I think an important part that feels like it was skimmed over was the last part of his paper where he's arguing that you can't just make every bad thing that happens to computer code a crime and expect the problem to go away - you have to understand that you're implicitly trusting everything you use, and everything that thing uses, and we need to understand that we're trusting someone when we use their library that it does what it says it does.

Still a very important idea, that our security model(s) are mostly built on trust. With all the layers of software and chips today, few can admit they even understand all of the details. It comes down to trust.

That's a really interesting topic for a Sci-Fi movie. Like, imagine a trojan that has been dormant for the last 50 years in all the compilers and OS kernels of every computer of the world, and it is a timebomb that's going to wreak havoc at an unexpected moment.

Imagine a man so f'ing ahead of his time that, despite an era of global publication, it takes thirty six years before the next smartest guy notices his paper is a bombshell. You have imagined Ken Thompson.

This considers the possibility of a software ‘supply chain attack’, to insert malevolent code in some circumstances. But don’t forget the hardware or firmware and supply chain attack route - that has certainly been deployed... Gotta build your own hardware too!

At the end he talks about what if a printer company starts checking if you have the wrong ink. It's already happening. Just look at HP as an example of a selfish company essentially demanding that their customers either "comply" or get "denied".

We are all standing on the shoulders of the humblest of giants, the amount of things that can trace the origin back to the work of the pioneers is astounding.

I would make a slight addition at 4:15 that you also can't trust code that you did create yourself.

I still have somewhere on my TODO-list a project where I rewrite the basic layers from scratch where I only trust the hardware (which is admittedly already too much). It'd start with PXE booting written in machine code (possibly sent from a micro-controller I'd have designed myself), then I'd work my way up the abstraction ladder in steps. Starting with an extremely basic assembler written in machine code (no comments or labels supported), then a more decent assembler written in this poor-assembly. Then a note-quite-C compiler written in assembly that produce assembly. And finally a true C compiler that support all the C89 syntax. And here we are, we can finally compile a gcc we can trust.

So this basically describes the possibility of the worst kind of supply-chain attack possible, which would be practically unfixable without starting over from scratch. I remember several college discussions regarding trust at the hardware level, while shelving the `conspiracy-path`, security features like the `Execute Disable Bit` or the things in line with `Intel Management Engine/Platform Security Processor`, with the implications that data from memory, storage, network traffic, input and output devices could be evaluated, read and manipulated by `some extra rules` on a hardware level which was guarded by the barrier of proprietary code which should just be trusted.

I did not need this stress this morning.

Professor Brailsford should get the Turing Award for his contribution in documenting computer science history

The only time I ever made a geek pilgrimage to Stanford I stood in the bookstore and read that entire Thompson lecture out of a book I couldn't afford to buy.

I find the paper much easier to understand than his description of it.

The example he gave with printer ink is something that large printer manufacturers have included in their devices; my dad founded and ran a local printing shop for 30 years, and in the more recent printers this was exactly what happened, so you couldn't use ink that you didn't specifically buy from the company. As for the cd-rom example, that was an issue with various games published by EA, they used to not allow the game you purchased to run if you had a cd-rom burner program installed; there were also issues where the "anti-piracy" software EA required as an install literally broke people's computers (some people got broken cd drives, others got completely bricked machines). I don't know if these were intentional references or not, but yes these types of things are happening.

This actually in a way came up in the Rust compiler (in a non-malicious way). Basically they noticed that the Rust compiler's source code never encodes the ASCII values for escape codes at all. So for example if the compiler encounters a ' ' in the source code that it's meant to compile, the source code of the compiler does not contain any information about the byte value of that and is instead also just defined as ' '. It just automatically propagates from the knowledge of the previous compiler.

"New-fangled CD-ROM burners" I love this guy so much

Read that paper some years ago and I've never forgotten about it (it's short, so not that hard to remember). Neat to see a video made about it.

This speech scene is for me; TheMatrix reminded me of the speech that started with the phrase "I created the Matrix" in the last scene of the movie. Thanks Professor Brailsford, Ken Thompson, Dennis Ritchie. We learned a lot from you. Greetings.

I love this channel (Computerphile). It would be so interesting I think to sit in a pub with these folks (e.g. Prof. Brailsford) with a beer and have discussions such as this. Thanks!

Please do a follow-up video on countering "trusting trust" attacks with diverse double compiling, it's fascinating.

You can't know, just like you can't know if a particular restaurant chain is slowly poisening you.

I actually know what the title is! I was just talking about this paper with a friend a week or two ago.

That thumbnail is really clever!!!

Fascinating, I could endlessly listen to professor Brailsford.

7:33 "Are you still with me?"

