Description
In 1984, Ken Thompson presented “Reflections on Trusting Trust” as part of his Turing Award lecture, demonstrating a theoretical attack in which a backdoored compiler injects malicious code into the programs it compiles and also propagates the backdoor into future versions of itself whenever it compiles its own source. The lecture described one of the darkest scenarios for supply-chain attacks, although its broader implications were not explicitly addressed at the time. This paper examines the evolution of supply-chain attacks, from Thompson’s foundational work to the current threat landscape. It traces the historical development of the trusting-trust problem and analyzes how it manifests today. The analysis covers a range of documented supply-chain attacks over the years, the biggest attack that never was, and current exploitation techniques that leverage trust relationships, such as watering-hole attacks, insider threats and deepfakes. The research provides a comprehensive account of how Thompson’s theoretical idea has materialized into a practical attack methodology and evaluates the status quo of supply-chain security and trusting trust in light of current developments in threat actors’ capabilities.