Ken thompson

Reflections on Trusting TrustTo what extent should one trust a statement that a program is free of Trojan horses?

Perhaps it is more important to trust the people who wrote the software.

夏永锋

上海交通大学软件学院嵌入式实验室

November 3, 2011

夏永锋 Reflections on Trusting Trust

About Ken

Born in New Orleans in 1943

Received a Bachelor of Science in 1965 and amaster’s degree in 1966, both in ElectricalEngineering and Computer Science, from theUniversity of California, Berkeley

Retired from Bell Labs in late 2000, then workedat Entrisphere,Inc as a fellow until 2006

Now works at Google as a Distinguished Engineer.


About Ken

Contributions

the Bon programming language

one of the creators and early developers of the the Unix and Plan 9 operating system

the B programming language, a precursor to Ritchie’s C

participate in creating C programming language

Regular expressions and early computer text editors QED and ed

most recently the co-creation of Google’s programming language Go

developed UTF-8 together with Rob Pike in 1992

participate in creating endgame tablebases and the chess machine Belle

Awards

1983, Turing Award

1990, IEEE Richard W. Hamming Medal

1997, Fellow of the Computer History Museum

1999, National Medal of Technology

1999, The first IEEE Tsutomu Kanai Award

2011, The Japan Prize for Information and Communication


About Ken’s Turing Award acceptance speech

”Reflections on Trusting Trust” presented the backdoorattack now known as the Thompson hack or trustingtrust attack, and is widely considered a seminal computersecurity work in its own right.

— From en.wikipedia.org


Why not to talk about UNIX?

UNIX swept into popularity with an industry-wide changefrom central mainframes to autonomous minis.

The current state of UNIX is the result of the labors of a largenumber of people.

I have not worked on mainstream UNIX in many years.

So what to talk about?The cutest program I ever wrote. and do this in three stages and

bring it together at the end.


Listing 1: Stage I ”a self-reproducing program”

1 c h a r s []={2 ’\ t ’ ,3 ’ 0 ’ ,4 ’\n ’ ,5 ’} ’ ,6 ’ ; ’ ,7 ’\n ’ ,8 ’\n ’ ,9 ’ / ’ ,

10 ’∗ ’ ,11 ’\n ’ ,12 (213 l i n e d e l e t e d )13 014 } ;1516 /∗17 ∗ The s t r i n g s i s a18 ∗ r e p r e s e n t a t i o n o f t h e body19 ∗ o f t h i s program from ’ 0 ’20 ∗ to t h e end .21 ∗/2223 main ( )24 {25 i n t i ;2627 p r i n t f ( ” c h a r s []={\n” ) ;28 f o r ( i =0; s [ i ] ; i ++)29 p r i n t f ( ”\ t%d ,\n” , s [ i ] ) ;30 p r i n t f ( ”%s ” , s ) ;31 }


About the self-reproducing program

This program can be easily written by another program.

This program can contain an arbitrary amount of excessbaggage that will be reproduced along with th main algorithm.


Listing 2: Stage II 2.1

1 . . .2 c=n e x t ( ) ;3 i f ( c != ’\\ ’ )4 r e t u r n ( c ) ;5 c=n e x t ( ) ;6 i f ( c==’\\ ’ )7 r e t u r n ( ’\\ ’ ) ;8 i f ( c==’ n ’ )9 r e t u r n ( ’\n ’ ) ;

10 . . .



10 i f ( c==’ v ’ )11 r e t u r n ( ’\v ’ ) ;12 . . .


About Stage II

Since the binary version of the compiler does not know about”\v”,the source is not legal C. We must ”train” the compiler.After it ”knows” what ”\v” means, then our new change willbecome legal C.

We look up on an ASCII chart that a vertical tab is decimal 11.




10 i f ( c==’ v ’ )11 r e t u r n ( 1 1 ) ;12 . . .

Now the old compiler accepts the new source.We install theresulting binary as the new official C compiler and now we canwrite the portable version the way we had it in Listing 3.

Listing 5: Stage III 3.1

1 c o m p i l e ( s )2 c h a r ∗s ;3 {4 . . .5 }


About Stage III

Listing 5 represents the high level control of the C compiler wherethe routine ”compile” is called to compile the next line of source.

Listing 6 shows a simple modification to the compiler that willdeliberately miscompile source whenever a particular pattern ismatched. If this were not deliberate,it would be called a compiler”bug”. Since it is deliberate, it should be called a ”Trojian horse”.


Listing 6: Stage III 3.21 c o m p i l e ( s )2 c h a r ∗s ;3 {4 i f ( match ( s , ” p a t t e r n ” ) ){5 c o m p i l e ( ”bug” ) ;6 r e t u r n ;7 }8 . . .9 }

The actual bug I planted in the compiler would match code in the UNIX ”login” command. The replacement codewould miscompile the login command so that it would accept either the intended encrypted password or aparticular known password.Such blatant code would not go undetected for long.Even the most casual perusal of the source of the C compilerwould raise suspicions.

Listing 7: Stage III 3.31 c o m p i l e ( s )2 c h a r ∗s ;3 {4 i f ( match ( s , ” p a t t e r n 1 ” ) ){5 c o m p i l e ( ” bug1 ” ) ;6 r e t u r n ;7 }8 i f ( match ( s , ” p a t t e r n 2 ” ) ){9 c o m p i l e ( ” bug2 ” ) ;

10 r e t u r n ;11 }12 . . .13 }


Explain Listing 7

In Listing 7, I simply adds a second Trojan horse to the one thatalready exists.

The second pattern is aimed at the C compiler.Thereplacement code is a Stage I self-reproducing program that insertsboth Trojian horses into the compiler.

This requires a learning phase as in the Stage II example.

1 We compile the modified source with the normal C compilerto produce a bugged binary.

2 We install this binary as the official C.

3 We can now remove the bugs from the source of the compilerand the new binary will reinsert the bugs whenever it iscompiled.

Of course, the login command will remain bugged with no trace insource anywhere.


THANK YOU !
