid harm to others
  3. Be honest and trustworthy
  4. Be fair and take action not to discriminate
  5. Honor property rights including copyrights and patent
  6. Give proper credit for intellectual property
  7.  Respect the privacy of others
  8. Honor confidentiality

Ken Thompson gave us a specific example of how easy to hide a malicious code into other programs. Besides that, it is very complicated to detect that kind of attack. Therefore, we can only prevent this type of actions by raising new honest ages. ACM and other similar organizations play big role in this.



[1] http://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf

[2] http://www.acm.org/about/code-of-ethics

[3] https://www.schneier.com/blog/archives/2006/01/countering_trus.html

[4] http://www.veracode.com/blog/2009/08/trust-your-own-code-trust-your-own-compiler/




No comments yet — be the first.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: