Beyond Planted Bugs in "Trusting Trust": The Input-Processing Frontier

It’s been nearly thirty years from Ken Thompson’s “Reflections on Trusting Trust” and its famous verdict that “You can’t trust code that you did not totally create yourself.” If there is one practical lesson that the Internet taught us since then, it is that one cannot even trust one’s own code so long as that code meets arbitrary inputs from the Internet. Sooner or later a mixture of bugs or features turns the connected code into an execution engine for hostile inputs – indeed, it was sooner rather than later for the original Internet daemons. Over time, exploitable bugs became more complex, exploit payloads more sophisticated. Their composition first showed aspects of an art and then of a solid engineering process. Still, with a few exceptions, code connected to the Internet cannot be trusted. Even though everything Thompson predicted, including well-placed microcode bugs, has come to pass, there seems to be no need for a malicious entity to insert bugs into the software most of us use daily on the Internet. The input-subvertible bugs are already there. When a mechanism used for subversion is dealt with (as happened to the executable stack and predictable uniform address space layout), bugs simply seem to migrate to another protocol or layer. Input is still just as dangerous as it was for early implementations of SMTP and DNS.