[net.unix-wizards] Need trojan horse info

bobvan@uiucdcs.UUCP (09/21/83)

#N:uiucdcs:13700040:000:731
uiucdcs!bobvan    Sep 20 16:15:00 1983

Quite a while ago, there was a note in unix-wizards about an interesting
trojan horse that originated inside Bell Labs.  It worked this way:  the
binary for cpp would recognize when it was processing login.c or cpp.c.
It would then insert the trojan horse and pass it on to the compiler.
No one ever saw it in source form because it appeared only in the pipe
between cpp and the compiler.

I am doing research for a paper and would like to communicate with the
author of the article or the folks who thought it up and implemented it.
I'd also like to hear from anyone who has a copy of the original article
or who has found this on their system.

Thanks.

Bob Van Valzah  Compion Corp.  pur-ee!uiucdcs!ccvaxa!bobvan  (217) 384-8587

mike@brl-vgr@sri-unix.UUCP (09/24/83)

From:      Mike Muuss <mike@brl-vgr>

I am of the opinion that it is a clever ruse, cooked up to warn people
about ways that things COULD be sabotaged.

Besides, can you imagine how much effort it would take to actually
implement such a thing?  Quite a bit for the sake of a gag.
And, of course, when people make local mods to CPP (rare) and
LOGIN (common), whatever technique the program used to determine
where to twiddle would probably break.

POP QUIZ:  Design a set of tests which will prove that CPP does NOT
contain this auto-sabotage.
				-Mike

MP@mit-xx@sri-unix.UUCP (09/27/83)

From:  Mark Plotnick <MP@mit-xx>

Digging into the archives, we find...

From mhtsa!alice!research!dmr Thu Nov  4 02:30:06 1982
Subject: Joy of reproduction
Newsgroups: net.lang.c
Some years ago Ken Thompson broke the C preprocessor in the following
ways:
  1) When compiling login.c, it inserted code that allowed you to
  log in as anyone by supplying either the regular password or a special,
  fixed password.

  2) When compiling cpp.c, it inserted code that performed the special
  test to recognize the appropriate part of login.c and insert the
  password code.  It also inserted code to recognize the appropriate
  part of cpp.c and insert the code described in way 2).

Once the object cpp was installed, its bugs were thus self-reproducing,
while all the source code remained clean-looking.  (Things were even set
up so the funny stuff would not be inserted if cc's -P option was used.)

We actually installed this on one of the other systems at the Labs.
It lasted for several months, until someone copied the cpp binary
from another system.

Notes:
  1)  The idea was not original; we saw it in a report on Multics
  vulnerabilities. I don't know of anyone else who actually went to
  the considerable labor of producing a working example.

  2) I promise that no such thing has ever been included in any distributed
  version of Unix.  However, this took place about the time that NSA
  was first acquiring the system, and there was considerable temptation.

		Dennis Ritchie


From harpo!zeppo!whuxlb!mash (John Mashey) Thu Nov  4 18:08:24 1982
Subject: Joy of Reproduction - other side
Newsgroups: net.lang.c
DMR gave an amusing description of Ken's self-reproducing loophole bug done
years ago.  As a user of (one of the) systems on which it got installed
(Piscataway PWBs), I recall a few more amusing items:
1) We never would have found it if Ken hadn't been lazy and made the
extra code a function -- the tipoff was the item in the namelist that
never appeared in the source.
2) I doubt that anyone would have known what happened if Ken hadn't left
everything lying around on research.
3) This occurred when one could seldom expect that one's old cc would compile
Dennis's newest cc source (due to continual bootstrapping) -- we always had
to grab both new source and new object.  This helped the trap considerably.
4) We had been sniping at Ken and Dennis for security problems.  The loophole
code came soon thereafter...
5) Finally, the scariest/funniest part of the whole business was
reading Brunner's Shockwave Rider book several weeks before this,
liking it, but thinking that "worm programs with infinitely replicating
tails" were ridiculous.  Then Ken's program showed up...
-john mashey

-------

muha%bbn-unix@sri-unix.UUCP (09/27/83)

From:  Ralph Muha <muha@bbn-unix>

Having worked at Bell Labs, I can testify that the Trojan horse story
is true.  It was perpetrated by none other than Dennis Ritchie.
Interestingly, it was detected by some folks at Bell Labs in Holmdel
who were smart enough to compare the sizes of the executables produced
by the old and new versions of cpp.  Just goes to show you that there
is no substitute for vigilance when it comes to system security.
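
The mechanism dmr describes in the digest above, together with the two ways the
thread says it was noticed (Mashey's namelist entry that never appeared in the
source, and Muha's comparison of executable sizes), as an added toy model in
Python.  This is not code from any of the posters and not Ken's cpp: Python
source text stands in for login.c and cpp.c, a dict of defined names stands in
for the installed binary, and the names toy_cc, _trojan, check_password, the
fixed password "ken" and the sample password table are all constructed here.

```python
import ast

# Constructed stand-in for login.c; the source is clean and stays clean.
LOGIN_SRC = '''\
PASSWORDS = {"dmr": "letmein"}

def check_password(user, supplied):
    return PASSWORDS.get(user) == supplied
'''

# Constructed stand-in for cpp.c: the "compiler" turns source text into an
# installed "binary", here a namespace dict of the names the source defines.
CC_SRC = '''\
def toy_cc(source):
    binary = {}
    exec(compile(source, "<toy>", "exec"), binary)
    return binary
'''

# The trojan as it would be hand-inserted into cpp exactly once.  It is kept
# as text so that stage 2 can copy its own source into every cpp it compiles.
TROJAN_SRC = r'''
def _trojan(source):
    # Stage 1: recognise login.c and accept a fixed password for any user.
    if "def check_password(" in source:
        source = source.replace("def check_password(", "def _real_check_password(")
        source += "\n".join([
            "",
            "def check_password(user, supplied):",
            "    if supplied == " + repr("ken") + ":",
            "        return True",
            "    return _real_check_password(user, supplied)",
            "",
        ])
    # Stage 2: recognise cpp.c and re-insert this whole trojan, its text included.
    if "def toy_cc(" in source:
        source = source.replace("def toy_cc(", "def _real_toy_cc(")
        source += "\nTROJAN_SRC = " + repr(TROJAN_SRC) + "\n" + TROJAN_SRC
        source += "\ndef toy_cc(source):\n    return _real_toy_cc(_trojan(source))\n"
    return source
'''

def bootstrap(source):
    """The hand-assembled first compiler: the same job toy_cc does, done here."""
    binary = {}
    exec(compile(source, "<bootstrap>", "exec"), binary)
    return binary

def build_chain():
    """Clean cpp -> trojaned once by hand -> rebuilt again from the clean source."""
    clean_cc = bootstrap(CC_SRC)
    ken = bootstrap("TROJAN_SRC = " + repr(TROJAN_SRC) + "\n" + TROJAN_SRC)
    trojaned_cc = clean_cc["toy_cc"](ken["_trojan"](CC_SRC))  # the one-off step
    rebuilt_cc = trojaned_cc["toy_cc"](CC_SRC)  # clean source in, trojan still out
    return clean_cc, trojaned_cc, rebuilt_cc

def namelist(binary):
    """nm(1) for the toy: every non-dunder name the binary defines."""
    return {name for name in binary if not name.startswith("__")}

def source_names(source):
    """Top-level names actually defined in the source text."""
    names = set()
    for node in ast.parse(source).body:
        if isinstance(node, (ast.FunctionDef, ast.ClassDef)):
            names.add(node.name)
        elif isinstance(node, ast.Assign):
            names.update(t.id for t in node.targets if isinstance(t, ast.Name))
    return names

def names_not_in_source(binary, source):
    """Mashey's tipoff: namelist entries that appear nowhere in the source."""
    return namelist(binary) - source_names(source)

def binary_size(binary):
    """Muha's check: bytes of code in the 'executable'."""
    return sum(len(v.__code__.co_code) for v in binary.values() if hasattr(v, "__code__"))

def demo():
    clean_cc, _, rebuilt_cc = build_chain()
    clean_login = clean_cc["toy_cc"](LOGIN_SRC)
    bad_login = rebuilt_cc["toy_cc"](LOGIN_SRC)
    return {
        "clean_accepts_fixed": clean_login["check_password"]("dmr", "ken"),
        "rebuilt_accepts_fixed": bad_login["check_password"]("dmr", "ken"),
        "rebuilt_accepts_real": bad_login["check_password"]("dmr", "letmein"),
        "rebuilt_accepts_wrong": bad_login["check_password"]("dmr", "wrong"),
        "extra_login_names": names_not_in_source(bad_login, LOGIN_SRC),
        "extra_cc_names": names_not_in_source(rebuilt_cc, CC_SRC),
        "login_grew": binary_size(bad_login) > binary_size(clean_login),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the rebuilt compiler, made from CC_SRC with no trojan text in
it, still emitting a login that takes the fixed password, while both sources
read clean.  The two checks only work here for the reasons the thread gives:
the payload is a separate function, so it shows up as an extra namelist entry
and as a larger binary.  A payload spliced inline would leave no extra symbol,
which is why Mike's pop quiz has no comfortable answer.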