reflections on trusting trust ken thompson. overview introduction introduction “cutest program”...
DESCRIPTION
Introduction Introduction The author’s acknowledgement The author’s acknowledgement UNIX UNIX Background Background Presentation PresentationTRANSCRIPT
Reflections on Trusting Reflections on Trusting TrustTrust
Ken ThompsonKen Thompson
OverviewOverview IntroductionIntroduction ““Cutest Program”Cutest Program”
Stage 1Stage 1 Stage 2Stage 2 Stage 3Stage 3
MoralMoral ConclusionConclusion
IntroductionIntroduction The author’s acknowledgementThe author’s acknowledgement UNIXUNIX BackgroundBackground PresentationPresentation
““Cutest Program”Cutest Program” Stage 1Stage 1
Shortest self-reproducing program Shortest self-reproducing program Write a source program that will produce an Write a source program that will produce an
exact copy of its sourceexact copy of its source Figure 1Figure 1
Produces a self-reproducing programProduces a self-reproducing program Can be easily written by another programCan be easily written by another program Can contain baggage that will be reproduced Can contain baggage that will be reproduced
along with main algorithmalong with main algorithm Source Code next slideSource Code next slide
Source CodeSource Code
““Cutest Program”Cutest Program” Stage 2Stage 2
C Compiler written in C C Compiler written in C ““Chicken and egg” problemChicken and egg” problem
Compilers written in their own languageCompilers written in their own language Example from C compilerExample from C compiler
Figure 2 Figure 2 C compiler interprets the character escape sequenceC compiler interprets the character escape sequence
Figure 3 and 4Figure 3 and 4 Figure 3 adds vertical tab “\v” Figure 3 adds vertical tab “\v” Binary version does not know about “\v” add ASCII valueBinary version does not know about “\v” add ASCII value
if(c == ‘v’)if(c == ‘v’)return(‘11’) return(‘11’)
Stage 2 ExampleStage 2 ExampleFigure 2Figure 2c = next( );c = next( );if(c != ‘\\’)if(c != ‘\\’)
return(c);return(c);c = next( );c = next( );if(c == ‘\\’)if(c == ‘\\’)
return(‘\\’);return(‘\\’);if(c == ‘n’)if(c == ‘n’)
return(‘\n’);return(‘\n’);
Figure 3Figure 3c = next( );c = next( );if(c != ‘\\’)if(c != ‘\\’)
return(c);return(c);c = next( );c = next( );if(c == ‘\\’)if(c == ‘\\’)
return(‘\\’);return(‘\\’);if(c == ‘n’)if(c == ‘n’)
return(‘\n’);return(‘\n’);if(c == ‘v’)if(c == ‘v’)
return(‘\v’);return(‘\v’);
Stage 2 Cont.Stage 2 Cont.Figure 4Figure 4c = next( );c = next( );if(c != ‘\\’)if(c != ‘\\’)
return(c);return(c);c = next( );c = next( );if(c == ‘\\’)if(c == ‘\\’)
return(‘\\’);return(‘\\’);if(c == ‘n’)if(c == ‘n’)
return(‘\n’);return(‘\n’);if(c == ‘v’)if(c == ‘v’)
return(‘11’);return(‘11’);
Stage 3Stage 3 Takes the code and modifies itTakes the code and modifies it Figure 5 Figure 5
High level control of the C compilerHigh level control of the C compiler ““compile” is called to compile next line of codecompile” is called to compile next line of code
Figure 6 Figure 6 Modified to mis-compile source when a pattern Modified to mis-compile source when a pattern
is matchedis matched Not deliberate would be a “bug”. Since Not deliberate would be a “bug”. Since
deliberate should be called “Trojan horse”.deliberate should be called “Trojan horse”.
Source CodeSource CodeFigure 5Figure 5compile(s)compile(s)char char **s;s;{{ }}
Figure 6Figure 6compile(s)compile(s)char char **s;s;{{if(match(s, “pattern”)) {if(match(s, “pattern”)) {
compile (‘bug’);compile (‘bug’);return;return;
}}
}}
Results of CodeResults of Code The bug planted would match code in The bug planted would match code in
UNIX “login” commandUNIX “login” command Replacement code will miscompile Replacement code will miscompile
login commandlogin command Giving access to loginGiving access to login
Accepting the intended encrypted passwordAccepting the intended encrypted passwordOROR Accepting a particular known passwordAccepting a particular known password
Source CodeSource CodeFigure 7Figure 7compile(s)compile(s)char char **s;s;{{
if(match(s, “pattern1”)) {if(match(s, “pattern1”)) {compile (‘bug 1’);compile (‘bug 1’);return;return;
}}if(match(s, “pattern2”)) {if(match(s, “pattern2”)) {
compile (‘bug 2’);compile (‘bug 2’);return;return;
}}
}}
Stage 3 Cont.Stage 3 Cont. Figure 7 adds a second Trojan horse .Figure 7 adds a second Trojan horse .
Aimed for the C compilerAimed for the C compiler Figure 7 shows the use of stage 1 by Figure 7 shows the use of stage 1 by
applying self-reproducing programapplying self-reproducing program This is done by compiling modified source This is done by compiling modified source
with the C compiler with the C compiler Produces bugged binaryProduces bugged binary
The binary is installed as the official CThe binary is installed as the official C Remove the bugs from the compilerRemove the bugs from the compiler
New binary will reinsert the bugs whenever compiledNew binary will reinsert the bugs whenever compiled
MoralMoral Can’t trust code you didn’t writeCan’t trust code you didn’t write Source level verification will not Source level verification will not
protect us from using untrusted codeprotect us from using untrusted code Could be done with any program-Could be done with any program-
handling programhandling program AssemblerAssembler LoadersLoaders Hardware microcodeHardware microcode
Level of program gets lower bugs will be Level of program gets lower bugs will be harder to detectharder to detect
Moral Cont.Moral Cont. Criticizes press on handling of hackers Criticizes press on handling of hackers Author states these acts by kids are Author states these acts by kids are
“vandalism t best”“vandalism t best” States inadequacy of law that saves hackers States inadequacy of law that saves hackers
from real prosecutionfrom real prosecution Companies are pressing to update criminal Companies are pressing to update criminal
codecode 2 major issues2 major issues
Press, TV, and etc. call these hackers “whiz kids”Press, TV, and etc. call these hackers “whiz kids” The acts performed will be sending them to jail for many The acts performed will be sending them to jail for many
yearsyears
ConclusionConclusion Creating bugs and viruses can be Creating bugs and viruses can be
simplesimple There is a cultural gapThere is a cultural gap
Kids have no idea these are serious actsKids have no idea these are serious acts Social StigmaSocial Stigma
Breaking into computers should be the same Breaking into computers should be the same as breaking into homesas breaking into homes
Questions ?