DailyGlimpse

Ken Thompson on the Illusion of Trust in Software Security

Opinion
May 25, 2026 · 2:40 AM

In his 1984 Turing Award lecture, computer scientist Ken Thompson delivered a groundbreaking exploration of the fundamental limits of software security. He demonstrated how malicious code can be embedded within a compiler in a way that makes detection nearly impossible, even for someone who reviews the source code.

Thompson illustrated the concept through a three-stage process, beginning with self-reproducing programs. He then advanced to a sophisticated Trojan horse that infects binary files without leaving any trace in the source code. The attack proves that a developer can never truly verify a program's integrity unless they personally built the entire toolchain—including the hardware itself.
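The toy model below is an added example, not Thompson's code or anything from the lecture: it shows why reviewing clean source does not help once a compiler binary is subverted, and how rebuilding through an independent compiler (diverse double-compiling, a countermeasure this article does not cover) exposes the mismatch. Every name, string and the hash-based "image" are constructed stand-ins, and the check assumes deterministic builds.

```python
import hashlib

COMPILER_SRC = "toy-cc source: reviewed, contains no Trojan"   # constructed
LOGIN_SRC = "login source: reviewed, contains no backdoor"     # constructed

def emit(codegen, src, hidden=""):
    """Deterministic stand-in for code generation: the image as a hex digest."""
    return hashlib.sha256(f"{codegen}|{src}|{hidden}".encode()).hexdigest()

class Compiler:
    """A compiler binary. Its behaviour comes from how it was built,
    not from whatever source text sits next to it."""
    def __init__(self, codegen, image, subverted=False):
        self.codegen, self.image, self.subverted = codegen, image, subverted

    def build(self, src):
        if src == COMPILER_SRC:
            # Self-compilation: a subverted binary re-inserts its hidden logic.
            hidden = "trojan" if self.subverted else ""
            return Compiler("toy-cc", emit(self.codegen, src, hidden), self.subverted)
        hidden = "backdoor" if self.subverted and src == LOGIN_SRC else ""
        return emit(self.codegen, src, hidden)

def diverse_double_compile(trusted, suspect):
    """Rebuild the compiler from source via an independent compiler and
    compare the result bit-for-bit with the suspect binary."""
    stage1 = trusted.build(COMPILER_SRC)   # behaves like the source, different bits
    stage2 = stage1.build(COMPILER_SRC)    # what an honest self-build must look like
    return stage2.image == suspect.image

# Constructed scenario: an independent compiler, an honest binary, a subverted one.
independent = Compiler("other-cc", emit("vendor", "other-cc source"))
clean = Compiler("toy-cc", emit("toy-cc", COMPILER_SRC))
dirty = Compiler("toy-cc", emit("toy-cc", COMPILER_SRC, "trojan"), subverted=True)

if __name__ == "__main__":
    print("login images differ:", clean.build(LOGIN_SRC) != dirty.build(LOGIN_SRC))
    print("other programs match:", clean.build("hello") == dirty.build("hello"))
    print("survives rebuild from clean source:",
          dirty.build(COMPILER_SRC).image == dirty.image)
    print("DDC accepts clean:", diverse_double_compile(independent, clean))
    print("DDC accepts dirty:", diverse_double_compile(independent, dirty))
```

The subverted binary is a fixed point under self-compilation and behaves identically to the clean one on unrelated programs, which is why neither source review nor spot-testing reveals it; only the bit-for-bit comparison against the independently bootstrapped build does.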

"You can't trust code that you did not totally create yourself." — Ken Thompson

The lecture concludes that absolute trust in software is an illusion because subversion can exist at levels far below human-readable text. Beyond the technical proof, Thompson also addressed the ethical implications, urging the computing community to reconsider the foundations of trust in digital systems.

This classic paper remains profoundly relevant today, as supply-chain attacks and hardware backdoors continue to challenge modern security practices.