# Threat Model Reassessment

Thompson's lecture fundamentally undermines the assumption that **source code review provides meaningful security assurance**. This isn't a theoretical concern—it's a practical demonstration of a class of attacks that persists today.

## What Changes

**Before this paper**, the threat model was roughly: "verify source, compile locally, you're safe."

**After**: The supply chain attack surface extends into layers you can't inspect:

1. **Compiler-level trojans** propagate silently across recompilation—they're self-perpetuating and invisible in source code
2. **Binary trust is broken**—you can't trust pre-compiled toolchains, and compiling from source only protects you if your compiler is trustworthy (circular problem)
3. **The attack scales to hardware**—microcode, firmware, and CPU behavior exist below observable layers
4. **Detection becomes asymptotically hard**—a sophisticated attack leaves no forensic traces in source

## Defense Strategy

**Assume nothing is trustworthy in isolation.** Specific tactics:

- **Diversified compilation**: Compile critical infrastructure with multiple independent compiler toolchains (clang, gcc, rustc). A trojan in one likely won't replicate across all.
- **Reproducible builds**: Use bit-for-bit reproducible compilation to catch unauthorized binary modifications. This forces transparency but doesn't solve the fundamental problem—it just raises the cost.
- **Supply chain vetting**: Trust people, not artifacts. Verify developers and organizations, require code review from multiple parties, implement cryptographic signing at every stage.
- **Bootstrapping from first principles**: For the most critical systems, trace the compiler chain back to a minimal, hand-verified bootstrap (e.g., Stage 0 compilers or formally verified kernels).
- **Behavioral monitoring**: Since static analysis fails, monitor runtime behavior anomalously—privilege escalation patterns, unexpected network access, login anomalies.
- **Assume persistent compromise**: Design systems defensively assuming some components are trojaned. Compartmentalize. Defense in depth.

**The hard truth**: You cannot achieve perfect assurance. You can only raise the cost and detectability of attacks to exceed the attacker's resources or motivation.