
"Trusting Trust" and the forms of computer programs

I read an interesting article on Bruce Schneier's blog regarding a possible solution to the problem of "trusting trust". The basis of the problem is that a chain of trust is formed between source code compilers, and that chain is open to exploitation if the first compiler in it contains malicious directives: the first compiler could modify every compiler and debugger it builds so that they propagate its malicious directives in turn.

The role of a compiler is generally to produce a machine-readable form of human-readable source code. The compiled output can take the form of machine-code (native binary), or intermediate byte-code (as in the case of Java and its Virtual Machine). A Java program represented by byte-code is interpreted at run-time by a machine-code program. Frequently, Java programmers will adopt a false sense of security because their programs are represented by byte-code running in a Virtual Machine (VM); however, the VM is a machine-code program that is as vulnerable as any other machine-code program. The difference is that a higher degree of trust is placed on the VM machine-code than on one's own program. The merits of this outcome are debatable. Because the operating system is built using a source code compiler, it is vulnerable, too.

[Image: code_variations]

Schneier suggests that having two root compilers with equivalent functionality and different sources can remedy the problem. It's sort of like having two separately-designed factories responsible for producing a widget; if both factories receive the same specifications from the widget designers, there is no need to trust one factory more than another since their output must be the same. If it is not the same, then at least one is incorrect. It is possible for both factories to be wrong, but not in identical ways.
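To make the "two factories" argument concrete, here is an added toy model of the two-root-compiler check (David A. Wheeler's diverse double-compiling), written for this page rather than taken from the original post or from any real compiler. A compiler binary is modelled as its opcode table plus an optional hidden hook that stands in for self-propagating code; the compiler source, the opcode names and the sample program are all constructed for the example. Compiling the compiler's own source with an independent, trusted root compiler and then with the result of that step gives a regenerated binary that can be compared bit-for-bit with the binary under suspicion.

```python
import hashlib
from dataclasses import dataclass

# Added example (not from the original post): a toy model of diverse
# double-compiling. Real compilers are machine code; here a "binary" is an
# opcode table plus an optional hidden hook standing in for injected code.


@dataclass(frozen=True)
class CompilerBinary:
    table: tuple        # ((mnemonic, opcode), ...) the compiler can emit
    hook: str = ""      # empty for an honest build, non-empty if trojaned


# Constructed source of the toy compiler itself: one mnemonic/opcode per line.
COMPILER_SOURCE = """\
# toy-compiler
PUSH 01
ADD  02
JMP  03
HALT FF
"""


def parse_compiler_source(src):
    """Turn the compiler's source text into the opcode table it describes."""
    table = []
    for line in src.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        mnem, op = line.split()
        table.append((mnem, int(op, 16)))
    return tuple(table)


def run_compiler(binary, src):
    """Execute a compiler binary on source text.

    Compiling the compiler's own source yields a new CompilerBinary, and a
    trojaned binary silently copies its hook into that output. Compiling any
    other program yields plain bytecode that is identical for honest and
    trojaned binaries, which is why ordinary testing does not reveal the hook.
    """
    if src.startswith("# toy-compiler"):
        return CompilerBinary(parse_compiler_source(src), hook=binary.hook)
    opcodes = dict(binary.table)
    out = bytearray()
    for line in src.splitlines():
        parts = line.split()
        if not parts:
            continue
        out.append(opcodes[parts[0]])
        if len(parts) > 1:
            out.append(int(parts[1]) & 0xFF)
    return bytes(out)


def fingerprint(binary):
    """Stable hash of a compiler binary, standing in for a hash of its bytes."""
    return hashlib.sha256(repr((binary.table, binary.hook)).encode()).hexdigest()


def diverse_double_compile(suspect, trusted, compiler_src):
    """Regenerate the compiler from source via an independent trusted root
    and compare the result with the suspect binary. True means they match."""
    stage1 = run_compiler(trusted, compiler_src)   # built by the trusted root
    stage2 = run_compiler(stage1, compiler_src)    # self-regeneration step
    return fingerprint(stage2) == fingerprint(suspect)


# Constructed binaries: an honest build, a trojaned build of the same source,
# and an independently produced root compiler (the "second factory").
TABLE = parse_compiler_source(COMPILER_SOURCE)
HONEST = CompilerBinary(TABLE)
TROJANED = CompilerBinary(TABLE, hook="self-propagating")
TRUSTED_ROOT = CompilerBinary(TABLE)

# Constructed sample program; both builds compile it to the same bytes.
PROGRAM = "PUSH 7\nPUSH 35\nADD\nHALT\n"


def main():
    same = run_compiler(HONEST, PROGRAM) == run_compiler(TROJANED, PROGRAM)
    print("ordinary program compiles identically:", same)
    print("honest binary passes DDC:",
          diverse_double_compile(HONEST, TRUSTED_ROOT, COMPILER_SOURCE))
    print("trojaned binary passes DDC:",
          diverse_double_compile(TROJANED, TRUSTED_ROOT, COMPILER_SOURCE))


if __name__ == "__main__":
    main()
```

The model only captures the structure of the check. In practice the comparison requires reproducible builds (identical output for identical input, with no timestamps or randomness in the binary) and relies on the assumption that the two root compilers were not compromised in a coordinated way; a mismatch shows that at least one of them is wrong, which is exactly the "two factories" conclusion above.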