Optional background reading:
Ken Thompson.
“Reflections on trusting trust”.
Turing Award lecture, published in Communications of the ACM,
Volume 27, Issue 8, pp. 761–763.
[ACM DL]
Optional background reading:
David A. Wheeler.
“Countering Trusting Trust through Diverse
Double-Compiling.”
In Annual Computer Security Applications Conference (ACSAC),
December 2005.
[Author's copy]
[Author's page]
Main reading for Tuesday, April 16th:
Stephen Checkoway, Jacob Maskiewicz, Christina Garman, Joshua Fried,
Shaanan Cohney, Matthew Green, Nadia Heninger, Ralf-Philipp Weinmann,
Eric Rescorla, and Hovav Shacham.
“A Systematic Analysis of the Juniper Dual EC Incident.”
In ACM CCS,
August 2016.
[ACM DL]
Candidate main reading:
Zhilei Ren, He Jiang, Jifeng Xuan, and Zijiang Yang.
“Automated localization for unreproducible builds”.
In International Conference on Software Engineering (ICSE),
May 2018.
[ACM DL]
Candidate main reading:
Nathanaëlle Courant, Julien Lepiller, and Gabriel Scherer.
“Debootstrapping without Archeology: Stacked Implementations in
Camlboot”.
In The Art, Science, and Engineering of Programming, Vol. 6,
Issue 3, Article 13, 2022.
[Journal]
Candidate main reading:
Piergiorgio Ladisa, Henrik Plate, Matias Martinez, and Olivier Barais.
“SoK: Taxonomy of Attacks on Open-Source Software Supply
Chains”.
In IEEE Security and Privacy (“Oakland”), May 2023.
[IEEE Xplore]
Candidate main reading:
Marcel Fourné, Dominik Wermke, William Enck, Sascha Fahl, and
Yasemin Acar.
“It's like flossing your teeth: On the Importance and Challenges
of Reproducible Builds for Software Supply Chain Security”.
In IEEE Security and Privacy (“Oakland”), May 2023.
[IEEE Xplore]
FAQ/link-tree on the xz/ssh backdoor:
Sam James.
“FAQ on the xz-utils backdoor (CVE-2024-3094)”.
[GitHub Gist]