But even if the compiler is producing machine code without any malicious code in it... we should not forget the CPU and its instructions. Some instructions might have secret behaviour when specific criteria are met - backdoors effectively. So this is not just a problem about trusting a compiler but trusting CPU vendor as well.

If I understand this correctly, the point is that even if I completely read and understand and document the source code for every program running on my computer, and I also completely understand and document the source code for every compiler, I can _still_ have malware hidden in the binaries. Because of the way bootstrapping works, my entire machine could be vulnerable due to some tiny hidden program that _only_ shows up in binaries, never in source code, and so is nearly impossible to find. But the only way that could be the case is if the compilers and everything else had been set up that way to begin with, like maybe Ken Thompson and UNIX. This is a call to stay grounded, like with encryption and man-in-the-middle attacks (or $2 wrench attacks--probably $5 wrenches now with inflation). You really do have to trust people at some point; there is no way around it, no matter how impressive the promises of various new encryption methods. You have to "trust trust," in the same way we all need some minimal amount of trust in other people to do pretty much anything.

This is a terribly sobering video. Excellent production as always. Thank you for sharing these videos!

Thank you professor Brailsford, very entertaining and thought provoking as always

Primeagen chat mentioned this paper and how it relates to the XZ Utils backdoor.

Those nested horses are the best graphic I've seen on this channel so far. That'll stick with me.

I just bought an serial to usb adapter, and found out the driver was disabled by Microsoft -at the request of the manufacturer...- (edit: it was blacklisted by MS) The chip used in the adapter was cloned and pirated, so they decided to automaticaly install a dud driver and disable the whole family in windows 10, including the original chips from the manufacturer. I have no way of knowing if mine is original or pirated, but the solution I was given was a big "FU, buy a new one". Should we put our trust on automatic updates that downgrade products like that?

for those thinking of rewriting gcc from scratch in assembly ... how do you trust that the processor actually does what it is supposed to do when given an instruction? and if you don't trust intel and arm ... and say i'll make my own processor how do you know that nothing malicious has been hidden by the manufacturer at the silicon level ...

Brilliant. I was hoping someone made a video about this. They talked about it at Harvard too at the end of CS50.

I know what this is going to be about. Looking forward to Professor Brailsford's take on it.

Trust these elliptical curves I propose and build your security around them!

The Solar Winds hack isn't exactly what Thompson described but it is close. The Solar Winds hack monitored the filenames of code being compiled and when the one they wanted came along they inserted their malware into the source as it went through the compiler. After compilation they removed the extra code so that the source looked unmodified. A decompilation of the binary would show that the binary and source didn't match. But, who's going to do that? Solar Winds was a remarkably clever hack made all the more scary by the fact that it is very difficult to think of a countermeasure that would prevent it. Another scary idea is that Solar Winds is just a first generation malware. In future infections they may go deeper. Even to the level of doing Thompson's suggested hack to the compiler itself.

It's funny because I had a similar thought the other day about the gcc compiler: what if the first compiler you use to bootstrap gcc injects code in it that will add proprietary blobs to everything you compile with gcc? There's just no way of asserting whether that's the case.

So did Ken Thompson create a monster? No, I'm pretty sure he didn't. For a start, you wouldn't go tipping people off about the possibility if you'd done that, now would you? I'd also trust the work of Richard Stallman, who personally wrote much of the first version of GCC.

I think the point was trust. Do you trust what you can’t see. It would be like having a food replicator from Star Trek that included a little extra something in your food. LSD or maybe something that makes you comer compliant. This is indeed brings about great debate about trust but I think also highlights how we should be more critical of the tools we use.

This is a very interesting topic.

It doesn't really solve the issue, but at the very least we have clang, gcc, MSVC - all independently made. As well as nasm, masm, yasm and that for assemblers

Isn´t this the reason behind the GCC compiler and why it is considered Stallman´s most important contribution to free software?

Its a topical subject. Very worthy content.

Perhaps you could do a video about Xenix. My first IT job in 1989 was in a network of Olvetti MT24s running Dos3.2, but my boss was trailling Xenix, a Unix variant that was owned by Microsoft at the time. I believe that Xenix morphed into SCO Unix, and Microsoft bought the Carnegie-Mellon micro-Unix kernel and adapted it to become Microsoft NT. I've often wondered why, if Microsoft had already bought the Xenix Unix kernel, why didn't they run with that instead of spending a decade to develop an alternative based on another Unix kernel.

I think that's a solved issue in software. The undocumented arm processor that intel embedded into their x86 processors, (demonstrated by Christopher Domas) is the manifestation of this issue.

I like Cory Doctorow's books.

This provides a new meaning of the saying the compiler is smarter than you.

I've heard reports of (though not seen) C compilers that when you build the Unix login program that will grant superuser access to anyone who logs in with the username "kt" and no password.

