I wonder why Is it so hard to detect this kind of ‘Trojan Horse’ as stated by Ken Thompson’s seminal paper ?
It is clear that compilers cannot be trusted anymore. However, I don’t think that it is hard to detect that the compiler is malicious.
An easy and simple way would be to take a simple program, say the HelloWorld program and a compiled version, a trusted one. For this, the binary code should be reviewed (this is possible, even manually because the code is simple).
Then we compare the compiled version we get using the compiler (to be tested) with the other ‘trusted one’.
No need to go with complex binary analyses, as suggested by Chris’s paper.

Kind regards,
Tejeddine,