From: "Ron Natalie" <ron@ronnatalie.com>
To: "TUHS main list" <tuhs@minnie.tuhs.org>
Subject: [TUHS] On UNIX Trojans
Date: Mon, 20 Sep 2021 14:48:25 +0000 [thread overview]
Message-ID: <em2cf6e0f0-5d63-45d8-b949-17c208c08899@alien> (raw)
In-Reply-To: <CAKH6PiVEHTfmdpz2iPwm1oSoL2r15WGfEU6xAdE60wq0xubWfw@mail.gmail.com>
I have to say my experience in UNIX systems programming was due to the
discovery of a trojan. It also shaped my research into security on
UNIX and other systems over the coming decades.
At the time, the UNIX system at Johns Hopkins University (there was only
one) in the EE department was run by an undergraduate activity called
the "University Computing Society." This bunch, headed by Mike Muuss
and another covered all aspects of running the computer: programming,
operations, hardware, and documentation support. I was just a loose
hanger-on at the time, writing my first C programs and the like.
A couple of student operators managed to get access to what would be the
installed copy of /lib/crt0.o (the small snippet inserted at the
beginning of all C programs). They inserted a couple of bytes that did
an exec of a file "^V" (current directory) and then waited. Most of
the time, this is a harmless change as there is no ^V file in the
current directory. Then, one day they hit the jackpot and a setuid
root program got rebuilt and now they had a way of getting a root shell
easily.
This went largely undetected as they used it for quasi-productive uses
for a while. One day one of the other programmers was rebuilding a
program and noticed the few-byte increase in size (back then we were
running the system on a grand total of 8.5MB so every byte was
precious). Subsequent analysis of what changed revealed the trojan.
This led to an upheaval in the department and the end of the UCS. They
did decide to keep the cheap student labor however, and since I had kept
my nose clean and had some extensive, albeit non-UNIX, programming
experience, I was brought on board. I spent the next three and a half
years looking for and plugging security holes.
I went on (after a brief stint at Martin Marietta) to work for Mike at
Aberdeen Proving Ground and continued doing random security work
including being put on the Army's initial tiger team effort. Also,
there used to be a discussion in the security groups about what a
"hacker with a Cray" could do for things about brute forcing decryption.
I was given use of the new X/MP the Army bought to see if that was
feasible. I later got to purchase a $25 million Cray 2, but left
BRL for Rutgers before that was delivered.
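The trojan above was caught because a rebuilt binary grew by a few bytes. The following is an added example, not part of Ron Natalie's message: a baseline check that fingerprints toolchain artifacts such as crt0.o by size and SHA-256 and reports any drift, run here against constructed stand-in files in a temporary directory rather than the real /lib.

```python
"""Baseline integrity check for toolchain artifacts such as /lib/crt0.o.

Added example: record size and SHA-256 for each artifact, then report
anything that no longer matches. Size alone is what exposed the crt0.o
trojan; the hash also catches a same-size replacement. The files used
below are constructed stand-ins, not real toolchain objects."""
import hashlib
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> dict:
    """Size and SHA-256 of one artifact."""
    data = path.read_bytes()
    return {"size": len(data), "sha256": hashlib.sha256(data).hexdigest()}


def build_baseline(libdir: Path, names) -> dict:
    """Snapshot the artifacts you expect to stay fixed between rebuilds."""
    return {name: fingerprint(libdir / name) for name in names}


def check_against_baseline(libdir: Path, baseline: dict) -> list:
    """Return (name, reason) for every artifact that drifted from baseline."""
    findings = []
    for name, expected in baseline.items():
        path = libdir / name
        if not path.exists():
            findings.append((name, "missing"))
            continue
        now = fingerprint(path)
        if now["size"] != expected["size"]:
            findings.append((name, f"size {expected['size']} -> {now['size']}"))
        elif now["sha256"] != expected["sha256"]:
            findings.append((name, "same size, different contents"))
    return findings


def demo() -> list:
    """Constructed scenario: crt0.o gains a couple of bytes after baselining."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp)
        (lib / "crt0.o").write_bytes(b"\x01\x02\x03startup-code")   # 15 bytes
        (lib / "libc.a").write_bytes(b"archive-of-libc")
        baseline = build_baseline(lib, ["crt0.o", "libc.a"])
        with open(lib / "crt0.o", "ab") as f:     # simulate the tampering
            f.write(b"\x16\x00")
        return check_against_baseline(lib, baseline)


if __name__ == "__main__":
    for name, reason in demo():
        print(f"{name}: {reason}")
```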
Thread overview (4 messages):
2021-09-20 11:57 [TUHS] Thompson trojan put into practice - Douglas McIlroy
2021-09-20 13:51 ` Ken Thompson
2021-09-20 14:35 ` John P. Linderman
2021-09-20 14:48 ` Ron Natalie [this message]