What's scarier is that you could engineer even the debuggers and hex viewers to pretend the extra code doesn't exist. I don't think this is a real problem with compilers but it's a crazy security nightmare with embedded code and the low lvl stuff in your devices etc.

This sort of issue is why the teaching of philosophy is so important. Who polices the policeman? It seems that the little policing there is, is after the fact. As an interested outsider vaguely learning of high profile security breaches, it seems that any database directly connected to a communication system is functionally pre-hacked. Am I wrong in this?.

However I agree with the points made, it's difficult finding the line in trust. Consider the following: your computer is most likely made from parts from various different manufacturers, how can you be sure you can trust any of them not to put anything rogue on them? How can you be sure you can trust any single person or company? There has to be some amount of blind trust otherwise you'd have to try to replicate more than 70 years of progress, not counting the long history of progress in physics, mathematics, and chemistry. And after all that, can you trust yourself with doing the job flawlessly?

Truster Trusting Trust

It should be possible to reverse engineer a compiler to look for suspicious behavior. Aside from that, I don't see how we could be sure we're getting what we expect from looking at the source code.

Once we moved away from discrete components and into ICs we lost all hope of ever being secure or knowing what is really happening.

WOW! STAGGERING.

Just write a C compiler in assmbly language for the target architecture, then assemble it manually and then use that machine code to bootstrap your way up gcc. Easy, right?

I've heard it said when you are asked in a job interview what your biggest weakness is as a software engineer? that the best answer is "I'm not Ken Thompson".

Can you do a video on the RMS and the free software philosophy?

CB UNIX is in my DNA. Brian's new book is most excellent.

It is an interesting thought experiment, but how would the exploit work for cross compiled code for architectures that did not even exist back when Kernighan wrote his first compiler? Seems to me it would fail at some point, but I guess later bad actors could do the same trick.

11:14 Ah, you mean what the companies behind the DMCA actually tried to to? (and the ink comment seconds before is also actually a thing, printer ink is more expensive than gold, seriously)

I wonder if it is feasible to build a physical compiler without any ICs which matches the spec/source of an existing one, and have it be fast enough to compile a clean compiler binary in some reasonable amount of time.

Nowadays people are (formally) proving compilers correct. Of course, you have to "check the proof checker" somehow but its a LOT shorter than "the code" for a C compiler and you only have to "check" one proof checker, which you can use to prove correct any compiler you want (and much more). Of course, proving stuff correct in this way is very hard. But people manage to do it these days.

The moral is: You can never trust anything(not restricted to code or programs) that you didn't create or build from scratch by yourself. If you need any tools to build the thing in question, you have to make the tools from scratch in the same way. This applies recursively until you are down to the simplest tools poseible that are buildable from raw materials and human power. But even if you do all that, you cannot be sure that your mind is not being manipulated. This chain of trust doesn't have a beginning.

For compilers I suspect this will fail as the software evolves over time. Eventually the trojan will no longer be compatible with the new version. The points it was hooking into will eventually be refactored.

Isn't this where reverse engineering tools like Ghidra help? Then again Ghidra could be programmed to ignore specific rogue code... Run Ghidra on Ghidra... Now I'm going cross-eyed

I blindly trust the developers who package my distro and its build tools. This isn't a joke. I just give up. If they can't break the chain of compiler poisoning, I sure can't.

I've brought this paper up many, many times when talking about the supposed "trustless" nature of cryptocurrency. The technical solutions involved in cryptocurrency don't eliminate the need for trust, they simply push it somewhere else in the chain. In crypto-world, everyone is running around talking about how they have solved the problem of having to trust the central banks and the commercial banks, but they've simply shifted the problem to the shady online exchanges. Even the tinfoil hat crowd that does bilateral person-to-person swaps and keeps their cryptocurrency in cold storage, they are eventually at the mercy of some shady guy in the back-alley deal they have to make to swap their crypto for anything useful. The point is that there's no escape. Eventually you have to trust *someone* and you're time is better spent thinking about who you can trust rather than trying to play technological whack-a-mole trying to eliminate the need for trust.

There IS a way to detect the trusting trust attack. Just use completely different compilers (such as clang and gcc), and make them compile the same compiler source. Then make the resulting binaries compile the same source again. If the final binaries are different, one of the compilers you used is compromised!

Dear professor it is late here and i wanted to relax myself with a bit of knowledge, all I got is anxiety ;-)

oh my.

Look into Gnu Guix and Bootstrappable Builds if you want solutions to this problem.

That's why we should use some wacky compiler like movcc for one of the steps in the bootstrapping chain. Because there's no way whoever wrote the original evil gcc would anticipate movcc, so movcc won't get detected as a compiler, so the malware can't propagate through it.

