Upload
-
View
470
Download
0
Embed Size (px)
Citation preview
Reflections on Trusting TrustTo what extent should one trust a statement that a program is free of Trojan horses?
Perhaps it is more important to trust the people who wrote the software.
夏永锋
上海交通大学 软件学院嵌入式实验室
November 3, 2011
夏永锋 Reflections on Trusting Trust
About Ken
Born in New Orleans in 1943
Received a Bachelor of Science in 1965 and amaster’s degree in 1966, both in ElectricalEngineering and Computer Science, from theUniversity of California, Berkeley
Retired from Bell Labs in late 2000, then workedat Entrisphere,Inc as a fellow until 2006
Now works at Google as a Distinguished Engineer.
夏永锋 Reflections on Trusting Trust
About Ken
Contributions
the Bon programming language
one of the creators and early developers of the the Unix and Plan 9 operating system
the B programming language, a precursor to Ritchie’s C
participate in creating C programming language
Regular expressions and early computer text editors QED and ed
most recently the co-creation of Google’s programming language Go
developed UTF-8 together with Rob Pike in 1992
participate in creating endgame tablebases and the chess machine Belle
Awards
1983, Turing Award
1990, IEEE Richard W. Hamming Medal
1997, Fellow of the Computer History Museum
1999, National Medal of Technology
1999, The first IEEE Tsutomu Kanai Award
2011, The Japan Prize for Information and Communication
夏永锋 Reflections on Trusting Trust
About Ken’s Turing Award acceptance speech
”Reflections on Trusting Trust” presented the backdoorattack now known as the Thompson hack or trustingtrust attack, and is widely considered a seminal computersecurity work in its own right.
— From en.wikipedia.org
夏永锋 Reflections on Trusting Trust
Why not to talk about UNIX?
UNIX swept into popularity with an industry-wide changefrom central mainframes to autonomous minis.
The current state of UNIX is the result of the labors of a largenumber of people.
I have not worked on mainstream UNIX in many years.
So what to talk about?The cutest program I ever wrote. and do this in three stages and
bring it together at the end.
夏永锋 Reflections on Trusting Trust
Listing 1: Stage I ”a self-reproducing program”
1 c h a r s []={2 ’\ t ’ ,3 ’ 0 ’ ,4 ’\n ’ ,5 ’} ’ ,6 ’ ; ’ ,7 ’\n ’ ,8 ’\n ’ ,9 ’ / ’ ,
10 ’∗ ’ ,11 ’\n ’ ,12 (213 l i n e d e l e t e d )13 014 } ;1516 /∗17 ∗ The s t r i n g s i s a18 ∗ r e p r e s e n t a t i o n o f t h e body19 ∗ o f t h i s program from ’ 0 ’20 ∗ to t h e end .21 ∗/2223 main ( )24 {25 i n t i ;2627 p r i n t f ( ” c h a r s []={\n” ) ;28 f o r ( i =0; s [ i ] ; i ++)29 p r i n t f ( ”\ t%d ,\n” , s [ i ] ) ;30 p r i n t f ( ”%s ” , s ) ;31 }
夏永锋 Reflections on Trusting Trust
About the self-reproducing program
This program can be easily written by another program.
This program can contain an arbitrary amount of excessbaggage that will be reproduced along with th main algorithm.
夏永锋 Reflections on Trusting Trust
Listing 2: Stage II 2.1
1 . . .2 c=n e x t ( ) ;3 i f ( c != ’\\ ’ )4 r e t u r n ( c ) ;5 c=n e x t ( ) ;6 i f ( c==’\\ ’ )7 r e t u r n ( ’\\ ’ ) ;8 i f ( c==’ n ’ )9 r e t u r n ( ’\n ’ ) ;
10 . . .
Listing 3: Stage II 2.2
1 . . .2 c=n e x t ( ) ;3 i f ( c != ’\\ ’ )4 r e t u r n ( c ) ;5 c=n e x t ( ) ;6 i f ( c==’\\ ’ )7 r e t u r n ( ’\\ ’ ) ;8 i f ( c==’ n ’ )9 r e t u r n ( ’\n ’ ) ;
10 i f ( c==’ v ’ )11 r e t u r n ( ’\v ’ ) ;12 . . .
夏永锋 Reflections on Trusting Trust
About Stage II
Since the binary version of the compiler does not know about”\v”,the source is not legal C. We must ”train” the compiler.After it ”knows” what ”\v” means, then our new change willbecome legal C.
We look up on an ASCII chart that a vertical tab is decimal 11.
夏永锋 Reflections on Trusting Trust
Listing 4: Stage II 2.3
1 . . .2 c=n e x t ( ) ;3 i f ( c != ’\\ ’ )4 r e t u r n ( c ) ;5 c=n e x t ( ) ;6 i f ( c==’\\ ’ )7 r e t u r n ( ’\\ ’ ) ;8 i f ( c==’ n ’ )9 r e t u r n ( ’\n ’ ) ;
10 i f ( c==’ v ’ )11 r e t u r n ( 1 1 ) ;12 . . .
Now the old compiler accepts the new source.We install theresulting binary as the new official C compiler and now we canwrite the portable version the way we had it in Listing 3.
Listing 5: Stage III 3.1
1 c o m p i l e ( s )2 c h a r ∗s ;3 {4 . . .5 }
夏永锋 Reflections on Trusting Trust
About Stage III
Listing 5 represents the high level control of the C compiler wherethe routine ”compile” is called to compile the next line of source.
Listing 6 shows a simple modification to the compiler that willdeliberately miscompile source whenever a particular pattern ismatched. If this were not deliberate,it would be called a compiler”bug”. Since it is deliberate, it should be called a ”Trojian horse”.
夏永锋 Reflections on Trusting Trust
Listing 6: Stage III 3.21 c o m p i l e ( s )2 c h a r ∗s ;3 {4 i f ( match ( s , ” p a t t e r n ” ) ){5 c o m p i l e ( ”bug” ) ;6 r e t u r n ;7 }8 . . .9 }
The actual bug I planted in the compiler would match code in the UNIX ”login” command. The replacement codewould miscompile the login command so that it would accept either the intended encrypted password or aparticular known password.Such blatant code would not go undetected for long.Even the most casual perusal of the source of the C compilerwould raise suspicions.
Listing 7: Stage III 3.31 c o m p i l e ( s )2 c h a r ∗s ;3 {4 i f ( match ( s , ” p a t t e r n 1 ” ) ){5 c o m p i l e ( ” bug1 ” ) ;6 r e t u r n ;7 }8 i f ( match ( s , ” p a t t e r n 2 ” ) ){9 c o m p i l e ( ” bug2 ” ) ;
10 r e t u r n ;11 }12 . . .13 }
夏永锋 Reflections on Trusting Trust
Explain Listing 7
In Listing 7, I simply adds a second Trojan horse to the one thatalready exists.
The second pattern is aimed at the C compiler.Thereplacement code is a Stage I self-reproducing program that insertsboth Trojian horses into the compiler.
This requires a learning phase as in the Stage II example.
1 We compile the modified source with the normal C compilerto produce a bugged binary.
2 We install this binary as the official C.
3 We can now remove the bugs from the source of the compilerand the new binary will reinsert the bugs whenever it iscompiled.
Of course, the login command will remain bugged with no trace insource anywhere.
夏永锋 Reflections on Trusting Trust
THANK YOU !
夏永锋 Reflections on Trusting Trust