I've read this incredible 3-page paper many times over the last few years, but I'm still not sure I grasp all its implications. The author fits three amazing demonstrations into this short paper, each building on the previous one:
- How to create a program that prints its own source code as output
- The bizarre semantics of compiling compilers written in their own language (e.g. the C compiler is written in C).
- And finally, how even if you build a program from source code, the compiler you use can inject malicious code into the program during the compilation process.
The ultimate goal is to show how difficult it is to trust software, even if you build it yourself:
> The moral is obvious. You can't trust code that you did not totally create yourself. (Especially code from companies that employ people like me.) No amount of source-level verification or scrutiny will protect you from using untrusted code.
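The first of the three demonstrations listed above, a program that prints its own source, is the mechanism the other two build on, so here is a worked version of it. This is an added example, not code from the post or from Thompson's paper; the helper names `quine_source`, `run_program` and `is_quine` are my own. The trick is the one the paper uses: the program carries its own text as a string, then prints that string twice, once as quoted data and once as code, so the output is a fixed point of running it.

```python
import io
from contextlib import redirect_stdout

# The quine's template. Python's %r emits a quoted, escaped copy of a
# string, and %% is a literal percent sign, so applying the template to
# itself yields a program whose data half and code half are the same text.
TEMPLATE = 's=%r\nprint(s%%s)'


def quine_source() -> str:
    """Return the complete quine program as it would sit in a file.

    The trailing newline is the one print() adds when the program runs,
    so the file content and the program's output can be byte-identical.
    """
    return TEMPLATE % TEMPLATE + '\n'


def run_program(source: str) -> str:
    """Execute Python source in a fresh namespace and return its stdout."""
    buf = io.StringIO()
    with redirect_stdout(buf):
        exec(source, {})  # fresh globals: the program sees only builtins
    return buf.getvalue()


def is_quine(source: str) -> bool:
    """True when running the program reproduces its own source exactly."""
    return run_program(source) == source


if __name__ == '__main__':
    src = quine_source()
    print(src, end='')                      # the program itself
    print('reproduces itself:', is_quine(src))   # True
    # A program that merely prints something is not a fixed point.
    print("plain print is a quine:", is_quine("print('hello')\n"))  # False
```

`is_quine` is the check worth keeping in mind when reading the rest of the paper: a piece of text that regenerates itself byte-for-byte can be carried through an arbitrary number of rebuilds, which is why the paper's compiler can keep reinserting code that no longer appears in any source file you can read.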