phil@RICE.ARPA (William LeFebvre) (11/13/85)
All this talk of the famous "trojan horse" of Unix has made me go find
the very article where I first read about this. The article is
"Reflections on Trusting Trust" by Ken Thompson, _Communications_of_
the_ACM_, Vol. 27, #8 (August 1984), pp 761--763. It was Thompson's
Turing Award lecture.
I quote:
Figure 3.2 shows a simple modification to the compiler that
will deliberately miscompile source whenever a particular pattern is
matched. If this were not deliberate, it would be called a compiler
"bug". Since it is deliberate, it should be called a "Trojan horse."
The actual bug that I planted in the compiler would match code in
the UNIX "login" command. The replacement code would miscompile the
login command so that it would accept either the intended encrypted
password or a particular known password. Thus if this code were
installed in binary and the binary were used to compile the login
command, I could log into that system as any user.
Such blatant code would not go undetected for long. Even the
most casual perusal of the source of the C compiler would raise
suspicions.
...
The final step ... simply adds a second Trojan Horse to the one that
already exists. The second pattern is aimed at the C compiler. The
replacement code is a ... self-reproducing program that inserts both
Trojan horses into the compiler.... First we compile the modified
source with the normal C compiler to produce a bugged binary. We
install this binary as the official C. We can now remove the bugs from
the source of the compiler and the new binary will reinsert the bugs
whenever it is compiled. Of course, the login command will remain
bugged with no trace in source anywhere.
(Copyright 1984, Association for Computing Machinery,
copied by permission)
I realize that this could give potential hackers out there some ideas.
But I don't feel bad about sending this into the list, since it comes
from a well published document and can probably be found in any decent
sized library.
I would encourage everyone to find a copy of that article and read it.
It isn't very long and it is very good. The final section of it is Ken
Thompson moralizing about "hackers" and severely criticizing the press
for its handling of the situations (414 gang, Dalton gang, etc.).
Well worth reading.
I thought that the article contained some statement like "this bugged
version of the C compiler never made it out of Bell", but no such
statement is made. Suppose it did make it out after all.....
William LeFebvre
Department of Computer Science
Rice University
<phil@Rice.arpa>
or, for the daring: <phil@Rice.edu>

rees@apollo.uucp (Jim Rees) (11/18/85)
There was also this, from net.lang.c. Am I the only one around here who
keeps news for 3 years?
From research!dmr Thu Nov 4 02:30:06 1982
Subject: Joy of reproduction
Newsgroups: net.lang.c
Some years ago Ken Thompson broke the C preprocessor in the following ways:
1) When compiling login.c, it inserted code that allowed you to log in as
anyone by supplying either the regular password or a special, fixed
password.
2) When compiling cpp.c, it inserted code that performed the special test
to recognize the appropriate part of login.c and insert the password code.
It also inserted code to recognize the appropriate part of cpp.c and
insert the code described in way 2).
Once the object cpp was installed, its bugs were thus self-reproducing,
while all the source code remained clean-looking. (Things were even set
up so the funny stuff would not be inserted if cc's -P option was used.)
We actually installed this on one of the other systems at the Labs. It
lasted for several months, until someone copied the cpp binary from
another system.
Notes:
1) The idea was not original; we saw it in a report on Multics
vulnerabilities. I don't know of anyone else who actually went to the
considerable labor of producing a working example.
2) I promise that no such thing has ever been included in any
distributed version of Unix. However, this took place about the time
that NSA was first acquiring the system, and there was considerable
temptation.
Dennis Ritchie
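The mechanism both posts describe (Thompson's two-pattern compiler Trojan and Ritchie's account of the bugged cpp), as an added toy example that is not code from either post, from the paper, or from Unix. Source and binary are both Python text; the "compiler" cc() turns source into binary by dropping comment lines, and "running" a binary means exec()ing it. The Trojan miscompiles the login command to accept a master password, and, when it sees the compiler's own source, appends itself together with a quoted copy of itself so the next compiler binary carries it again. Every name here (PASSWORDS, LOGIN_SRC, CLEAN_CC_SRC, TROJAN, the master password 'letmein') is constructed for the illustration.

```python
"""
Toy model of the two-stage compiler Trojan from "Reflections on Trusting Trust".
Everything here is constructed for illustration and is not code from the paper
or from Unix: "source" and "binary" are both Python text, cc() compiles by
dropping full-line comments (so a binary is visibly derived from its source),
and loading a binary means exec()ing it.
"""

# Constructed sample password database used by the compiled login command.
PASSWORDS = {"alice": "s3cret", "root": "hunter2"}

# Constructed sample: the login command. Nothing suspicious in this source.
LOGIN_SRC = r'''
def login(user, password):
    # the intended check: only the stored password is accepted
    return PASSWORDS.get(user) == password
'''

# Constructed sample: the honest compiler. Nothing suspicious in this source.
CLEAN_CC_SRC = r'''
def cc(src):
    # "compile": drop full-line comments, keep every other line verbatim
    return "\n".join(l for l in src.split("\n") if not l.lstrip().startswith("#"))
'''

# The Trojan (hypothetical). The slot __SELF__ is replaced by a repr() of this
# text at compile time, so every emitted compiler carries a complete copy of
# it: that is the self-reproducing step. Inside the Trojan the slot name is
# written as two adjacent literals so that it occurs in the text exactly once.
TROJAN = r'''
_SELF = __SELF__

def _trojan(src, out):
    # Pattern 1: the login command. Miscompile it to accept a master password.
    if "def login(" in src:
        out = out.replace(
            "return PASSWORDS.get(user) == password",
            "return password == 'letmein' or PASSWORDS.get(user) == password")
    # Pattern 2: the compiler itself. Re-insert this Trojan plus a copy of it.
    if "def cc(" in src:
        out += "\n" + _SELF.replace("__SE" "LF__", repr(_SELF)) + "\ncc = _wrap(cc)\n"
    return out

def _wrap(honest):
    def cc(src):
        return _trojan(src, honest(src))
    return cc
'''


def expand(trojan):
    """Fill the Trojan's self slot with a quoted copy of itself."""
    return trojan.replace("__SE" "LF__", repr(trojan))


def load(binary, **names):
    """'Run' a binary: exec it and return its namespace."""
    ns = dict(names)
    exec(binary, ns)
    return ns


# The modified compiler source exists only for the single bootstrap compile.
BUGGED_CC_SRC = CLEAN_CC_SRC + expand(TROJAN) + "\ncc = _wrap(cc)\n"


def build_chain():
    """Follow Thompson's steps; return (honest cc, bugged cc, next-generation bugged cc)."""
    honest = load(CLEAN_CC_SRC)["cc"]
    # Compile the modified source once with the honest compiler and "install" it.
    installed = load(honest(BUGGED_CC_SRC))["cc"]
    # Remove the bugs from the source: from here on only CLEAN_CC_SRC is ever
    # compiled, yet each new compiler binary inherits the Trojan from its builder.
    gen1 = load(installed(CLEAN_CC_SRC))["cc"]
    gen2 = load(gen1(CLEAN_CC_SRC))["cc"]
    return honest, gen1, gen2


def compile_login(cc):
    """Compile the clean login source with the given compiler and return login()."""
    return load(cc(LOGIN_SRC), PASSWORDS=PASSWORDS)["login"]


if __name__ == "__main__":
    honest, gen1, gen2 = build_chain()
    print("honest cc, master password accepted:", compile_login(honest)("root", "letmein"))
    print("bugged cc, master password accepted:", compile_login(gen1)("root", "letmein"))
    print("'letmein' in any source:", "letmein" in CLEAN_CC_SRC + LOGIN_SRC)
    print("bugged cc is a fixed point:", gen1(CLEAN_CC_SRC) == gen2(CLEAN_CC_SRC))
```

After the one bootstrap compile, BUGGED_CC_SRC can be thrown away: the fixed-point check shows that compiling the clean compiler source with the installed binary yields the same bugged binary generation after generation, and the login binary it produces accepts the master password while neither source mentions it. The only recovery Ritchie's post describes, a cpp binary copied in from another system, corresponds here to starting again from the honest chain rather than from any binary the bugged one produced.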