I feel this a little pumped up. Just because something is a binary doesn't mean that you can't look at it, disassemble it and analyze its semantics. Interesting topic though, for sure.

Handcrafted a safe minimalist c-compiler in assembly for your Intel chip and recompile everything from that. Safe? Not safe. Was their naughtiness in the binary that created the masks for the CPU etching? (Even in the firmware of the machine that physically applied the mask?) Frightening. Damned frightening. [Edit: I see this was discussed.]

I know it would be a lengthy project, but wouldn't the solution be to rebuild the compiler from assembler? Start with something very basic, just enough to allow a very simple C program to be written and compiled to a compiler, then rebuild feature by feature with all code visible and replicable for security researchers to verify step by step. You'd really only have to do this once, and you'd have in the end a completely traceable line of source code for any compiler that branches from that core project.

I read a paper a few years ago that had some solution to this, although I think it required another trusted compiler. Can't remember the name, though.

I guess I am missing something; I understand the implications of Thompson’s paper, however, what’s to stop someone from doing dynamic analysis on the compiler as it processes source code, and match the binary to expected output, or a hash? While this would be time consuming, my gut is saying that you could leverage automation of manually verified proofs to determine if a compiler is secretly malicious, no?

I suppose one _could_ write one's own C compiler in assembler, and then bootstrap up from that using something like the gcc source tree, which is extremely thoroughly reviewed.

Unless the Trojan Horse is in the CPU, in addition to code you have written yourself, you can trust machine code that you have stepped through in an in-circuit emulator. I used to debug disassemblies of C code on a 286, without source-level debugging. After a while, you become adept at seeing how the machine code corresponds to the source. In principle, you could hand-compare source and binary line by line, function by function--and once you've eliminated all the machine code that can be explained by the source co de, anything left was added by the compiler.

I love him :p

running GNU/Linux this is something I worry about much the time. Is my machine doing something that I don't know about and wouldn't want it to be doing? I implicitly trust the code I'm running (that I didn't write myself; the code I wrote I don't trust at all, but that's another story), but should I....? I implicitly trust Stallman and Torvalds and many others, but who out there is shipping malicious code unrecognized? Easter eggs were a big thing at proprietary corps. Is there something similar but more sinister in binaries that are ostensibly open source where I never look at the source? It's thanks to the tireless workers at FOSS that we have to thank for reducing our levels of anxiety, and to Professor Brailsford and the people at Computerphile, not forgetting the brilliant Ken Thompson of course. But what about the big corps and backdoors? The Intel IME... (surely doing work on behalf of government orgs everywhere)

wow, this is so crazy!

It's especially interesting considering the recent issues with the security of the dotNET build system. I guess that's one of the issues that just have no good solutions.

Happy I am watching this Video on Linux

Do you have a link to the Doctorow article you mentioned please?

With the cloud it gets even more hidden. Hope it rains soon. ;-)

So, a static review of the source wouldn't find this so-called compiler bug.. and dynamic testing would only test for functionality. Isn't it possible to do binary analysis? Perhaps using the source to derive an expected result?

did the fact that thumbnail for this video has an problem with the mirror mess with them too? The on trusting trust isn't mirrored correctly.

Thumbnail broke my trust

Could you include a link to Cory Doctorow’s article in the description.

As long as the language specification is open, can't you always write your own compiler in assembly? And as long as the source code of the popular compiler is open, couldn't you then read through it thoroughly and compile it using your different compiler, to get a fully featured compiler which definitely does not carry the poison any more?

5:50 So there is really no such thing as a password when all that needs to happen is flip a bit in the right place.

what season is there for him to wear an hawayan shirt!

I've seen somewhere that this is somewhat circumventable if you have a compiler A that you can trust (though a bootstrapping mechanism or whatever). If you have another compiler B that you want to test for trustworthiness you can now compile B using B and compare the resulting executable with the executable generated when compiling B using A to C and compiling B with C again. If the generated executable matches exactly, you know that you can also trust the compiler B.

I think KZbin has screwed up. I watched a video by Computerphile considering if we can 'trust trust'. Then I switched to a channel for the Unity 22 li9ve stream, . Waiting for it to start, read the preamble, all okay, and then moved on down to read the comments. And found... all these. Talking about compilers, and bootstraps and such, about 3 months ago. Thought 'WTF has that got to with..." and then it clicked. Still; got the comments section from the previous video. Hmm how often does one get to post on a video, about a different video, and yet still concerns the video one is posting on?

seems like this is becoming a logical uncertainty problem

Can we trust Richard Stallman and his gcc compiler? What if it has secret code to mess with the binaries in case you are compiling proprietary software?!