The Unix Heritage Society mailing list
From: "Ron Natalie" <ron@ronnatalie.com>
To: "TUHS main list" <tuhs@minnie.tuhs.org>
Subject: [TUHS] On UNIX Trojans
Date: Mon, 20 Sep 2021 14:48:25 +0000
Message-ID: <em2cf6e0f0-5d63-45d8-b949-17c208c08899@alien>
In-Reply-To: <CAKH6PiVEHTfmdpz2iPwm1oSoL2r15WGfEU6xAdE60wq0xubWfw@mail.gmail.com>

I have to say my experience in UNIX systems programming was due to the 
discovery of a trojan.   It also shaped my research into security on 
UNIX and other systems over the coming decades.

At the time, the UNIX system at Johns Hopkins University (there was only 
one) in the EE department was run by an undergraduate activity called 
the "University Computing Society." This bunch, headed by Mike Muuss 
and another covered all aspects of running the computer: programming, 
operations, hardware, and documentation support. I was just a loose 
hanger-on at the time, writing my first C programs and the like.

A couple of student operators managed to get access to what would be the 
installed copy of /lib/crt0.o (the small snippet inserted at the 
beginning of all C programs).   They inserted a couple of bytes that did 
an exec of a file "^V" (current directory) and then waited.   Most of 
the time, this is a harmless change as there is no ^V file in the 
current directory.    Then, one day they hit the jackpot and a setuid 
root program got rebuilt and now they had a way of getting a root shell 
easily.

This went largely undetected as they used it for quasi-productive uses 
for a while.   One day one of the other programmers was rebuilding a 
program and noticed the few byte increase in size (back then we were 
running the system on a grand total of 8.5MB so every byte was 
precious).   Subsequent analysis of what changed revealed the trojan.    
This led to an upheaval in the department and the end of the UCS.   They 
did decide to keep the cheap student labor however, and since I had kept 
my nose clean and had some extensive, albeit, non-UNIX programming 
experience, I was brought on board.    I spent the next three and a half 
years looking for and plugging security holes.

I went on (after a brief stint at Martin Marietta) to work for Mike at 
Aberdeen Proving Ground and continued doing random security work 
including being put on the Army's initial tiger team effort.    Also, 
there used to be a discussion in the security groups about what a 
"hacker with a Cray" could do for things about brute forcing decryption. 
I was given use of the new X/MP the Army bought to see if that was a 
feasibility. I later got to purchase a $25 million Cray 2, but left 
BRL for Rutgers before that was delivered.
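The trojan in the post was found only because someone noticed a few-byte growth in a rebuilt binary. As an added example that is not part of Ron Natalie's message, here is the same idea done deliberately: a baseline-and-compare check over a directory of build artifacts that records both size and SHA-256, so that an in-place edit of the same length (which a size comparison alone would miss) is also reported. The directory contents and file names are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(directory):
    """Record (size, sha256) for every regular file directly under directory."""
    manifest = {}
    for entry in sorted(Path(directory).iterdir()):
        if entry.is_file():
            data = entry.read_bytes()
            manifest[entry.name] = (len(data), hashlib.sha256(data).hexdigest())
    return manifest


def compare(baseline, current):
    """Return (name, reason) for files that changed, vanished, or appeared."""
    findings = []
    for name, (size, digest) in baseline.items():
        if name not in current:
            findings.append((name, "missing"))
            continue
        new_size, new_digest = current[name]
        if new_size != size:
            findings.append((name, f"size {size} -> {new_size}"))
        elif new_digest != digest:
            findings.append((name, "same size, different sha256"))
    for name in current:
        if name not in baseline:
            findings.append((name, "new file"))
    return findings


def demo():
    """Constructed scenario: a fake /lib with two objects; one grows, one is edited in place."""
    lib = Path(tempfile.mkdtemp())
    (lib / "crt0.o").write_bytes(b"\x07\x01" + b"\x00" * 30)   # 32 bytes
    (lib / "libc.a").write_bytes(b"!<arch>\n" + b"A" * 64)
    baseline = snapshot(lib)
    # A few bytes appended: the kind of growth the anecdote's programmer noticed by eye.
    with open(lib / "crt0.o", "ab") as f:
        f.write(b"\x16\x00")
    # A same-length edit is invisible to a size check but caught by the digest.
    (lib / "libc.a").write_bytes(b"!<arch>\n" + b"B" * 64)
    return compare(baseline, snapshot(lib))


if __name__ == "__main__":
    for name, reason in demo():
        print(f"{name}: {reason}")
```

In practice the baseline would be taken from trusted install media and stored off the machine, since a manifest kept on the same system can be edited along with the files it describes.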



Thread overview: 4+ messages
2021-09-20 11:57 [TUHS] Thompson trojan put into practice Douglas McIlroy
2021-09-20 13:51 ` Ken Thompson
2021-09-20 14:35   ` John P. Linderman
2021-09-20 14:48 ` Ron Natalie [this message]
