Reflections on Trusting Trust
Ken Thompson

Uploaded by alvin-baldwin, posted 18-Jan-2018 (16 slides)

Page 1: Reflections on Trusting Trust

Ken Thompson

Page 2: Overview

Introduction
"Cutest Program": Stage 1, Stage 2, Stage 3
Moral
Conclusion

Page 3: Introduction

The author's acknowledgement
UNIX
Background
Presentation

Page 4: "Cutest Program", Stage 1

Shortest self-reproducing program: write a source program that will produce an exact copy of its own source (Figure 1).
Produces a self-reproducing program.
Can be easily written by another program.
Can contain baggage that will be reproduced along with the main algorithm.
Source code on the next slide.

Page 5: Source Code (Figure 1)

Page 6: "Cutest Program", Stage 2

C compiler written in C: the "chicken and egg" problem of compilers written in their own language. Example from the C compiler.
Figure 2: the C compiler interprets the character escape sequence.
Figures 3 and 4: Figure 3 adds the vertical tab "\v". The binary version does not yet know about "\v", so Figure 4 adds its ASCII value instead:

    if(c == 'v')
        return(11);

Page 7: Stage 2 Example

Figure 2:

    c = next();
    if(c != '\\')
        return(c);
    c = next();
    if(c == '\\')
        return('\\');
    if(c == 'n')
        return('\n');

Figure 3:

    c = next();
    if(c != '\\')
        return(c);
    c = next();
    if(c == '\\')
        return('\\');
    if(c == 'n')
        return('\n');
    if(c == 'v')
        return('\v');

Page 8: Stage 2 Cont.

Figure 4:

    c = next();
    if(c != '\\')
        return(c);
    c = next();
    if(c == '\\')
        return('\\');
    if(c == 'n')
        return('\n');
    if(c == 'v')
        return(11);        /* ASCII vertical tab; the binary does not know '\v' yet */

Page 9: Stage 3

Takes the code and modifies it (Figure 5).
High-level control of the C compiler: "compile" is called to compile the next line of code.
Figure 6: modified to miscompile source when a pattern is matched. If this were not deliberate it would be a "bug"; since it is deliberate it should be called a "Trojan horse".

Page 10: Source Code

Figure 5:

    compile(s)
    char *s;
    {
        /* compile the line s as usual */
    }

Figure 6:

    compile(s)
    char *s;
    {
        if(match(s, "pattern")) {
            compile("bug");
            return;
        }
        /* otherwise compile the line s as usual */
    }

Page 11: Results of Code

The planted bug would match code in the UNIX "login" command.
The replacement code miscompiles the login command, giving access to login by accepting either the intended encrypted password OR a particular known password.

Page 12: Source Code

Figure 7:

    compile(s)
    char *s;
    {
        if(match(s, "pattern1")) {
            compile("bug 1");
            return;
        }
        if(match(s, "pattern2")) {
            compile("bug 2");
            return;
        }
        /* otherwise compile the line s as usual */
    }

Page 13: Stage 3 Cont.

Figure 7 adds a second Trojan horse, aimed at the C compiler itself.
Figure 7 shows the use of stage 1 by applying the self-reproducing program.
This is done by compiling the modified source with the C compiler, which produces a bugged binary.
The binary is installed as the official C compiler.
Remove the bugs from the compiler source: the new binary will reinsert the bugs whenever the compiler is compiled.

Page 14: Moral

You can't trust code you didn't write.
Source-level verification will not protect us from using untrusted code.
This could be done with any program-handling program: assembler, loaders, hardware microcode.
As the level of the program gets lower, the bugs will be harder to detect.
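The following Python toy, added here and not code from the paper or these slides, models Stage 3 (pages 9 to 13) together with the Stage 1 trick it relies on, and adds the check the Moral slide motivates: a bugged compiler that backdoors a constructed stand-in for login and re-emits itself when fed the clean compiler source, so rebuilding from clean source does not remove it, plus a comparison against an independently built compiler (in the spirit of diverse double-compiling) that exposes a divergence source review alone cannot. Every name in it (compile_, LOGIN_SRC, MASTER_PW, the toy "binaries") is constructed for the illustration.

```python
# Constructed toy model of Thompson's stages 1-3 (added example, not the paper's code).
# A "binary" is Python text that exec() turns into a compile_() function. The honest
# compiler is the identity translation, so any divergence shows up as a text diff.
CLEAN_COMPILER_SRC = "def compile_(src):\n    return src\n"

# Constructed stand-in for the UNIX login command (not the real source).
LOGIN_SRC = "def login(user, pw, db):\n    return db.get(user) == pw\n"

# Stage 1 (self-reproduction) plus stage 3 (pattern-matched miscompilation) in one
# template: it carries its own text as data so the bugged compiler can re-emit itself.
TROJAN_TEMPLATE = '''TEMPLATE = %r
def compile_(src):
    if src.startswith("def login("):       # bug 1: backdoor the login program
        return src.replace("== pw", "== pw or pw == 'MASTER_PW'")
    if src.startswith("def compile_("):    # bug 2: clean compiler source in...
        return TEMPLATE %% TEMPLATE         # ...this bugged compiler out
    return src
'''
TROJAN_COMPILER_SRC = TROJAN_TEMPLATE % TROJAN_TEMPLATE   # the installed "official" cc

def load(binary, name):
    """Run a binary and return the function it defines under `name`."""
    ns = {}
    exec(binary, ns)
    return ns[name]

def build(compiler_binary, src):
    """Compile src with the given compiler binary; returns the new binary."""
    return load(compiler_binary, "compile_")(src)

def bug_survives_clean_rebuild():
    """Rebuilding the compiler from clean source with the bugged binary keeps the bugs."""
    rebuilt = build(TROJAN_COMPILER_SRC, CLEAN_COMPILER_SRC)
    return rebuilt == TROJAN_COMPILER_SRC

def accepts_master_password(compiler_binary):
    """Does login, as compiled by this compiler, accept the planted password?"""
    login = load(build(compiler_binary, LOGIN_SRC), "login")
    return login("alice", "MASTER_PW", {"alice": "s3cret"})

def diverse_check(suspect_binary, independent_binary, src):
    """Defender's check: compile the same src with an independently built compiler and
    compare outputs. Reading the clean source cannot reveal the trojan; a diff can."""
    return build(suspect_binary, src) == build(independent_binary, src)
```

The check only helps when the second compiler really is independent of the suspect one; a compiler bootstrapped from the same bugged binary would agree with it.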

Page 15: Moral Cont.

Criticizes the press on its handling of hackers.
The author states these acts by kids are "vandalism at best".
States the inadequacy of the law that saves hackers from real prosecution.
Companies are pressing to update the criminal code.
Two major issues:
Press, TV, etc. call these hackers "whiz kids".
The acts performed will be sending them to jail for many years.

Page 16: Conclusion

Creating bugs and viruses can be simple.
There is a cultural gap: kids have no idea these are serious acts.
Social stigma: breaking into computers should be treated the same as breaking into homes.

Questions?