A complete implementation of Ken Thompson's seminal software supply chain attack. This project modified the Tiny C Compiler (TCC) to inject persistent, undetectable backdoors. The source code and detailed technical write-up are withheld to maintain academic integrity; this README documents the implementation scope and validation outcomes.
- Stealth Backdoor Injection: Modifications undetectable through source code review
- Self-Replicating Exploit: Automatically propagates to new compiler generations
- Supply Chain Compromise: Affects all software built with infected compiler
- Academic Validation: Passed chain-of-trust testing procedure
Technical Environment: C | Tiny C Compiler (TCC) | Chain-of-Trust Validation
- Target: TCC compilation pipeline with focus on `tcc_compile()` in `libtcc.c`
- Method: Quine-based self-replication through compiler toolchain
- Components: Compiler frontend, code generation routines, binary output generation, self-compilation capability
- Modified compilation logic to detect and alter authentication programs
- Intercepted `login.c` processing to inject credential bypass
- Maintained source code integrity while injecting runtime backdoor
- Implemented quine behavior in compiler code generation
- Ensured exploit propagation to newly built compilers
- Maintained functionality across toolchain generations
Implementation: Complete and functional
Testing: Passed comprehensive chain-of-trust verification
Result: Backdoor injection and self-replication demonstrated
This project was completed by a team of five students as part of the Information System Security curriculum at Rensselaer Polytechnic Institute.
My Contributions:
- Architecture Analysis: Researched TCC documentation and source code to identify compilation logic in `libtcc.c`
- Technical Documentation: Authored a comprehensive write-up detailing the exploit methodology and implementation
- Exploit Development: Collaborated on modifying `tcc_compile()` for backdoor injection and self-replication
- Validation: Participated in chain-of-trust testing to confirm exploit functionality
This project implemented Ken Thompson's "Trusting Trust" attack as an educational exercise. The work passed the course's validation requirements, demonstrating the technical feasibility of compiler-level backdoor injection and self-replication.
The source code and detailed technical analysis are not distributed here to maintain academic integrity. This repository serves as a summary of our implementation accomplishments.
Our implementation validates a core principle of software supply chain security:
"You can't trust code that you did not totally create yourself." - Ken Thompson