[TUHS] Thompson trojan put into practice

[TUHS] Thompson trojan put into practice

[Douglas McIlroy]

>> > It's part of my academic project to work on provable compiler security.
>> > I tried to do it according to the "Reflections on Trusting Trust" by Ken
>> > Thompson, not only to show a compiler Trojan horse but also to prove that
>> > we can discover it.
>>
>> Of course it can be discovered if you look for it. What was impressive about
>> the folks who got Thompson's compiler at PWB is that they found the horse
>> even though they weren't looking for it.

> I had not heard this story. Can you elaborate, please? My impression from having
> read the paper (a long time ago now) is that Ken did the experiment locally only.

Ken did it locally, but a vigilant person at PWB noticed there was an
experimental
compiler on the research machine and grabbed it. While they weren't looking for
hidden stuff, they probably were trying to find what was new in the
compiler. Ken
may know details about what they had in the way of source and binary.

Doug

Re: [TUHS] Thompson trojan put into practice

[Ken Thompson]

[-- Attachment #1: Type: text/plain, Size: 1326 bytes --]

pwb recompiled the compiler and it got 1 byte larger.
again, another byte. after that they played with it
until they broke the quine part. i am not sure that
if they ever realized what was going on.

the extra byte was my bug.


On Mon, Sep 20, 2021 at 4:58 AM Douglas McIlroy <
douglas.mcilroy@dartmouth.edu> wrote:

> >> > It's part of my academic project to work on provable compiler
> security.
> >> > I tried to do it according to the "Reflections on Trusting Trust" by
> Ken
> >> > Thompson, not only to show a compiler Trojan horse but also to prove
> that
> >> > we can discover it.
> >>
> >> Of course it can be discovered if you look for it. What was impressive
> about
> >> the folks who got Thompson's compiler at PWB is that they found the
> horse
> >> even though they weren't looking for it.
>
> > I had not heard this story. Can you elaborate, please? My impression
> from having
> > read the paper (a long time ago now) is that Ken did the experiment
> locally only.
>
> Ken did it locally, but a vigilant person at PWB noticed there was an
> experimental
> compiler on the research machine and grabbed it. While they weren't
> looking for
> hidden stuff, they probably were trying to find what was new in the
> compiler. Ken
> may know details about what they had in the way of source and binary.
>
> Doug
>

[-- Attachment #2: Type: text/html, Size: 1834 bytes --]

Re: [TUHS] Thompson trojan put into practice

[John P. Linderman]

[-- Attachment #1: Type: text/plain, Size: 1693 bytes --]

My recollection is that Larry Wehr ran nm on the compiler, possibly in
response to the extra-byte quirk, and found a subroutine reference with no
appearance in the source. If Ken hadn't kept the code so modular, they
might never have noticed.

On Mon, Sep 20, 2021 at 9:53 AM Ken Thompson <kenbob@gmail.com> wrote:

>
> pwb recompiled the compiler and it got 1 byte larger.
> again, another byte. after that they played with it
> until they broke the quine part. i am not sure that
> if they ever realized what was going on.
>
> the extra byte was my bug.
>
>
> On Mon, Sep 20, 2021 at 4:58 AM Douglas McIlroy <
> douglas.mcilroy@dartmouth.edu> wrote:
>
>> >> > It's part of my academic project to work on provable compiler
>> security.
>> >> > I tried to do it according to the "Reflections on Trusting Trust" by
>> Ken
>> >> > Thompson, not only to show a compiler Trojan horse but also to prove
>> that
>> >> > we can discover it.
>> >>
>> >> Of course it can be discovered if you look for it. What was impressive
>> about
>> >> the folks who got Thompson's compiler at PWB is that they found the
>> horse
>> >> even though they weren't looking for it.
>>
>> > I had not heard this story. Can you elaborate, please? My impression
>> from having
>> > read the paper (a long time ago now) is that Ken did the experiment
>> locally only.
>>
>> Ken did it locally, but a vigilant person at PWB noticed there was an
>> experimental
>> compiler on the research machine and grabbed it. While they weren't
>> looking for
>> hidden stuff, they probably were trying to find what was new in the
>> compiler. Ken
>> may know details about what they had in the way of source and binary.
>>
>> Doug
>>
>

[-- Attachment #2: Type: text/html, Size: 2503 bytes --]

[TUHS] On UNIX Trojans

[Ron Natalie]

I have to say my experience in UNIX systems programming was due to the 
discovery of a trojan.   It also shaped my research into security on 
UNIX and other systems over the coming decades.

At the time, the UNIX system at Johns Hopkins University (there was only 
one) in the EE department was run by an undergraduate activity called 
the "University Computing Society."    This bunch, headed by Mike Muuss 
and another covered all aspects of running the computer:  programming, 
operations, hardware, and documentation support.    I was just a loose 
hangar on at the time, writing my first C programs and the like.

A couple of student operators managed to get access to what would be the 
installed copy of /lib/crt0.o (the small snippet inserted at the 
beginning of all C programs).   They inserted a couple of bytes that did 
an exec of a file "^V" (current directory) and then waited.   Most of 
the time, this is a harmless change as there is no ^V file in the 
current directory.    Then, one day they hit the jackpot and a setuid 
root program got rebuilt and now they had a way of getting a root shell 
easily.

This went largely undetected as they used it for quasi-productive uses 
for a while.   One day one of the other programmers was rebuilding a 
program and noticed the few byte increase in size (back then we were 
running the system on a grand total of 8.5MB so every byte was 
precious).   Subsequent analysis of what changed revealed the trojan.    
This led to an upheaval in the department and the end of the UCS.   They 
did decide to keep the cheap student labor however, and since I had kept 
my nose clean and had some extensive, albeit, non-UNIX programming 
experience, I was brought on board.    I spent the next three and a half 
years looking for and plugging security holes.

I went on (after a brief stint at Martin Marietta) to work for Mike at 
Aberdeen Proving Ground and continued doing random security work 
including being put on the Army's initial tiger team effort.    Also, 
there used to be a discussion in the security groups about what a 
"hacker with a Cray" could do for things about brute forcing decryption. 
    I was given use of the new X/MP the Army bought to see if that was a 
feasibility.    I later got to purchase a $25 million Cray 2, but left 
BRL for Rutgers before that was delivered.